Analysis
-
max time kernel
190s -
max time network
193s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 21:00
General
-
Target
f0dce4e70883b0a8d109311526c099a4148dd0fe973c717d77c649a75727e1bd.exe
-
Size
255KB
-
MD5
e862d78540d17a6f4b37197ad349c6b1
-
SHA1
afda1a1cc10690e31e41b4e76e146d9d3f2cb0cf
-
SHA256
f0dce4e70883b0a8d109311526c099a4148dd0fe973c717d77c649a75727e1bd
-
SHA512
e871d6fb821d23c9af4db00b8b519f742d36901e30bee3e56db2fd599a2f03f0c61ea0eb2fd4228b708fc743bca5892b1b55813b3ac352807651890fbd251427
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJo:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIV
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0dce4e70883b0a8d109311526c099a4148dd0fe973c717d77c649a75727e1bd.exe"C:\Users\Admin\AppData\Local\Temp\f0dce4e70883b0a8d109311526c099a4148dd0fe973c717d77c649a75727e1bd.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\gkdgucnrli.exegkdgucnrli.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vhliplto.exeC:\Windows\system32\vhliplto.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\dkyvfdofxbouqkj.exedkyvfdofxbouqkj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vhliplto.exevhliplto.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\xrikidhjkorba.exexrikidhjkorba.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD56bee31f2a243344199bcd51427c42cc9
SHA14951d3df339e02ba61873c82d42c62332009c6cc
SHA2566385a5b87720dc1aecb6c689dfdf9a0c9f1ac390fb51af033bbbb36363460812
SHA512b48bedf9e19acd1e03aee9ada1923610b32f85a5deef910ab6ee3eaee0a6066a414a24d0f3336afd844ee3d2fcbb04c7c5c3078352867ebfd4a0cca1bc2be7a7
-
Filesize
255KB
MD5409b0012f091a60af15a75cc79080d80
SHA1d59df0e2b33a564885c04bf51018f246714a83fe
SHA25676176214b1e1ec0cf9409f4c0f076ecdebbde4dd10e256fd737e303247d53e0c
SHA5122ca2dcd6adcf59c9aa292dbcc34f6236aaf639ff89236765d6c746ee395de126bf72aed2e38dabfe5953ed8f4acd869f0e8b8446e781dd84cd772beab03fb8f4
-
Filesize
255KB
MD55a777f15f15a6ff4d8e1a2f5cc111c34
SHA1fbf843f8a95c192c0b53ee771d969e8c18141a18
SHA256c695a80c2ab8ab86b550ed69bebb9f3de62036571aa32a70e030fa5c5cce95a2
SHA512ab5c5ba576701fbc5df6342c0103163371f364023026c8cbe5b9bea6799ce3933cf9975022b1f58d7eb747ccc29dacbf8093f24951390bf246c1d86d9066e6a3
-
Filesize
255KB
MD54e7bf3ab05f2cfae0f54f08be7e91c56
SHA1de8110218baa549ea79465522c106559a3117a19
SHA256629dc5158e751f91bf7e29ee85dca8127257e6589bcfe3118a279b274675d89e
SHA51249c187dca064819de0e5b17abc6ea61caa51f1d72e8616f18661211f718ffe48f78e6ae47751bf779ff61facf4cc877ee7f6ed85a11f68c2e37b9dd79d856a14
-
Filesize
255KB
MD54e7bf3ab05f2cfae0f54f08be7e91c56
SHA1de8110218baa549ea79465522c106559a3117a19
SHA256629dc5158e751f91bf7e29ee85dca8127257e6589bcfe3118a279b274675d89e
SHA51249c187dca064819de0e5b17abc6ea61caa51f1d72e8616f18661211f718ffe48f78e6ae47751bf779ff61facf4cc877ee7f6ed85a11f68c2e37b9dd79d856a14
-
Filesize
255KB
MD53aeca3ee7011d8fbec87a66deae69c12
SHA1acbf11175c6dac1a61c1a6034af96f9a69ebfb4c
SHA2565b5c11a8ae77a4e756c3812f13b7a13097dfe2499f672e2976f9bb31dd148813
SHA5124a46b60b011ca072be1a0f1d7d80a81c332315bb37113ee730c1b98092817505bb99518f5aaabe066957b3ce1bd0a0628f4e1ca0bec952c64dd544936a44ba71
-
Filesize
255KB
MD53aeca3ee7011d8fbec87a66deae69c12
SHA1acbf11175c6dac1a61c1a6034af96f9a69ebfb4c
SHA2565b5c11a8ae77a4e756c3812f13b7a13097dfe2499f672e2976f9bb31dd148813
SHA5124a46b60b011ca072be1a0f1d7d80a81c332315bb37113ee730c1b98092817505bb99518f5aaabe066957b3ce1bd0a0628f4e1ca0bec952c64dd544936a44ba71
-
Filesize
255KB
MD556a956ab00d7d45f1e9ac54c8ff63fb8
SHA1c7d548814ebf8142083e6486fb68ae7ede6f805e
SHA2560c59c68e4219caf6a4709afbba5a253ebd6ba36fa3f6952917c556f3b51f8f14
SHA51242f7535d44c902749f56c1be6058d0507e3c61aba7792db3882706604bfc5fac321313c0398285c64891a7a30f91c8401078db5bf0f72362a5120cc8d8340cad
-
Filesize
255KB
MD556a956ab00d7d45f1e9ac54c8ff63fb8
SHA1c7d548814ebf8142083e6486fb68ae7ede6f805e
SHA2560c59c68e4219caf6a4709afbba5a253ebd6ba36fa3f6952917c556f3b51f8f14
SHA51242f7535d44c902749f56c1be6058d0507e3c61aba7792db3882706604bfc5fac321313c0398285c64891a7a30f91c8401078db5bf0f72362a5120cc8d8340cad
-
Filesize
255KB
MD556a956ab00d7d45f1e9ac54c8ff63fb8
SHA1c7d548814ebf8142083e6486fb68ae7ede6f805e
SHA2560c59c68e4219caf6a4709afbba5a253ebd6ba36fa3f6952917c556f3b51f8f14
SHA51242f7535d44c902749f56c1be6058d0507e3c61aba7792db3882706604bfc5fac321313c0398285c64891a7a30f91c8401078db5bf0f72362a5120cc8d8340cad
-
Filesize
255KB
MD5603e08cac8a05cc30803711b2cb4ed6d
SHA11a34e4754af52806c4f01174055ccd0546ef096a
SHA256261b0faa3fceb671543c012c9559334f7de5092b630425bce9d569d25ec771f3
SHA512ab76973ea20c5315b6a02627eace91b6764c316839aa5449e767b27b94c4c3b7c54d880f2c75422bef761f2e78d7f4078f8739119ce1a919634db3343ed6dc7d
-
Filesize
255KB
MD5603e08cac8a05cc30803711b2cb4ed6d
SHA11a34e4754af52806c4f01174055ccd0546ef096a
SHA256261b0faa3fceb671543c012c9559334f7de5092b630425bce9d569d25ec771f3
SHA512ab76973ea20c5315b6a02627eace91b6764c316839aa5449e767b27b94c4c3b7c54d880f2c75422bef761f2e78d7f4078f8739119ce1a919634db3343ed6dc7d
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD5a49370d84702000a810672c910072488
SHA166d2174d8fb494ed6102294d70fd7ca669df7a64
SHA256f3014c18ef4c3578e5ea884353604ffdcfd030664580c0b03d879b127f00800e
SHA512b0957ee2e97e030f4ecb3edb801fd79af5c8581ba0a26c5b798b80300bdec57a4947498ce519cd3eb9fc415056365c4cdd2ca992e2ed597f199b810cdb5774fd
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
-
Filesize
640KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-