Overview

overview

10

Static

static

8

ef6663a386...06.exe

windows7-x64

10

ef6663a386...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30/10/2022, 00:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ef6663a386947c3a2dfb1b0ec51050ef2b4b6d1e5cde8264e17c92282a159506.exe

  • Size

    255KB

  • MD5

    a33e8a8c3463ad0c7f3962d4f6179880

  • SHA1

    b850af32ab7d09da67c0caef424c718cecf0ad71

  • SHA256

    ef6663a386947c3a2dfb1b0ec51050ef2b4b6d1e5cde8264e17c92282a159506

  • SHA512

    2ea72ecc7a8030f15369807fb15b7aa2f1d6a6377bce01dd126cbc0e5f6863ad2b1bec34d341f051e29caa577c7860dda67028ed71b49f360f6ab65479af5877

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ/:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef6663a386947c3a2dfb1b0ec51050ef2b4b6d1e5cde8264e17c92282a159506.exe
    "C:\Users\Admin\AppData\Local\Temp\ef6663a386947c3a2dfb1b0ec51050ef2b4b6d1e5cde8264e17c92282a159506.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\yzwcthonbf.exe
      yzwcthonbf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Windows\SysWOW64\vqdhvenr.exe
        C:\Windows\system32\vqdhvenr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1720
    • C:\Windows\SysWOW64\yjbdhmsmkfymsyn.exe
      yjbdhmsmkfymsyn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:980
    • C:\Windows\SysWOW64\vqdhvenr.exe
      vqdhvenr.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:764
    • C:\Windows\SysWOW64\hwbtgnqiehmji.exe
      hwbtgnqiehmji.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1736
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1908

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
            Filesize

            255KB

            MD5

            feb6f2a1659ef693cd2b0894f308ad2d

            SHA1

            467062f44f8593cbdec1e86ad9cce2c09a9d57fa

            SHA256

            69c7bfd1c359d7d59113cd7e2558948c63cc2b336d34bd35d50d60ea47e870a5

            SHA512

            c997cec2799f9b84e66383feb54bb3742a2866266073fc5008f05028961f915018fe7beeac447f5d62aaeb4ba7c660ba81a28c47cafa946c3ba95811a4655e8a

            Download Submit

          • C:\Windows\SysWOW64\hwbtgnqiehmji.exe
            Filesize

            255KB

            MD5

            3d16ff62f57e0b448a75700491dc8ef9

            SHA1

            46a6eff7a987ac7bb5ba2bcfd132997f5bcc4a32

            SHA256

            77042a91011599088e1601a5b516a6b2f7882c19360c2bd08899ce64afb3ec65

            SHA512

            eeaee22803060eecee82a316ea962106b05de81f34d8fa465c8cecafb2e734df1cbf6487e6fb485ccce2f7ad637e06aa07dccb9f83baada5d67d62b616d12e13

            Download Submit

          • C:\Windows\SysWOW64\hwbtgnqiehmji.exe
            Filesize

            255KB

            MD5

            3d16ff62f57e0b448a75700491dc8ef9

            SHA1

            46a6eff7a987ac7bb5ba2bcfd132997f5bcc4a32

            SHA256

            77042a91011599088e1601a5b516a6b2f7882c19360c2bd08899ce64afb3ec65

            SHA512

            eeaee22803060eecee82a316ea962106b05de81f34d8fa465c8cecafb2e734df1cbf6487e6fb485ccce2f7ad637e06aa07dccb9f83baada5d67d62b616d12e13

            Download Submit

          • C:\Windows\SysWOW64\vqdhvenr.exe
            Filesize

            255KB

            MD5

            2a85c0c1525d7ab7acac0106dfdedd4d

            SHA1

            2a34a1c7784933bcc4315f86410b76fe8e05767d

            SHA256

            8685e338ac609f55d7e12b843c161187eabf2da05cb733cf4ca87a7b60a0a9a6

            SHA512

            e38e79223daa162dc700c88c3a6a560cf1fee6b439a64ffb8cee7562d0fdee3f281b00762d1a7ff4b9ccb9cb962835c7a69c9cc22a1d791ec4506716dc9f5a58

