Overview

overview

10

Static

static

8

045ffe688e...ad.exe

windows7-x64

10

045ffe688e...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 20:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    045ffe688ea2a65ddec136151f868445a7f6e97f7515101031e723be556c15ad.exe

  • Size

    256KB

  • MD5

    a19e86bcc2a7e337772b0a4b872cf600

  • SHA1

    dddfce9b3b20046267f1513510867da139881b90

  • SHA256

    045ffe688ea2a65ddec136151f868445a7f6e97f7515101031e723be556c15ad

  • SHA512

    3d8b7d2f6dcb7699970b3ea1c72438b1dd2f35d0c7278544d9bcf177f3fa70b4f60e079a7678f77764fff09cf20fdd0983a2e915b9272ed67ea20b407799dcf2

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6k:Plf5j6zCNa0xeE3mR

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\045ffe688ea2a65ddec136151f868445a7f6e97f7515101031e723be556c15ad.exe
    "C:\Users\Admin\AppData\Local\Temp\045ffe688ea2a65ddec136151f868445a7f6e97f7515101031e723be556c15ad.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\lgvklbaqwa.exe
      lgvklbaqwa.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\SysWOW64\npdynssl.exe
        C:\Windows\system32\npdynssl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4936
    • C:\Windows\SysWOW64\anmwgslhddceean.exe
      anmwgslhddceean.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4088
    • C:\Windows\SysWOW64\npdynssl.exe
      npdynssl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1268
    • C:\Windows\SysWOW64\mnatztjpilqaw.exe
      mnatztjpilqaw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3416
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    256KB

    MD5

    b26b5fa4c66b8c029b80c62221ba4e2d

    SHA1

    401ebb3f13ce1ae8d5d96938eb52faf437269a0f

    SHA256

    ccfe18d49711df70320778b013716433e0d9ccdecab6805da83d041c4d53fe50

    SHA512

    39b17a9729543410b75c48cf949c1b926e986e77b3aba3f5d71670a707ea35c0e5fa01e94f086a39312531098b0195a2167829a1892781e1ec57fffe774f6465

    Download Submit

  • C:\Windows\SysWOW64\anmwgslhddceean.exe
    Filesize

    256KB

    MD5

    29739dd8f3b357cbb504b072765ef462

    SHA1

    09430d29bc136271df2c416db7de861724b4628d

    SHA256

    3ac0e9196a537d352111a766314e1ea2ea25e8834153224787d0aa6d257d9a18

    SHA512

    5161573038f73ba506c7589cc1163bd674b21b19319a62c6558d01bb8ec8d218fe9c0701bc2c608553722cfa064cbec230991b8474a9c94eaa5bb7e6b89ab756

    Download Submit

  • C:\Windows\SysWOW64\anmwgslhddceean.exe
    Filesize

    256KB

    MD5

    29739dd8f3b357cbb504b072765ef462

    SHA1

    09430d29bc136271df2c416db7de861724b4628d

    SHA256

    3ac0e9196a537d352111a766314e1ea2ea25e8834153224787d0aa6d257d9a18

    SHA512

    5161573038f73ba506c7589cc1163bd674b21b19319a62c6558d01bb8ec8d218fe9c0701bc2c608553722cfa064cbec230991b8474a9c94eaa5bb7e6b89ab756

    Download Submit

  • C:\Windows\SysWOW64\lgvklbaqwa.exe
    Filesize

    256KB

    MD5

    81472b4ddf1c52699a0ff7cc7ae3df2b

    SHA1

    34806c31bb59c3d40166719632583efbbf228b5f

    SHA256

    3e0ad4b5bf44d1ea23ceac1a91da47775e374923765ea7421cdf2065631d06ca

    SHA512

    6cd0d47f710b128f84da8e2b9d558700150a1cb5a2c6cd4df3e5bbae8a43356a3a4b3f9c9f7c941e6d6d00f0a4a2ca1a40b5f72a579e0b1a78ef1e9afc1158dd

    Download Submit

  • C:\Windows\SysWOW64\lgvklbaqwa.exe
    Filesize

    256KB

    MD5

    81472b4ddf1c52699a0ff7cc7ae3df2b

    SHA1

    34806c31bb59c3d40166719632583efbbf228b5f

    SHA256

    3e0ad4b5bf44d1ea23ceac1a91da47775e374923765ea7421cdf2065631d06ca

    SHA512

    6cd0d47f710b128f84da8e2b9d558700150a1cb5a2c6cd4df3e5bbae8a43356a3a4b3f9c9f7c941e6d6d00f0a4a2ca1a40b5f72a579e0b1a78ef1e9afc1158dd

    Download Submit

  • C:\Windows\SysWOW64\mnatztjpilqaw.exe
    Filesize

    256KB

    MD5

    cffe0226bb4afa52ed4b5be165bd3cbb

    SHA1

    85cabd91bc1e8c7ac881e5d5388ff77bd0f75e82

    SHA256

    c83751fabb1f1e8244cae5bc2087fb1619b1e17f250e1c4cbd9b6c077ae1dc3d

    SHA512

    ef152fcd9257194fdea2f3e5fd4aef49970742153117d65c54dd0e873e2b4d7fad7a4b5a2b01959c13bb37da44aac76c2c860ba18b896cf8f584b50f4d98670b

