Overview

overview

10

Static

static

8

4fc362a942...de.exe

windows7-x64

10

4fc362a942...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4fc362a942b27468efc2c852cacc200952b5f7a170928fa4036900c657d5b4de.exe

  • Size

    255KB

  • MD5

    a9d7cbb5181378efc439ff9b2119c7ec

  • SHA1

    9bc8b8bf39e1132d075421c3af939bb9e7f476f4

  • SHA256

    4fc362a942b27468efc2c852cacc200952b5f7a170928fa4036900c657d5b4de

  • SHA512

    61281358f96e9e8bbfdf4844a095facfe26e0082beb83f90b7b61b86cfae9f82ce428b2d9ff35ff96d5caea253fddc52a2b1fd292f6bca5e30794230c2c7027a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJv:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 28 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4fc362a942b27468efc2c852cacc200952b5f7a170928fa4036900c657d5b4de.exe
    "C:\Users\Admin\AppData\Local\Temp\4fc362a942b27468efc2c852cacc200952b5f7a170928fa4036900c657d5b4de.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\usdebbxwqn.exe
      usdebbxwqn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\SysWOW64\qbdcfmxc.exe
        C:\Windows\system32\qbdcfmxc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1216
    • C:\Windows\SysWOW64\umwneyxbqrjjizd.exe
      umwneyxbqrjjizd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c dtrqbrfbvsifa.exe
        3⤵
          PID:1536
      • C:\Windows\SysWOW64\qbdcfmxc.exe
        qbdcfmxc.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:668
      • C:\Windows\SysWOW64\dtrqbrfbvsifa.exe
        dtrqbrfbvsifa.exe
        2⤵
        • Executes dropped EXE
        PID:1824
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:672
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1744

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\EditUnprotect.doc.exe
        Filesize

        255KB

        MD5

        5f91399bf71c11e0bb6dd2e1f2281a48

        SHA1

        7a3ac7ffdb3255f2f9426e1a72b49b37d517805f

        SHA256

        6b44a92ff390eeffffeb34b7cf4621d7994cd21f96706094dc2bd5ac334e9956

        SHA512

        4a1aba8d0b8bec00b36a3aec0d3b0f7a91414c7c892a3eeead370d6a2c2148c2bb24c018f41f6603612800b516a443c66009ad45cf3032748dd01d55c9f8be27

        Download Submit
      • C:\Program Files\EnterTrace.doc.exe
        Filesize

        255KB

        MD5

        6cffb29a2ece43353ede7ad81e6adb2d

        SHA1

        3027658297e4055222fbc0dc33139fb1a2ffb226

        SHA256

        7c33f980c9cd79ccea42efeb7468e0323422549d1dccac495f661240956e37f3

        SHA512

        4f83341d8d27b2aef41b8d1af26634489a74306fca99547b28d72453f0b72178c56eac9353a8c7055b3d1e45e42d08986f6deeb661c55a68bfcddf36831845b6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\UpdateSplit.doc.exe
        Filesize

        255KB

        MD5

        50d5fdae320299a6762b343ea268c21e

        SHA1

        3e64de7c2acc449b76078fe927e7f609d790c8f3

        SHA256

        1d58366f7ef93522709ed58b02a78de139c7b0393d864de326d0f5726110fdc5

        SHA512

        3bb5a289788e2adeff413222b7b382beaaa451d6257da8df12e7dd12648eaa5df0f97faaa15781f82bc0382b4f890ba0a4b39ca29bc5a17e95bc21d2fb1ce9fe

        Download Submit
      • C:\Windows\SysWOW64\dtrqbrfbvsifa.exe
        Filesize

        255KB

        MD5

        0942ee56edaf2a44d300f1635dd4f8b8

        SHA1

        972571ee9f3f5ebdaa0361e916b0b587f7f4f989

        SHA256

        80481c7fc3e6cb3cc5bbd9a8afbb8d0e4bcb31b4817a6b8cff8820bebccf918b

        SHA512

        a8eb4cfabc3438611079f4963e0619244133be38d01c91ab1f8ef753b1d140b3efc779c11e5af971632259c83e8a4462cc8044d3aa450b519756c3f5477a9a20

