Overview

overview

10

Static

static

8

9790c3a24a...93.exe

windows7-x64

10

9790c3a24a...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe

  • Size

    255KB

  • MD5

    58a946d1880ea8da4f20ed522434cf53

  • SHA1

    91ae70936bf7d0c42e81779de7ec8e9ac37944ca

  • SHA256

    9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93

  • SHA512

    064b7ba2ccba3dc207d4644bc4476d01d68e58343abe480d2393112a6064e4355ad757fb6606c41926f41e080d2ca34fcc4eb0ba7012490f14b28c758216d76a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe
    "C:\Users\Admin\AppData\Local\Temp\9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\wzsoruaghu.exe
      wzsoruaghu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\SysWOW64\vagfgmcz.exe
        C:\Windows\system32\vagfgmcz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1536
    • C:\Windows\SysWOW64\btbtzqmmtyvnfpb.exe
      btbtzqmmtyvnfpb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c bydcpzvzgchnw.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2020
        • C:\Windows\SysWOW64\bydcpzvzgchnw.exe
          bydcpzvzgchnw.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1884
    • C:\Windows\SysWOW64\vagfgmcz.exe
      vagfgmcz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1788
    • C:\Windows\SysWOW64\bydcpzvzgchnw.exe
      bydcpzvzgchnw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:616
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1664

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      5de8e702c9cdfad422ff871b226d984d

      SHA1

      a2c277bc3c72dd4d50b4bdabf588e514e92dab7f

      SHA256

      ad6e19c591ceba8c6e1cf837e741419b21ae881f065cf5d898828506ce1403a0

      SHA512

      de64819320a63419dfcc35487470ffd5e5739ca51efd38e698eebe3b001a7048ddaca614602340ef40a4552edc31c637ee81ef9a9c57c00310381c141ad1c950

      Download Submit

    • C:\Windows\SysWOW64\btbtzqmmtyvnfpb.exe
      Filesize

      255KB

      MD5

      7e48da92fb0f49a5527d3eda10499f6b

      SHA1

      007e5ac8b3c94af1b94a717e0fcaf8e0a89d2980

      SHA256

      499d7e6e5946f93427cd1c4ac3fa7f06b001b949909dba1e4d66c9a0f4b7c41c

      SHA512

      091b74af8b447d7124d0541f33d8d3ce0b743b1def7d2a6997ab2ac747ba1918e1f52c008d9727cf7959cc987b92734feac747c26a292843f475889ae5720c42

      Download Submit

    • C:\Windows\SysWOW64\btbtzqmmtyvnfpb.exe
      Filesize

      255KB

      MD5

      7e48da92fb0f49a5527d3eda10499f6b

      SHA1

      007e5ac8b3c94af1b94a717e0fcaf8e0a89d2980

      SHA256

      499d7e6e5946f93427cd1c4ac3fa7f06b001b949909dba1e4d66c9a0f4b7c41c

      SHA512

      091b74af8b447d7124d0541f33d8d3ce0b743b1def7d2a6997ab2ac747ba1918e1f52c008d9727cf7959cc987b92734feac747c26a292843f475889ae5720c42

      Download Submit

    • C:\Windows\SysWOW64\bydcpzvzgchnw.exe
      Filesize

      255KB

      MD5

      b4ee6ecfcf17f630faea5a8c7ef56684

      SHA1

      9aa0433a92e4ab0bffc9b267eef016076f5d4d2c

      SHA256

      df56ae44c94f9747062988a69dc8bdb8cc781ffa6a388dc3f80c585d85de7eb1

      SHA512

      9f74e8159d5dfe5fdb41bd4b9b8dd8c92bb9a7ae31334ca3cabd25b8d43156ba35759cf48a233b2a5b356bda5bf82d7878b49e7b76d70ca2c06e6246b9f00a76

      Download Submit

    • C:\Windows\SysWOW64\bydcpzvzgchnw.exe
      Filesize

      255KB

      MD5

      b4ee6ecfcf17f630faea5a8c7ef56684

      SHA1

      9aa0433a92e4ab0bffc9b267eef016076f5d4d2c

      SHA256

      df56ae44c94f9747062988a69dc8bdb8cc781ffa6a388dc3f80c585d85de7eb1

      SHA512

      9f74e8159d5dfe5fdb41bd4b9b8dd8c92bb9a7ae31334ca3cabd25b8d43156ba35759cf48a233b2a5b356bda5bf82d7878b49e7b76d70ca2c06e6246b9f00a76

