Analysis
-
max time kernel
180s -
max time network
210s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 21:02
General
-
Target
909d25855a6b546bd5bdd737923153e7ba7200c4028c22c44f29c3e1fc9bfbce.exe
-
Size
255KB
-
MD5
9dbc8b2c05f2cd8d5519bbac6cbcc1a0
-
SHA1
cab0e73fe8e6ef0caadd7fc7aeb781dae163ed19
-
SHA256
909d25855a6b546bd5bdd737923153e7ba7200c4028c22c44f29c3e1fc9bfbce
-
SHA512
6062f9086cc50b4c1ca7c8166ca6134ccefaf3ce509d99826eb32166c86626d93088a7c4a1711826e0171fa869baf8dc50326be3bc3aeec0827bec854d5fd309
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI3
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\909d25855a6b546bd5bdd737923153e7ba7200c4028c22c44f29c3e1fc9bfbce.exe"C:\Users\Admin\AppData\Local\Temp\909d25855a6b546bd5bdd737923153e7ba7200c4028c22c44f29c3e1fc9bfbce.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eruluauwbo.exeeruluauwbo.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eealggmo.exeC:\Windows\system32\eealggmo.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ecagruoqchrsvvn.exeecagruoqchrsvvn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\eealggmo.exeeealggmo.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\nbtpiwaptnuuv.exenbtpiwaptnuuv.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD548b056b34031e6f56f34d797cdc6e942
SHA17742af507b9187cc7e6d885d8a86af7b523a0ce9
SHA2562655e5721423d7f28c20e88cdccf0425d4f69736a2806783bfda52fdaf05d07b
SHA51203947c9aec3132993e9723518cd6d9df2dfcaadc11c786035e8236ca70a8658d92863036023b5e2692ba29284eb96aa7f5aced8d53eb4788b684ab7f07473f32
-
Filesize
255KB
MD5b81345ab5db252d1407a4e66d839a5ce
SHA110c224ea30400c2a7274499822e90682a204b011
SHA2564318f5cd1254aa3d64b6ca2444f381c25680fd41a1f3764ed1d644cadd90ee3d
SHA512a58c95f3cfe9fc0bdf1fe96145d24f2a7313d0193e419623169f9fd5c02e9951c712babc757aa3fc109f32168c62d0dc447c7449a4a44a26f658e7204cfab65a
-
Filesize
255KB
MD5b81345ab5db252d1407a4e66d839a5ce
SHA110c224ea30400c2a7274499822e90682a204b011
SHA2564318f5cd1254aa3d64b6ca2444f381c25680fd41a1f3764ed1d644cadd90ee3d
SHA512a58c95f3cfe9fc0bdf1fe96145d24f2a7313d0193e419623169f9fd5c02e9951c712babc757aa3fc109f32168c62d0dc447c7449a4a44a26f658e7204cfab65a
-
Filesize
255KB
MD56c651fd860b935ce075aa98234d89780
SHA1b4a0151e865ca4987d9196b4f7228047066b1a01
SHA2565a03bd1ce1d0fa27244766d596fead82f2c3bae486ed0197747ad519e0e086c4
SHA51281f2dff4f311a9b3c5ccae6420825954c88da875e5632b7856c6f2b5f0f910f09c849063400c2aca6d8837a81f7f05f76dbe91ead9202c97bcdfba389f003dd6
-
Filesize
255KB
MD56c651fd860b935ce075aa98234d89780
SHA1b4a0151e865ca4987d9196b4f7228047066b1a01
SHA2565a03bd1ce1d0fa27244766d596fead82f2c3bae486ed0197747ad519e0e086c4
SHA51281f2dff4f311a9b3c5ccae6420825954c88da875e5632b7856c6f2b5f0f910f09c849063400c2aca6d8837a81f7f05f76dbe91ead9202c97bcdfba389f003dd6
-
Filesize
255KB
MD56c651fd860b935ce075aa98234d89780
SHA1b4a0151e865ca4987d9196b4f7228047066b1a01
SHA2565a03bd1ce1d0fa27244766d596fead82f2c3bae486ed0197747ad519e0e086c4
SHA51281f2dff4f311a9b3c5ccae6420825954c88da875e5632b7856c6f2b5f0f910f09c849063400c2aca6d8837a81f7f05f76dbe91ead9202c97bcdfba389f003dd6
-
Filesize
255KB
MD589dd580245ff44d2d55a5531d81a69eb
SHA168fa428649b24f35f932e26aa3a4d8362055afa6
SHA256ca5abd987749bc463658ef3b18d7351ac8d1c8f35ed470d9b71f79894b378d7e
SHA51243aae9e1a90103f3e6eced0c0f79f3d813cd1f0f680b97060720fc42a173227d664d2defcb44a6d36e0dab9ebe8bad2edc56123598b535b768850a77d65da427
-
Filesize
255KB
MD589dd580245ff44d2d55a5531d81a69eb
SHA168fa428649b24f35f932e26aa3a4d8362055afa6
SHA256ca5abd987749bc463658ef3b18d7351ac8d1c8f35ed470d9b71f79894b378d7e
SHA51243aae9e1a90103f3e6eced0c0f79f3d813cd1f0f680b97060720fc42a173227d664d2defcb44a6d36e0dab9ebe8bad2edc56123598b535b768850a77d65da427
-
Filesize
255KB
MD51e250eee377ad02c5cae2803555d036b
SHA1bfef880df08b11e0050d634587f391afa70a6d40
SHA256307e7554559be4f5ba01f3aa40017d00d51fa44e8ed6f0d180303da0afcdee5e
SHA51296f3c1adce6d135d89b6f256d5fbfc2a921eeb5f5b43029ad91431ef2949a42a4ee8f913d36b82c4955e68b134864b423850d4706936e6bfde6318e11e7b7b08
-
Filesize
255KB
MD51e250eee377ad02c5cae2803555d036b
SHA1bfef880df08b11e0050d634587f391afa70a6d40
SHA256307e7554559be4f5ba01f3aa40017d00d51fa44e8ed6f0d180303da0afcdee5e
SHA51296f3c1adce6d135d89b6f256d5fbfc2a921eeb5f5b43029ad91431ef2949a42a4ee8f913d36b82c4955e68b134864b423850d4706936e6bfde6318e11e7b7b08
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB