Overview

overview

10

Static

static

5

88189e6657...50.exe

windows7-x64

10

88189e6657...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88189e6657deb8ea831f8f1ca034cff3c052281d3b184267d7c232fcf15c1750.exe

  • Size

    512KB

  • MD5

    0b1f8f2318d8669c44a0ee0b5c287746

  • SHA1

    75188cd60e2874376c63ac3896235d65dccff00f

  • SHA256

    88189e6657deb8ea831f8f1ca034cff3c052281d3b184267d7c232fcf15c1750

  • SHA512

    edd080f4ff33e277247220f7d5ad7edee9a6039561a4a2988ccdcde935a48b3c3a8c7340329c615713c63adb2c0ce2d2ac1ef5713f752a44cb17c23c522a3680

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 36 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88189e6657deb8ea831f8f1ca034cff3c052281d3b184267d7c232fcf15c1750.exe
    "C:\Users\Admin\AppData\Local\Temp\88189e6657deb8ea831f8f1ca034cff3c052281d3b184267d7c232fcf15c1750.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\ijgfflprpx.exe
      ijgfflprpx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:992
      • C:\Windows\SysWOW64\efrrkpjb.exe
        C:\Windows\system32\efrrkpjb.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:336
    • C:\Windows\SysWOW64\yrftnkojeyutowl.exe
      yrftnkojeyutowl.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1760
    • C:\Windows\SysWOW64\efrrkpjb.exe
      efrrkpjb.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:468
    • C:\Windows\SysWOW64\quspxfcwpdufy.exe
      quspxfcwpdufy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:892
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1792
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:824
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x590
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\efrrkpjb.exe
    Filesize

    512KB

    MD5

    4fb0ff4255bf4e177f58d03058dc8aa5

    SHA1

    82e513c34a282ec493dea809318562e6ab72739d

    SHA256

    4772c035bdd9e3757fbffda634cb6aa23eeb862b5dcdeee220f941b09109f11f

    SHA512

    4e1d76f6bc236a0e317b6ccfb9dd09a7cb3a83ca587b3307969b6bd9bf5b8fcf8e450ce313e440956efcb2a2491e12dcf2816e63ab1c1ae02d98f703d1d5ae6d

    Download Submit

  • C:\Windows\SysWOW64\efrrkpjb.exe
    Filesize

    512KB

    MD5

    4fb0ff4255bf4e177f58d03058dc8aa5

    SHA1

    82e513c34a282ec493dea809318562e6ab72739d

    SHA256

    4772c035bdd9e3757fbffda634cb6aa23eeb862b5dcdeee220f941b09109f11f

    SHA512

    4e1d76f6bc236a0e317b6ccfb9dd09a7cb3a83ca587b3307969b6bd9bf5b8fcf8e450ce313e440956efcb2a2491e12dcf2816e63ab1c1ae02d98f703d1d5ae6d

    Download Submit

  • C:\Windows\SysWOW64\efrrkpjb.exe
    Filesize

    512KB

    MD5

    4fb0ff4255bf4e177f58d03058dc8aa5

    SHA1

    82e513c34a282ec493dea809318562e6ab72739d

    SHA256

    4772c035bdd9e3757fbffda634cb6aa23eeb862b5dcdeee220f941b09109f11f

    SHA512

    4e1d76f6bc236a0e317b6ccfb9dd09a7cb3a83ca587b3307969b6bd9bf5b8fcf8e450ce313e440956efcb2a2491e12dcf2816e63ab1c1ae02d98f703d1d5ae6d

    Download Submit

  • C:\Windows\SysWOW64\ijgfflprpx.exe
    Filesize

    512KB

    MD5

    2c0a4d8afa13aad23729e7c8dc8ad1da

    SHA1

    44489a88c42f895433b393fbff8dff446d1e4237

    SHA256

    d2698a4592dd6940780df8925899b78f587c0f53ccfac5602e7e4228ff300c6c

    SHA512

    0d0a7e11edf4dde24d5c8cd1f19c8c57ea6d651a810b779b19702bd8c13e63e5d00b43ec26bd174a31df993b045980f84f7d0121795d4df4b15cddc88c740294

    Download Submit

  • C:\Windows\SysWOW64\ijgfflprpx.exe
    Filesize

    512KB

    MD5

    2c0a4d8afa13aad23729e7c8dc8ad1da

    SHA1

    44489a88c42f895433b393fbff8dff446d1e4237

    SHA256

    d2698a4592dd6940780df8925899b78f587c0f53ccfac5602e7e4228ff300c6c

    SHA512

    0d0a7e11edf4dde24d5c8cd1f19c8c57ea6d651a810b779b19702bd8c13e63e5d00b43ec26bd174a31df993b045980f84f7d0121795d4df4b15cddc88c740294

    Download Submit

  • C:\Windows\SysWOW64\quspxfcwpdufy.exe
    Filesize

    512KB

    MD5

    fa31fac0027d4a1a2d00db73f9c9a865

    SHA1

    bd1be886329315d32a2b43e0d7db7e6fa2a2a425

    SHA256

    82f5c97aed0e80898ef615a1e9ed46b03b63f2f91d557331361d445c80e8c2b6

    SHA512

    97a65b3cf50b3af5944908f5974c10b885a176e0dbb22e5242d06fc4b67079ec3262ad08b6f0445e0dfa27180800be7ef0eaba857ceeacaa7461861f32342de5

