Overview

overview

10

Static

static

8

1470edd33a...6e.exe

windows7-x64

10

1470edd33a...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1470edd33a76b937781b6bf4911b29309d20205b7aa91e424fdc7725a80fb66e.exe

  • Size

    255KB

  • MD5

    cb84e85ff46441d7599261aeca8faf72

  • SHA1

    ad808f191df4623d104fa065b52cbacd93f02eef

  • SHA256

    1470edd33a76b937781b6bf4911b29309d20205b7aa91e424fdc7725a80fb66e

  • SHA512

    75423b78184be9a6e9f4e32ce6d938da40da30e98ca46c99fd4975702bc5081ef9f394c7662a25ac8bdddf7f4d70b1c38f91fcc99f19fad160e9135908ed25ed

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBII

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1470edd33a76b937781b6bf4911b29309d20205b7aa91e424fdc7725a80fb66e.exe
    "C:\Users\Admin\AppData\Local\Temp\1470edd33a76b937781b6bf4911b29309d20205b7aa91e424fdc7725a80fb66e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\lbnrprtgwt.exe
      lbnrprtgwt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\SysWOW64\ssgmkwxf.exe
        C:\Windows\system32\ssgmkwxf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:896
    • C:\Windows\SysWOW64\hmlitfdyvdxauqk.exe
      hmlitfdyvdxauqk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1176
    • C:\Windows\SysWOW64\ssgmkwxf.exe
      ssgmkwxf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1324
    • C:\Windows\SysWOW64\btypskootmdqk.exe
      btypskootmdqk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1116
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1960

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Downloads\DismountImport.doc.exe
      Filesize

      255KB

      MD5

      544ae62fe15a8f09b2b5210f7aa980fb

      SHA1

      55063991ea26b8292974ea0c99eb6c796da2b29c

      SHA256

      ba17d654bc8894ffbd80cb5502c18359538beb313c7536600d6a1fff41a20447

      SHA512

      011b868be7ba941a74dcbaf8a9d2f5ee6af12d66704bb482c5849aad108a041a7ce6bf1c2915c16fc3f545da9c79fdda3fe447757e905d912524e721e0512764

      Download Submit

    • C:\Windows\SysWOW64\btypskootmdqk.exe
      Filesize

      255KB

      MD5

      538ad88bf311d7f650dc3a53bab55692

      SHA1

      79a065437342ae06cb850563534c94c3d3d11237

      SHA256

      94f2f7922adb2af70b2768245877d686c5f1e5ea8c1110aaedfc0967fb72a508

      SHA512

      cc4cfa2167c8c7125a8fc2239223fcf7f73b9e58c6ceb25a011d3a2c740d32a8e350314a5cac5cbb0c7cb7d4173d7e1d9a5503ecfa15163c8663c269d4d7e1e9

      Download Submit

    • C:\Windows\SysWOW64\btypskootmdqk.exe
      Filesize

      255KB

      MD5

      538ad88bf311d7f650dc3a53bab55692

      SHA1

      79a065437342ae06cb850563534c94c3d3d11237

      SHA256

      94f2f7922adb2af70b2768245877d686c5f1e5ea8c1110aaedfc0967fb72a508

      SHA512

      cc4cfa2167c8c7125a8fc2239223fcf7f73b9e58c6ceb25a011d3a2c740d32a8e350314a5cac5cbb0c7cb7d4173d7e1d9a5503ecfa15163c8663c269d4d7e1e9

      Download Submit

    • C:\Windows\SysWOW64\hmlitfdyvdxauqk.exe
      Filesize

      255KB

      MD5

      0624b17658ce3969430aa439f689aeac

      SHA1

      e7c5a58716c0606758f96d83dae158b2057d3697

      SHA256

      4ce34c54b93508e072926f7e8671edee982ca407d3e7fda66d26e3ef5171344a

      SHA512

      fdd8ae709ee3dd88f8287cfc1fcfa1e33f337f5cd97fa79aee016f384c8feeed1c4ed7139a10f2ee1ce2782d531225ee514ae6f4218fd852318b20b6e67a9f30

