Overview

overview

10

Static

static

8

b2046a5021...ac.exe

windows7-x64

10

b2046a5021...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    189s
  • max time network
    199s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2046a50217f1abc5559204d47791c7137637371230737be4340dd9e470835ac.exe

  • Size

    255KB

  • MD5

    6a904955e5d93b6249e15884922aed13

  • SHA1

    7d34143401e1f7ab5d90a7859a59f9c2e16aaa57

  • SHA256

    b2046a50217f1abc5559204d47791c7137637371230737be4340dd9e470835ac

  • SHA512

    526926da856da97ee14d6362fb5658708e76dc5688eae14ad4c29fbe38383dd53dad46ce5796b5be2fe8251b8b9d64dccdc679d3dba3730badfc283b9cc97c83

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2046a50217f1abc5559204d47791c7137637371230737be4340dd9e470835ac.exe
    "C:\Users\Admin\AppData\Local\Temp\b2046a50217f1abc5559204d47791c7137637371230737be4340dd9e470835ac.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\SysWOW64\ghibehrqty.exe
      ghibehrqty.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\SysWOW64\lilwzxyy.exe
        C:\Windows\system32\lilwzxyy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4408
    • C:\Windows\SysWOW64\hdndzyoqixrtjef.exe
      hdndzyoqixrtjef.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4472
    • C:\Windows\SysWOW64\lilwzxyy.exe
      lilwzxyy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1044
    • C:\Windows\SysWOW64\lmugoautznmam.exe
      lmugoautznmam.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4452
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    e616dd373c94dca2867752c0cfdc4b35

    SHA1

    7e4384fa27273a3f5ecf516e9216c47b18da6d39

    SHA256

    e73a61ce00e6093a61afa3848bfd980de17a1950e97956d8eec8187ed8ce0f92

    SHA512

    8c86674bb59054b4c5875459a695c955d2aec421883efbc38bfcf8f38d6f51b23e0076297ac8a4ed7de173a3b31b37bc73ec605df41a1d7b0f2db5de01c67bd9

    Download Submit

  • C:\Windows\SysWOW64\ghibehrqty.exe
    Filesize

    255KB

    MD5

    1d976815d5fe88dfbb3f5baaf11926de

    SHA1

    c4ecaa1e603bb356e2cde3bf62b7dda89d63e522

    SHA256

    52af0bde7d7b6fbb3ac8dc37feddad580ae2de98517e312824343107d5de752c

    SHA512

    48487db9141890128d3ec25df36a52e5f9d1970fba67872f1204f91d9b776d2e6f7d665686d956b552d3cc2ddfd8b9a02b9e0c4a9637fe86e247977b90e32f69

    Download Submit

  • C:\Windows\SysWOW64\ghibehrqty.exe
    Filesize

    255KB

    MD5

    1d976815d5fe88dfbb3f5baaf11926de

    SHA1

    c4ecaa1e603bb356e2cde3bf62b7dda89d63e522

    SHA256

    52af0bde7d7b6fbb3ac8dc37feddad580ae2de98517e312824343107d5de752c

    SHA512

    48487db9141890128d3ec25df36a52e5f9d1970fba67872f1204f91d9b776d2e6f7d665686d956b552d3cc2ddfd8b9a02b9e0c4a9637fe86e247977b90e32f69

    Download Submit

  • C:\Windows\SysWOW64\hdndzyoqixrtjef.exe
    Filesize

    255KB

    MD5

    d4d9217d89477f0994ff547914018aae

    SHA1

    e27e81447d6299ec17cb67ad383513045b3d5ccd

    SHA256

    66746a7e58cb7606ac6df7f75ab49e9f531f37a2e158e74d6180ac9989ebbc54

    SHA512

    5860625c5ff717c2d4cc6a5901f43b2d822ab19e9ea27e9e45e50ffabaf2aad909cb537991c7a18d3eb848531dfe1def783befe7c46295efc612afdc69bac0e8

    Download Submit

  • C:\Windows\SysWOW64\hdndzyoqixrtjef.exe
    Filesize

    255KB

    MD5

    d4d9217d89477f0994ff547914018aae

    SHA1

    e27e81447d6299ec17cb67ad383513045b3d5ccd

    SHA256

    66746a7e58cb7606ac6df7f75ab49e9f531f37a2e158e74d6180ac9989ebbc54

    SHA512

    5860625c5ff717c2d4cc6a5901f43b2d822ab19e9ea27e9e45e50ffabaf2aad909cb537991c7a18d3eb848531dfe1def783befe7c46295efc612afdc69bac0e8