      Download Submit

    • C:\Windows\SysWOW64\bydcpzvzgchnw.exe
      Filesize

      255KB

      MD5

      b4ee6ecfcf17f630faea5a8c7ef56684

      SHA1

      9aa0433a92e4ab0bffc9b267eef016076f5d4d2c

      SHA256

      df56ae44c94f9747062988a69dc8bdb8cc781ffa6a388dc3f80c585d85de7eb1

      SHA512

      9f74e8159d5dfe5fdb41bd4b9b8dd8c92bb9a7ae31334ca3cabd25b8d43156ba35759cf48a233b2a5b356bda5bf82d7878b49e7b76d70ca2c06e6246b9f00a76

      Download Submit

    • C:\Windows\SysWOW64\vagfgmcz.exe
      Filesize

      255KB

      MD5

      451981e7244753d4cf1069aef9117a85

      SHA1

      7355fada7625aecdd096c6addc1fee6ca0ca3cc0

      SHA256

      2507419a0329bb3479fae0d0f4d4fadcbf73e45e17d3df5839bb97c206ef874f

      SHA512

      c525f380a8109cf9e1606c44f7644cb40c0dcad19e12816f26791509785283d00dc790f40d796bdabaa6007c1ca630bd4229355e409f483f67482b2b51c34292

      Download Submit

    • C:\Windows\SysWOW64\vagfgmcz.exe
      Filesize

      255KB

      MD5

      451981e7244753d4cf1069aef9117a85

      SHA1

      7355fada7625aecdd096c6addc1fee6ca0ca3cc0

      SHA256

      2507419a0329bb3479fae0d0f4d4fadcbf73e45e17d3df5839bb97c206ef874f

      SHA512

      c525f380a8109cf9e1606c44f7644cb40c0dcad19e12816f26791509785283d00dc790f40d796bdabaa6007c1ca630bd4229355e409f483f67482b2b51c34292

      Download Submit

    • C:\Windows\SysWOW64\vagfgmcz.exe
      Filesize

      255KB

      MD5

      451981e7244753d4cf1069aef9117a85

      SHA1

      7355fada7625aecdd096c6addc1fee6ca0ca3cc0

      SHA256

      2507419a0329bb3479fae0d0f4d4fadcbf73e45e17d3df5839bb97c206ef874f

      SHA512

      c525f380a8109cf9e1606c44f7644cb40c0dcad19e12816f26791509785283d00dc790f40d796bdabaa6007c1ca630bd4229355e409f483f67482b2b51c34292

      Download Submit

    • C:\Windows\SysWOW64\wzsoruaghu.exe
      Filesize

      255KB

      MD5

      7eade36109873f2742247dc7279681c8

      SHA1

      3931c354dc24029d77ae674e0960cf8193a9eefe

      SHA256

      e04e048ca59d6c6c2b9c9815953787c84103480b7de920eb3bacc4873825c1ca

      SHA512

      b262a499186e9668705ff4d183281b7cc925060e8b7ee55529257b8ba600e46e993e458d20aff1aa8d1e7e20db7c2ffc56a1c017cc706e3ea934d86d7b014ae7

      Download Submit

    • C:\Windows\SysWOW64\wzsoruaghu.exe
      Filesize

      255KB

      MD5

      7eade36109873f2742247dc7279681c8

      SHA1

      3931c354dc24029d77ae674e0960cf8193a9eefe

      SHA256

      e04e048ca59d6c6c2b9c9815953787c84103480b7de920eb3bacc4873825c1ca

      SHA512

      b262a499186e9668705ff4d183281b7cc925060e8b7ee55529257b8ba600e46e993e458d20aff1aa8d1e7e20db7c2ffc56a1c017cc706e3ea934d86d7b014ae7

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      d780d53adc293a28e406e3ddd0424175

      SHA1

      69730aaf6ff72654504192693c45a5246b3609e4

      SHA256

      1d546fe555f747ed4ce7f81028dfcf862baf2e25d0ab72e9605fdd590fd87762

      SHA512

      1784c975aa18cdad330e0e059c8a1ee95b0c0d7d24515fd232abbd326b0af312f102908148a68258b8c8415ca6a5339f2a2127bd1c449aa4b1271ce99f883946

