Overview

overview

10

Static

static

8

b62374321c...1b.exe

windows7-x64

10

b62374321c...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b62374321cbc31b0989ff0cebcaef98aab301e90326e856e0d744fd26dcd8e1b.exe

  • Size

    255KB

  • MD5

    855fa2fe0d782cbd256466662a9dc7a1

  • SHA1

    7ca032553c54862e9db8bbb0d632c32254e61802

  • SHA256

    b62374321cbc31b0989ff0cebcaef98aab301e90326e856e0d744fd26dcd8e1b

  • SHA512

    731d79d9099d0a675198fa9e11da1e538dd17581a89caf833ea92711bb66ffb0b337bdfced5d449471f7f8f20ac0bbba72d050f3f778d05d767e524b7cfa5a58

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJn:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIG

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 40 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b62374321cbc31b0989ff0cebcaef98aab301e90326e856e0d744fd26dcd8e1b.exe
    "C:\Users\Admin\AppData\Local\Temp\b62374321cbc31b0989ff0cebcaef98aab301e90326e856e0d744fd26dcd8e1b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\gajdqzcrpa.exe
      gajdqzcrpa.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\SysWOW64\osroeyun.exe
        C:\Windows\system32\osroeyun.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1080
    • C:\Windows\SysWOW64\hkchscdmxhiynda.exe
      hkchscdmxhiynda.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2044
    • C:\Windows\SysWOW64\osroeyun.exe
      osroeyun.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1916
    • C:\Windows\SysWOW64\jnreuhgpwkjgf.exe
      jnreuhgpwkjgf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1828
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1744
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1356
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    4f81da58c5e323bd2a03c64ed29ec3ab

    SHA1

    7e4ad8c523c2c5031eecb37f51ac1bf96ef85c05

    SHA256

    f51658f72bc717fb849a81cd6bb0cc33c119c68a112b9d120c83446714c1e604

    SHA512

    76e60022350c6d83e458fbab5e055857b36eccc37c2426d732384c9f815481789e2ae74009e858a9723d27740772c5825d48d09e285e7c8b5d499dbb07f2c378

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    176b6b65a2af02fdbf599bf275580e89

    SHA1

    c6ce4217100d8ebb2ee0df661a1769e7e09f11d2

    SHA256

    d011fe65be2f81fde9d0d11254c552b9b42ccbbdde013fe97a1dbba494f2f8ff

    SHA512

    d71f49049ec218f157dbebc685bdb49c7034aad6cec6574150146400ccb7634c39a56f183bd302523b506a08d4151218e57a29ecc77e52c82e622e6dec798577

    Download Submit

  • C:\Users\Admin\Documents\MountSearch.doc.exe
    Filesize

    255KB

    MD5

    03cc5492fa9a39fe90c63fd706ac91df

    SHA1

    9c7c27f6b3f5b585fe234c538acbb1d868bd05c4

    SHA256

    663f6cf54c36c50607779dc0bbfd25c59aa5d33b2be1aa3d212d3b1fff6c20cd

    SHA512

    620776b88619cf69ca6a26a08af52c2a542597363f9a7e0ad1efd89d2e4405fca12198561575daf8efd05f3443a55c22c97c15871ac61b8ce96639877ad91129

    Download Submit

  • C:\Windows\SysWOW64\gajdqzcrpa.exe
    Filesize

    255KB

    MD5

    289e4fc5b480fb6e2ca782ad49808254

    SHA1

    8a1258d4f25ceedce5f01fc4c7a624658c21bf69

    SHA256

    de6ac6c7c883eeb5155d260c216fe9df6ef8133b660813e3635649da36c2c5fb

    SHA512

    6530ccf9d6c96847de41b7adf3cae1929959ce433ecd26d124d84dc2ad9bceb0f3924f2ab8e55b1287c86e3be023938411e9d94f5159a12e9fec50f435509bbf

    Download Submit

  • C:\Windows\SysWOW64\gajdqzcrpa.exe
    Filesize

    255KB

    MD5

    289e4fc5b480fb6e2ca782ad49808254

    SHA1

    8a1258d4f25ceedce5f01fc4c7a624658c21bf69

    SHA256

    de6ac6c7c883eeb5155d260c216fe9df6ef8133b660813e3635649da36c2c5fb

    SHA512

    6530ccf9d6c96847de41b7adf3cae1929959ce433ecd26d124d84dc2ad9bceb0f3924f2ab8e55b1287c86e3be023938411e9d94f5159a12e9fec50f435509bbf

