Overview

overview

10

Static

static

8

2f5c991550...3c.exe

windows7-x64

10

2f5c991550...3c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2022 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f5c99155016ad6314856e3576ec709a0f3ea8402f5a80582f72dfca3e4f9d3c.exe

  • Size

    255KB

  • MD5

    a164cf8fc65a53993af84a00e8fac670

  • SHA1

    3da37fc78d0a60eda74089579a91af4db2178a9f

  • SHA256

    2f5c99155016ad6314856e3576ec709a0f3ea8402f5a80582f72dfca3e4f9d3c

  • SHA512

    77db764b76984ac80c80c336aab8dbde4d03e756dc70a761b06b4321f7fd9bbe1b4372706fff5a3f0de9065090e5eb83876ee016964c84ca5f7d681722e7c3ba

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJY:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI5

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f5c99155016ad6314856e3576ec709a0f3ea8402f5a80582f72dfca3e4f9d3c.exe
    "C:\Users\Admin\AppData\Local\Temp\2f5c99155016ad6314856e3576ec709a0f3ea8402f5a80582f72dfca3e4f9d3c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\wjfyankwke.exe
      wjfyankwke.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\vjsbpdrs.exe
        C:\Windows\system32\vjsbpdrs.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1940
    • C:\Windows\SysWOW64\bhvacyjgcrjmpwv.exe
      bhvacyjgcrjmpwv.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1748
    • C:\Windows\SysWOW64\vjsbpdrs.exe
      vjsbpdrs.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1532
    • C:\Windows\SysWOW64\ymahhdiwquezy.exe
      ymahhdiwquezy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1612
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:308

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      62e37f7f871cb13f94f2811784aa8878

      SHA1

      29bc8360e1783729400a88911e92a027c5b3cbdc

      SHA256

      4bb355e79f3ca8fb947e5b1c39ea086f6eb853ce9ab3eff7a75e95f63deb736c

      SHA512

      02649b9c655ee7ea2b25f212812178b50e91e0db110ac29d94cee694be7c128c2626830454afa7c60d46c189e72b68f2bffe213c52c6c81269cd4cd8a7b86fb0

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      be893d44ce79ba5cb1f74b9b4e96b665

      SHA1

      d579696dc868eaf28a7c94c8bf250beb177ca1b6

      SHA256

      3e9c30f7ed7d71aa5c0122dd526175d75fc9eb1977280913318ef55999b397b0

      SHA512

      aa42174dbfde7efceb9b486ca93dbcc4d75a8f41be1b1a485b57b694dc619feacb7b4d5831ae34d611b1ad25ce229f82054b59f030d8fdd27129afd6a6fd234a

      Download Submit

    • C:\Windows\SysWOW64\bhvacyjgcrjmpwv.exe
      Filesize

      255KB

      MD5

      f79a94019c73815cd6107b73c19fa23d

      SHA1

      f96b15a48a2bb6279a13e8bec137abbb78b6386e

      SHA256

      daece16ab1dfb173ec58e7606ef6bfaef322d7e5b6368b8bdae8b5ba5185998d

      SHA512

      43dca3670190d9f3afe6af8b59a781c8bc51b60663c20be9516393cf9e6a3642fc2b6396f9be9871d3122437a1b959fd9d62590da7b2b90f0d823b47745609b9

      Download Submit

    • C:\Windows\SysWOW64\bhvacyjgcrjmpwv.exe
      Filesize

      255KB

      MD5

      f79a94019c73815cd6107b73c19fa23d

      SHA1

      f96b15a48a2bb6279a13e8bec137abbb78b6386e

      SHA256

      daece16ab1dfb173ec58e7606ef6bfaef322d7e5b6368b8bdae8b5ba5185998d

      SHA512

      43dca3670190d9f3afe6af8b59a781c8bc51b60663c20be9516393cf9e6a3642fc2b6396f9be9871d3122437a1b959fd9d62590da7b2b90f0d823b47745609b9