    Download Submit

  • C:\Windows\SysWOW64\lilwzxyy.exe
    Filesize

    255KB

    MD5

    5a41d3b6964fc8355d8cff8d6aaf8a97

    SHA1

    331f2f0628f9f97ed305c2e0d78faf9745e224d5

    SHA256

    de6a9f390b817fda3b699786c2e7188da2c2517173d2dd8f3fe705af43098c37

    SHA512

    6d07007f2e2346780a3cb5b34ef49a8764f444f6fb9e601fbc1d3434019dd9dd02ab0676b09da2760bb3e8298ac5a3a130cacbde6f5b0683df59cfc22333a9f7

    Download Submit

  • C:\Windows\SysWOW64\lilwzxyy.exe
    Filesize

    255KB

    MD5

    5a41d3b6964fc8355d8cff8d6aaf8a97

    SHA1

    331f2f0628f9f97ed305c2e0d78faf9745e224d5

    SHA256

    de6a9f390b817fda3b699786c2e7188da2c2517173d2dd8f3fe705af43098c37

    SHA512

    6d07007f2e2346780a3cb5b34ef49a8764f444f6fb9e601fbc1d3434019dd9dd02ab0676b09da2760bb3e8298ac5a3a130cacbde6f5b0683df59cfc22333a9f7

    Download Submit

  • C:\Windows\SysWOW64\lilwzxyy.exe
    Filesize

    255KB

    MD5

    5a41d3b6964fc8355d8cff8d6aaf8a97

    SHA1

    331f2f0628f9f97ed305c2e0d78faf9745e224d5

    SHA256

    de6a9f390b817fda3b699786c2e7188da2c2517173d2dd8f3fe705af43098c37

    SHA512

    6d07007f2e2346780a3cb5b34ef49a8764f444f6fb9e601fbc1d3434019dd9dd02ab0676b09da2760bb3e8298ac5a3a130cacbde6f5b0683df59cfc22333a9f7

    Download Submit

  • C:\Windows\SysWOW64\lmugoautznmam.exe
    Filesize

    255KB

    MD5

    3b8fbcae0a56337b6e3dab9099419dea

    SHA1

    7bced4b155c42f6470e815aae79f44c1681713a9

    SHA256

    298e5d74fc1e820f40bf01fc9b26ed1acdb9d532a1d9375d9c8edf742a526c41

    SHA512

    b29c7a77cf541b785b66c008172654d269485743682e423503229012535b188e06f54e911bac0878a6130c3e4e2502499390e18df583fb5040e80a8f0a1e03b6

    Download Submit

  • C:\Windows\SysWOW64\lmugoautznmam.exe
    Filesize

    255KB

    MD5

    3b8fbcae0a56337b6e3dab9099419dea

    SHA1

    7bced4b155c42f6470e815aae79f44c1681713a9

    SHA256

    298e5d74fc1e820f40bf01fc9b26ed1acdb9d532a1d9375d9c8edf742a526c41

    SHA512

    b29c7a77cf541b785b66c008172654d269485743682e423503229012535b188e06f54e911bac0878a6130c3e4e2502499390e18df583fb5040e80a8f0a1e03b6

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    e616dd373c94dca2867752c0cfdc4b35

    SHA1

    7e4384fa27273a3f5ecf516e9216c47b18da6d39

    SHA256

    e73a61ce00e6093a61afa3848bfd980de17a1950e97956d8eec8187ed8ce0f92

    SHA512

    8c86674bb59054b4c5875459a695c955d2aec421883efbc38bfcf8f38d6f51b23e0076297ac8a4ed7de173a3b31b37bc73ec605df41a1d7b0f2db5de01c67bd9

    Download Submit

  • memory/1044-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1044-139-0x0000000000000000-mapping.dmp

    Download

  • memory/1044-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2156-164-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2156-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2156-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4408-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4408-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4408-148-0x0000000000000000-mapping.dmp

    Download

  • memory/4452-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4452-142-0x0000000000000000-mapping.dmp

    Download

  • memory/4452-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4472-136-0x0000000000000000-mapping.dmp

    Download

  • memory/4472-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4472-149-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4612-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4612-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4692-158-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-162-0x00007FFB01E50000-0x00007FFB01E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-161-0x00007FFB01E50000-0x00007FFB01E60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-145-0x0000000000000000-mapping.dmp

    Download

  • memory/4692-154-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-157-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-156-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-155-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-170-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-172-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-173-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4692-171-0x00007FFB04130000-0x00007FFB04140000-memory.dmp

    Filesize

    64KB

    Download