    Download Submit

  • C:\Windows\SysWOW64\hkchscdmxhiynda.exe
    Filesize

    255KB

    MD5

    c482e7f7f9a7c6d3a043f7bdbaf4c33a

    SHA1

    4f32649a33b22bcf9559dfadffacb383636d939a

    SHA256

    5571973193a3315dadbbdedff1876e1f4f620be32a09b4756d9436cb8b1331e5

    SHA512

    09dd8997d5d4ac546fb89901de1579aec518cc09e7b699fe10e65d6dcf30b3bda969986a6ed9a047b39892abdf7858cc5668505f15d767bdb7328084c62491e8

    Download Submit

  • C:\Windows\SysWOW64\hkchscdmxhiynda.exe
    Filesize

    255KB

    MD5

    c482e7f7f9a7c6d3a043f7bdbaf4c33a

    SHA1

    4f32649a33b22bcf9559dfadffacb383636d939a

    SHA256

    5571973193a3315dadbbdedff1876e1f4f620be32a09b4756d9436cb8b1331e5

    SHA512

    09dd8997d5d4ac546fb89901de1579aec518cc09e7b699fe10e65d6dcf30b3bda969986a6ed9a047b39892abdf7858cc5668505f15d767bdb7328084c62491e8

    Download Submit

  • C:\Windows\SysWOW64\jnreuhgpwkjgf.exe
    Filesize

    255KB

    MD5

    f55597fe141dcba79af049977fbaba75

    SHA1

    0223641849104e77eb97ff228b098d1c6e7076a7

    SHA256

    6eac58d1204f9069fe78bb756b249af221113151d1c23a3d9fb761bafee76e2d

    SHA512

    7332abfc5864623aa3097f905dca9ecc60a0362d06f04eb7e72b40f9606ca609c9ff60bd60262c1e83edb7a65408270b15aeda5250d23bf9ef2942193bccf2b6

    Download Submit

  • C:\Windows\SysWOW64\jnreuhgpwkjgf.exe
    Filesize

    255KB

    MD5

    f55597fe141dcba79af049977fbaba75

    SHA1

    0223641849104e77eb97ff228b098d1c6e7076a7

    SHA256

    6eac58d1204f9069fe78bb756b249af221113151d1c23a3d9fb761bafee76e2d

    SHA512

    7332abfc5864623aa3097f905dca9ecc60a0362d06f04eb7e72b40f9606ca609c9ff60bd60262c1e83edb7a65408270b15aeda5250d23bf9ef2942193bccf2b6

    Download Submit

  • C:\Windows\SysWOW64\osroeyun.exe
    Filesize

    255KB

    MD5

    56b27b4c6869496d19eaafc8dc65484f

    SHA1

    c69d14ab52ae2665e56a43f2d89b0448203e709b

    SHA256

    c23afcc5b9845f878662f27727c22ed4faf44f5d8c87b3f0f69661129b9860f3

    SHA512

    9351e954e83a35ab3553a94f8390c1b7052a7e62a04cb54a2580bf61aa957b838f4b513ecf153c19ab9ce501d06cd721b6a3fa8940fd60d12ff1add6245aea11

    Download Submit

  • C:\Windows\SysWOW64\osroeyun.exe
    Filesize

    255KB

    MD5

    56b27b4c6869496d19eaafc8dc65484f

    SHA1

    c69d14ab52ae2665e56a43f2d89b0448203e709b

    SHA256

    c23afcc5b9845f878662f27727c22ed4faf44f5d8c87b3f0f69661129b9860f3

    SHA512

    9351e954e83a35ab3553a94f8390c1b7052a7e62a04cb54a2580bf61aa957b838f4b513ecf153c19ab9ce501d06cd721b6a3fa8940fd60d12ff1add6245aea11

    Download Submit

  • C:\Windows\SysWOW64\osroeyun.exe
    Filesize

    255KB

    MD5

    56b27b4c6869496d19eaafc8dc65484f

    SHA1

    c69d14ab52ae2665e56a43f2d89b0448203e709b

    SHA256

    c23afcc5b9845f878662f27727c22ed4faf44f5d8c87b3f0f69661129b9860f3

    SHA512

    9351e954e83a35ab3553a94f8390c1b7052a7e62a04cb54a2580bf61aa957b838f4b513ecf153c19ab9ce501d06cd721b6a3fa8940fd60d12ff1add6245aea11

