Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 12:55

General

  • Target

    14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe

  • Size

    255KB

  • MD5

    5596c16aa632fda3736791a939823e5a

  • SHA1

    82083ec2d74969fd07aa5b878287779b0c85a507

  • SHA256

    14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1

  • SHA512

    ddb44da1636aa43953da973702beca76233e8bb4a0580c31525f21bb6d7b22f5bccfa8c0b0fae6a20415e255f79a204a023b465e8ef1b7df3b7c0927a503a6e9

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs
  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Disables RegEdit via registry modification
  • Executes dropped EXE 5 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 15 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
    "C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SysWOW64\ltswbzvzru.exe
      ltswbzvzru.exe
      2⤵
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\SysWOW64\fhztlxno.exe
        C:\Windows\system32\fhztlxno.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3564
    • C:\Windows\SysWOW64\fzhpzkjetmzzmvp.exe
      fzhpzkjetmzzmvp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2076
    • C:\Windows\SysWOW64\htyphgadhqjxm.exe
      htyphgadhqjxm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:204
    • C:\Windows\SysWOW64\fhztlxno.exe
      fhztlxno.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2580
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Hidden Files and Directories: T1158 (2)
    Registry Run Keys / Startup Folder: T1060 (1)
    Winlogon Helper DLL: T1004 (1)

  • Defense Evasion
    Hidden Files and Directories: T1158 (2)
    Modify Registry: T1112 (6)
    Disabling Security Tools: T1089 (2)

  • Credential Access
    Credentials in Files: T1081 (1)

  • Discovery
    Query Registry: T1012 (3)
    Peripheral Device Discovery: T1120 (1)
    System Information Discovery: T1082 (4)

  • Collection
    Data from Local System: T1005 (1)

Downloads

  • C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    MD5

    9041a87509e8e7dd1c18833b1a6d1644

    SHA1

    a8ae0862e9c198ad00ad03843e97b715d7410d34

    SHA256

    f9c5ccfa112ae95eb68dadd38bbc2c407d7add3b6c7b1c797c729f0613a913ce

    SHA512

    a8af73b09c08397f362ec17df2f9e033812dfbb9e12b47a2b9b21572fae025cee29f944af3ebdc0ee4564e4b400f7667cf86da7930b7f44bdf33e503455c565d

  • C:\Windows\SysWOW64\fhztlxno.exe
    MD5

    bfc4b41dea6b6916b58ea4a65e85f8be

    SHA1

    8d98a29d7577f053ce292a0cd91b32484c19bfa0

    SHA256

    3fc6f2ecfa22d77ef0ea4a56590100372cca53b6fe27cc279b27f075ab5cdc25

    SHA512

    12b0d87d59808923b715353c6119e63447c2a7278aabe10d0980869ce2ab4fddaa22be89157a33258290329759dbf1473c72f29d3178ce92dce66518f81b4b7f

  • C:\Windows\SysWOW64\fzhpzkjetmzzmvp.exe
    MD5

    ca92c74816ed5a8bc2a0327805836564

    SHA1

    da9c1d291c6856ca20f7a1d2266ecfe0e0c740cf

    SHA256

    1b45dd430fc196dc18f9ba8c85f141ff0152233da809f78e04f955d44a9d116b

    SHA512

    4edec67108d33ac6e453bf6fd75f21bb150309f482edd979d6404ebb036c00150b9a5fa0bf68df556b2fa94688bf978276a602f80143aa5057e183ce569d62bc

  • C:\Windows\SysWOW64\htyphgadhqjxm.exe
    MD5

    a8b7f0628405097442107ef99a79a532

    SHA1

    484e46d98af957998bf7d8c39e9256f8d89b85df

    SHA256

    e032ffe4ff37d71604529ddd9edb632b2ac01118b069fff5a1230dfdf4bcf7cd

    SHA512

    5c1140f119e5e4a9939caf4ad003b905f3f6df89584071dfa637267705ace1faa0bde4d2f8a0bb9bd1fead0633c29cf4ee9620eded817e8bfd12ced990dda54c

  • C:\Windows\SysWOW64\ltswbzvzru.exe
    MD5

    951d5642124d2f3c67e00917fe114d75

    SHA1

    bfe42e562d6b5460a7927c6c6e06f0713e927125

    SHA256

    79f294a1c9f96fd726b9de635fb0cd068947a7e65d7549720a9767eceba0b524

    SHA512

    aa68cc8a6fb58c114e56bef283a10f3fcc88ca8c96706f0524eb6257a6277ed87b0f0f327d36c95ae8daf2353aedec468a4a2f5a36ca1ae68c299f195f814086

  • C:\Windows\mydoc.rtf
    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    MD5

    25a06a393f3d10b024d248bb0bdd210c

    SHA1

    ea977e43cfc9d259a5f7370c6d27e29c877e3e57

    SHA256

    458b623d63c8be6b3af217ef34a39cd06bfb54613c2c793e5427ec734c11665a

    SHA512

    be9731c93f672fe091b22cb188475e398ed7354de8acc914a2d7326b6a83369318281f0eece75536197c0e681cab0075e8120c1297315c0fe47d20cb9844b59d

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    MD5

    9041a87509e8e7dd1c18833b1a6d1644

    SHA1

    a8ae0862e9c198ad00ad03843e97b715d7410d34

    SHA256

    f9c5ccfa112ae95eb68dadd38bbc2c407d7add3b6c7b1c797c729f0613a913ce

    SHA512

    a8af73b09c08397f362ec17df2f9e033812dfbb9e12b47a2b9b21572fae025cee29f944af3ebdc0ee4564e4b400f7667cf86da7930b7f44bdf33e503455c565d

  • memory/204-122-0x0000000000000000-mapping.dmp
  • memory/2076-115-0x0000000000000000-mapping.dmp
  • memory/2520-137-0x00007FFFB6BB0000-0x00007FFFB7C9E000-memory.dmp
    Filesize

    16.9MB

  • memory/2520-131-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
    Filesize

    64KB

  • memory/2520-132-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
    Filesize

    64KB

  • memory/2520-133-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
    Filesize

    64KB

  • memory/2520-134-0x00007FFFBC2A0000-0x00007FFFBEDC3000-memory.dmp
    Filesize

    43.1MB

  • memory/2520-129-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
    Filesize

    64KB

  • memory/2520-138-0x00007FFFB4CB0000-0x00007FFFB6BA5000-memory.dmp
    Filesize

    31.0MB

  • memory/2520-126-0x0000000000000000-mapping.dmp
  • memory/2520-130-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmp
    Filesize

    64KB

  • memory/2580-118-0x0000000000000000-mapping.dmp
  • memory/3564-127-0x0000000000000000-mapping.dmp
  • memory/3992-114-0x0000000000000000-mapping.dmp