      Download Submit

    • \Windows\SysWOW64\btbtzqmmtyvnfpb.exe
      Filesize

      255KB

      MD5

      7e48da92fb0f49a5527d3eda10499f6b

      SHA1

      007e5ac8b3c94af1b94a717e0fcaf8e0a89d2980

      SHA256

      499d7e6e5946f93427cd1c4ac3fa7f06b001b949909dba1e4d66c9a0f4b7c41c

      SHA512

      091b74af8b447d7124d0541f33d8d3ce0b743b1def7d2a6997ab2ac747ba1918e1f52c008d9727cf7959cc987b92734feac747c26a292843f475889ae5720c42

      Download Submit

    • \Windows\SysWOW64\bydcpzvzgchnw.exe
      Filesize

      255KB

      MD5

      b4ee6ecfcf17f630faea5a8c7ef56684

      SHA1

      9aa0433a92e4ab0bffc9b267eef016076f5d4d2c

      SHA256

      df56ae44c94f9747062988a69dc8bdb8cc781ffa6a388dc3f80c585d85de7eb1

      SHA512

      9f74e8159d5dfe5fdb41bd4b9b8dd8c92bb9a7ae31334ca3cabd25b8d43156ba35759cf48a233b2a5b356bda5bf82d7878b49e7b76d70ca2c06e6246b9f00a76

      Download Submit

    • \Windows\SysWOW64\bydcpzvzgchnw.exe
      Filesize

      255KB

      MD5

      b4ee6ecfcf17f630faea5a8c7ef56684

      SHA1

      9aa0433a92e4ab0bffc9b267eef016076f5d4d2c

      SHA256

      df56ae44c94f9747062988a69dc8bdb8cc781ffa6a388dc3f80c585d85de7eb1

      SHA512

      9f74e8159d5dfe5fdb41bd4b9b8dd8c92bb9a7ae31334ca3cabd25b8d43156ba35759cf48a233b2a5b356bda5bf82d7878b49e7b76d70ca2c06e6246b9f00a76

      Download Submit

    • \Windows\SysWOW64\vagfgmcz.exe
      Filesize

      255KB

      MD5

      451981e7244753d4cf1069aef9117a85

      SHA1

      7355fada7625aecdd096c6addc1fee6ca0ca3cc0

      SHA256

      2507419a0329bb3479fae0d0f4d4fadcbf73e45e17d3df5839bb97c206ef874f

      SHA512

      c525f380a8109cf9e1606c44f7644cb40c0dcad19e12816f26791509785283d00dc790f40d796bdabaa6007c1ca630bd4229355e409f483f67482b2b51c34292

      Download Submit

    • \Windows\SysWOW64\vagfgmcz.exe
      Filesize

      255KB

      MD5

      451981e7244753d4cf1069aef9117a85

      SHA1

      7355fada7625aecdd096c6addc1fee6ca0ca3cc0

      SHA256

      2507419a0329bb3479fae0d0f4d4fadcbf73e45e17d3df5839bb97c206ef874f

      SHA512

      c525f380a8109cf9e1606c44f7644cb40c0dcad19e12816f26791509785283d00dc790f40d796bdabaa6007c1ca630bd4229355e409f483f67482b2b51c34292

      Download Submit

    • \Windows\SysWOW64\wzsoruaghu.exe
      Filesize

      255KB

      MD5

      7eade36109873f2742247dc7279681c8

      SHA1

      3931c354dc24029d77ae674e0960cf8193a9eefe

      SHA256

      e04e048ca59d6c6c2b9c9815953787c84103480b7de920eb3bacc4873825c1ca

      SHA512

      b262a499186e9668705ff4d183281b7cc925060e8b7ee55529257b8ba600e46e993e458d20aff1aa8d1e7e20db7c2ffc56a1c017cc706e3ea934d86d7b014ae7

      Download Submit

    • memory/616-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/616-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/624-99-0x0000000070EDD000-0x0000000070EE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/624-108-0x0000000070EDD000-0x0000000070EE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/624-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/624-97-0x000000006FEF1000-0x000000006FEF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/624-96-0x0000000072471000-0x0000000072474000-memory.dmp

      Filesize

      12KB

      Download

    • memory/624-114-0x0000000070EDD000-0x0000000070EE8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/624-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1160-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1160-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1160-82-0x0000000002E90000-0x0000000002F30000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1160-85-0x0000000002E90000-0x0000000002F30000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1160-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1160-57-0x0000000002E90000-0x0000000002F30000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1416-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1416-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1536-106-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1536-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1664-110-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1788-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1788-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1872-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1872-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1884-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1884-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download