Analysis
-
max time kernel
158s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
23-11-2022 21:02
General
-
Target
9770da26e1b20d94ab37a12d4e719dceaa6130fd268482c5d475c196f8ddc94c.exe
-
Size
255KB
-
MD5
5d634f5d3bd9fd9d8c3fcbcc1741b45c
-
SHA1
8e474559c791817ef9a362cfc2a2396157ae9b13
-
SHA256
9770da26e1b20d94ab37a12d4e719dceaa6130fd268482c5d475c196f8ddc94c
-
SHA512
9d4cae4d4547ad903b9978b77bf88459324ae8a14c30dc5b18d61518930ef4341f14011c841e09db68e9d7d9bd7a5990f4b31eaf923b8542f138adb6e8543ac5
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJG:1xlZam+akqx6YQJXcNlEHUIQeE3mmBID
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9770da26e1b20d94ab37a12d4e719dceaa6130fd268482c5d475c196f8ddc94c.exe"C:\Users\Admin\AppData\Local\Temp\9770da26e1b20d94ab37a12d4e719dceaa6130fd268482c5d475c196f8ddc94c.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rpktrtcpvo.exerpktrtcpvo.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ygeflyri.exeC:\Windows\system32\ygeflyri.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\lgobywmodpnstiu.exelgobywmodpnstiu.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\ygeflyri.exeygeflyri.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\wagcmukoficcg.exewagcmukoficcg.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD56facd519c754d74379a2d458277777ac
SHA1f5f334d97555977c57293f16d7bfacb301c97885
SHA25688e5d2da8da1f85e48e0334efa83b31b556b33acec195510ea9731e34d3756d8
SHA51273905e4bd8c0ecc1be22cc57efebf9b0733533920a6c7eada106363483bc5e4dd0f72d16f4091cbcb2f4535901ab4d89bcf55024f611ae9fc95ff2430b66ae66
-
Filesize
255KB
MD57b872e0ee9bad79f442223a80346bde7
SHA1d369defefde23ad15f663fa5e3f55d994cb77e21
SHA256c5045b9196a058feb825d2698e25d3447f19ebea0c8aa85af95b48f19f9e4203
SHA512543e92812d7cca089abe641f86e27a78c64c297503be9ab6462f3e81609024cf4ce0ed493e0946e17c9b91457db35702b57702013850cae5c24948cd97f5ff99
-
Filesize
255KB
MD57b872e0ee9bad79f442223a80346bde7
SHA1d369defefde23ad15f663fa5e3f55d994cb77e21
SHA256c5045b9196a058feb825d2698e25d3447f19ebea0c8aa85af95b48f19f9e4203
SHA512543e92812d7cca089abe641f86e27a78c64c297503be9ab6462f3e81609024cf4ce0ed493e0946e17c9b91457db35702b57702013850cae5c24948cd97f5ff99
-
Filesize
255KB
MD5f754fb4ba5816972854a68baeeadfac7
SHA18aaa674438f9f83efee039e052ff395e7eb5bcfa
SHA256f3b339740a4494049f06438cd66d0aecfa8524ad02238bc5c100ef93b2fa0c14
SHA512ae90f5fc9c4e4021b603fccb7b104afb14c750a14711e1c58d03b2122acf28793739b82decd68d413cb74980f6c094bfb9a7335fe640400af07875fd8ec0edd8
-
Filesize
255KB
MD5f754fb4ba5816972854a68baeeadfac7
SHA18aaa674438f9f83efee039e052ff395e7eb5bcfa
SHA256f3b339740a4494049f06438cd66d0aecfa8524ad02238bc5c100ef93b2fa0c14
