Overview

overview

10

Static

static

8

e547ef098e...ad.exe

windows7-x64

10

e547ef098e...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2022, 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e547ef098e13e08f460bec2084d52ecdf917c09335b127230e8d3d46d8de7aad.exe

  • Size

    255KB

  • MD5

    66325741c41537be5dea5191258de684

  • SHA1

    411fc09f90a75a8e8707fd611659a34b75e8572b

  • SHA256

    e547ef098e13e08f460bec2084d52ecdf917c09335b127230e8d3d46d8de7aad

  • SHA512

    a3c276afc37361bd40fa39327647c292281feb4d62b87bf8a47ac3da5730475238588a855128e9d3880e16599883705f94776b85ceeff052814dd82142eaee17

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ3:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIE

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 56 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e547ef098e13e08f460bec2084d52ecdf917c09335b127230e8d3d46d8de7aad.exe
    "C:\Users\Admin\AppData\Local\Temp\e547ef098e13e08f460bec2084d52ecdf917c09335b127230e8d3d46d8de7aad.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\bpbcddzwql.exe
      bpbcddzwql.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\smgrrqjr.exe
        C:\Windows\system32\smgrrqjr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:984
    • C:\Windows\SysWOW64\vpoggymtuwpxnkr.exe
      vpoggymtuwpxnkr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:552
    • C:\Windows\SysWOW64\smgrrqjr.exe
      smgrrqjr.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1148
    • C:\Windows\SysWOW64\dlufvofwninmc.exe
      dlufvofwninmc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:872
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:676
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1216
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5a8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    a75256733f1838ac6311a9224aba6044

    SHA1

    b17fd85b9adea78063c562fb384e21e0ee0543cf

    SHA256

    5783e882fdd7681055d9935af317fd079a2b4de4c609dd16eff4b03cb20dc714

    SHA512

    2a9f94fcd6999b865fe796abd4300cadc6c6f9cfd502194499e2e984760704dfcec7a8bf6845512eef96a8b5ec76b0020337ee46a52308b19790c7b338476c58

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    6581f361d1df31857177c4160c05ee33

    SHA1

    1fd76b42079e28c635664feadeaf11b9310e39e3

    SHA256

    05f63c15024c0fda353ed1517878ee4b467822cbbc13abfea70b14cd27c50632

    SHA512

    8d649af63d2a0aecb2f9fbbd7f6219970757a5fa7c3c8e20161eef064abd32bc3a9ae3397fd24de4fcb3cc6ab90308e7a5e8bc0ded456033412c8396ef8b7e57

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OpenStart.doc.exe
    Filesize

    255KB

    MD5

    92314016e079020a3928d58041019125

    SHA1

    c5d5b68315c0e6e41b9e804ccfa55367124b92bc

    SHA256

    daf0373ef093fd1367dbea6cf06abdf76d06e227368709aace7609f8879e7f4c

    SHA512

    e798b77c1eed3518ab20a36e3ccdfb22de944a91ea878f25d57a428f72172a950f3d0e7b92820e85a187ad0046028cb107ea0d8bb6b13ad10a4838208bef94af

    Download Submit

  • C:\Users\Admin\Downloads\JoinExport.doc.exe
    Filesize

    255KB

    MD5

    d930a18521eba4f5ff5a3048b4a9e429

    SHA1

    af368af58efc1bb2c2a1b5fb94c734a696d2e680

    SHA256

    e5ab010ef126c978f64f301d931dea14d163ce8a300b758825e2c2377e9b6440

    SHA512

    f2b6afca5d9ba013b67320efb2554aa5a0afbe9e30adae1f798e6c9b3fb1a96a26492d69af91381b3a59052f77948474bc1603ec139db9d06d62337131f33eb2

    Download Submit

  • C:\Windows\SysWOW64\bpbcddzwql.exe
    Filesize

    255KB

    MD5

    85f2cf92422a591fd137b32c5dfc325e

    SHA1

    7a37489419edfeefd70411d19c94dd50b6cd9501

    SHA256

    763baae2a4f5768511f93109899f04b74530c4b7748b3fb1f9cc6e5b42a36932

    SHA512

    640e5ca27ebf942773bebf90bcc16338db9f092272d3a16926e82a8dd1885c37328d4408204c3eed7c4e84a6effe508637255a41e08fa0583d06c04cca993e06