    Download Submit

  • C:\Windows\SysWOW64\quspxfcwpdufy.exe
    Filesize

    512KB

    MD5

    fa31fac0027d4a1a2d00db73f9c9a865

    SHA1

    bd1be886329315d32a2b43e0d7db7e6fa2a2a425

    SHA256

    82f5c97aed0e80898ef615a1e9ed46b03b63f2f91d557331361d445c80e8c2b6

    SHA512

    97a65b3cf50b3af5944908f5974c10b885a176e0dbb22e5242d06fc4b67079ec3262ad08b6f0445e0dfa27180800be7ef0eaba857ceeacaa7461861f32342de5

    Download Submit

  • C:\Windows\SysWOW64\yrftnkojeyutowl.exe
    Filesize

    512KB

    MD5

    e17c10259c57d99296dadb84accf390f

    SHA1

    f1b8f69a7771ac025840feffb3a64fc1823671b9

    SHA256

    6f8bfaf49bd61245d336eb9eeb68288b089e49e59a34e415175df841dcc456ee

    SHA512

    923adf732deb39f5de037df56fdf95ed509d6b12c73c16a31caa68ce50e3585de104a9d676973c00937d3533690313e31f2bc5e5a6e7475862261b6150bef778

    Download Submit

  • C:\Windows\SysWOW64\yrftnkojeyutowl.exe
    Filesize

    512KB

    MD5

    e17c10259c57d99296dadb84accf390f

    SHA1

    f1b8f69a7771ac025840feffb3a64fc1823671b9

    SHA256

    6f8bfaf49bd61245d336eb9eeb68288b089e49e59a34e415175df841dcc456ee

    SHA512

    923adf732deb39f5de037df56fdf95ed509d6b12c73c16a31caa68ce50e3585de104a9d676973c00937d3533690313e31f2bc5e5a6e7475862261b6150bef778

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\efrrkpjb.exe
    Filesize

    512KB

    MD5

    4fb0ff4255bf4e177f58d03058dc8aa5

    SHA1

    82e513c34a282ec493dea809318562e6ab72739d

    SHA256

    4772c035bdd9e3757fbffda634cb6aa23eeb862b5dcdeee220f941b09109f11f

    SHA512

    4e1d76f6bc236a0e317b6ccfb9dd09a7cb3a83ca587b3307969b6bd9bf5b8fcf8e450ce313e440956efcb2a2491e12dcf2816e63ab1c1ae02d98f703d1d5ae6d

    Download Submit

  • \Windows\SysWOW64\efrrkpjb.exe
    Filesize

    512KB

    MD5

    4fb0ff4255bf4e177f58d03058dc8aa5

    SHA1

    82e513c34a282ec493dea809318562e6ab72739d

    SHA256

    4772c035bdd9e3757fbffda634cb6aa23eeb862b5dcdeee220f941b09109f11f

    SHA512

    4e1d76f6bc236a0e317b6ccfb9dd09a7cb3a83ca587b3307969b6bd9bf5b8fcf8e450ce313e440956efcb2a2491e12dcf2816e63ab1c1ae02d98f703d1d5ae6d

    Download Submit

  • \Windows\SysWOW64\ijgfflprpx.exe
    Filesize

    512KB

    MD5

    2c0a4d8afa13aad23729e7c8dc8ad1da

    SHA1

    44489a88c42f895433b393fbff8dff446d1e4237

    SHA256

    d2698a4592dd6940780df8925899b78f587c0f53ccfac5602e7e4228ff300c6c

    SHA512

    0d0a7e11edf4dde24d5c8cd1f19c8c57ea6d651a810b779b19702bd8c13e63e5d00b43ec26bd174a31df993b045980f84f7d0121795d4df4b15cddc88c740294

    Download Submit

  • \Windows\SysWOW64\quspxfcwpdufy.exe
    Filesize

    512KB

    MD5

    fa31fac0027d4a1a2d00db73f9c9a865

    SHA1

    bd1be886329315d32a2b43e0d7db7e6fa2a2a425

    SHA256

    82f5c97aed0e80898ef615a1e9ed46b03b63f2f91d557331361d445c80e8c2b6

    SHA512

    97a65b3cf50b3af5944908f5974c10b885a176e0dbb22e5242d06fc4b67079ec3262ad08b6f0445e0dfa27180800be7ef0eaba857ceeacaa7461861f32342de5

    Download Submit

  • \Windows\SysWOW64\yrftnkojeyutowl.exe
    Filesize

    512KB

    MD5

    e17c10259c57d99296dadb84accf390f

    SHA1

    f1b8f69a7771ac025840feffb3a64fc1823671b9

    SHA256

    6f8bfaf49bd61245d336eb9eeb68288b089e49e59a34e415175df841dcc456ee

    SHA512

    923adf732deb39f5de037df56fdf95ed509d6b12c73c16a31caa68ce50e3585de104a9d676973c00937d3533690313e31f2bc5e5a6e7475862261b6150bef778

    Download Submit

  • memory/824-94-0x0000000002C30000-0x0000000002C40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/824-92-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1048-55-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1792-86-0x00000000729D1000-0x00000000729D4000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1792-87-0x0000000070451000-0x0000000070453000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1792-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1792-91-0x000000007143D000-0x0000000071448000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1792-93-0x000000007143D000-0x0000000071448000-memory.dmp

    Filesize

    44KB

    Download