      Download Submit

    • C:\Windows\SysWOW64\hmlitfdyvdxauqk.exe
      Filesize

      255KB

      MD5

      0624b17658ce3969430aa439f689aeac

      SHA1

      e7c5a58716c0606758f96d83dae158b2057d3697

      SHA256

      4ce34c54b93508e072926f7e8671edee982ca407d3e7fda66d26e3ef5171344a

      SHA512

      fdd8ae709ee3dd88f8287cfc1fcfa1e33f337f5cd97fa79aee016f384c8feeed1c4ed7139a10f2ee1ce2782d531225ee514ae6f4218fd852318b20b6e67a9f30

      Download Submit

    • C:\Windows\SysWOW64\lbnrprtgwt.exe
      Filesize

      255KB

      MD5

      4e6ef0753acea2ae976311a82c88623d

      SHA1

      cf1e67b92375bad55bd7fc93baf7d49a38b66ee1

      SHA256

      4098fa2039a603b40142270541f575d67410ba345d55bb04939f1b8a4578a86e

      SHA512

      079aab80b5f4ea68ae904c3c5dfdf54549e2fdb0500e6a05c7bd5d0c1f671d7c6ebabf2f51d926312341cfd43b494ac5aba923177b543223a38dab1bfc7660bc

      Download Submit

    • C:\Windows\SysWOW64\lbnrprtgwt.exe
      Filesize

      255KB

      MD5

      4e6ef0753acea2ae976311a82c88623d

      SHA1

      cf1e67b92375bad55bd7fc93baf7d49a38b66ee1

      SHA256

      4098fa2039a603b40142270541f575d67410ba345d55bb04939f1b8a4578a86e

      SHA512

      079aab80b5f4ea68ae904c3c5dfdf54549e2fdb0500e6a05c7bd5d0c1f671d7c6ebabf2f51d926312341cfd43b494ac5aba923177b543223a38dab1bfc7660bc

      Download Submit

    • C:\Windows\SysWOW64\ssgmkwxf.exe
      Filesize

      255KB

      MD5

      c8cd339d50654d56235bdec0d8b77afb

      SHA1

      d614d224fa3a61e927a70ba0880ae4aad0aa97de

      SHA256

      5bd1e0dcb2b8288eb3e00c0547c3142e269edf8bf1c916356951ffd07e5eccf0

      SHA512

      b60a422a7511326aad6cc4440cdf76777f19f0d59b24622c5dfd816f9bcaaaecb207bca504b3b2639da0ec2024d1b61f964730e2519bfa45c81dd0959d7fccbe

      Download Submit

    • C:\Windows\SysWOW64\ssgmkwxf.exe
      Filesize

      255KB

      MD5

      c8cd339d50654d56235bdec0d8b77afb

      SHA1

      d614d224fa3a61e927a70ba0880ae4aad0aa97de

      SHA256

      5bd1e0dcb2b8288eb3e00c0547c3142e269edf8bf1c916356951ffd07e5eccf0

      SHA512

      b60a422a7511326aad6cc4440cdf76777f19f0d59b24622c5dfd816f9bcaaaecb207bca504b3b2639da0ec2024d1b61f964730e2519bfa45c81dd0959d7fccbe

      Download Submit

    • C:\Windows\SysWOW64\ssgmkwxf.exe
      Filesize

      255KB

      MD5

      c8cd339d50654d56235bdec0d8b77afb

      SHA1

      d614d224fa3a61e927a70ba0880ae4aad0aa97de

      SHA256

      5bd1e0dcb2b8288eb3e00c0547c3142e269edf8bf1c916356951ffd07e5eccf0

      SHA512

      b60a422a7511326aad6cc4440cdf76777f19f0d59b24622c5dfd816f9bcaaaecb207bca504b3b2639da0ec2024d1b61f964730e2519bfa45c81dd0959d7fccbe

