Overview

overview

10

Static

static

8

2dda7d6491...5f.exe

windows7-x64

10

2dda7d6491...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2022 02:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe

  • Size

    255KB

  • MD5

    739c0bcdcb87e2e7f1cb3bf84b04ff60

  • SHA1

    ae809db1099c94a66d5edffc0353a35a700d5c29

  • SHA256

    2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f

  • SHA512

    a815bceabbc34c79ae2764de7a463831d46f1cd74fa8d8f1d482b4eb404fad3a4796021cb3475fff3ec4c33d0a8851c5240e208b1e9325dc13a7392414b19b14

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mt

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe
    "C:\Users\Admin\AppData\Local\Temp\2dda7d6491fd1ad5bf4065f523e5c44d2978a940d2865b31a4e364675fe64a5f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\SysWOW64\fpqevnchag.exe
      fpqevnchag.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\aajpeqvj.exe
        C:\Windows\system32\aajpeqvj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3696
    • C:\Windows\SysWOW64\jfrpkhdijrnaepq.exe
      jfrpkhdijrnaepq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c blihkhyxsvkyx.exe
        3⤵
          PID:2284
      • C:\Windows\SysWOW64\aajpeqvj.exe
        aajpeqvj.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3384
      • C:\Windows\SysWOW64\blihkhyxsvkyx.exe
        blihkhyxsvkyx.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1612
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2916

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      bff4ebccf9c0f79d7870f67daa743606

      SHA1

      70e0847356444b24ed533a231bbd1056b6af8705

      SHA256

      4ff012e4f9a0dbdb9ea3b47b54c3d1d191c65f58bb6641d542eb9136d64461b1

      SHA512

      7820bb3cb671927edbcad162d5c135eaa98f58ae820d0ac1089aa204f8d392d73f2fe482755ab4e8046cafefc58f4c0c41b36b973bdf57872559bced382e36e0

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      bff4ebccf9c0f79d7870f67daa743606

      SHA1

      70e0847356444b24ed533a231bbd1056b6af8705

      SHA256

      4ff012e4f9a0dbdb9ea3b47b54c3d1d191c65f58bb6641d542eb9136d64461b1

      SHA512

      7820bb3cb671927edbcad162d5c135eaa98f58ae820d0ac1089aa204f8d392d73f2fe482755ab4e8046cafefc58f4c0c41b36b973bdf57872559bced382e36e0

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      c3c5963f1241305fad398c211cb2d6dd

      SHA1

      14f05db478173a8eca7ccd0a9188636ada62e300

      SHA256

      51424245afadd111c6b92b84ffe4e2ce9362547badc9fddd0065b94474bcc91c

      SHA512

      1176bbf13ad7e45f1f93399c54daf7f4f9b14b794fc01051256a2066e837f4f8b2e29d29557f5fcae74cafaeae4edc4ec99fffece9c450dc388db0f9764080c5

      Download Submit

    • C:\Windows\SysWOW64\aajpeqvj.exe
      Filesize

      255KB

      MD5

      1d7f4d07b9e1aae708989bc3d408471a

      SHA1

      06efc3346c8f7a7766a4ea4a9b43975f575fcd4a

      SHA256

      2e45489b71d79aad36ebb68faae5c1028c946c240db9c465197c709bb9a648cd

      SHA512

      a402df7349b643156add828f4020c1c5cfaf78f797ad31f3bba538cc9eb341e6ea65c137311bf75d6e1fdd70d204e32836f573bc06d9efb358ac976ac9c5023c

      Download Submit

    • C:\Windows\SysWOW64\aajpeqvj.exe
      Filesize

      255KB

      MD5

      1d7f4d07b9e1aae708989bc3d408471a

      SHA1

      06efc3346c8f7a7766a4ea4a9b43975f575fcd4a

      SHA256

      2e45489b71d79aad36ebb68faae5c1028c946c240db9c465197c709bb9a648cd

      SHA512

      a402df7349b643156add828f4020c1c5cfaf78f797ad31f3bba538cc9eb341e6ea65c137311bf75d6e1fdd70d204e32836f573bc06d9efb358ac976ac9c5023c

      Download Submit

    • C:\Windows\SysWOW64\aajpeqvj.exe
      Filesize

      255KB

      MD5

      1d7f4d07b9e1aae708989bc3d408471a

      SHA1

      06efc3346c8f7a7766a4ea4a9b43975f575fcd4a

      SHA256

      2e45489b71d79aad36ebb68faae5c1028c946c240db9c465197c709bb9a648cd

      SHA512

      a402df7349b643156add828f4020c1c5cfaf78f797ad31f3bba538cc9eb341e6ea65c137311bf75d6e1fdd70d204e32836f573bc06d9efb358ac976ac9c5023c

