Overview

overview

10

Static

static

8

b1964713a0...fb.exe

windows7-x64

10

b1964713a0...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11/10/2022, 21:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe

  • Size

    255KB

  • MD5

    4bd5c40959b71c897229aba22ef0f6a1

  • SHA1

    a382a5864ddbc0b8728d18c232b39dd96f50c73f

  • SHA256

    b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb

  • SHA512

    e44cb9b23645c51b77caebf031ffd981c12939644a911f2fb387612cd4a9951c2274bfb42f5ec06f69002a63a5eccc5c0f8197eef6c147c35c9d62beb270a1c5

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJV:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIw

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe
    "C:\Users\Admin\AppData\Local\Temp\b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\ahrpvaedcw.exe
      ahrpvaedcw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\nwmetfus.exe
        C:\Windows\system32\nwmetfus.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1320
    • C:\Windows\SysWOW64\jvtdptcebqnausl.exe
      jvtdptcebqnausl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sdztrwpqlavnf.exe
        3⤵
          PID:2040
      • C:\Windows\SysWOW64\nwmetfus.exe
        nwmetfus.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1288
      • C:\Windows\SysWOW64\sdztrwpqlavnf.exe
        sdztrwpqlavnf.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1708
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1504
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1012

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\ahrpvaedcw.exe
        Filesize

        255KB

        MD5

        1d03f32cac6d5c0039f6565d132489ec

        SHA1

        7c1d70792f353e15e88895ce680458e2aeb66cab

        SHA256

        b2cd9d6384a15ba3af76642a31241ff399c567e6aa80c2e65282f31208731cba

        SHA512

        b9b78dfaee94e74332cfab408a840ba5d0e024ef209c62a3373173b6af26d97e606f0e11113f4aabd3f955d7c1993ad635b561ffc3c5f31813a69bd3e8b783b1

        Download Submit

      • C:\Windows\SysWOW64\ahrpvaedcw.exe
        Filesize

        255KB

        MD5

        1d03f32cac6d5c0039f6565d132489ec

        SHA1

        7c1d70792f353e15e88895ce680458e2aeb66cab

        SHA256

        b2cd9d6384a15ba3af76642a31241ff399c567e6aa80c2e65282f31208731cba

        SHA512

        b9b78dfaee94e74332cfab408a840ba5d0e024ef209c62a3373173b6af26d97e606f0e11113f4aabd3f955d7c1993ad635b561ffc3c5f31813a69bd3e8b783b1

        Download Submit

      • C:\Windows\SysWOW64\jvtdptcebqnausl.exe
        Filesize

        255KB

        MD5

        c37486ec071ccb330f38738c2465eef4

        SHA1

        46146dde96074e8d572b5ebefd33140879a8d6c9

        SHA256

        b55b4f2bac3f381ee79bc63d3cbc82de5c0b4c5429e08643209be3bfa1a54d70

        SHA512

        772000afbd4052320191f5bfdadc7a3667ca4c971800e0d0312ec6f9e882ebb4ea279100905217a789ec3655be449dacc94dee0cf4033b35c19af0c2af3a9c4a

        Download Submit

      • C:\Windows\SysWOW64\jvtdptcebqnausl.exe
        Filesize

        255KB

        MD5

        c37486ec071ccb330f38738c2465eef4

        SHA1

        46146dde96074e8d572b5ebefd33140879a8d6c9

        SHA256

        b55b4f2bac3f381ee79bc63d3cbc82de5c0b4c5429e08643209be3bfa1a54d70

        SHA512

        772000afbd4052320191f5bfdadc7a3667ca4c971800e0d0312ec6f9e882ebb4ea279100905217a789ec3655be449dacc94dee0cf4033b35c19af0c2af3a9c4a

        Download Submit

      • C:\Windows\SysWOW64\nwmetfus.exe
        Filesize

        255KB

        MD5

        eb670aa491a0ea06681298fdd403485b

        SHA1

        a9e77477da8d725f7b1c7dbe61f4be5bfdf3178e

        SHA256

        763b6ad9d543d149b390261048d1ea43b2535d2e6dd9d4d2ac9ddd70c04ee8fd

        SHA512

        e4ba69983c520f90fe5038fd354ef927f27b4dec3238319b348a74c8a1c95ce102669b54ea3c3661590906b888e63d3cb508b2f8a37973892bad9f0567899409

        Download Submit

      • C:\Windows\SysWOW64\nwmetfus.exe
        Filesize

        255KB

        MD5

        eb670aa491a0ea06681298fdd403485b

        SHA1

        a9e77477da8d725f7b1c7dbe61f4be5bfdf3178e

        SHA256

        763b6ad9d543d149b390261048d1ea43b2535d2e6dd9d4d2ac9ddd70c04ee8fd

        SHA512

        e4ba69983c520f90fe5038fd354ef927f27b4dec3238319b348a74c8a1c95ce102669b54ea3c3661590906b888e63d3cb508b2f8a37973892bad9f0567899409

        Download Submit

      • C:\Windows\SysWOW64\nwmetfus.exe
        Filesize

        255KB

        MD5

        eb670aa491a0ea06681298fdd403485b

        SHA1

        a9e77477da8d725f7b1c7dbe61f4be5bfdf3178e

        SHA256

        763b6ad9d543d149b390261048d1ea43b2535d2e6dd9d4d2ac9ddd70c04ee8fd

        SHA512

        e4ba69983c520f90fe5038fd354ef927f27b4dec3238319b348a74c8a1c95ce102669b54ea3c3661590906b888e63d3cb508b2f8a37973892bad9f0567899409

