Overview

overview

10

Static

static

8

7696a68e36...81.exe

windows7-x64

10

7696a68e36...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe

  • Size

    255KB

  • MD5

    a1981732e7f8dd511707e7b3f5ab7711

  • SHA1

    1ef34d7b1561aba00fb338e61e02046ad073a29e

  • SHA256

    7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481

  • SHA512

    f4a4201ea00cae54acaa45641821431ebf1992a3d61ef3194eb8b36ea8ceec1ffe2da4540a94417106128cf938b3953f57be41d280fb42b808e28f52f4838310

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJA:1xlZam+akqx6YQJXcNlEHUIQeE3mmBID

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
    "C:\Users\Admin\AppData\Local\Temp\7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Windows\SysWOW64\qbmaucvsra.exe
      qbmaucvsra.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\wcyohppj.exe
        C:\Windows\system32\wcyohppj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1108
    • C:\Windows\SysWOW64\plvqdwrcyuvdbeh.exe
      plvqdwrcyuvdbeh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4628
    • C:\Windows\SysWOW64\wcyohppj.exe
      wcyohppj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2668
    • C:\Windows\SysWOW64\qyyczhoavjqww.exe
      qyyczhoavjqww.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5056
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    a9e7b47218b04b8894d4540016d95ff5

    SHA1

    713327aae934da69690c269332441a978fbbdb4a

    SHA256

    f9b8c19f18ea1538a37b0e10741dd94320c9e12cd0b87f04c3ac84400b2c3f88

    SHA512

    c6af51b4c18b82d6f690e60e6f118f64c356b9826ba174efb80f0b94d7de431ff982951ddc8b18cb0a5e8b99016e4178ce0e1b4a80361e50c0433de3c310f086

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    5a9bf61c82ec7405352f24e846c98c9a

    SHA1

    237ec25c15d0306f56eb6a600afac8ed732e6215

    SHA256

    83631a2e5d96687aa074d08a183c34c3d7a074db61a38847083dcf44f1186d2a

    SHA512

    10f6c7bcab6504619f54401c2120f914151def40833ea005a28bdfa1174aacf177882987684be7acb28b44a714d94e57d5c6a2705eb1de830e133a18eec903fe

    Download Submit

  • C:\Users\Admin\Music\DisableMove.doc.exe
    Filesize

    255KB

    MD5

    3ef4f4059b392b4e5bf42e8410d16934

    SHA1

    3b6e4191e90ae8cf1e88f5a80baba7b56c0eae50

    SHA256

    7492e0fd1a90aaf83d9feea3da001d2611b002c86c10ee9e656a3084f99cef1f

    SHA512

    73fcf4e6cd762d04abf12051d4c22fe0e8418f14088d7975bd556414dda2a7121e3a8368b9f8e4033bd1dc16a085859504dfb41238a3338635237c4320e90376

    Download Submit

  • C:\Windows\SysWOW64\plvqdwrcyuvdbeh.exe
    Filesize

    255KB

    MD5

    38d87ce12d528be5a02058925db55543

    SHA1

    a7b9b47739eb5bd85097f1c30ab15d88f6db2a85

    SHA256

    88c126a28f03ec547dbc493ede45535bc79cb2b3931d7641694515ec8e63d1fc

    SHA512

    7124a596777b49192a3ca84157686fcb35dc4f5b65d39162c9a74e61d7318b58973f5775e9a3eb73ac1864f831b881d58c92df203b09cacb85df97d18a627954

    Download Submit

  • C:\Windows\SysWOW64\plvqdwrcyuvdbeh.exe
    Filesize

    255KB

    MD5

    38d87ce12d528be5a02058925db55543

    SHA1

    a7b9b47739eb5bd85097f1c30ab15d88f6db2a85

    SHA256

    88c126a28f03ec547dbc493ede45535bc79cb2b3931d7641694515ec8e63d1fc

    SHA512

    7124a596777b49192a3ca84157686fcb35dc4f5b65d39162c9a74e61d7318b58973f5775e9a3eb73ac1864f831b881d58c92df203b09cacb85df97d18a627954

    Download Submit

  • C:\Windows\SysWOW64\qbmaucvsra.exe
    Filesize

    255KB

    MD5

    216fd166a531f91fb017fec3610ebe15

    SHA1

    eda943ba8453117abb9cfe7fb1f8bfaface61d62

    SHA256

    5c60a55f522bda0d3bb2a8d4020b26b2013a1cab3f38d6a27b8531d8953cd7df

    SHA512

    8c31fa181fcbe5dcdee9f474efb24f1c73bd7812078e2d1b4038f4408ccc7526be2b54b189b1f55e59140bedd3091ec87ea13bbcd59725da01b99b6a4dceb20b

