Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/10/2022, 18:39

General

  • Target

    933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe

  • Size

    255KB

  • MD5

    0bbff655e34f4c0e5dfa533aa75f0ee0

  • SHA1

    42094006d3935665659f3bf9c4598612b1557b58

  • SHA256

    933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b

  • SHA512

    9a514e59b588e2752f0553538ae252fef59b6c5d925634b726c59382398f48c0ad3d6d831374b9e746d99a27a11cd865102681b322bb9f902c1112441b2cb66e

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
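
The Explorer, RegEdit, Run-key and WinLogon signatures above all describe registry tampering, so here is a triage script a responder could run on a suspect host to look for the same changes. This is an added example, not the sandbox's own check logic: the report only gives IoC counts, so the key paths and default values it uses are the standard Windows locations these signature families inspect (an assumption on my part), and the dropped-file names are taken from the process tree below. One caveat the script reflects: the Explorer values the sample enforces (HideFileExt=1, Hidden=2, ShowSuperHidden=0) are also Windows defaults, so they are only evidence when compared with a baseline snapshot; the RegEdit policy value, Winlogon Shell/Userinit changes and Run entries pointing at SysWOW64 copies are anomalous on their own.

```python
"""Registry triage for the tampering named in the report's signatures.
Added example, not sandbox code. Key paths/defaults are the standard Windows
locations these signature families inspect (assumption); dropped-file names
come from the report's process tree."""
import sys

EXPLORER_ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Values to diff against a baseline; their "tampered" states are Windows defaults.
WATCHED = {EXPLORER_ADVANCED: ("HideFileExt", "Hidden", "ShowSuperHidden"),
           POLICIES_SYSTEM: ("DisableRegistryTools",),
           WINLOGON: ("Shell", "Userinit")}
# Copies the sample dropped into C:\Windows\SysWOW64 (report process tree).
DROPPED = ("afzlkchzft.exe", "pppxysidjfnytqp.exe", "zqhzpzqm.exe", "oecefyrozeoqy.exe")


def changed_values(baseline, current):
    """[(key, value, old, new)] for watched values differing between two
    snapshots of the form {key_path: {value_name: data}}."""
    out = []
    for key, names in WATCHED.items():
        for name in names:
            old = baseline.get(key, {}).get(name)
            new = current.get(key, {}).get(name)
            if old != new:
                out.append((key, name, old, new))
    return out


def strong_indicators(current):
    """Findings that need no baseline: RegEdit disabled by policy, Winlogon
    Shell/Userinit altered, Run entries launching the SysWOW64 copies."""
    out = []
    if current.get(POLICIES_SYSTEM, {}).get("DisableRegistryTools") in (1, 2):
        out.append((POLICIES_SYSTEM, "DisableRegistryTools", "RegEdit disabled"))
    wl = current.get(WINLOGON, {})
    shell = str(wl.get("Shell", "explorer.exe")).strip().lower()
    if shell != "explorer.exe":
        out.append((WINLOGON, "Shell", "shell replaced: " + shell))
    # Default Userinit is C:\Windows\system32\userinit.exe, (one entry, trailing
    # comma); appended entries are the classic Winlogon persistence trick.
    entries = [e for e in str(wl.get("Userinit", "")).strip().lower().split(",") if e]
    if entries and (len(entries) > 1 or not entries[0].endswith("\\userinit.exe")):
        out.append((WINLOGON, "Userinit", "unexpected chain: " + ",".join(entries)))
    for key in RUN_KEYS:
        for name, data in current.get(key, {}).items():
            low = str(data).lower()
            if "\\syswow64\\" in low or any(d in low for d in DROPPED):
                out.append((key, name, "Run entry launches " + str(data)))
    return out


def read_snapshot():
    """Read the watched keys on a live Windows host (winreg exists only there)."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; feed saved snapshots instead")
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for path in list(WATCHED) + list(RUN_KEYS):
        hive, _, sub = path.partition("\\")
        vals = {}
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    vals[name] = data
                    i += 1
        except OSError:
            pass
        snap[path] = vals
    return snap


if __name__ == "__main__":
    for finding in strong_indicators(read_snapshot()):
        print("STRONG:", finding)
```

Run read_snapshot() on the host (or export the keys beforehand and load them into the same dict shape) and feed a pre-incident export to changed_values() to see which of the Explorer values actually moved; strong_indicators() alone is enough to confirm the RegEdit, Winlogon and Run-key findings.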

Processes

  • C:\Users\Admin\AppData\Local\Temp\933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
    "C:\Users\Admin\AppData\Local\Temp\933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\afzlkchzft.exe
      afzlkchzft.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\zqhzpzqm.exe
        C:\Windows\system32\zqhzpzqm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:204
    • C:\Windows\SysWOW64\pppxysidjfnytqp.exe
      pppxysidjfnytqp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1396
    • C:\Windows\SysWOW64\zqhzpzqm.exe
      zqhzpzqm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5048
    • C:\Windows\SysWOW64\oecefyrozeoqy.exe
      oecefyrozeoqy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1220
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4440

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    255KB

    MD5

    e51087f2092a41729a29ab5582151056

    SHA1

    f6c5988c0b53e886048bbdff7766036d5b8d953f

    SHA256

    7ce90c81a482c0bffc5c9648971324725c446ca85dbc082b087c5fd6c11b9139

    SHA512

    a4c3fccb4d9f2f34d1c188f7ade269e3e9c0e83242a70819d1a5bcbaec8f8fa7ae6dbb39b521de2036b658096819098113d1cec8d7ee8e7cf3b18aac2a8c0999

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    255KB

    MD5

    36a2bd619b03f6aa50834164aae81fd0

    SHA1

    9a7005b54f60319677be78d69cbd202fd887dafc

    SHA256

    31a1ddaa17b06f9337ad6b6555beb89cdd86e1f8ab3c0462bbc08e8c28d900d6

    SHA512

    17aa9ac9ae1c17b107eb8f91b59ce8a287b706a75fac4bf5a46d75ee7ce18758c5015635808a6a752aa87699134616c7e9d35d0bcc225797f764bce1606faf15

  • C:\Windows\SysWOW64\afzlkchzft.exe

    Filesize

    255KB

    MD5

    0d54f52ec46c5f569f351a6ee01fa755

    SHA1

    422a7f3f8c19a7f1682b2148d84d4323d2808b31

    SHA256

    4cea29f54c5d2a5d73fc537244d7ca494c83070c2d04e6c511a8b20af9389659

    SHA512

    17379b8825bd8b397de321b5d37b660b5be0c4baf1264639c92203acbcff74c6229a69d615f796c2214994dc86c8f060cd7e5797bdb8d3598f0933cf265d59ea

  • C:\Windows\SysWOW64\oecefyrozeoqy.exe

    Filesize

    255KB

    MD5

    16068637193f3bdb9bd4d378c11406f9

    SHA1

    3912890c20c7534d46c0f594f8f613d74423d77b

    SHA256

    a3a9b4e2fde15c01de6ab48ad907835e4ca07e8bdd5f30cf41b37972a7eaef02

    SHA512

    f9f962d8028d1daeb292c0a51b8ef1745c3c0da328911b5314c4d3c5b8dbaf9b4fa14b558e56854a84a3736dc046c77eeffbba08c4b49ea4a5e265bc11eb3e4c

  • C:\Windows\SysWOW64\pppxysidjfnytqp.exe

    Filesize

    255KB

    MD5

    ebf91cdfc69204e7d206f436d7bc1c09

    SHA1

    da9012209fdc2f3ae91a5a38345594c12c02d72c

    SHA256

    eab05fbac8cb0d504e6a94d9ee08b6ce54d3f374c0a59f55c62d9386f35ba23a

    SHA512

    9882e90d05b7c144a909d6ae629a1740a28d2befb27e1ffd7bd5ab6b86f480028600f33c5fa5ad1dcf947da8d3c7577ddee64bf1bec51266d298f324eaf6d3d1

  • C:\Windows\SysWOW64\zqhzpzqm.exe

    Filesize

    255KB

    MD5

    95631db2092bbb81a5f0b8e7edea4634

    SHA1

    94696abab3dacadb4250ffef5db884988df00317

    SHA256

    ab363ce59117f5fcc6228202a59b5fa482c978f06d72cb913fc8c34234d0faf5

    SHA512

    3e1fe51794049c6143fa03cb9c09278f2f2fc0bb771045323fc39fd9d872d5f0d3311b42d5126d7ef1c78a00d08b6ab6ffb0f19f5456b213a1e97e07e1f63f07

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    255KB

    MD5

    dd5cc4734e0bf489e21f8f235405c18a

    SHA1

    f753f673b8d5903178153793e6c63a9140c9f0fe

    SHA256

    f0065d79ec150707bb9c44b62422d737156ee61df2e5668a65e2cf0efb838312

    SHA512

    107538992fd289d6a2fe05c429e10820740f5bed22b8bed325a3bf6b78fcc2e8cd46bbd6cfa1928c2f0a4ee99a91a56fdd8c292ed1f8837f15c257c4ecdb3c0a

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    256KB

    MD5

    77634c8389a6a22647787f79e348cf21

    SHA1

    6ee984a4b99bda88ab42b8c8b1c0f1c7824e0f82

    SHA256

    083ca0d0dc1644712d87f137b134cfc7707d0067001f6bd06f3016f050ff1419

    SHA512

    667aa88f5940e4a5364e92720958f4badf8b97f49a4fffc6f9d12164a1ed5b667be28e9641c2322db7202e0223d42817d88d10aea70a5699fa79182cf3e5c5e9

  • memory/204-179-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/204-171-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/204-156-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/856-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/856-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/1220-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/1220-170-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/1396-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/1396-149-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2188-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2188-135-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4440-175-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-157-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-158-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-159-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-160-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-161-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-178-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-162-0x00007FFCCB810000-0x00007FFCCB820000-memory.dmp

    Filesize

    64KB

  • memory/4440-177-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/4440-165-0x00007FFCCB810000-0x00007FFCCB820000-memory.dmp

    Filesize

    64KB

  • memory/4440-176-0x00007FFCCDEB0000-0x00007FFCCDEC0000-memory.dmp

    Filesize

    64KB

  • memory/5048-150-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/5048-180-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/5048-169-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB
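
To make the Downloads list usable on a suspect host, here is an offline sweep that hashes files under a given root and matches them against the SHA-256 values listed above, and separately flags the naming pattern the sample used for its copies (an executable extension appended to a document-style name, as in PROTTPLN.DOC.exe and MsoIrmProtector.doc.exe). This is an added example, not the sandbox's code. The hashes are copied from the report; the size band (every dropped copy is 255 or 256 KB) is used only as a weak prefilter, because each copy has a different hash and a rebuilt sample would miss the exact-match list entirely. The directory layout and the fixture files are assumed.

```python
"""Offline sweep for the artefacts in this report's Downloads section.
Added example, not sandbox code. Hashes are copied from the report; the
double-extension heuristic and size band are inferences from the listed
paths and sizes."""
import hashlib
import os
import re

# SHA-256 -> label, from the report (the two MsoIrmProtector copies differ).
REPORT_SHA256 = {
    "933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b": "submitted sample",
    "7ce90c81a482c0bffc5c9648971324725c446ca85dbc082b087c5fd6c11b9139": "PROTTPLN.DOC.exe",
    "31a1ddaa17b06f9337ad6b6555beb89cdd86e1f8ab3c0462bbc08e8c28d900d6": "PROTTPLV.DOC.exe",
    "4cea29f54c5d2a5d73fc537244d7ca494c83070c2d04e6c511a8b20af9389659": "afzlkchzft.exe",
    "a3a9b4e2fde15c01de6ab48ad907835e4ca07e8bdd5f30cf41b37972a7eaef02": "oecefyrozeoqy.exe",
    "eab05fbac8cb0d504e6a94d9ee08b6ce54d3f374c0a59f55c62d9386f35ba23a": "pppxysidjfnytqp.exe",
    "ab363ce59117f5fcc6228202a59b5fa482c978f06d72cb913fc8c34234d0faf5": "zqhzpzqm.exe",
    "f0065d79ec150707bb9c44b62422d737156ee61df2e5668a65e2cf0efb838312": "MsoIrmProtector.doc.exe (255KB)",
    "083ca0d0dc1644712d87f137b134cfc7707d0067001f6bd06f3016f050ff1419": "MsoIrmProtector.doc.exe (256KB)",
    "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2": "mydoc.rtf",
}
# Document-looking name with an executable extension appended (PROTTPLN.DOC.exe).
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf|txt)\.(exe|scr|com|pif)$", re.I)
# Every dropped PE in the report is 255-256 KB: a weak prefilter, not a verdict.
SIZE_BAND = (250 * 1024, 260 * 1024)


def sha256_of(path):
    """Streaming SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known=REPORT_SHA256):
    """Walk root and return {"hash_hits": [(path, label)], "double_ext": [path],
    "size_suspects": [path]}; lists are sorted for stable output."""
    hits, dext, sized = [], [], []
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            try:
                size = os.path.getsize(p)
                digest = sha256_of(p)
            except OSError:
                continue  # locked or vanished file; keep sweeping
            if digest in known:
                hits.append((p, known[digest]))
            if DOUBLE_EXT.search(name):
                dext.append(p)
            if name.lower().endswith(".exe") and SIZE_BAND[0] <= size <= SIZE_BAND[1]:
                sized.append(p)
    return {"hash_hits": sorted(hits), "double_ext": sorted(dext), "size_suspects": sorted(sized)}


if __name__ == "__main__":
    import sys
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for category, items in result.items():
        for item in items:
            print(category, item)
```

Point it at C:\Windows\SysWOW64 and the Office root first, since those are the directories the report shows the copies landing in; anything in double_ext or size_suspects without a hash hit is the case worth pulling for manual inspection, because it is exactly what a re-packed build of the same sample would look like.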