Overview

overview

10

Static

static

8

0be0404496...39.exe

windows7-x64

10

0be0404496...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2022, 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe

  • Size

    255KB

  • MD5

    0a4c8c0364ca55889b01f2e5f96640a9

  • SHA1

    0f4378d08797b2151a8e6710bfdc7898689f3237

  • SHA256

    0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139

  • SHA512

    92623092213d9afdd3635c5d44af50f14b54d3a37280daf47f743224570e33ef3069aef8afef919cd48e61dc9efeb5b33ff1944a6ebeca9b493114ef5cfeb0ef

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI9

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
    "C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\uskewmevme.exe
      uskewmevme.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\krwodezn.exe
        C:\Windows\system32\krwodezn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:564
    • C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe
      vofyhfvqipsrbcu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1416
    • C:\Windows\SysWOW64\krwodezn.exe
      krwodezn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1732
    • C:\Windows\SysWOW64\pyaedxnpeagyp.exe
      pyaedxnpeagyp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1932
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1764

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      ebc60940d056d839b643f5133b16bd46

      SHA1

      198a88c5f96e9403bdee4a10217d9475af15a32c

      SHA256

      3a8bf0601b39576ca3a721fe0aea0e2f7768c22f85da4fa0db4637df142c9e7c

      SHA512

      da6792b4d03f1b3f53cd665590c7e72a591fb3c663d8d526021ed1c2997763be6cfaa6bbbbb7f8845c60232cfe1ca0c9db89fea2c3b7922a46da5484405f634e

      Download Submit

    • C:\Users\Admin\Music\CompareCheckpoint.doc.exe
      Filesize

      255KB

      MD5

      5a1cf40a213bb760060841f17d4d7178

      SHA1

      6924008400eb98febd6163f94c61563d2b5158b1

      SHA256

      9477174ea173802e0919ef3d31c21e3f2506c1f7bef6d1ca0884c2cc9fe97f69

      SHA512

      a3ac9ac1d366be89ea25220f71812d2995b89e48daf8e9f03ea20a2adc0c4c5365b331fcaaac751944ee4854bdfa109d227551cfa90af89f4093742420600e2d

      Download Submit

    • C:\Windows\SysWOW64\krwodezn.exe
      Filesize

      255KB

      MD5

      18d070d4158a7e9cbcea6e11ffc4106b

      SHA1

      82ffbd4ccd1d3d0d2a1d213a5a9001b2faf768f4

      SHA256

      0bd44fc14573dad1fa434bbebe30a467007e0d504cc55bc88e44ef49f4b9817c

      SHA512

      a075d4fc43fc8c3f3f5d1c3d80c0a19e455486b10258cf7ab4ed1e4889479cf63b6d6651864cd187563fcb23dabcf0613ba49701a1759d131d98b14bdb0f60dc

      Download Submit

    • C:\Windows\SysWOW64\krwodezn.exe
      Filesize

      255KB

      MD5

      18d070d4158a7e9cbcea6e11ffc4106b

      SHA1

      82ffbd4ccd1d3d0d2a1d213a5a9001b2faf768f4

      SHA256

      0bd44fc14573dad1fa434bbebe30a467007e0d504cc55bc88e44ef49f4b9817c

      SHA512

      a075d4fc43fc8c3f3f5d1c3d80c0a19e455486b10258cf7ab4ed1e4889479cf63b6d6651864cd187563fcb23dabcf0613ba49701a1759d131d98b14bdb0f60dc

      Download Submit

    • C:\Windows\SysWOW64\krwodezn.exe
      Filesize

      255KB

      MD5

      18d070d4158a7e9cbcea6e11ffc4106b

      SHA1

      82ffbd4ccd1d3d0d2a1d213a5a9001b2faf768f4

      SHA256

      0bd44fc14573dad1fa434bbebe30a467007e0d504cc55bc88e44ef49f4b9817c

      SHA512

      a075d4fc43fc8c3f3f5d1c3d80c0a19e455486b10258cf7ab4ed1e4889479cf63b6d6651864cd187563fcb23dabcf0613ba49701a1759d131d98b14bdb0f60dc