            Download Submit

          • C:\Windows\SysWOW64\vqdhvenr.exe
            Filesize

            255KB

            MD5

            2a85c0c1525d7ab7acac0106dfdedd4d

            SHA1

            2a34a1c7784933bcc4315f86410b76fe8e05767d

            SHA256

            8685e338ac609f55d7e12b843c161187eabf2da05cb733cf4ca87a7b60a0a9a6

            SHA512

            e38e79223daa162dc700c88c3a6a560cf1fee6b439a64ffb8cee7562d0fdee3f281b00762d1a7ff4b9ccb9cb962835c7a69c9cc22a1d791ec4506716dc9f5a58

            Download Submit

          • C:\Windows\SysWOW64\vqdhvenr.exe
            Filesize

            255KB

            MD5

            2a85c0c1525d7ab7acac0106dfdedd4d

            SHA1

            2a34a1c7784933bcc4315f86410b76fe8e05767d

            SHA256

            8685e338ac609f55d7e12b843c161187eabf2da05cb733cf4ca87a7b60a0a9a6

            SHA512

            e38e79223daa162dc700c88c3a6a560cf1fee6b439a64ffb8cee7562d0fdee3f281b00762d1a7ff4b9ccb9cb962835c7a69c9cc22a1d791ec4506716dc9f5a58

            Download Submit

          • C:\Windows\SysWOW64\yjbdhmsmkfymsyn.exe
            Filesize

            255KB

            MD5

            8e79b8641a4a15e9997e21acb3a3fa4c

            SHA1

            044ec871719abf966c7485aec5ee788e4d845979

            SHA256

            3c91d38e15d52301dd0e50322fdf68516ce220757ee152f61885dcfeb5cd762e

            SHA512

            aab2dc2bd91b926add07daecb422e7c6a722e084662830f59e7f980fa11d497a9793c050897f271fc571c880a14e6888ef69a4865828193e4a340962c444889d

            Download Submit

          • C:\Windows\SysWOW64\yjbdhmsmkfymsyn.exe
            Filesize

            255KB

            MD5

            8e79b8641a4a15e9997e21acb3a3fa4c

            SHA1

            044ec871719abf966c7485aec5ee788e4d845979

            SHA256

            3c91d38e15d52301dd0e50322fdf68516ce220757ee152f61885dcfeb5cd762e

            SHA512

            aab2dc2bd91b926add07daecb422e7c6a722e084662830f59e7f980fa11d497a9793c050897f271fc571c880a14e6888ef69a4865828193e4a340962c444889d

            Download Submit

          • C:\Windows\SysWOW64\yzwcthonbf.exe
            Filesize

            255KB

            MD5

            ba879bc29e04a52f76332440487a57de

            SHA1

            50351d1aebeabd9ac37b2b333b7cf86abc50ef93

            SHA256

            a7ca178a0460b7d33b614df2da2261988b37686de175eed64785eba4503defc1

            SHA512

            229823aa5a210429d69a117c7c2e81e2699012ca571cb42c1acddde42003d298b7c5a81c7850264fde042c359c81e96cb0d40356aa3f69e11f8b5a2aef2cd5f9

            Download Submit

          • C:\Windows\SysWOW64\yzwcthonbf.exe
            Filesize

            255KB

            MD5

            ba879bc29e04a52f76332440487a57de

            SHA1

            50351d1aebeabd9ac37b2b333b7cf86abc50ef93

            SHA256

            a7ca178a0460b7d33b614df2da2261988b37686de175eed64785eba4503defc1

            SHA512

            229823aa5a210429d69a117c7c2e81e2699012ca571cb42c1acddde42003d298b7c5a81c7850264fde042c359c81e96cb0d40356aa3f69e11f8b5a2aef2cd5f9

