Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-05-2021 12:55

General

  • Target

    14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe

  • Size

    255KB

  • MD5

    5596c16aa632fda3736791a939823e5a

  • SHA1

    82083ec2d74969fd07aa5b878287779b0c85a507

  • SHA256

    14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1

  • SHA512

    ddb44da1636aa43953da973702beca76233e8bb4a0580c31525f21bb6d7b22f5bccfa8c0b0fae6a20415e255f79a204a023b465e8ef1b7df3b7c0927a503a6e9

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs
  • Windows security bypass 2 TTPs
  • Disables RegEdit via registry modification
  • Executes dropped EXE 5 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
    "C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\zyitkiivaj.exe
      zyitkiivaj.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\ocpjdimp.exe
        C:\Windows\system32\ocpjdimp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2008
    • C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
      ztnwykfyecsbvrc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1972
    • C:\Windows\SysWOW64\ocpjdimp.exe
      ocpjdimp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2000
    • C:\Windows\SysWOW64\llieahfmagiem.exe
      llieahfmagiem.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1740
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Hidden Files and Directories (2) T1158
    • Registry Run Keys / Startup Folder (1) T1060
    • Winlogon Helper DLL (1) T1004
  • Defense Evasion
    • Hidden Files and Directories (2) T1158
    • Modify Registry (7) T1112
    • Disabling Security Tools (2) T1089
  • Credential Access
    • Credentials in Files (1) T1081
  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082
  • Collection
    • Data from Local System (1) T1005

Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      MD5

      cccc2067e26bb916a11dde55fc23cb41

      SHA1

      210575486d0d2df723a7eca077ff2acb3b77f43d

      SHA256

      a3c59f6a5b64827ee7b9f962bcc247d5e0928dbeb52bb96e98a2f5e172222d98

      SHA512

      af7c8c36f043992106a7a90e9fce05ddbea1b00a35b2fd1f1978344b5a0044d1d2dee141cf2c9a720d80cb62cabaa862ed92df04d590a735809314d10d017ca0

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      MD5

      79ff48cf711e92bbbed599131f69996c

      SHA1

      9ef0e07303c3007994bfc063153b5dd30f740c6d

      SHA256

      318ffb23ece5e1a7c57d82a41549f1611bfab36b2db0b3820b5315aa54db9f12

      SHA512

      3fa394c64f0a1bbfe690a5489dd0b4fbbd29494e11ff3041dc885731ac67c0b491e28f20f64685ce55c073ce97c61763f45fa2da208c3d997cf9118a4b0c2d01

    • C:\Users\Admin\Documents\ReceiveEdit.doc.exe
      MD5

      8813ebcacedcc656dab6cd9d0e75d792

      SHA1

      72f5c560d591e203b89838585972e786aefbe12b

      SHA256

      e63c87cf76998f18ff83f0f88aafb975c6c868e83d452ef88bc9d0a685e2ba88

      SHA512

      fff29f08140e4dcd3f9d01f09558c2b11544632c25d0a99ed5246dcdaa972ff02d7f3d6564d335edef7d8c90ce6b7b59bb6e866ca16f4efc5bfb7f256a49fb5b

    • C:\Users\Admin\Downloads\InvokeUndo.doc.exe
      MD5

      4a836fcbd114f648a731e38ab46250e6

      SHA1

      8edb6eb377f0d5aef6f589f9ede413be58d65d67

      SHA256

      bcd025674d7ab73ace9f2c0c340a2acd31cf9e0774bbdef13508ec5082aeb4ec

      SHA512

      be18e2b335d9c723482dbab04d58ae9ae34c2f6d9c3e413c9aaa7984ace8b1566863eb0f5df77babb84ad257642f154d174f4141ea7b92426dcd2454ab6edd88

    • C:\Windows\SysWOW64\llieahfmagiem.exe
      MD5

      9ebb82f38887848f3e190a864dbcf3d5

      SHA1

      b54b79daf78655e3984ec53ec0315392124949cb

      SHA256

      39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2

      SHA512

      bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705

    • C:\Windows\SysWOW64\ocpjdimp.exe
      MD5

      6333c214ad431f9f45ffc2ce4cbbc60c

      SHA1

      5ed2ae189baab90ab868822bf2457343c16fdab8

      SHA256

      c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

      SHA512

      67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

    • C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
      MD5

      b27b048961e442a99d07926213659f9c

      SHA1

      3fe3a41497ed0367d30dc5f3a8744e440bd398a5

      SHA256

      bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678

      SHA512

      8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997

    • C:\Windows\SysWOW64\zyitkiivaj.exe
      MD5

      ec1ffaa0ebca3fa99fb836d86c2ffe31

      SHA1

      bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee

      SHA256

      c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1

      SHA512

      affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072

    • C:\Windows\mydoc.rtf
      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\llieahfmagiem.exe
      MD5

      9ebb82f38887848f3e190a864dbcf3d5

      SHA1

      b54b79daf78655e3984ec53ec0315392124949cb

      SHA256

      39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2

      SHA512

      bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705

    • \Windows\SysWOW64\ocpjdimp.exe
      MD5

      6333c214ad431f9f45ffc2ce4cbbc60c

      SHA1

      5ed2ae189baab90ab868822bf2457343c16fdab8

      SHA256

      c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff

      SHA512

      67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f

    • \Windows\SysWOW64\ztnwykfyecsbvrc.exe
      MD5

      b27b048961e442a99d07926213659f9c

      SHA1

      3fe3a41497ed0367d30dc5f3a8744e440bd398a5

      SHA256

      bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678

      SHA512

      8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997

    • \Windows\SysWOW64\zyitkiivaj.exe
      MD5

      ec1ffaa0ebca3fa99fb836d86c2ffe31

      SHA1

      bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee

      SHA256

      c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1

      SHA512

      affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072

    • memory/884-87-0x00000000700E1000-0x00000000700E3000-memory.dmp
      Filesize

      8KB

    • memory/884-85-0x0000000000000000-mapping.dmp
    • memory/884-86-0x0000000072661000-0x0000000072664000-memory.dmp
      Filesize

      12KB

    • memory/884-88-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/884-96-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1412-62-0x0000000000000000-mapping.dmp
    • memory/1580-94-0x0000000000000000-mapping.dmp
    • memory/1580-95-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp
      Filesize

      8KB

    • memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp
      Filesize

      8KB

    • memory/1740-75-0x0000000000000000-mapping.dmp
    • memory/1972-66-0x0000000000000000-mapping.dmp
    • memory/2000-70-0x0000000000000000-mapping.dmp
    • memory/2008-82-0x0000000000000000-mapping.dmp