Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 12:55
General
-
Target
14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
-
Size
255KB
-
MD5
5596c16aa632fda3736791a939823e5a
-
SHA1
82083ec2d74969fd07aa5b878287779b0c85a507
-
SHA256
14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1
-
SHA512
ddb44da1636aa43953da973702beca76233e8bb4a0580c31525f21bb6d7b22f5bccfa8c0b0fae6a20415e255f79a204a023b465e8ef1b7df3b7c0927a503a6e9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs
-
Windows security bypass 2 TTPs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Disables RegEdit via registry modification
-
Executes dropped EXE 5 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 15 IoCs
-
Drops file in Program Files directory 8 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ltswbzvzru.exeltswbzvzru.exe2⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fhztlxno.exeC:\Windows\system32\fhztlxno.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\fzhpzkjetmzzmvp.exefzhpzkjetmzzmvp.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\htyphgadhqjxm.exehtyphgadhqjxm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\fhztlxno.exefhztlxno.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hidden Files and Directories
2Modify Registry
6Disabling Security Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeMD5
9041a87509e8e7dd1c18833b1a6d1644
SHA1a8ae0862e9c198ad00ad03843e97b715d7410d34
SHA256f9c5ccfa112ae95eb68dadd38bbc2c407d7add3b6c7b1c797c729f0613a913ce
SHA512a8af73b09c08397f362ec17df2f9e033812dfbb9e12b47a2b9b21572fae025cee29f944af3ebdc0ee4564e4b400f7667cf86da7930b7f44bdf33e503455c565d
-
C:\Windows\SysWOW64\fhztlxno.exeMD5
bfc4b41dea6b6916b58ea4a65e85f8be
SHA18d98a29d7577f053ce292a0cd91b32484c19bfa0
SHA2563fc6f2ecfa22d77ef0ea4a56590100372cca53b6fe27cc279b27f075ab5cdc25
SHA51212b0d87d59808923b715353c6119e63447c2a7278aabe10d0980869ce2ab4fddaa22be89157a33258290329759dbf1473c72f29d3178ce92dce66518f81b4b7f
-
C:\Windows\SysWOW64\fhztlxno.exeMD5
bfc4b41dea6b6916b58ea4a65e85f8be
SHA18d98a29d7577f053ce292a0cd91b32484c19bfa0
SHA2563fc6f2ecfa22d77ef0ea4a56590100372cca53b6fe27cc279b27f075ab5cdc25
SHA51212b0d87d59808923b715353c6119e63447c2a7278aabe10d0980869ce2ab4fddaa22be89157a33258290329759dbf1473c72f29d3178ce92dce66518f81b4b7f
-
C:\Windows\SysWOW64\fhztlxno.exeMD5
bfc4b41dea6b6916b58ea4a65e85f8be
SHA18d98a29d7577f053ce292a0cd91b32484c19bfa0
SHA2563fc6f2ecfa22d77ef0ea4a56590100372cca53b6fe27cc279b27f075ab5cdc25
SHA51212b0d87d59808923b715353c6119e63447c2a7278aabe10d0980869ce2ab4fddaa22be89157a33258290329759dbf1473c72f29d3178ce92dce66518f81b4b7f
-
C:\Windows\SysWOW64\fzhpzkjetmzzmvp.exeMD5
ca92c74816ed5a8bc2a0327805836564
SHA1da9c1d291c6856ca20f7a1d2266ecfe0e0c740cf
SHA2561b45dd430fc196dc18f9ba8c85f141ff0152233da809f78e04f955d44a9d116b
SHA5124edec67108d33ac6e453bf6fd75f21bb150309f482edd979d6404ebb036c00150b9a5fa0bf68df556b2fa94688bf978276a602f80143aa5057e183ce569d62bc
-
C:\Windows\SysWOW64\fzhpzkjetmzzmvp.exeMD5
ca92c74816ed5a8bc2a0327805836564
SHA1da9c1d291c6856ca20f7a1d2266ecfe0e0c740cf
SHA2561b45dd430fc196dc18f9ba8c85f141ff0152233da809f78e04f955d44a9d116b
SHA5124edec67108d33ac6e453bf6fd75f21bb150309f482edd979d6404ebb036c00150b9a5fa0bf68df556b2fa94688bf978276a602f80143aa5057e183ce569d62bc
-
C:\Windows\SysWOW64\htyphgadhqjxm.exeMD5
