Overview

overview

10

Static

static

8

b1964713a0...fb.exe

windows7-x64

10

b1964713a0...fb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 21:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe

  • Size

    255KB

  • MD5

    4bd5c40959b71c897229aba22ef0f6a1

  • SHA1

    a382a5864ddbc0b8728d18c232b39dd96f50c73f

  • SHA256

    b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb

  • SHA512

    e44cb9b23645c51b77caebf031ffd981c12939644a911f2fb387612cd4a9951c2274bfb42f5ec06f69002a63a5eccc5c0f8197eef6c147c35c9d62beb270a1c5

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJV:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIw

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe
    "C:\Users\Admin\AppData\Local\Temp\b1964713a0feed48c132d06d2c6a11f3c41fd700efca283311a5133ba553a2fb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\azpzdtitga.exe
      azpzdtitga.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4124
      • C:\Windows\SysWOW64\cvrfejwt.exe
        C:\Windows\system32\cvrfejwt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1656
    • C:\Windows\SysWOW64\xuodikmqrnzmrxv.exe
      xuodikmqrnzmrxv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:824
    • C:\Windows\SysWOW64\cvrfejwt.exe
      cvrfejwt.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3588
    • C:\Windows\SysWOW64\wpwzjuvtdueoo.exe
      wpwzjuvtdueoo.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5060
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4276

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
          Filesize

          255KB

          MD5

          ab3f6f6cee0647046415924d3e041c17

          SHA1

          e62019c628d96e44580aef979b37f09e58222ba4

          SHA256

          48e7d2bb8bc8e7e20b56cca84ecd97f1eedd7150112a7f3bcbedac90f3018cc8

          SHA512

          4e95adeacaa4049dd3da91803c8309b91bdbc7107a2f453c6e32f66a320d7f7d9614e97ca440005bf2e313f2f5e7856b3a61d9b20a23acced31fd4e3ca7176cc

          Download Submit

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
          Filesize

          255KB

          MD5

          0d003e86a1ddda266481f7cc34d8d898

          SHA1

          9f1820ad01910f4062a5ca50cb470f13a2656908

          SHA256

          5126417a05ca7b260d83e7e82655e8fc5a4003ce61b83b61649b7438ed4d50c7

          SHA512

          76359b3c31f65a27d6cff0dfc1c1463ce51e607df6363bcb8628c14b97039263bb4f30f96656863a00b50ccb8062c9c116e658f540e5f308855d9c1058f1eb83

          Download Submit

        • C:\Windows\SysWOW64\azpzdtitga.exe
          Filesize

          255KB

          MD5

          581ba2a14464e7e1b4eb867538d0ff09

          SHA1

          55464a1ffb6f3537d1fe9c4ac607816c2692ab90

          SHA256

          c193ee56da1c811c663d136614706951d80aaeb88a711b9f843387daf824528d

          SHA512

          807a4006834f099f3f9b4f89b2f40134d6ccc4bf2f555e758a11c64f4b551afd8a54fd86cdb569a3dbcc013e43e629d4987b175a56f3c0ed1296c099d7533198

          Download Submit

        • C:\Windows\SysWOW64\azpzdtitga.exe
          Filesize

          255KB

          MD5

          581ba2a14464e7e1b4eb867538d0ff09

          SHA1

          55464a1ffb6f3537d1fe9c4ac607816c2692ab90

          SHA256

          c193ee56da1c811c663d136614706951d80aaeb88a711b9f843387daf824528d

          SHA512

          807a4006834f099f3f9b4f89b2f40134d6ccc4bf2f555e758a11c64f4b551afd8a54fd86cdb569a3dbcc013e43e629d4987b175a56f3c0ed1296c099d7533198

          Download Submit

        • C:\Windows\SysWOW64\cvrfejwt.exe
          Filesize

          255KB

          MD5

          15b23e0a853899cd252d2352b84461a7

          SHA1

          b08ddd389c5b49d2d080a96d98d4e538a707f225

          SHA256

          79e6905d773dc80a5b5b60ba1f5848f740eee4e73788c38a4d06ca28aa446069

          SHA512

          42dbb384b3fcc9eb1228c8691381753945a421447b72a17f8c07748835195774e38a8ca632d8515439645b9ca34df37d0278bd93f4b8e682ae69599d17ff5b29