      Download Submit

    • C:\Windows\SysWOW64\pyaedxnpeagyp.exe
      Filesize

      255KB

      MD5

      72a50e09ec4e05a243ba63af8c09b416

      SHA1

      21129d54df96a3bcdb78e6bc7d6306f2fc4119f6

      SHA256

      ec022fd89cc15b5d39530bdfff6af4ef49e2f29fb1c488fe605a5fe6a2f56ff0

      SHA512

      50472edda70cc301e5715275e5e55477f5187966a146879af6f35fb6189afcf4aa561957f9592264cbc6ac035baa2a1c30bbd8845babb964cc425da8974ca088

      Download Submit

    • C:\Windows\SysWOW64\pyaedxnpeagyp.exe
      Filesize

      255KB

      MD5

      72a50e09ec4e05a243ba63af8c09b416

      SHA1

      21129d54df96a3bcdb78e6bc7d6306f2fc4119f6

      SHA256

      ec022fd89cc15b5d39530bdfff6af4ef49e2f29fb1c488fe605a5fe6a2f56ff0

      SHA512

      50472edda70cc301e5715275e5e55477f5187966a146879af6f35fb6189afcf4aa561957f9592264cbc6ac035baa2a1c30bbd8845babb964cc425da8974ca088

      Download Submit

    • C:\Windows\SysWOW64\uskewmevme.exe
      Filesize

      255KB

      MD5

      37a882c6d807a1cb9aa57c30e2575808

      SHA1

      c2f91bfac22aac320149d3f13c76af61cfb67375

      SHA256

      29aa99ac5d404e0f7d341fb04b279bfc58d21fc01fd6f01a4edccf52dd2b0b4a

      SHA512

      26dfded0ef0e6ed0817db35f1d290b00b20dbfaef6cb81956a64f4d3aa728e4b12ceedf392e66185d3386578cb0b6f811613f1f94fc405175e6b69af098f70fd

      Download Submit

    • C:\Windows\SysWOW64\uskewmevme.exe
      Filesize

      255KB

      MD5

      37a882c6d807a1cb9aa57c30e2575808

      SHA1

      c2f91bfac22aac320149d3f13c76af61cfb67375

      SHA256

      29aa99ac5d404e0f7d341fb04b279bfc58d21fc01fd6f01a4edccf52dd2b0b4a

      SHA512

      26dfded0ef0e6ed0817db35f1d290b00b20dbfaef6cb81956a64f4d3aa728e4b12ceedf392e66185d3386578cb0b6f811613f1f94fc405175e6b69af098f70fd

      Download Submit

    • C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe
      Filesize

      255KB

      MD5

      93cadb560ec1a75e812587dd478b88de

      SHA1

      2036e51eeb0f7784b3d6cfe47d45ccbbdb9f6815

      SHA256

      c93de1487e485379ab682b9d56f619bbd0f3a84ab471e979bba651aed40a0bd9

      SHA512

      ef1ecda527e92f8a729ce3490626522580e48cf2cf22d21c3bba43933472d8f49b3bc1c68056d8586309423d237de05ef25bdde1f9845bb6c14b45f25bc9cd9f

      Download Submit

    • C:\Windows\SysWOW64\vofyhfvqipsrbcu.exe
      Filesize

      255KB

      MD5

      93cadb560ec1a75e812587dd478b88de

      SHA1

      2036e51eeb0f7784b3d6cfe47d45ccbbdb9f6815

      SHA256

      c93de1487e485379ab682b9d56f619bbd0f3a84ab471e979bba651aed40a0bd9

      SHA512

      ef1ecda527e92f8a729ce3490626522580e48cf2cf22d21c3bba43933472d8f49b3bc1c68056d8586309423d237de05ef25bdde1f9845bb6c14b45f25bc9cd9f

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Users\Admin\Music\CompareCheckpoint.doc.exe
      Filesize

      255KB

      MD5

      5a1cf40a213bb760060841f17d4d7178

      SHA1

      6924008400eb98febd6163f94c61563d2b5158b1

      SHA256

      9477174ea173802e0919ef3d31c21e3f2506c1f7bef6d1ca0884c2cc9fe97f69

      SHA512

      a3ac9ac1d366be89ea25220f71812d2995b89e48daf8e9f03ea20a2adc0c4c5365b331fcaaac751944ee4854bdfa109d227551cfa90af89f4093742420600e2d