        Download Submit
      • C:\Windows\SysWOW64\qbdcfmxc.exe
        Filesize

        255KB

        MD5

        0f6f7f3c7a9f3ea8411c6822dbb0bccd

        SHA1

        a2580c4c565317381aaf45ddc3900b3b9df431a2

        SHA256

        fc868c23b734063a53a27d92b10a8bf71a2be6527a07918bf3e353d05e60d952

        SHA512

        eded3ed47d1d02d6aa4906da3d55347f961936d4abb453395550fdd4375a097d4aa8d8497bceaebd9734ef19d8fd3019f0ca8e8c4f2e2187829afd87bcb64ac8

        Download Submit
      • C:\Windows\SysWOW64\qbdcfmxc.exe
        Filesize

        255KB

        MD5

        0f6f7f3c7a9f3ea8411c6822dbb0bccd

        SHA1

        a2580c4c565317381aaf45ddc3900b3b9df431a2

        SHA256

        fc868c23b734063a53a27d92b10a8bf71a2be6527a07918bf3e353d05e60d952

        SHA512

        eded3ed47d1d02d6aa4906da3d55347f961936d4abb453395550fdd4375a097d4aa8d8497bceaebd9734ef19d8fd3019f0ca8e8c4f2e2187829afd87bcb64ac8

        Download Submit
      • C:\Windows\SysWOW64\qbdcfmxc.exe
        Filesize

        255KB

        MD5

        0f6f7f3c7a9f3ea8411c6822dbb0bccd

        SHA1

        a2580c4c565317381aaf45ddc3900b3b9df431a2

        SHA256

        fc868c23b734063a53a27d92b10a8bf71a2be6527a07918bf3e353d05e60d952

        SHA512

        eded3ed47d1d02d6aa4906da3d55347f961936d4abb453395550fdd4375a097d4aa8d8497bceaebd9734ef19d8fd3019f0ca8e8c4f2e2187829afd87bcb64ac8

        Download Submit
      • C:\Windows\SysWOW64\umwneyxbqrjjizd.exe
        Filesize

        255KB

        MD5

        67f3d0af162b28d72e6d2e0e9a9f471b

        SHA1

        f63a64a5b86fded847c80aeaf31f700d039135ce

        SHA256

        2e066d07cdbd2bbc4122c421f1ace8307ccf62b9a78ede6e36b3328acb1ab9ce

        SHA512

        c3dedb691cc5446cb831571424d6d323af42212ba123c8c13c07c3bbb53841a75538a421b427d377c66cda87ae1c0f269bbe662c9a49280b823e1ad09eea0540

        Download Submit
      • C:\Windows\SysWOW64\umwneyxbqrjjizd.exe
        Filesize

        255KB

        MD5

        67f3d0af162b28d72e6d2e0e9a9f471b

        SHA1

        f63a64a5b86fded847c80aeaf31f700d039135ce

        SHA256

        2e066d07cdbd2bbc4122c421f1ace8307ccf62b9a78ede6e36b3328acb1ab9ce

        SHA512

        c3dedb691cc5446cb831571424d6d323af42212ba123c8c13c07c3bbb53841a75538a421b427d377c66cda87ae1c0f269bbe662c9a49280b823e1ad09eea0540

        Download Submit
      • C:\Windows\SysWOW64\usdebbxwqn.exe
        Filesize

        255KB

        MD5

        84e8de73c5c4841ff4438d6d84185dd2

        SHA1

        eb3f32d7c25a036f0b10e3c83c2e666d5d91f5f7

        SHA256

        f29eb195fbd58849b48fc1a825808f85dd7bffc945ee9777d4319892bbc801b8

        SHA512

        f48bfe5cfbc7bf0065125cba4a091ee07dbdba0233a7959f5e036f99f9443a0af31148c0d45e067a50a54531cef96de8a70899e5e076f94a718c307852ebcf49

        Download Submit
      • C:\Windows\SysWOW64\usdebbxwqn.exe
        Filesize

        255KB

        MD5

        84e8de73c5c4841ff4438d6d84185dd2

        SHA1

        eb3f32d7c25a036f0b10e3c83c2e666d5d91f5f7

        SHA256

        f29eb195fbd58849b48fc1a825808f85dd7bffc945ee9777d4319892bbc801b8

        SHA512

        f48bfe5cfbc7bf0065125cba4a091ee07dbdba0233a7959f5e036f99f9443a0af31148c0d45e067a50a54531cef96de8a70899e5e076f94a718c307852ebcf49

        Download Submit
      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit
      • \Windows\SysWOW64\dtrqbrfbvsifa.exe
        Filesize