SHA512ae90f5fc9c4e4021b603fccb7b104afb14c750a14711e1c58d03b2122acf28793739b82decd68d413cb74980f6c094bfb9a7335fe640400af07875fd8ec0edd8
-
Filesize
255KB
MD574e769b6cfb88f21b3ee5bd5b3edd3a9
SHA1fd962e51bc984b13892b3437f9fe8876ed5e8482
SHA25695a56dcaad118aafe78334670ae16856e97884586f275bc8ce7cfb0e724c5dab
SHA51275f47e877f6c391c233bf08bbbc3997887aa893bc19899df349798b3b53cfcd11addcdb959f89cd4c92acaa0ca47fe6a4822cb51894c9ffde36a2d4113da0c82
-
Filesize
255KB
MD574e769b6cfb88f21b3ee5bd5b3edd3a9
SHA1fd962e51bc984b13892b3437f9fe8876ed5e8482
SHA25695a56dcaad118aafe78334670ae16856e97884586f275bc8ce7cfb0e724c5dab
SHA51275f47e877f6c391c233bf08bbbc3997887aa893bc19899df349798b3b53cfcd11addcdb959f89cd4c92acaa0ca47fe6a4822cb51894c9ffde36a2d4113da0c82
-
Filesize
255KB
MD513406a7f763cdd4908a17aa692ef24a8
SHA178186572f1572a4da6d47c94fa63de9353620981
SHA256e99e2a63570ce801cbd17d08e6b567db6cbbb76f0cd98a575c89d7351af56e64
SHA512ad38c604898ad447f68650d4e3e6839e55ea6568df9f248c91c9db4f889c17d2fd1251e7e0800c447f9dce16746abb4a95fa0c784a05203d62648f77a77ca056
-
Filesize
255KB
MD513406a7f763cdd4908a17aa692ef24a8
SHA178186572f1572a4da6d47c94fa63de9353620981
SHA256e99e2a63570ce801cbd17d08e6b567db6cbbb76f0cd98a575c89d7351af56e64
SHA512ad38c604898ad447f68650d4e3e6839e55ea6568df9f248c91c9db4f889c17d2fd1251e7e0800c447f9dce16746abb4a95fa0c784a05203d62648f77a77ca056
-
Filesize
255KB
MD513406a7f763cdd4908a17aa692ef24a8
SHA178186572f1572a4da6d47c94fa63de9353620981
SHA256e99e2a63570ce801cbd17d08e6b567db6cbbb76f0cd98a575c89d7351af56e64
SHA512ad38c604898ad447f68650d4e3e6839e55ea6568df9f248c91c9db4f889c17d2fd1251e7e0800c447f9dce16746abb4a95fa0c784a05203d62648f77a77ca056
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD52254c9060f993333a8a4c0289163820e
SHA1c84ac0811cfc4cca2d562881da346903f2c11790
SHA256ec7e44c5b3fc38002f56c973cc336a41227b4380d1bb53b2c962a603238d20e9
SHA512d384c7a3e845555163997f619ffd0b2772ecf82240ee9757614af13df0f798a45f888160125d759108c0aa9b9ee461dfa08ac8b306c5b8953628494c51a9f3b7
-
Filesize
255KB
MD5183420465a48513c73a2d387f8495712
SHA12ada5217a01d04b8f151dd22eceab58e0ae651ef
SHA25643f718d0a2b7cdc8206de5813a1aba33c0dc59acc987227f346542796ec56e01
SHA512f120deca21920de426331a401c395667aaa4802aeb88f2c4ef80144e24fe62dd06a3fcde09170959b71d7b16df86eb3130b41cb3e0d551ed91d8f6ca37faa5de
-
Filesize
255KB
MD5183420465a48513c73a2d387f8495712
SHA12ada5217a01d04b8f151dd22eceab58e0ae651ef
SHA25643f718d0a2b7cdc8206de5813a1aba33c0dc59acc987227f346542796ec56e01
SHA512f120deca21920de426331a401c395667aaa4802aeb88f2c4ef80144e24fe62dd06a3fcde09170959b71d7b16df86eb3130b41cb3e0d551ed91d8f6ca37faa5de
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB