Overview

overview

10

Static

static

8

74a8727f83...07.exe

windows7-x64

10

74a8727f83...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe

  • Size

    255KB

  • MD5

    e81ae6bf902b5f9948886395b8bcbe80

  • SHA1

    eff4bf340bba164d00e05a3d575c68634669f920

  • SHA256

    74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007

  • SHA512

    4bab12495fb5b4f07bd8a85234f14590c365f6159eb35d79879b88bd3c43af9948ca468b53cee2f1bfc9c8e5d9a390fc058fb1fb13dd6d7fef34877c7da27ef6

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ5:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI+

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe
    "C:\Users\Admin\AppData\Local\Temp\74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\xhjfbvcpcf.exe
      xhjfbvcpcf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\SysWOW64\jawrscfr.exe
        C:\Windows\system32\jawrscfr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:980
    • C:\Windows\SysWOW64\jzhacxthqaidxqy.exe
      jzhacxthqaidxqy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1368
    • C:\Windows\SysWOW64\jawrscfr.exe
      jawrscfr.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1528
    • C:\Windows\SysWOW64\vujevagelgkio.exe
      vujevagelgkio.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1552
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1708

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Modify Registry

    7
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Documents\CompressDeny.doc.exe
      Filesize

      255KB

      MD5

      44e79825331a5cb1137147122724055a

      SHA1

      a08c051e229166b35956c73d0293e3d6122fc95d

      SHA256

      edec0733367629cb3200f2dcbd12b32f68792c2680bd99d7a80e842af21ee558

      SHA512

      4979067c51100fd46681c9655e46c4cc67592101ce1e2d0b1c3c73732665d81dd0fe7c679dfaa7f1497146017c418256d433248c43b73822bdb4cff98fb350ec

      Download Submit
    • C:\Users\Admin\Documents\OutSubmit.doc.exe
      Filesize

      255KB

      MD5

      93b8c1a82f88ed9dd9e425a4fec9b19c

      SHA1

      4fd1dd8bbb5b481224aa385cae71fd6f4ce5176c

      SHA256

      6f5380819ef800d7d5356bc25689667e8ed50b847a5efd30f73fccbd98d6a865

      SHA512

      9b2a79dacbc6bbadbbb3387597b4e084f77109f56c4d3dd387b5b79cfc328465cb94b7ec5212d30c88b5eea76c602cbfde23db1a71a75ab109a80f85b441e3a8

      Download Submit
    • C:\Windows\SysWOW64\jawrscfr.exe
      Filesize

      255KB

      MD5

      172f218ab0db4fd3b28afd67c62e7a8b

      SHA1

      2ec622650b75c2d5f9a3e0ade25ee847a0b09ee1

      SHA256

      8c9e0ef854597131bb5bdfc30b6ebad81aabfee5015b70de21056bf48b7752ce

      SHA512

      a941feedfca3ef4b2862cca228c50f290a0f3bca1e006b490e79cc873ecaa815d6f480549bb0555c9588746572d8dd580d9cab0e27f82205dee399687398c7bb

      Download Submit
    • C:\Windows\SysWOW64\jawrscfr.exe
      Filesize

      255KB

      MD5

      172f218ab0db4fd3b28afd67c62e7a8b

      SHA1

      2ec622650b75c2d5f9a3e0ade25ee847a0b09ee1

      SHA256

      8c9e0ef854597131bb5bdfc30b6ebad81aabfee5015b70de21056bf48b7752ce

      SHA512

      a941feedfca3ef4b2862cca228c50f290a0f3bca1e006b490e79cc873ecaa815d6f480549bb0555c9588746572d8dd580d9cab0e27f82205dee399687398c7bb

      Download Submit
    • C:\Windows\SysWOW64\jawrscfr.exe
      Filesize

      255KB

      MD5

      172f218ab0db4fd3b28afd67c62e7a8b

      SHA1

      2ec622650b75c2d5f9a3e0ade25ee847a0b09ee1

      SHA256

      8c9e0ef854597131bb5bdfc30b6ebad81aabfee5015b70de21056bf48b7752ce

      SHA512

      a941feedfca3ef4b2862cca228c50f290a0f3bca1e006b490e79cc873ecaa815d6f480549bb0555c9588746572d8dd580d9cab0e27f82205dee399687398c7bb