      Download Submit

    • C:\Windows\SysWOW64\vjsbpdrs.exe
      Filesize

      255KB

      MD5

      264558860a2641b6434b0b31837b431e

      SHA1

      899bd6f08f85802dc366323e07ba7df3bd8c5181

      SHA256

      11ace8b2144a20c9da5cd72c5c9d76499672cb24041d3cb66f1d649650dae6af

      SHA512

      9f4edda9bcb6e8932246449a3760b7d7634efdb54634085a9f6b9b107abde93c410a28eb2b19b394bfccc47d828e59a74a1c741e0b3330e059226a8c98689327

      Download Submit

    • C:\Windows\SysWOW64\vjsbpdrs.exe
      Filesize

      255KB

      MD5

      264558860a2641b6434b0b31837b431e

      SHA1

      899bd6f08f85802dc366323e07ba7df3bd8c5181

      SHA256

      11ace8b2144a20c9da5cd72c5c9d76499672cb24041d3cb66f1d649650dae6af

      SHA512

      9f4edda9bcb6e8932246449a3760b7d7634efdb54634085a9f6b9b107abde93c410a28eb2b19b394bfccc47d828e59a74a1c741e0b3330e059226a8c98689327

      Download Submit

    • C:\Windows\SysWOW64\vjsbpdrs.exe
      Filesize

      255KB

      MD5

      264558860a2641b6434b0b31837b431e

      SHA1

      899bd6f08f85802dc366323e07ba7df3bd8c5181

      SHA256

      11ace8b2144a20c9da5cd72c5c9d76499672cb24041d3cb66f1d649650dae6af

      SHA512

      9f4edda9bcb6e8932246449a3760b7d7634efdb54634085a9f6b9b107abde93c410a28eb2b19b394bfccc47d828e59a74a1c741e0b3330e059226a8c98689327

      Download Submit

    • C:\Windows\SysWOW64\wjfyankwke.exe
      Filesize

      255KB

      MD5

      55cf24ee7a945f5dd63e2b0ca89a4414

      SHA1

      1a426a2ca0149c91c7f455bf18b48c107d851345

      SHA256

      c0c538438ccba7db6598502e039a111bd9bcaf3d01181a539a06ad01b2553581

      SHA512

      f4ac4bf7718914c1bf16841e4ea35a6a7632239e20ab29a679b10fc786fb4b8ed272de208b8b9f6a1d0260713af2fc47e4116da6102e7b15994331b11c07e8f0

      Download Submit

    • C:\Windows\SysWOW64\wjfyankwke.exe
      Filesize

      255KB

      MD5

      55cf24ee7a945f5dd63e2b0ca89a4414

      SHA1

      1a426a2ca0149c91c7f455bf18b48c107d851345

      SHA256

      c0c538438ccba7db6598502e039a111bd9bcaf3d01181a539a06ad01b2553581

      SHA512

      f4ac4bf7718914c1bf16841e4ea35a6a7632239e20ab29a679b10fc786fb4b8ed272de208b8b9f6a1d0260713af2fc47e4116da6102e7b15994331b11c07e8f0

      Download Submit

    • C:\Windows\SysWOW64\ymahhdiwquezy.exe
      Filesize

      255KB

      MD5

      6bb6d03057ddf3bc984c2affd127b03a

      SHA1

      66d2bb5c50d93ea160e2438b8ae29bf9bd3db432

      SHA256

      95dca675e14602e313e84d9f33f10d1a78dd89f712c9eb749a7708de45ca1b80

      SHA512

      f961989f04b9939f35f520fe48cf7d1a2a304c74683c0fbb23955b01e73e3fe12a43d91c2f9be7d85e093d4b8886d9e1e1be36455ef3b9b96812ac3a05ff498a

      Download Submit

    • C:\Windows\SysWOW64\ymahhdiwquezy.exe
      Filesize

      255KB

      MD5

      6bb6d03057ddf3bc984c2affd127b03a

      SHA1

      66d2bb5c50d93ea160e2438b8ae29bf9bd3db432

      SHA256

      95dca675e14602e313e84d9f33f10d1a78dd89f712c9eb749a7708de45ca1b80

      SHA512

      f961989f04b9939f35f520fe48cf7d1a2a304c74683c0fbb23955b01e73e3fe12a43d91c2f9be7d85e093d4b8886d9e1e1be36455ef3b9b96812ac3a05ff498a