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\hwbtgnqiehmji.exe
            Filesize

            255KB

            MD5

            3d16ff62f57e0b448a75700491dc8ef9

            SHA1

            46a6eff7a987ac7bb5ba2bcfd132997f5bcc4a32

            SHA256

            77042a91011599088e1601a5b516a6b2f7882c19360c2bd08899ce64afb3ec65

            SHA512

            eeaee22803060eecee82a316ea962106b05de81f34d8fa465c8cecafb2e734df1cbf6487e6fb485ccce2f7ad637e06aa07dccb9f83baada5d67d62b616d12e13

            Download Submit

          • \Windows\SysWOW64\vqdhvenr.exe
            Filesize

            255KB

            MD5

            2a85c0c1525d7ab7acac0106dfdedd4d

            SHA1

            2a34a1c7784933bcc4315f86410b76fe8e05767d

            SHA256

            8685e338ac609f55d7e12b843c161187eabf2da05cb733cf4ca87a7b60a0a9a6

            SHA512

            e38e79223daa162dc700c88c3a6a560cf1fee6b439a64ffb8cee7562d0fdee3f281b00762d1a7ff4b9ccb9cb962835c7a69c9cc22a1d791ec4506716dc9f5a58

            Download Submit

          • \Windows\SysWOW64\vqdhvenr.exe
            Filesize

            255KB

            MD5

            2a85c0c1525d7ab7acac0106dfdedd4d

            SHA1

            2a34a1c7784933bcc4315f86410b76fe8e05767d

            SHA256

            8685e338ac609f55d7e12b843c161187eabf2da05cb733cf4ca87a7b60a0a9a6

            SHA512

            e38e79223daa162dc700c88c3a6a560cf1fee6b439a64ffb8cee7562d0fdee3f281b00762d1a7ff4b9ccb9cb962835c7a69c9cc22a1d791ec4506716dc9f5a58

            Download Submit

          • \Windows\SysWOW64\yjbdhmsmkfymsyn.exe
            Filesize

            255KB

            MD5

            8e79b8641a4a15e9997e21acb3a3fa4c

            SHA1

            044ec871719abf966c7485aec5ee788e4d845979

            SHA256

            3c91d38e15d52301dd0e50322fdf68516ce220757ee152f61885dcfeb5cd762e

            SHA512

            aab2dc2bd91b926add07daecb422e7c6a722e084662830f59e7f980fa11d497a9793c050897f271fc571c880a14e6888ef69a4865828193e4a340962c444889d

            Download Submit

          • \Windows\SysWOW64\yzwcthonbf.exe
            Filesize

            255KB

            MD5

            ba879bc29e04a52f76332440487a57de

            SHA1

            50351d1aebeabd9ac37b2b333b7cf86abc50ef93

            SHA256

            a7ca178a0460b7d33b614df2da2261988b37686de175eed64785eba4503defc1

            SHA512

            229823aa5a210429d69a117c7c2e81e2699012ca571cb42c1acddde42003d298b7c5a81c7850264fde042c359c81e96cb0d40356aa3f69e11f8b5a2aef2cd5f9

            Download Submit

          • memory/764-105-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/764-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/764-83-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/828-81-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/828-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/980-82-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/980-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1488-93-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1488-104-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1488-100-0x000000007184D000-0x0000000071858000-memory.dmp

            Filesize

            44KB

            Download

          • memory/1488-88-0x0000000072DE1000-0x0000000072DE4000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1488-89-0x0000000070861000-0x0000000070863000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1488-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1488-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1720-85-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1720-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1720-106-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1736-84-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1736-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/1908-102-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2032-79-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2032-80-0x0000000003420000-0x00000000034C0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

            Filesize

            8KB

            Download

          • memory/2032-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download