Overview

overview

10

Static

static

8

34836f283a...86.exe

windows7-x64

10

34836f283a...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 10:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    34836f283ac0089a943a9e228dee9a2a6b8d5a8680f4ff50e537e657dc1bfc86.exe

  • Size

    255KB

  • MD5

    b48741aef73833b877e5ce9002f7eb68

  • SHA1

    569ae012ab188533994acae8a1dde603006291a3

  • SHA256

    34836f283ac0089a943a9e228dee9a2a6b8d5a8680f4ff50e537e657dc1bfc86

  • SHA512

    131a5faa2cd73b353ec9ec937adf58deb1b28cac8b1f51e78243e140ebf8702807ef7bea76679c829aef2519eed678efa43877640a69c4bfafed989d8c00bafd

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ/:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIi

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34836f283ac0089a943a9e228dee9a2a6b8d5a8680f4ff50e537e657dc1bfc86.exe
    "C:\Users\Admin\AppData\Local\Temp\34836f283ac0089a943a9e228dee9a2a6b8d5a8680f4ff50e537e657dc1bfc86.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\SysWOW64\tfzljwkxev.exe
      tfzljwkxev.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\peovvllk.exe
        C:\Windows\system32\peovvllk.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:884
    • C:\Windows\SysWOW64\zuljwcnviccasic.exe
      zuljwcnviccasic.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1304
    • C:\Windows\SysWOW64\peovvllk.exe
      peovvllk.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:672
    • C:\Windows\SysWOW64\kqlvqeemizwbb.exe
      kqlvqeemizwbb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:364
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:596
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:928
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4a8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1540

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
          Filesize

          255KB

          MD5

          61ce9ecf26c4fc622d89f8bb7dafa9fd

          SHA1

          53b9c510b66fe5243fc79f1da98ef20fc93d4596

          SHA256

          2381e52f9125deaa86c789b8849f6e903b3d56e0fc1c39b4f9b9cc0282bbea39

          SHA512

          9c7a47e42a5009df282fb7668e050754b7ad39d8fb284400d9458a2083e5ca8baa1ff8e2648721a886f345473494fd5b2f8e1f9b3ab3742b370dab447ee242d8

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
          Filesize

          255KB

          MD5

          c2fb2b8d03ee64a159d77bc52f094a0c

          SHA1

          65ca43b7437972b053e85ff5d5eb0728b0617dcb

          SHA256

          b42caecc0a62331c3c3bd24452efb5e5ed56449dbbfe59a6db9692bedcf4d9b4

          SHA512

          ff94452299407fa8d110547231dd6a9e1b98f9b4c546f09a76b717a749546c272da1edd1d619c51cc95e5457833c51844d6c91de62be61b3a4b85e92f15796c5

          Download Submit

        • C:\Users\Admin\Documents\FormatImport.doc.exe
          Filesize

          255KB

          MD5

          a3b427b75357f34bed6b3476db39ddd0

          SHA1

          b54f489807c44b5e873cf9b02ec0667a74613112

          SHA256

          af4796ec1adb32470de44bd2bf3909cf543aac17bf2455af162e3dea6369178d

          SHA512

          cf6f95304b706f7102df5aa4245be139f6d44d51a5b152676fb6aaed4179167be9bd6226ac18d95222b3007c0a041184a1d24890663fc108bc0aefdea994e097

          Download Submit

        • C:\Windows\SysWOW64\kqlvqeemizwbb.exe
          Filesize

          255KB

          MD5

          10b1243715033087683795a6c7571c31

          SHA1

          68bbb3bfcce119ad5feb49d0db7ee82856fb828d

          SHA256

          2beb228351f9e30ffa7e741b13f29edb579d137cfb2972fa5f709a80177533a5

          SHA512

          ca0af6822a23a608693a014e32461b7058f78fbd976bf1ac00badea84dfefaa613c19cf0fbfccbb2c028e10e85c55522cf4dbdd2824705cd3e8348eddfdebcea

          Download Submit

        • C:\Windows\SysWOW64\kqlvqeemizwbb.exe
          Filesize

          255KB

          MD5

          10b1243715033087683795a6c7571c31

          SHA1

          68bbb3bfcce119ad5feb49d0db7ee82856fb828d

          SHA256

          2beb228351f9e30ffa7e741b13f29edb579d137cfb2972fa5f709a80177533a5

          SHA512

          ca0af6822a23a608693a014e32461b7058f78fbd976bf1ac00badea84dfefaa613c19cf0fbfccbb2c028e10e85c55522cf4dbdd2824705cd3e8348eddfdebcea