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\bhvacyjgcrjmpwv.exe
      Filesize

      255KB

      MD5

      f79a94019c73815cd6107b73c19fa23d

      SHA1

      f96b15a48a2bb6279a13e8bec137abbb78b6386e

      SHA256

      daece16ab1dfb173ec58e7606ef6bfaef322d7e5b6368b8bdae8b5ba5185998d

      SHA512

      43dca3670190d9f3afe6af8b59a781c8bc51b60663c20be9516393cf9e6a3642fc2b6396f9be9871d3122437a1b959fd9d62590da7b2b90f0d823b47745609b9

      Download Submit

    • \Windows\SysWOW64\vjsbpdrs.exe
      Filesize

      255KB

      MD5

      264558860a2641b6434b0b31837b431e

      SHA1

      899bd6f08f85802dc366323e07ba7df3bd8c5181

      SHA256

      11ace8b2144a20c9da5cd72c5c9d76499672cb24041d3cb66f1d649650dae6af

      SHA512

      9f4edda9bcb6e8932246449a3760b7d7634efdb54634085a9f6b9b107abde93c410a28eb2b19b394bfccc47d828e59a74a1c741e0b3330e059226a8c98689327

      Download Submit

    • \Windows\SysWOW64\vjsbpdrs.exe
      Filesize

      255KB

      MD5

      264558860a2641b6434b0b31837b431e

      SHA1

      899bd6f08f85802dc366323e07ba7df3bd8c5181

      SHA256

      11ace8b2144a20c9da5cd72c5c9d76499672cb24041d3cb66f1d649650dae6af

      SHA512

      9f4edda9bcb6e8932246449a3760b7d7634efdb54634085a9f6b9b107abde93c410a28eb2b19b394bfccc47d828e59a74a1c741e0b3330e059226a8c98689327

      Download Submit

    • \Windows\SysWOW64\wjfyankwke.exe
      Filesize

      255KB

      MD5

      55cf24ee7a945f5dd63e2b0ca89a4414

      SHA1

      1a426a2ca0149c91c7f455bf18b48c107d851345

      SHA256

      c0c538438ccba7db6598502e039a111bd9bcaf3d01181a539a06ad01b2553581

      SHA512

      f4ac4bf7718914c1bf16841e4ea35a6a7632239e20ab29a679b10fc786fb4b8ed272de208b8b9f6a1d0260713af2fc47e4116da6102e7b15994331b11c07e8f0

      Download Submit

    • \Windows\SysWOW64\ymahhdiwquezy.exe
      Filesize

      255KB

      MD5

      6bb6d03057ddf3bc984c2affd127b03a

      SHA1

      66d2bb5c50d93ea160e2438b8ae29bf9bd3db432

      SHA256

      95dca675e14602e313e84d9f33f10d1a78dd89f712c9eb749a7708de45ca1b80

      SHA512

      f961989f04b9939f35f520fe48cf7d1a2a304c74683c0fbb23955b01e73e3fe12a43d91c2f9be7d85e093d4b8886d9e1e1be36455ef3b9b96812ac3a05ff498a

      Download Submit

    • memory/308-102-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/624-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/624-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1532-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1532-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1612-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1612-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1748-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1748-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1860-97-0x0000000070D3D000-0x0000000070D48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1860-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1860-100-0x0000000070D3D000-0x0000000070D48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1860-90-0x000000006FD51000-0x000000006FD53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1860-89-0x00000000722D1000-0x00000000722D4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1940-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1940-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2012-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2012-54-0x0000000075841000-0x0000000075843000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2012-78-0x0000000002F40000-0x0000000002FE0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2012-57-0x0000000002F40000-0x0000000002FE0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2012-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download