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\btypskootmdqk.exe
      Filesize

      255KB

      MD5

      538ad88bf311d7f650dc3a53bab55692

      SHA1

      79a065437342ae06cb850563534c94c3d3d11237

      SHA256

      94f2f7922adb2af70b2768245877d686c5f1e5ea8c1110aaedfc0967fb72a508

      SHA512

      cc4cfa2167c8c7125a8fc2239223fcf7f73b9e58c6ceb25a011d3a2c740d32a8e350314a5cac5cbb0c7cb7d4173d7e1d9a5503ecfa15163c8663c269d4d7e1e9

      Download Submit

    • \Windows\SysWOW64\hmlitfdyvdxauqk.exe
      Filesize

      255KB

      MD5

      0624b17658ce3969430aa439f689aeac

      SHA1

      e7c5a58716c0606758f96d83dae158b2057d3697

      SHA256

      4ce34c54b93508e072926f7e8671edee982ca407d3e7fda66d26e3ef5171344a

      SHA512

      fdd8ae709ee3dd88f8287cfc1fcfa1e33f337f5cd97fa79aee016f384c8feeed1c4ed7139a10f2ee1ce2782d531225ee514ae6f4218fd852318b20b6e67a9f30

      Download Submit

    • \Windows\SysWOW64\lbnrprtgwt.exe
      Filesize

      255KB

      MD5

      4e6ef0753acea2ae976311a82c88623d

      SHA1

      cf1e67b92375bad55bd7fc93baf7d49a38b66ee1

      SHA256

      4098fa2039a603b40142270541f575d67410ba345d55bb04939f1b8a4578a86e

      SHA512

      079aab80b5f4ea68ae904c3c5dfdf54549e2fdb0500e6a05c7bd5d0c1f671d7c6ebabf2f51d926312341cfd43b494ac5aba923177b543223a38dab1bfc7660bc

      Download Submit

    • \Windows\SysWOW64\ssgmkwxf.exe
      Filesize

      255KB

      MD5

      c8cd339d50654d56235bdec0d8b77afb

      SHA1

      d614d224fa3a61e927a70ba0880ae4aad0aa97de

      SHA256

      5bd1e0dcb2b8288eb3e00c0547c3142e269edf8bf1c916356951ffd07e5eccf0

      SHA512

      b60a422a7511326aad6cc4440cdf76777f19f0d59b24622c5dfd816f9bcaaaecb207bca504b3b2639da0ec2024d1b61f964730e2519bfa45c81dd0959d7fccbe

      Download Submit

    • \Windows\SysWOW64\ssgmkwxf.exe
      Filesize

      255KB

      MD5

      c8cd339d50654d56235bdec0d8b77afb

      SHA1

      d614d224fa3a61e927a70ba0880ae4aad0aa97de

      SHA256

      5bd1e0dcb2b8288eb3e00c0547c3142e269edf8bf1c916356951ffd07e5eccf0

      SHA512

      b60a422a7511326aad6cc4440cdf76777f19f0d59b24622c5dfd816f9bcaaaecb207bca504b3b2639da0ec2024d1b61f964730e2519bfa45c81dd0959d7fccbe

      Download Submit

    • memory/896-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/896-79-0x0000000000000000-mapping.dmp

      Download

    • memory/896-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1000-97-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1000-92-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1000-103-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1000-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1000-83-0x0000000000000000-mapping.dmp

      Download

    • memory/1000-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1000-86-0x0000000072261000-0x0000000072264000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1000-88-0x000000006FCE1000-0x000000006FCE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1116-70-0x0000000000000000-mapping.dmp

      Download

    • memory/1116-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1176-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1176-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1176-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1324-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1324-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1324-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1736-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1736-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1736-73-0x00000000032D0000-0x0000000003370000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1736-72-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1928-76-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1928-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1928-56-0x0000000000000000-mapping.dmp

      Download

    • memory/1960-100-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1960-99-0x0000000000000000-mapping.dmp

      Download