          Download Submit

        • C:\Windows\SysWOW64\peovvllk.exe
          Filesize

          255KB

          MD5

          3951b8cea0f989e8b361761f5b9fba1b

          SHA1

          17d8f006c97eb9766d16c5beeeb8276063b53694

          SHA256

          7de8655631c8e8734d4ad56774fd73bdec55297275d628703233d82e76d3e3a0

          SHA512

          dca5b9db1e8f8768f6512f226468d6e3bbc0eb7aceeaf9753a92c55e9798dca82984ee90d6688f681b35cf17d9e87a695c9ce4d3e625c9f9a2d554a32f5cdd6b

          Download Submit

        • C:\Windows\SysWOW64\peovvllk.exe
          Filesize

          255KB

          MD5

          3951b8cea0f989e8b361761f5b9fba1b

          SHA1

          17d8f006c97eb9766d16c5beeeb8276063b53694

          SHA256

          7de8655631c8e8734d4ad56774fd73bdec55297275d628703233d82e76d3e3a0

          SHA512

          dca5b9db1e8f8768f6512f226468d6e3bbc0eb7aceeaf9753a92c55e9798dca82984ee90d6688f681b35cf17d9e87a695c9ce4d3e625c9f9a2d554a32f5cdd6b

          Download Submit

        • C:\Windows\SysWOW64\peovvllk.exe
          Filesize

          255KB

          MD5

          3951b8cea0f989e8b361761f5b9fba1b

          SHA1

          17d8f006c97eb9766d16c5beeeb8276063b53694

          SHA256

          7de8655631c8e8734d4ad56774fd73bdec55297275d628703233d82e76d3e3a0

          SHA512

          dca5b9db1e8f8768f6512f226468d6e3bbc0eb7aceeaf9753a92c55e9798dca82984ee90d6688f681b35cf17d9e87a695c9ce4d3e625c9f9a2d554a32f5cdd6b

          Download Submit

        • C:\Windows\SysWOW64\tfzljwkxev.exe
          Filesize

          255KB

          MD5

          d4acc7c9d94b9093a58a882a95f9cdb5

          SHA1

          6d2b6e1c06aa75b7b5bfc46ced437187492e2940

          SHA256

          0a5181c4b0206b242330539f49aa24a59b6e4fa08fe82366115052a5f2bd389b

          SHA512

          b7647c8d9210cc0a07bac15a775be956cb0e0e680affcb1d23e2aed48874619ed3afdc2c1e7c82da5703e39e31099cb114139695a68e440dea2621a17467d1c4

          Download Submit

        • C:\Windows\SysWOW64\tfzljwkxev.exe
          Filesize

          255KB

          MD5

          d4acc7c9d94b9093a58a882a95f9cdb5

          SHA1

          6d2b6e1c06aa75b7b5bfc46ced437187492e2940

          SHA256

          0a5181c4b0206b242330539f49aa24a59b6e4fa08fe82366115052a5f2bd389b

          SHA512

          b7647c8d9210cc0a07bac15a775be956cb0e0e680affcb1d23e2aed48874619ed3afdc2c1e7c82da5703e39e31099cb114139695a68e440dea2621a17467d1c4

          Download Submit

        • C:\Windows\SysWOW64\zuljwcnviccasic.exe
          Filesize

          255KB

          MD5

          3ba7d771df4b9b77b790d590f9f6e178

          SHA1

          932054bf2bc61b07a1e2d029d4e0d5f7035b2a7d

          SHA256

          55ccfd18e08af3f4adf2ba7d0188da0718b0c623c6adeb67090ddabbc02fc79a

          SHA512

          32996ee64b4c492a701c75144977bbe82301a6615fc43439e83a9cdaafaa2cb1ff32a1e9cd01022867160129aeb47ed9ebab6910b4140e95f8892001205d3268

          Download Submit

        • C:\Windows\SysWOW64\zuljwcnviccasic.exe
          Filesize

          255KB

          MD5

          3ba7d771df4b9b77b790d590f9f6e178

          SHA1

          932054bf2bc61b07a1e2d029d4e0d5f7035b2a7d

          SHA256

          55ccfd18e08af3f4adf2ba7d0188da0718b0c623c6adeb67090ddabbc02fc79a

          SHA512

          32996ee64b4c492a701c75144977bbe82301a6615fc43439e83a9cdaafaa2cb1ff32a1e9cd01022867160129aeb47ed9ebab6910b4140e95f8892001205d3268