a8b7f0628405097442107ef99a79a532
SHA1484e46d98af957998bf7d8c39e9256f8d89b85df
SHA256e032ffe4ff37d71604529ddd9edb632b2ac01118b069fff5a1230dfdf4bcf7cd
SHA5125c1140f119e5e4a9939caf4ad003b905f3f6df89584071dfa637267705ace1faa0bde4d2f8a0bb9bd1fead0633c29cf4ee9620eded817e8bfd12ced990dda54c
-
C:\Windows\SysWOW64\htyphgadhqjxm.exeMD5
a8b7f0628405097442107ef99a79a532
SHA1484e46d98af957998bf7d8c39e9256f8d89b85df
SHA256e032ffe4ff37d71604529ddd9edb632b2ac01118b069fff5a1230dfdf4bcf7cd
SHA5125c1140f119e5e4a9939caf4ad003b905f3f6df89584071dfa637267705ace1faa0bde4d2f8a0bb9bd1fead0633c29cf4ee9620eded817e8bfd12ced990dda54c
-
C:\Windows\SysWOW64\ltswbzvzru.exeMD5
951d5642124d2f3c67e00917fe114d75
SHA1bfe42e562d6b5460a7927c6c6e06f0713e927125
SHA25679f294a1c9f96fd726b9de635fb0cd068947a7e65d7549720a9767eceba0b524
SHA512aa68cc8a6fb58c114e56bef283a10f3fcc88ca8c96706f0524eb6257a6277ed87b0f0f327d36c95ae8daf2353aedec468a4a2f5a36ca1ae68c299f195f814086
-
C:\Windows\SysWOW64\ltswbzvzru.exeMD5
951d5642124d2f3c67e00917fe114d75
SHA1bfe42e562d6b5460a7927c6c6e06f0713e927125
SHA25679f294a1c9f96fd726b9de635fb0cd068947a7e65d7549720a9767eceba0b524
SHA512aa68cc8a6fb58c114e56bef283a10f3fcc88ca8c96706f0524eb6257a6277ed87b0f0f327d36c95ae8daf2353aedec468a4a2f5a36ca1ae68c299f195f814086
-
C:\Windows\mydoc.rtfMD5
06604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeMD5
25a06a393f3d10b024d248bb0bdd210c
SHA1ea977e43cfc9d259a5f7370c6d27e29c877e3e57
SHA256458b623d63c8be6b3af217ef34a39cd06bfb54613c2c793e5427ec734c11665a
SHA512be9731c93f672fe091b22cb188475e398ed7354de8acc914a2d7326b6a83369318281f0eece75536197c0e681cab0075e8120c1297315c0fe47d20cb9844b59d
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeMD5
25a06a393f3d10b024d248bb0bdd210c
SHA1ea977e43cfc9d259a5f7370c6d27e29c877e3e57
SHA256458b623d63c8be6b3af217ef34a39cd06bfb54613c2c793e5427ec734c11665a
SHA512be9731c93f672fe091b22cb188475e398ed7354de8acc914a2d7326b6a83369318281f0eece75536197c0e681cab0075e8120c1297315c0fe47d20cb9844b59d
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeMD5
9041a87509e8e7dd1c18833b1a6d1644
SHA1a8ae0862e9c198ad00ad03843e97b715d7410d34
SHA256f9c5ccfa112ae95eb68dadd38bbc2c407d7add3b6c7b1c797c729f0613a913ce
SHA512a8af73b09c08397f362ec17df2f9e033812dfbb9e12b47a2b9b21572fae025cee29f944af3ebdc0ee4564e4b400f7667cf86da7930b7f44bdf33e503455c565d
-
memory/204-122-0x0000000000000000-mapping.dmp
-
memory/2076-115-0x0000000000000000-mapping.dmp
-
memory/2520-137-0x00007FFFB6BB0000-0x00007FFFB7C9E000-memory.dmpFilesize
16.9MB
-
memory/2520-131-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmpFilesize
64KB
-
memory/2520-132-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmpFilesize
64KB
-
memory/2520-133-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmpFilesize
64KB
-
memory/2520-134-0x00007FFFBC2A0000-0x00007FFFBEDC3000-memory.dmpFilesize
43.1MB
-
memory/2520-129-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmpFilesize
64KB
-
memory/2520-138-0x00007FFFB4CB0000-0x00007FFFB6BA5000-memory.dmpFilesize
31.0MB
-
memory/2520-126-0x0000000000000000-mapping.dmp
-
memory/2520-130-0x00007FFF9B3D0000-0x00007FFF9B3E0000-memory.dmpFilesize
64KB
-
memory/2580-118-0x0000000000000000-mapping.dmp
-
memory/3564-127-0x0000000000000000-mapping.dmp
-
memory/3992-114-0x0000000000000000-mapping.dmp