        Download Submit

      • C:\Windows\SysWOW64\sdztrwpqlavnf.exe
        Filesize

        255KB

        MD5

        eac2b257b86522a6d49cce8c499e5632

        SHA1

        fedd8305938c9dc5b97db01f15cd27f788d7c247

        SHA256

        f8d14621dcb705f0e6d5623ea16de6dd98e861afd34b528102d7f7ec13191f71

        SHA512

        409b1b6e1b04ecb0a32af378fa3eadc12924270c2a494544a3b1f25217d4f0c2704b283d8aa772454c6055d2885e01f26476a76ed3408190edaaec9ab2f359ba

        Download Submit

      • C:\Windows\SysWOW64\sdztrwpqlavnf.exe
        Filesize

        255KB

        MD5

        eac2b257b86522a6d49cce8c499e5632

        SHA1

        fedd8305938c9dc5b97db01f15cd27f788d7c247

        SHA256

        f8d14621dcb705f0e6d5623ea16de6dd98e861afd34b528102d7f7ec13191f71

        SHA512

        409b1b6e1b04ecb0a32af378fa3eadc12924270c2a494544a3b1f25217d4f0c2704b283d8aa772454c6055d2885e01f26476a76ed3408190edaaec9ab2f359ba

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        255KB

        MD5

        829b9dfcb3f8436225afac9b188a8c93

        SHA1

        04dd5bd413168cdbca3ee76d1cfc0bd53df66afe

        SHA256

        9794bb1675ac2838eff593c029e80fc1432edae2f6e9285a58a9b708d9a788e0

        SHA512

        9e1b24ad461e639138b44f795f4220c3d00212c043ccda8da3aa1b9497d9e20c826eea6f29c0394a1be62df2bad134d9c765299cba3582a1dd9edc6aff883bc2

        Download Submit

      • \Windows\SysWOW64\ahrpvaedcw.exe
        Filesize

        255KB

        MD5

        1d03f32cac6d5c0039f6565d132489ec

        SHA1

        7c1d70792f353e15e88895ce680458e2aeb66cab

        SHA256

        b2cd9d6384a15ba3af76642a31241ff399c567e6aa80c2e65282f31208731cba

        SHA512

        b9b78dfaee94e74332cfab408a840ba5d0e024ef209c62a3373173b6af26d97e606f0e11113f4aabd3f955d7c1993ad635b561ffc3c5f31813a69bd3e8b783b1

        Download Submit

      • \Windows\SysWOW64\jvtdptcebqnausl.exe
        Filesize

        255KB

        MD5

        c37486ec071ccb330f38738c2465eef4

        SHA1

        46146dde96074e8d572b5ebefd33140879a8d6c9

        SHA256

        b55b4f2bac3f381ee79bc63d3cbc82de5c0b4c5429e08643209be3bfa1a54d70

        SHA512

        772000afbd4052320191f5bfdadc7a3667ca4c971800e0d0312ec6f9e882ebb4ea279100905217a789ec3655be449dacc94dee0cf4033b35c19af0c2af3a9c4a

        Download Submit

      • \Windows\SysWOW64\nwmetfus.exe
        Filesize

        255KB

        MD5

        eb670aa491a0ea06681298fdd403485b

        SHA1

        a9e77477da8d725f7b1c7dbe61f4be5bfdf3178e

        SHA256

        763b6ad9d543d149b390261048d1ea43b2535d2e6dd9d4d2ac9ddd70c04ee8fd

        SHA512

        e4ba69983c520f90fe5038fd354ef927f27b4dec3238319b348a74c8a1c95ce102669b54ea3c3661590906b888e63d3cb508b2f8a37973892bad9f0567899409

        Download Submit

      • \Windows\SysWOW64\nwmetfus.exe
        Filesize

        255KB

        MD5

        eb670aa491a0ea06681298fdd403485b

        SHA1

        a9e77477da8d725f7b1c7dbe61f4be5bfdf3178e

        SHA256

        763b6ad9d543d149b390261048d1ea43b2535d2e6dd9d4d2ac9ddd70c04ee8fd

        SHA512

        e4ba69983c520f90fe5038fd354ef927f27b4dec3238319b348a74c8a1c95ce102669b54ea3c3661590906b888e63d3cb508b2f8a37973892bad9f0567899409

        Download Submit

      • \Windows\SysWOW64\sdztrwpqlavnf.exe
        Filesize

        255KB

        MD5

        eac2b257b86522a6d49cce8c499e5632

        SHA1

        fedd8305938c9dc5b97db01f15cd27f788d7c247

        SHA256

        f8d14621dcb705f0e6d5623ea16de6dd98e861afd34b528102d7f7ec13191f71

        SHA512

        409b1b6e1b04ecb0a32af378fa3eadc12924270c2a494544a3b1f25217d4f0c2704b283d8aa772454c6055d2885e01f26476a76ed3408190edaaec9ab2f359ba

        Download Submit

      • memory/1012-103-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1288-93-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1288-81-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1320-87-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1320-96-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1504-90-0x0000000072251000-0x0000000072254000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1504-95-0x000000006FCD1000-0x000000006FCD3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1504-101-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1504-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1504-98-0x0000000070CBD000-0x0000000070CC8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1684-91-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1684-78-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1708-82-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1708-94-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1744-80-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1744-92-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2000-89-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2000-54-0x00000000754E1000-0x00000000754E3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2000-79-0x0000000002F90000-0x0000000003030000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2000-57-0x0000000002F90000-0x0000000003030000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2000-55-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download