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • \Windows\SysWOW64\kqlvqeemizwbb.exe
          Filesize

          255KB

          MD5

          10b1243715033087683795a6c7571c31

          SHA1

          68bbb3bfcce119ad5feb49d0db7ee82856fb828d

          SHA256

          2beb228351f9e30ffa7e741b13f29edb579d137cfb2972fa5f709a80177533a5

          SHA512

          ca0af6822a23a608693a014e32461b7058f78fbd976bf1ac00badea84dfefaa613c19cf0fbfccbb2c028e10e85c55522cf4dbdd2824705cd3e8348eddfdebcea

          Download Submit

        • \Windows\SysWOW64\peovvllk.exe
          Filesize

          255KB

          MD5

          3951b8cea0f989e8b361761f5b9fba1b

          SHA1

          17d8f006c97eb9766d16c5beeeb8276063b53694

          SHA256

          7de8655631c8e8734d4ad56774fd73bdec55297275d628703233d82e76d3e3a0

          SHA512

          dca5b9db1e8f8768f6512f226468d6e3bbc0eb7aceeaf9753a92c55e9798dca82984ee90d6688f681b35cf17d9e87a695c9ce4d3e625c9f9a2d554a32f5cdd6b

          Download Submit

        • \Windows\SysWOW64\peovvllk.exe
          Filesize

          255KB

          MD5

          3951b8cea0f989e8b361761f5b9fba1b

          SHA1

          17d8f006c97eb9766d16c5beeeb8276063b53694

          SHA256

          7de8655631c8e8734d4ad56774fd73bdec55297275d628703233d82e76d3e3a0

          SHA512

          dca5b9db1e8f8768f6512f226468d6e3bbc0eb7aceeaf9753a92c55e9798dca82984ee90d6688f681b35cf17d9e87a695c9ce4d3e625c9f9a2d554a32f5cdd6b

          Download Submit

        • \Windows\SysWOW64\tfzljwkxev.exe
          Filesize

          255KB

          MD5

          d4acc7c9d94b9093a58a882a95f9cdb5

          SHA1

          6d2b6e1c06aa75b7b5bfc46ced437187492e2940

          SHA256

          0a5181c4b0206b242330539f49aa24a59b6e4fa08fe82366115052a5f2bd389b

          SHA512

          b7647c8d9210cc0a07bac15a775be956cb0e0e680affcb1d23e2aed48874619ed3afdc2c1e7c82da5703e39e31099cb114139695a68e440dea2621a17467d1c4

          Download Submit

        • \Windows\SysWOW64\zuljwcnviccasic.exe
          Filesize

          255KB

          MD5

          3ba7d771df4b9b77b790d590f9f6e178

          SHA1

          932054bf2bc61b07a1e2d029d4e0d5f7035b2a7d

          SHA256

          55ccfd18e08af3f4adf2ba7d0188da0718b0c623c6adeb67090ddabbc02fc79a

          SHA512

          32996ee64b4c492a701c75144977bbe82301a6615fc43439e83a9cdaafaa2cb1ff32a1e9cd01022867160129aeb47ed9ebab6910b4140e95f8892001205d3268

          Download Submit

        • memory/364-102-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/364-85-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/596-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/596-105-0x000000007118D000-0x0000000071198000-memory.dmp

          Filesize

          44KB

          Download

        • memory/596-89-0x0000000072721000-0x0000000072724000-memory.dmp

          Filesize

          12KB

          Download

        • memory/596-90-0x00000000701A1000-0x00000000701A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/596-92-0x000000007118D000-0x0000000071198000-memory.dmp

          Filesize

          44KB

          Download

        • memory/672-107-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/672-101-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/672-84-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/884-86-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/884-106-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/884-104-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/928-108-0x0000000002480000-0x0000000002490000-memory.dmp

          Filesize

          64KB

          Download

        • memory/928-95-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1304-82-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1304-100-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1328-88-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1328-83-0x0000000002F50000-0x0000000002FF0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1328-80-0x0000000002F50000-0x0000000002FF0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1328-79-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1328-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1560-99-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1560-103-0x0000000003CB0000-0x0000000003D50000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1560-81-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download