      Download Submit

    • \Windows\SysWOW64\krwodezn.exe
      Filesize

      255KB

      MD5

      18d070d4158a7e9cbcea6e11ffc4106b

      SHA1

      82ffbd4ccd1d3d0d2a1d213a5a9001b2faf768f4

      SHA256

      0bd44fc14573dad1fa434bbebe30a467007e0d504cc55bc88e44ef49f4b9817c

      SHA512

      a075d4fc43fc8c3f3f5d1c3d80c0a19e455486b10258cf7ab4ed1e4889479cf63b6d6651864cd187563fcb23dabcf0613ba49701a1759d131d98b14bdb0f60dc

      Download Submit

    • \Windows\SysWOW64\krwodezn.exe
      Filesize

      255KB

      MD5

      18d070d4158a7e9cbcea6e11ffc4106b

      SHA1

      82ffbd4ccd1d3d0d2a1d213a5a9001b2faf768f4

      SHA256

      0bd44fc14573dad1fa434bbebe30a467007e0d504cc55bc88e44ef49f4b9817c

      SHA512

      a075d4fc43fc8c3f3f5d1c3d80c0a19e455486b10258cf7ab4ed1e4889479cf63b6d6651864cd187563fcb23dabcf0613ba49701a1759d131d98b14bdb0f60dc

      Download Submit

    • \Windows\SysWOW64\pyaedxnpeagyp.exe
      Filesize

      255KB

      MD5

      72a50e09ec4e05a243ba63af8c09b416

      SHA1

      21129d54df96a3bcdb78e6bc7d6306f2fc4119f6

      SHA256

      ec022fd89cc15b5d39530bdfff6af4ef49e2f29fb1c488fe605a5fe6a2f56ff0

      SHA512

      50472edda70cc301e5715275e5e55477f5187966a146879af6f35fb6189afcf4aa561957f9592264cbc6ac035baa2a1c30bbd8845babb964cc425da8974ca088

      Download Submit

    • \Windows\SysWOW64\uskewmevme.exe
      Filesize

      255KB

      MD5

      37a882c6d807a1cb9aa57c30e2575808

      SHA1

      c2f91bfac22aac320149d3f13c76af61cfb67375

      SHA256

      29aa99ac5d404e0f7d341fb04b279bfc58d21fc01fd6f01a4edccf52dd2b0b4a

      SHA512

      26dfded0ef0e6ed0817db35f1d290b00b20dbfaef6cb81956a64f4d3aa728e4b12ceedf392e66185d3386578cb0b6f811613f1f94fc405175e6b69af098f70fd

      Download Submit

    • \Windows\SysWOW64\vofyhfvqipsrbcu.exe
      Filesize

      255KB

      MD5

      93cadb560ec1a75e812587dd478b88de

      SHA1

      2036e51eeb0f7784b3d6cfe47d45ccbbdb9f6815

      SHA256

      c93de1487e485379ab682b9d56f619bbd0f3a84ab471e979bba651aed40a0bd9

      SHA512

      ef1ecda527e92f8a729ce3490626522580e48cf2cf22d21c3bba43933472d8f49b3bc1c68056d8586309423d237de05ef25bdde1f9845bb6c14b45f25bc9cd9f

      Download Submit

    • memory/564-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/564-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/868-106-0x0000000070AED000-0x0000000070AF8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/868-91-0x000000006FB01000-0x000000006FB03000-memory.dmp

      Filesize

      8KB

      Download

    • memory/868-90-0x0000000072081000-0x0000000072084000-memory.dmp

      Filesize

      12KB

      Download

    • memory/868-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/868-101-0x0000000070AED000-0x0000000070AF8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/868-95-0x0000000070AED000-0x0000000070AF8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/916-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/916-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/916-82-0x0000000002300000-0x00000000023A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/916-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/916-80-0x0000000002300000-0x00000000023A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1416-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1416-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1544-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1544-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1544-86-0x0000000003C70000-0x0000000003D10000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1732-98-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1732-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1764-103-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1932-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1932-99-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download