          Download Submit

        • C:\Windows\SysWOW64\cvrfejwt.exe
          Filesize

          255KB

          MD5

          15b23e0a853899cd252d2352b84461a7

          SHA1

          b08ddd389c5b49d2d080a96d98d4e538a707f225

          SHA256

          79e6905d773dc80a5b5b60ba1f5848f740eee4e73788c38a4d06ca28aa446069

          SHA512

          42dbb384b3fcc9eb1228c8691381753945a421447b72a17f8c07748835195774e38a8ca632d8515439645b9ca34df37d0278bd93f4b8e682ae69599d17ff5b29

          Download Submit

        • C:\Windows\SysWOW64\cvrfejwt.exe
          Filesize

          255KB

          MD5

          15b23e0a853899cd252d2352b84461a7

          SHA1

          b08ddd389c5b49d2d080a96d98d4e538a707f225

          SHA256

          79e6905d773dc80a5b5b60ba1f5848f740eee4e73788c38a4d06ca28aa446069

          SHA512

          42dbb384b3fcc9eb1228c8691381753945a421447b72a17f8c07748835195774e38a8ca632d8515439645b9ca34df37d0278bd93f4b8e682ae69599d17ff5b29

          Download Submit

        • C:\Windows\SysWOW64\wpwzjuvtdueoo.exe
          Filesize

          255KB

          MD5

          292955b255bbc233cbf119b439a5cd1d

          SHA1

          839f7bce7f5e2e7273a4745da4ab6e393bf26e85

          SHA256

          0eccd337adc36ffe8a3ad1e6206b6eea4966648314568fdd99bbd1ebcb467f6f

          SHA512

          b2dc3e9cb64e6aff84a959e844b867f16d35534e46bbc72f1c469003c9d87ca58adfa97b899cafc6357bfba6f0aadba7cfa226568886584b6ce1abf3fb7c6742

          Download Submit

        • C:\Windows\SysWOW64\wpwzjuvtdueoo.exe
          Filesize

          255KB

          MD5

          292955b255bbc233cbf119b439a5cd1d

          SHA1

          839f7bce7f5e2e7273a4745da4ab6e393bf26e85

          SHA256

          0eccd337adc36ffe8a3ad1e6206b6eea4966648314568fdd99bbd1ebcb467f6f

          SHA512

          b2dc3e9cb64e6aff84a959e844b867f16d35534e46bbc72f1c469003c9d87ca58adfa97b899cafc6357bfba6f0aadba7cfa226568886584b6ce1abf3fb7c6742

          Download Submit

        • C:\Windows\SysWOW64\xuodikmqrnzmrxv.exe
          Filesize

          255KB

          MD5

          45f803a229102880784f29b58144b7a8

          SHA1

          cef334114675f412c03b1ca518c70c7ec3aa3f71

          SHA256

          c8d43926ff525aed5abb3eb3e6e7a2693fe5fd953d857e8567658075f34a3087

          SHA512

          2350d7df83f29e429ade7edd17f42593a48e2f42cfe82e9cfdc710b78febad3ced9750aab710b4a5f677c8399e82a0cec4d0dda56855d9c6c647968a3eeb9040

          Download Submit

        • C:\Windows\SysWOW64\xuodikmqrnzmrxv.exe
          Filesize

          255KB

          MD5

          45f803a229102880784f29b58144b7a8

          SHA1

          cef334114675f412c03b1ca518c70c7ec3aa3f71

          SHA256

          c8d43926ff525aed5abb3eb3e6e7a2693fe5fd953d857e8567658075f34a3087

          SHA512

          2350d7df83f29e429ade7edd17f42593a48e2f42cfe82e9cfdc710b78febad3ced9750aab710b4a5f677c8399e82a0cec4d0dda56855d9c6c647968a3eeb9040

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • memory/824-165-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/824-146-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1656-168-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1656-153-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/3588-166-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/3588-147-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4124-145-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4124-164-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4276-162-0x00007FFE74320000-0x00007FFE74330000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-158-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-156-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-155-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-161-0x00007FFE74320000-0x00007FFE74330000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-171-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-154-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-173-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-157-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-172-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4276-170-0x00007FFE76630000-0x00007FFE76640000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4352-152-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4352-132-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/5060-167-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/5060-148-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download