Analysis

  • max time kernel
    156s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/11/2022, 16:07

General

  • Target

    8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe

  • Size

    256KB

  • MD5

    044d5ca7daafeca66ac936cf582f1ab0

  • SHA1

    cc219e015dad31d9bc1f4b9cc9f5f778233feb27

  • SHA256

    8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56

  • SHA512

    1cd579c8521845c83c35645f49e971cdf6b7577367a700dd6a0f8983f8b18e63aee8a001c7837759bc1695a395a0777ef8ce811cc89a1a824c85203114c85e79

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIA

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
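
Most of the signatures above describe registry writes. The script below is an added example for this report, not sandbox output: it diffs two `reg export` snapshots (one from the clean image, one after detonation) and groups the changed values under the signature names, using the well-known locations behind them (Explorer\Advanced HideFileExt/Hidden/ShowSuperHidden, Policies\System DisableRegistryTools, the HKCU/HKLM Run keys, Winlogon Shell/Userinit). A single snapshot is not enough, because HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are the Windows defaults and cannot be told apart from a malware write. Both .reg texts are constructed; the Run value name and the Winlogon Shell data are stand-ins, since the report does not show what was actually written.

```python
"""Map registry changes between two .reg snapshots to the sandbox signatures above.

Added example, not sandbox output.  The two exports below are constructed;
the Run value and the Winlogon Shell data are stand-ins for whatever the
sample really wrote.
"""
import re

BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000000
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"jdabzoxdbtufhav"="C:\\Windows\\SysWOW64\\jdabzoxdbtufhav.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\SysWOW64\\pmnzmbqtrn.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""

ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; decodes dword and string data only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # header, blank line or @= default value: nothing to record
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
        # hex(...) binary blobs are skipped; these checks do not need them
    return keys


def diff_reg(before, after):
    """Return sorted (key, name, old, new) for values that differ; None marks an absent value."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes.append((key, name, b.get(name), a.get(name)))
    return changes


def classify_changes(changes):
    """Group changes under the signature names this report uses."""
    hits = {}
    for key, name, old, new in changes:
        if key == ADVANCED and name == "HideFileExt":
            sig = "Modifies visibility of file extensions in Explorer"
        elif key == ADVANCED and name in ("Hidden", "ShowSuperHidden"):
            sig = "Modifies visibility of hidden/system files in Explorer"
        elif key == POLICIES and name == "DisableRegistryTools":
            sig = "Disables RegEdit via registry modification"
        elif key in RUN_KEYS:
            sig = "Adds Run key to start application"
        elif key == WINLOGON and name in ("Shell", "Userinit"):
            sig = "Modifies WinLogon"
        else:
            sig = "Other registry change"
        hits.setdefault(sig, []).append(f"{name}: {old!r} -> {new!r}")
    return hits


if __name__ == "__main__":
    for sig, evidence in classify_changes(diff_reg(parse_reg(BASELINE_REG), parse_reg(AFTER_REG))).items():
        print(sig, evidence)
```

On a real host, take the baseline with `reg export` on the clean image and the second export after detonation; `reg export` writes UTF-16LE with a BOM, so read the files with `encoding="utf-16"` before passing them to `parse_reg`.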

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
    "C:\Users\Admin\AppData\Local\Temp\8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\SysWOW64\pmnzmbqtrn.exe
      pmnzmbqtrn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\SysWOW64\adglqpaw.exe
        C:\Windows\system32\adglqpaw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4900
    • C:\Windows\SysWOW64\jdabzoxdbtufhav.exe
      jdabzoxdbtufhav.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:820
    • C:\Windows\SysWOW64\adglqpaw.exe
      adglqpaw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5084
    • C:\Windows\SysWOW64\xkiscybwgaspv.exe
      xkiscybwgaspv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4292
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    256KB

    MD5

    8253be5aaeddc5dea6427d986d141acb

    SHA1

    3170a09eb5d4fabd1348d8e61a94a16d3fefdc19

    SHA256

    325cde9103ea94731c6150a3dbf7878be21e245781fe2801ffc9854b8a938dea

    SHA512

    636dabee49a6c51ee15c27978924024e877ca185f8129da954ed2d95180051af19de4cd6f46e156153c8b05abdc74a79840fd3a422e67276b482806f8a897834

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    256KB

    MD5

    dd5c5563f85932672d7ffc5177f5b90f

    SHA1

    292aac15745521354634a839613fab5ebbf1ef6e

    SHA256

    5696d374f3747c8b64abbefb3c1992cec954b101f8cae89dc39df289513367af

    SHA512

    4bc66cd4840312efc87565b2fc079c164843d7965a322753acac4e5ca0b78e7ecaa50660710faea598bc7a2935ad4e13322044df075e45826306dcac45376560

  • C:\Users\Admin\AppData\Roaming\MergeSend.doc.exe

    Filesize

    256KB

    MD5

    7a51b51985e8d207361a37d1976e0122

    SHA1

    ba3902459fe4df5f090562b067196990460c1352

    SHA256

    cf951a3c64e19da470d29020a9d79d578dd0cd044e3d796042322fbd758526f1

    SHA512

    a94f91b3ba3fa3598eb868e8ca051880a00570013bd4f5310c9a25f44866803914ffc8230ddfb07ff1b8ef6d73a84df60295230b97c669fcbf11d4a26204241c

  • C:\Users\Admin\Downloads\CompleteTrace.doc.exe

    Filesize

    256KB

    MD5

    2af03a0810c3d61e7d02743f8f2fc55e

    SHA1

    949f90cb6b4061e58bb63f31e2a32fdab5b3c998

    SHA256

    3841f42bf86c43f2661545379ae4ec1348b62678b24f64ec66d980266767569e

    SHA512

    01b2fd2614fd59280c8b6a6b6e139d5ca56b2db7d1377386b9e18c3f4b918c0d2b1f0087e56c101f3e03e877af5cf9150ea77d9eac2d7c988d637a6b8cf02c82

  • C:\Windows\SysWOW64\adglqpaw.exe

    Filesize

    256KB

    MD5

    fef52678fdfd646666f0cf2741d8f6c4

    SHA1

    a86d6a4d21fb3630818c666c48b1af267683a322

    SHA256

    a5eeadffb8b0745383c841b85cdb730a236df416ffbdfd6a077e1f0843ad3473

    SHA512

    7d81d9407fd2052259a9b1c7982bcc2dfe337da9de8490186a0afcb587afdb46838f81a2e1aae9e6abf734732236010747005e27b1e336647b32d3bb4251480e

  • C:\Windows\SysWOW64\jdabzoxdbtufhav.exe

    Filesize

    256KB

    MD5

    59b5a7d3b404711bc160b165f319e1b5

    SHA1

    e84ca9dd467f272268203c33bb54f051ebfc0f9b

    SHA256

    840523c27bbacccbc0f3c6ba003b760362e3c167f9c0693f863c014bdb5b6c02

    SHA512

    3dbe50ad091463d12188151b5d4332a077e200d5e6990ca00c64e435cf31b5fe04f05ed969a58773d27aa42c3437417084a062b873bf0a5d8696dc90870db14e

  • C:\Windows\SysWOW64\pmnzmbqtrn.exe

    Filesize

    256KB

    MD5

    edddb9fe58d0962136215a6a6843a9ba

    SHA1

    dadfa5e17fcae236d937eaee682f8d3cff7757d7

    SHA256

    9362b61b095d1275fe3bf82a4a307d1540cc0752a7595a033de63c8a909b4169

    SHA512

    52be0bc08d7cbefccf80d9deea02b2b00574e0ef3208ab97883cc1714d29933f25e2ceefd781aa6988ca33d74f0de56f37821f8d3e3dd380870a052ba303afd1

  • C:\Windows\SysWOW64\xkiscybwgaspv.exe

    Filesize

    256KB

    MD5

    71023c7ee69970fb9dddcb0f24a95b2b

    SHA1

    7de6e3021a957ae7c32cd9047d629ee8fbea70b0

    SHA256

    08c14f28b63472b2134cd569f2c9ba8301b00206a4c3f9e9ae5e20e64d6a4314

    SHA512

    51a17d454349d85713ab8dbd12a0734d87bccc0ee364b434a97371b8d088e5b4dadb6f263917c199df70904b2db985d10550fec3dc3269c06d93a8f9fbe92769

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • memory/660-152-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/660-132-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/820-146-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/820-163-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/1740-174-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-167-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize 64KB)
  • memory/1740-156-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-157-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-155-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-158-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-154-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-172-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-173-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/1740-161-0x00007FFBF3960000-0x00007FFBF3970000-memory.dmp (Filesize 64KB)
  • memory/1740-175-0x00007FFBF61B0000-0x00007FFBF61C0000-memory.dmp (Filesize 64KB)
  • memory/3208-162-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/3208-145-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/4292-165-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/4292-148-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/4900-166-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/4900-153-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/5084-164-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
  • memory/5084-147-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
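
The dropped files above share a pattern: 256KB executables named like documents (MergeSend.doc.exe, CompleteTrace.doc.exe, PROTTPLN.DOC.exe, PROTTPLV.DOC.exe), written by a run that also modifies Explorer's file-extension visibility; with extensions hidden, MergeSend.doc.exe is displayed as MergeSend.doc. The script below is an added example for this report, not sandbox output, that hunts for that pattern on a host: it walks a directory and flags files with a document-style double extension, files with a PE (MZ) header behind a non-executable extension, and files whose SHA-256 matches one of the dropped files listed under Downloads. The files it scans are constructed stand-ins written to a temporary directory (they are not the real samples); only the SHA-256 list is taken from the report.

```python
"""Hunt for the dropped-file pattern from this report on a suspect host.

Added example, not sandbox output.  KNOWN_SHA256 is copied from the
Downloads section; the files created by make_constructed_tree() are
stand-ins so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 of the dropped executables listed under Downloads above.
KNOWN_SHA256 = {
    "325cde9103ea94731c6150a3dbf7878be21e245781fe2801ffc9854b8a938dea": "PROTTPLN.DOC.exe",
    "5696d374f3747c8b64abbefb3c1992cec954b101f8cae89dc39df289513367af": "PROTTPLV.DOC.exe",
    "cf951a3c64e19da470d29020a9d79d578dd0cd044e3d796042322fbd758526f1": "MergeSend.doc.exe",
    "3841f42bf86c43f2661545379ae4ec1348b62678b24f64ec66d980266767569e": "CompleteTrace.doc.exe",
    "a5eeadffb8b0745383c841b85cdb730a236df416ffbdfd6a077e1f0843ad3473": "adglqpaw.exe",
    "840523c27bbacccbc0f3c6ba003b760362e3c167f9c0693f863c014bdb5b6c02": "jdabzoxdbtufhav.exe",
    "9362b61b095d1275fe3bf82a4a307d1540cc0752a7595a033de63c8a909b4169": "pmnzmbqtrn.exe",
    "08c14f28b63472b2134cd569f2c9ba8301b00206a4c3f9e9ae5e20e64d6a4314": "xkiscybwgaspv.exe",
}

# "<name>.<document ext>.<executable ext>", case-insensitive (PROTTPLN.DOC.exe matches).
DOUBLE_EXT = re.compile(r"\.(?:doc|docx|rtf|xls|xlsx|pdf|txt|jpg)\.(?:exe|scr|com|pif)$", re.I)
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".pif", ".sys")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def has_mz_header(path):
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan(root, known=KNOWN_SHA256):
    """Walk `root`; return [(path, [reasons])] for files that trip any of the three checks."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            reasons = []
            try:
                if DOUBLE_EXT.search(name):
                    reasons.append("double extension")
                if has_mz_header(path) and not name.lower().endswith(EXEC_EXTS):
                    reasons.append("PE header behind a non-executable extension")
                label = known.get(sha256_of(path))
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the walk
            if label:
                reasons.append("known SHA-256: " + label)
            if reasons:
                findings.append((path, reasons))
    return findings


def make_constructed_tree():
    """Write a few constructed stand-in files (not the real samples) to a temp dir."""
    root = tempfile.mkdtemp(prefix="hunt_")
    samples = {
        "MergeSend.doc.exe": b"MZ" + b"\0" * 62,     # double extension, real PE header
        "invoice.pdf": b"MZ" + b"\0" * 62,           # PE disguised as a document
        "README.txt": b"just text\n",                 # benign
        "adglqpaw.exe": b"MZ" + b"constructed" * 8,  # matched by hash in demo()
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root


def demo():
    """Scan the constructed tree; the stand-in's own hash is added as a known IOC."""
    root = make_constructed_tree()
    known = dict(KNOWN_SHA256)
    known[sha256_of(os.path.join(root, "adglqpaw.exe"))] = "adglqpaw.exe (constructed stand-in)"
    return {os.path.basename(p): r for p, r in scan(root, known)}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name, "->", "; ".join(reasons))
```

Point `scan()` at the locations the report shows being written to (the user profile, C:\Windows\SysWOW64, the Office root under Program Files) rather than a whole volume; hashing every file on a disk is slow, while the double-extension and MZ checks are cheap and catch renamed copies the hash list misses.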