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\gajdqzcrpa.exe
    Filesize

    255KB

    MD5

    289e4fc5b480fb6e2ca782ad49808254

    SHA1

    8a1258d4f25ceedce5f01fc4c7a624658c21bf69

    SHA256

    de6ac6c7c883eeb5155d260c216fe9df6ef8133b660813e3635649da36c2c5fb

    SHA512

    6530ccf9d6c96847de41b7adf3cae1929959ce433ecd26d124d84dc2ad9bceb0f3924f2ab8e55b1287c86e3be023938411e9d94f5159a12e9fec50f435509bbf

    Download Submit

  • \Windows\SysWOW64\hkchscdmxhiynda.exe
    Filesize

    255KB

    MD5

    c482e7f7f9a7c6d3a043f7bdbaf4c33a

    SHA1

    4f32649a33b22bcf9559dfadffacb383636d939a

    SHA256

    5571973193a3315dadbbdedff1876e1f4f620be32a09b4756d9436cb8b1331e5

    SHA512

    09dd8997d5d4ac546fb89901de1579aec518cc09e7b699fe10e65d6dcf30b3bda969986a6ed9a047b39892abdf7858cc5668505f15d767bdb7328084c62491e8

    Download Submit

  • \Windows\SysWOW64\jnreuhgpwkjgf.exe
    Filesize

    255KB

    MD5

    f55597fe141dcba79af049977fbaba75

    SHA1

    0223641849104e77eb97ff228b098d1c6e7076a7

    SHA256

    6eac58d1204f9069fe78bb756b249af221113151d1c23a3d9fb761bafee76e2d

    SHA512

    7332abfc5864623aa3097f905dca9ecc60a0362d06f04eb7e72b40f9606ca609c9ff60bd60262c1e83edb7a65408270b15aeda5250d23bf9ef2942193bccf2b6

    Download Submit

  • \Windows\SysWOW64\osroeyun.exe
    Filesize

    255KB

    MD5

    56b27b4c6869496d19eaafc8dc65484f

    SHA1

    c69d14ab52ae2665e56a43f2d89b0448203e709b

    SHA256

    c23afcc5b9845f878662f27727c22ed4faf44f5d8c87b3f0f69661129b9860f3

    SHA512

    9351e954e83a35ab3553a94f8390c1b7052a7e62a04cb54a2580bf61aa957b838f4b513ecf153c19ab9ce501d06cd721b6a3fa8940fd60d12ff1add6245aea11

    Download Submit

  • \Windows\SysWOW64\osroeyun.exe
    Filesize

    255KB

    MD5

    56b27b4c6869496d19eaafc8dc65484f

    SHA1

    c69d14ab52ae2665e56a43f2d89b0448203e709b

    SHA256

    c23afcc5b9845f878662f27727c22ed4faf44f5d8c87b3f0f69661129b9860f3

    SHA512

    9351e954e83a35ab3553a94f8390c1b7052a7e62a04cb54a2580bf61aa957b838f4b513ecf153c19ab9ce501d06cd721b6a3fa8940fd60d12ff1add6245aea11

    Download Submit

  • memory/868-69-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/868-85-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/868-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

    Download

  • memory/868-70-0x0000000003320000-0x00000000033C0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1080-101-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1080-81-0x0000000000000000-mapping.dmp

    Download

  • memory/1080-90-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1356-95-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1744-84-0x0000000000000000-mapping.dmp

    Download

  • memory/1744-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1744-87-0x000000006FC21000-0x000000006FC23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1744-102-0x0000000070C0D000-0x0000000070C18000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1744-86-0x00000000721A1000-0x00000000721A4000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1744-94-0x0000000070C0D000-0x0000000070C18000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1828-99-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1828-73-0x0000000000000000-mapping.dmp

    Download

  • memory/1828-88-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1900-89-0x0000000003840000-0x00000000038E0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1900-97-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1900-74-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1900-100-0x0000000003840000-0x00000000038E0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1900-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1916-96-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1916-76-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1916-65-0x0000000000000000-mapping.dmp

    Download

  • memory/2044-98-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2044-75-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2044-60-0x0000000000000000-mapping.dmp

    Download