    Download Submit

  • C:\Windows\SysWOW64\qbmaucvsra.exe
    Filesize

    255KB

    MD5

    216fd166a531f91fb017fec3610ebe15

    SHA1

    eda943ba8453117abb9cfe7fb1f8bfaface61d62

    SHA256

    5c60a55f522bda0d3bb2a8d4020b26b2013a1cab3f38d6a27b8531d8953cd7df

    SHA512

    8c31fa181fcbe5dcdee9f474efb24f1c73bd7812078e2d1b4038f4408ccc7526be2b54b189b1f55e59140bedd3091ec87ea13bbcd59725da01b99b6a4dceb20b

    Download Submit

  • C:\Windows\SysWOW64\qyyczhoavjqww.exe
    Filesize

    255KB

    MD5

    0ef19534bd8f0496e90510686f1c4943

    SHA1

    022234d12b639368123895884d6459f3183bfe99

    SHA256

    aa7a1183a9ad45b7c31de8347b289b89d841da85ccceba9846dcd8cadc3162b2

    SHA512

    f5f39330855dd6417451a96c9d225776b39e4456c98ecef142d1a95788a9bba350434b4f20e49a9e2b7b41921b3801ea6b47ebf73afc48c64c838784c30f7da1

    Download Submit

  • C:\Windows\SysWOW64\qyyczhoavjqww.exe
    Filesize

    255KB

    MD5

    0ef19534bd8f0496e90510686f1c4943

    SHA1

    022234d12b639368123895884d6459f3183bfe99

    SHA256

    aa7a1183a9ad45b7c31de8347b289b89d841da85ccceba9846dcd8cadc3162b2

    SHA512

    f5f39330855dd6417451a96c9d225776b39e4456c98ecef142d1a95788a9bba350434b4f20e49a9e2b7b41921b3801ea6b47ebf73afc48c64c838784c30f7da1

    Download Submit

  • C:\Windows\SysWOW64\wcyohppj.exe
    Filesize

    255KB

    MD5

    17bfbf000fe388d0f892450cc6ab0966

    SHA1

    3c7c3019584bd5bca1267f308a2c3e59be591d2a

    SHA256

    9b473c28ab318cac250f4882d93c774932d24f68ee7337299c928f3b67cf7858

    SHA512

    7e52e4ca04713bda73f1732783d71d2f8f654f85aec9095e742ddd761bf9744e4b1253fc5ee03e8310ddf746380a30cb1a9305b7be2e2851aba81eb57537b3ef

    Download Submit

  • C:\Windows\SysWOW64\wcyohppj.exe
    Filesize

    255KB

    MD5

    17bfbf000fe388d0f892450cc6ab0966

    SHA1

    3c7c3019584bd5bca1267f308a2c3e59be591d2a

    SHA256

    9b473c28ab318cac250f4882d93c774932d24f68ee7337299c928f3b67cf7858

    SHA512

    7e52e4ca04713bda73f1732783d71d2f8f654f85aec9095e742ddd761bf9744e4b1253fc5ee03e8310ddf746380a30cb1a9305b7be2e2851aba81eb57537b3ef

    Download Submit

  • C:\Windows\SysWOW64\wcyohppj.exe
    Filesize

    255KB

    MD5

    17bfbf000fe388d0f892450cc6ab0966

    SHA1

    3c7c3019584bd5bca1267f308a2c3e59be591d2a

    SHA256

    9b473c28ab318cac250f4882d93c774932d24f68ee7337299c928f3b67cf7858

    SHA512

    7e52e4ca04713bda73f1732783d71d2f8f654f85aec9095e742ddd761bf9744e4b1253fc5ee03e8310ddf746380a30cb1a9305b7be2e2851aba81eb57537b3ef

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    a9e7b47218b04b8894d4540016d95ff5

    SHA1

    713327aae934da69690c269332441a978fbbdb4a

    SHA256

    f9b8c19f18ea1538a37b0e10741dd94320c9e12cd0b87f04c3ac84400b2c3f88

    SHA512

    c6af51b4c18b82d6f690e60e6f118f64c356b9826ba174efb80f0b94d7de431ff982951ddc8b18cb0a5e8b99016e4178ce0e1b4a80361e50c0433de3c310f086

    Download Submit

  • memory/1108-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1108-161-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1484-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1484-157-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2668-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2668-159-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4340-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4340-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4628-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4628-158-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5008-162-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-167-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-163-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-164-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-165-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-166-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-175-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-168-0x00007FFA1FBA0000-0x00007FFA1FBB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-174-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-173-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-172-0x00007FFA22010000-0x00007FFA22020000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5056-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5056-160-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download