        255KB

        MD5

        0942ee56edaf2a44d300f1635dd4f8b8

        SHA1

        972571ee9f3f5ebdaa0361e916b0b587f7f4f989

        SHA256

        80481c7fc3e6cb3cc5bbd9a8afbb8d0e4bcb31b4817a6b8cff8820bebccf918b

        SHA512

        a8eb4cfabc3438611079f4963e0619244133be38d01c91ab1f8ef753b1d140b3efc779c11e5af971632259c83e8a4462cc8044d3aa450b519756c3f5477a9a20

        Download Submit
      • \Windows\SysWOW64\qbdcfmxc.exe
        Filesize

        255KB

        MD5

        0f6f7f3c7a9f3ea8411c6822dbb0bccd

        SHA1

        a2580c4c565317381aaf45ddc3900b3b9df431a2

        SHA256

        fc868c23b734063a53a27d92b10a8bf71a2be6527a07918bf3e353d05e60d952

        SHA512

        eded3ed47d1d02d6aa4906da3d55347f961936d4abb453395550fdd4375a097d4aa8d8497bceaebd9734ef19d8fd3019f0ca8e8c4f2e2187829afd87bcb64ac8

        Download Submit
      • \Windows\SysWOW64\qbdcfmxc.exe
        Filesize

        255KB

        MD5

        0f6f7f3c7a9f3ea8411c6822dbb0bccd

        SHA1

        a2580c4c565317381aaf45ddc3900b3b9df431a2

        SHA256

        fc868c23b734063a53a27d92b10a8bf71a2be6527a07918bf3e353d05e60d952

        SHA512

        eded3ed47d1d02d6aa4906da3d55347f961936d4abb453395550fdd4375a097d4aa8d8497bceaebd9734ef19d8fd3019f0ca8e8c4f2e2187829afd87bcb64ac8

        Download Submit
      • \Windows\SysWOW64\umwneyxbqrjjizd.exe
        Filesize

        255KB

        MD5

        67f3d0af162b28d72e6d2e0e9a9f471b

        SHA1

        f63a64a5b86fded847c80aeaf31f700d039135ce

        SHA256

        2e066d07cdbd2bbc4122c421f1ace8307ccf62b9a78ede6e36b3328acb1ab9ce

        SHA512

        c3dedb691cc5446cb831571424d6d323af42212ba123c8c13c07c3bbb53841a75538a421b427d377c66cda87ae1c0f269bbe662c9a49280b823e1ad09eea0540

        Download Submit
      • \Windows\SysWOW64\usdebbxwqn.exe
        Filesize

        255KB

        MD5

        84e8de73c5c4841ff4438d6d84185dd2

        SHA1

        eb3f32d7c25a036f0b10e3c83c2e666d5d91f5f7

        SHA256

        f29eb195fbd58849b48fc1a825808f85dd7bffc945ee9777d4319892bbc801b8

        SHA512

        f48bfe5cfbc7bf0065125cba4a091ee07dbdba0233a7959f5e036f99f9443a0af31148c0d45e067a50a54531cef96de8a70899e5e076f94a718c307852ebcf49

        Download Submit
      • memory/276-56-0x0000000000000000-mapping.dmp
        Download
      • memory/276-71-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/276-98-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/668-99-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/668-65-0x0000000000000000-mapping.dmp
        Download
      • memory/668-74-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/672-96-0x00000000714DD000-0x00000000714E8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/672-101-0x00000000714DD000-0x00000000714E8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/672-105-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/672-93-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/672-92-0x00000000704F1000-0x00000000704F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/672-91-0x0000000072A71000-0x0000000072A74000-memory.dmp
        Filesize

        12KB

        Download
      • memory/672-87-0x0000000000000000-mapping.dmp
        Download
      • memory/672-106-0x00000000714DD000-0x00000000714E8000-memory.dmp
        Filesize

        44KB

        Download
      • memory/956-67-0x0000000003350000-0x00000000033F0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/956-84-0x0000000003350000-0x00000000033F0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/956-88-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/956-66-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1216-86-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/1216-81-0x0000000000000000-mapping.dmp
        Download
      • memory/1216-100-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/1392-72-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/1392-60-0x0000000000000000-mapping.dmp
        Download
      • memory/1392-97-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download
      • memory/1536-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1744-103-0x0000000000000000-mapping.dmp
        Download
      • memory/1744-104-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1824-69-0x0000000000000000-mapping.dmp
        Download
      • memory/1824-85-0x0000000000400000-0x00000000004A0000-memory.dmp
        Filesize

        640KB

        Download