    Download Submit

  • C:\Windows\SysWOW64\bpbcddzwql.exe
    Filesize

    255KB

    MD5

    85f2cf92422a591fd137b32c5dfc325e

    SHA1

    7a37489419edfeefd70411d19c94dd50b6cd9501

    SHA256

    763baae2a4f5768511f93109899f04b74530c4b7748b3fb1f9cc6e5b42a36932

    SHA512

    640e5ca27ebf942773bebf90bcc16338db9f092272d3a16926e82a8dd1885c37328d4408204c3eed7c4e84a6effe508637255a41e08fa0583d06c04cca993e06

    Download Submit

  • C:\Windows\SysWOW64\dlufvofwninmc.exe
    Filesize

    255KB

    MD5

    81cd5ac9d8ad3c7349b426d60cea4d7b

    SHA1

    1de958132f1901abbc014192082beb0943258207

    SHA256

    5176bf5c162483150f0895dbc92cbb97369b5310f8e763544a0804a1d6989db9

    SHA512

    e5aff5f8a024afd2739fa92d9579a8df1aabce178f8243c1040311c2cee178a2fc8024d22c0a55f20906b50a67b65e516faa0f00fe43980d2572e5b9ed271a85

    Download Submit

  • C:\Windows\SysWOW64\dlufvofwninmc.exe
    Filesize

    255KB

    MD5

    81cd5ac9d8ad3c7349b426d60cea4d7b

    SHA1

    1de958132f1901abbc014192082beb0943258207

    SHA256

    5176bf5c162483150f0895dbc92cbb97369b5310f8e763544a0804a1d6989db9

    SHA512

    e5aff5f8a024afd2739fa92d9579a8df1aabce178f8243c1040311c2cee178a2fc8024d22c0a55f20906b50a67b65e516faa0f00fe43980d2572e5b9ed271a85

    Download Submit

  • C:\Windows\SysWOW64\smgrrqjr.exe
    Filesize

    255KB

    MD5

    3ea660013035673fe8f3ffb1547ced2e

    SHA1

    92c426b25c00139017d7b3b43eaf3e085077fe75

    SHA256

    b82cf25b5c117e30d1ee4a4af002ce4ee8940a9947f7838ed17d098f49254810

    SHA512

    6d3000ef6b1f901c50ac99b3224d236cbda0b31553aafaa1cff7ee3afc6c3d469dd9713966adb70e94132b5dfc9b0507f96f65409f0945b11dd2ab928f028e78

    Download Submit

  • C:\Windows\SysWOW64\smgrrqjr.exe
    Filesize

    255KB

    MD5

    3ea660013035673fe8f3ffb1547ced2e

    SHA1

    92c426b25c00139017d7b3b43eaf3e085077fe75

    SHA256

    b82cf25b5c117e30d1ee4a4af002ce4ee8940a9947f7838ed17d098f49254810

    SHA512

    6d3000ef6b1f901c50ac99b3224d236cbda0b31553aafaa1cff7ee3afc6c3d469dd9713966adb70e94132b5dfc9b0507f96f65409f0945b11dd2ab928f028e78

    Download Submit

  • C:\Windows\SysWOW64\smgrrqjr.exe
    Filesize

    255KB

    MD5

    3ea660013035673fe8f3ffb1547ced2e

    SHA1

    92c426b25c00139017d7b3b43eaf3e085077fe75

    SHA256

    b82cf25b5c117e30d1ee4a4af002ce4ee8940a9947f7838ed17d098f49254810

    SHA512

    6d3000ef6b1f901c50ac99b3224d236cbda0b31553aafaa1cff7ee3afc6c3d469dd9713966adb70e94132b5dfc9b0507f96f65409f0945b11dd2ab928f028e78

    Download Submit

  • C:\Windows\SysWOW64\vpoggymtuwpxnkr.exe
    Filesize

    255KB

    MD5

    d3933334523358ec90e9e82ce019b178

    SHA1

    e40899650a16999a677a37b1bb794913196cf3bb

    SHA256

    48cf971c7846f360dfd7eee3676a553776d178b1cb0f1860f4964b888844d2c9

    SHA512

    9147dc251e45fbf0e3dcd379b040232c32155b2f98902eb59faeb4f54acea6b9cfbe8fc2811215fb6fbcfcc7218fb4a33750579edb5f092d99f643dd6d04bd0e

    Download Submit

  • C:\Windows\SysWOW64\vpoggymtuwpxnkr.exe
    Filesize

    255KB

    MD5

    d3933334523358ec90e9e82ce019b178

    SHA1

    e40899650a16999a677a37b1bb794913196cf3bb

    SHA256

    48cf971c7846f360dfd7eee3676a553776d178b1cb0f1860f4964b888844d2c9

    SHA512

    9147dc251e45fbf0e3dcd379b040232c32155b2f98902eb59faeb4f54acea6b9cfbe8fc2811215fb6fbcfcc7218fb4a33750579edb5f092d99f643dd6d04bd0e