    Download Submit

  • C:\Windows\SysWOW64\mnatztjpilqaw.exe
    Filesize

    256KB

    MD5

    cffe0226bb4afa52ed4b5be165bd3cbb

    SHA1

    85cabd91bc1e8c7ac881e5d5388ff77bd0f75e82

    SHA256

    c83751fabb1f1e8244cae5bc2087fb1619b1e17f250e1c4cbd9b6c077ae1dc3d

    SHA512

    ef152fcd9257194fdea2f3e5fd4aef49970742153117d65c54dd0e873e2b4d7fad7a4b5a2b01959c13bb37da44aac76c2c860ba18b896cf8f584b50f4d98670b

    Download Submit

  • C:\Windows\SysWOW64\npdynssl.exe
    Filesize

    256KB

    MD5

    476aed645dd4cc5b8c0ba352cec58e85

    SHA1

    bd93d7ed7225756a62e9d9642fd64af27dda1f2d

    SHA256

    69922be802f4c3cbb06ca8130b4cb6ac1e13d4480ed055ace22486b741cb9953

    SHA512

    f3ae88d8924a0fc3612e9bc2292c1d1e84229ad736af88b676d2e569dda9dcbe11469b0d992c68922cba53fb956219a52d9c9c7a875bfd8d3b6672967007f733

    Download Submit

  • C:\Windows\SysWOW64\npdynssl.exe
    Filesize

    256KB

    MD5

    476aed645dd4cc5b8c0ba352cec58e85

    SHA1

    bd93d7ed7225756a62e9d9642fd64af27dda1f2d

    SHA256

    69922be802f4c3cbb06ca8130b4cb6ac1e13d4480ed055ace22486b741cb9953

    SHA512

    f3ae88d8924a0fc3612e9bc2292c1d1e84229ad736af88b676d2e569dda9dcbe11469b0d992c68922cba53fb956219a52d9c9c7a875bfd8d3b6672967007f733

    Download Submit

  • C:\Windows\SysWOW64\npdynssl.exe
    Filesize

    256KB

    MD5

    476aed645dd4cc5b8c0ba352cec58e85

    SHA1

    bd93d7ed7225756a62e9d9642fd64af27dda1f2d

    SHA256

    69922be802f4c3cbb06ca8130b4cb6ac1e13d4480ed055ace22486b741cb9953

    SHA512

    f3ae88d8924a0fc3612e9bc2292c1d1e84229ad736af88b676d2e569dda9dcbe11469b0d992c68922cba53fb956219a52d9c9c7a875bfd8d3b6672967007f733

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    256KB

    MD5

    7f09cb92e3a4aaca929eae02114516df

    SHA1

    67ce394ce7c89adac7664a49b1c88c458de3f232

    SHA256

    e72beee1e8ac2d0c5cdb2455b9bb580b26202caf593f74857aa7d3ff32446508

    SHA512

    526c24a1b60772b9c53a0019ec6cc998f1beba7957fd841c1e5d9d049d91fd2ad70d96204e85a7dbf883d1143903e7cad655790d3df1219105ea79c7d10460e8

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    256KB

    MD5

    7f09cb92e3a4aaca929eae02114516df

    SHA1

    67ce394ce7c89adac7664a49b1c88c458de3f232

    SHA256

    e72beee1e8ac2d0c5cdb2455b9bb580b26202caf593f74857aa7d3ff32446508

    SHA512

    526c24a1b60772b9c53a0019ec6cc998f1beba7957fd841c1e5d9d049d91fd2ad70d96204e85a7dbf883d1143903e7cad655790d3df1219105ea79c7d10460e8

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    256KB

    MD5

    7f09cb92e3a4aaca929eae02114516df

    SHA1

    67ce394ce7c89adac7664a49b1c88c458de3f232

    SHA256

    e72beee1e8ac2d0c5cdb2455b9bb580b26202caf593f74857aa7d3ff32446508

    SHA512

    526c24a1b60772b9c53a0019ec6cc998f1beba7957fd841c1e5d9d049d91fd2ad70d96204e85a7dbf883d1143903e7cad655790d3df1219105ea79c7d10460e8

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    256KB

    MD5

    4b47296679e7870629faf4baf493fd73

    SHA1

    a8df3bb7a3cb7c2641d8e852fe02b3c041ccf943

    SHA256

    f9fa1bf267408099aacf334c3f7d6093e5873e4aae39a46721d6fc7f4a215f7e

    SHA512

    6cf57b349f00cbbfe12391fef032a3580ea22cf42ea8d83613b39e74048be03a6d525209ce2e07bebf634c63b19bd05ea44ff80476d4e5ae9070ea077911f627

    Download Submit

  • memory/852-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/852-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1268-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1268-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2432-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2432-163-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3416-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3416-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4088-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4088-164-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4912-156-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-169-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-160-0x00007FFD656B0000-0x00007FFD656C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-158-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-157-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-154-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-161-0x00007FFD656B0000-0x00007FFD656C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-170-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-171-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-172-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4912-155-0x00007FFD677B0000-0x00007FFD677C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4936-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4936-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download