      Download Submit

    • C:\Windows\SysWOW64\blihkhyxsvkyx.exe
      Filesize

      255KB

      MD5

      8d0e8d7d216b78abd4d105fde9f0ba2a

      SHA1

      2215174236845fba85801487f1cb6d40fa2e218b

      SHA256

      55a135039f392224ad51b2fb260d3d98fdd80751f7d4fe8412d44dd124a32c22

      SHA512

      01fc09b3243c90c91b7561d04ce2555f13141ed04ee289d6b8097ccaa836b09611158d717e23b144e04bc1f658c9909f8b07c974956df9a922b106f1eb050500

      Download Submit

    • C:\Windows\SysWOW64\blihkhyxsvkyx.exe
      Filesize

      255KB

      MD5

      8d0e8d7d216b78abd4d105fde9f0ba2a

      SHA1

      2215174236845fba85801487f1cb6d40fa2e218b

      SHA256

      55a135039f392224ad51b2fb260d3d98fdd80751f7d4fe8412d44dd124a32c22

      SHA512

      01fc09b3243c90c91b7561d04ce2555f13141ed04ee289d6b8097ccaa836b09611158d717e23b144e04bc1f658c9909f8b07c974956df9a922b106f1eb050500

      Download Submit

    • C:\Windows\SysWOW64\fpqevnchag.exe
      Filesize

      255KB

      MD5

      8f6ed8bfb02da8e6784aa986e4a5db2f

      SHA1

      77b9e0dc85bd263f080a8c55c21c25ebd1a42340

      SHA256

      eac1a8a6618f10ee5cd7e5a8dd9e39b1c8a40a99972e03889f3e6ab620a1e97e

      SHA512

      ad5b9e213c06a506ea297bccc6c268d20b54dea7215bce4a54ad0d778f22e5b34143d59999b7d9a69c97874ba8718543de83ccb3d5c54fcd7077258377afe42d

      Download Submit

    • C:\Windows\SysWOW64\fpqevnchag.exe
      Filesize

      255KB

      MD5

      8f6ed8bfb02da8e6784aa986e4a5db2f

      SHA1

      77b9e0dc85bd263f080a8c55c21c25ebd1a42340

      SHA256

      eac1a8a6618f10ee5cd7e5a8dd9e39b1c8a40a99972e03889f3e6ab620a1e97e

      SHA512

      ad5b9e213c06a506ea297bccc6c268d20b54dea7215bce4a54ad0d778f22e5b34143d59999b7d9a69c97874ba8718543de83ccb3d5c54fcd7077258377afe42d

      Download Submit

    • C:\Windows\SysWOW64\jfrpkhdijrnaepq.exe
      Filesize

      255KB

      MD5

      5908f67b3669016b6237cf4981cc1c63

      SHA1

      c5491057798fd401547d1bf6acc8ac592f929d56

      SHA256

      fb7be186a4fc743d0d3a2daf5c19766693bf4316ae2183c980f7f708aff93a30

      SHA512

      4b76e5adc32ed385c38950a595cda2b719c8fc3e347ab19c203f763b20f028018df115e4aca2d338723a097c00771a043679cce4ad4f060dffb778183591b447

      Download Submit

    • C:\Windows\SysWOW64\jfrpkhdijrnaepq.exe
      Filesize

      255KB

      MD5

      5908f67b3669016b6237cf4981cc1c63

      SHA1

      c5491057798fd401547d1bf6acc8ac592f929d56

      SHA256

      fb7be186a4fc743d0d3a2daf5c19766693bf4316ae2183c980f7f708aff93a30

      SHA512

      4b76e5adc32ed385c38950a595cda2b719c8fc3e347ab19c203f763b20f028018df115e4aca2d338723a097c00771a043679cce4ad4f060dffb778183591b447

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/620-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/620-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1612-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1612-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2916-160-0x00007FF873990000-0x00007FF8739A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-168-0x00007FF871810000-0x00007FF871820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-170-0x00007FF871810000-0x00007FF871820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-164-0x00007FF873990000-0x00007FF8739A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-163-0x00007FF873990000-0x00007FF8739A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-162-0x00007FF873990000-0x00007FF8739A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2916-161-0x00007FF873990000-0x00007FF8739A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3384-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3384-148-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3696-159-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3696-169-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4752-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4752-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4808-158-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4808-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4808-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download