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\bpbcddzwql.exe
    Filesize

    255KB

    MD5

    85f2cf92422a591fd137b32c5dfc325e

    SHA1

    7a37489419edfeefd70411d19c94dd50b6cd9501

    SHA256

    763baae2a4f5768511f93109899f04b74530c4b7748b3fb1f9cc6e5b42a36932

    SHA512

    640e5ca27ebf942773bebf90bcc16338db9f092272d3a16926e82a8dd1885c37328d4408204c3eed7c4e84a6effe508637255a41e08fa0583d06c04cca993e06

    Download Submit

  • \Windows\SysWOW64\dlufvofwninmc.exe
    Filesize

    255KB

    MD5

    81cd5ac9d8ad3c7349b426d60cea4d7b

    SHA1

    1de958132f1901abbc014192082beb0943258207

    SHA256

    5176bf5c162483150f0895dbc92cbb97369b5310f8e763544a0804a1d6989db9

    SHA512

    e5aff5f8a024afd2739fa92d9579a8df1aabce178f8243c1040311c2cee178a2fc8024d22c0a55f20906b50a67b65e516faa0f00fe43980d2572e5b9ed271a85

    Download Submit

  • \Windows\SysWOW64\smgrrqjr.exe
    Filesize

    255KB

    MD5

    3ea660013035673fe8f3ffb1547ced2e

    SHA1

    92c426b25c00139017d7b3b43eaf3e085077fe75

    SHA256

    b82cf25b5c117e30d1ee4a4af002ce4ee8940a9947f7838ed17d098f49254810

    SHA512

    6d3000ef6b1f901c50ac99b3224d236cbda0b31553aafaa1cff7ee3afc6c3d469dd9713966adb70e94132b5dfc9b0507f96f65409f0945b11dd2ab928f028e78

    Download Submit

  • \Windows\SysWOW64\smgrrqjr.exe
    Filesize

    255KB

    MD5

    3ea660013035673fe8f3ffb1547ced2e

    SHA1

    92c426b25c00139017d7b3b43eaf3e085077fe75

    SHA256

    b82cf25b5c117e30d1ee4a4af002ce4ee8940a9947f7838ed17d098f49254810

    SHA512

    6d3000ef6b1f901c50ac99b3224d236cbda0b31553aafaa1cff7ee3afc6c3d469dd9713966adb70e94132b5dfc9b0507f96f65409f0945b11dd2ab928f028e78

    Download Submit

  • \Windows\SysWOW64\vpoggymtuwpxnkr.exe
    Filesize

    255KB

    MD5

    d3933334523358ec90e9e82ce019b178

    SHA1

    e40899650a16999a677a37b1bb794913196cf3bb

    SHA256

    48cf971c7846f360dfd7eee3676a553776d178b1cb0f1860f4964b888844d2c9

    SHA512

    9147dc251e45fbf0e3dcd379b040232c32155b2f98902eb59faeb4f54acea6b9cfbe8fc2811215fb6fbcfcc7218fb4a33750579edb5f092d99f643dd6d04bd0e

    Download Submit

  • memory/552-97-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/552-78-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/676-89-0x0000000072A01000-0x0000000072A04000-memory.dmp

    Filesize

    12KB

    Download

  • memory/676-95-0x000000007146D000-0x0000000071478000-memory.dmp

    Filesize

    44KB

    Download

  • memory/676-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/676-106-0x000000007146D000-0x0000000071478000-memory.dmp

    Filesize

    44KB

    Download

  • memory/676-90-0x0000000070481000-0x0000000070483000-memory.dmp

    Filesize

    8KB

    Download

  • memory/804-100-0x0000000003CD0000-0x0000000003D70000-memory.dmp

    Filesize

    640KB

    Download

  • memory/804-96-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/804-85-0x0000000003CD0000-0x0000000003D70000-memory.dmp

    Filesize

    640KB

    Download

  • memory/804-77-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/872-99-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/872-80-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/984-86-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/984-101-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/984-107-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-79-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-98-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-108-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1216-91-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1216-109-0x0000000002610000-0x0000000002620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1712-88-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1712-76-0x0000000002F80000-0x0000000003020000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1712-54-0x00000000765B1000-0x00000000765B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1712-55-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download