      Download Submit
    • C:\Windows\SysWOW64\jzhacxthqaidxqy.exe
      Filesize

      255KB

      MD5

      d5bee022a3172e7be149fb5c92deb057

      SHA1

      001bdef0a4dd81ce2b9725f412675d6b022ea604

      SHA256

      b5c6bf63b9dbed546e8b7933a6096d5e8123e7dec61f09be8734cff3c089d230

      SHA512

      66bfb5bed4316d04f77a72b9cea638ecffb5c1b0222b7e95cc12b0cb2dcb84914f455add5490f3f2a78bb48f2b5856b50d7eab4f81c07f58f2139e24c1c44470

      Download Submit
    • C:\Windows\SysWOW64\jzhacxthqaidxqy.exe
      Filesize

      255KB

      MD5

      d5bee022a3172e7be149fb5c92deb057

      SHA1

      001bdef0a4dd81ce2b9725f412675d6b022ea604

      SHA256

      b5c6bf63b9dbed546e8b7933a6096d5e8123e7dec61f09be8734cff3c089d230

      SHA512

      66bfb5bed4316d04f77a72b9cea638ecffb5c1b0222b7e95cc12b0cb2dcb84914f455add5490f3f2a78bb48f2b5856b50d7eab4f81c07f58f2139e24c1c44470

      Download Submit
    • C:\Windows\SysWOW64\vujevagelgkio.exe
      Filesize

      255KB

      MD5

      5bf82bc3956f6866ac901ee018df3432

      SHA1

      b267997cf166598e585af53b8f3b77825937bc86

      SHA256

      166b7a257a6621f80e51b3684247fb8a48b9a75ae9d098eccc7add55e9794c71

      SHA512

      48f7c74e004f559566bf5c391b0327517800fc7688a15b3af8e300b0004dea9a5ecc64e3814464da50c3ca44f08aea493c89acdaf178eb26eb26ef22dbf2a262

      Download Submit
    • C:\Windows\SysWOW64\vujevagelgkio.exe
      Filesize

      255KB

      MD5

      5bf82bc3956f6866ac901ee018df3432

      SHA1

      b267997cf166598e585af53b8f3b77825937bc86

      SHA256

      166b7a257a6621f80e51b3684247fb8a48b9a75ae9d098eccc7add55e9794c71

      SHA512

      48f7c74e004f559566bf5c391b0327517800fc7688a15b3af8e300b0004dea9a5ecc64e3814464da50c3ca44f08aea493c89acdaf178eb26eb26ef22dbf2a262

      Download Submit
    • C:\Windows\SysWOW64\xhjfbvcpcf.exe
      Filesize

      255KB

      MD5

      0e4b88adcc9aa71ccf01df42a1b74288

      SHA1

      8e4ffa47e5a39ce144a1fc0d347e716f0f02657e

      SHA256

      fd5de1f935ba9f110c60c7bdbf0b01b5d45fe6b8c38ca61903db725f3b72d6b7

      SHA512

      f98acc53ea8bc528a06c57a675a983e6afe29a70a2574ec9d214d10738555a5c8c432b9889ef86988e6cd144d7330dd22fcebb343724676cb39bb3e051f9416f

      Download Submit
    • C:\Windows\SysWOW64\xhjfbvcpcf.exe
      Filesize

      255KB

      MD5

      0e4b88adcc9aa71ccf01df42a1b74288

      SHA1

      8e4ffa47e5a39ce144a1fc0d347e716f0f02657e

      SHA256

      fd5de1f935ba9f110c60c7bdbf0b01b5d45fe6b8c38ca61903db725f3b72d6b7

      SHA512

      f98acc53ea8bc528a06c57a675a983e6afe29a70a2574ec9d214d10738555a5c8c432b9889ef86988e6cd144d7330dd22fcebb343724676cb39bb3e051f9416f

      Download Submit
    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit
    • \Windows\SysWOW64\jawrscfr.exe
      Filesize

      255KB

      MD5

      172f218ab0db4fd3b28afd67c62e7a8b

      SHA1

      2ec622650b75c2d5f9a3e0ade25ee847a0b09ee1

      SHA256

      8c9e0ef854597131bb5bdfc30b6ebad81aabfee5015b70de21056bf48b7752ce

      SHA512

      a941feedfca3ef4b2862cca228c50f290a0f3bca1e006b490e79cc873ecaa815d6f480549bb0555c9588746572d8dd580d9cab0e27f82205dee399687398c7bb

      Download Submit
    • \Windows\SysWOW64\jawrscfr.exe
      Filesize

      255KB

      MD5

      172f218ab0db4fd3b28afd67c62e7a8b

      SHA1

      2ec622650b75c2d5f9a3e0ade25ee847a0b09ee1

      SHA256

      8c9e0ef854597131bb5bdfc30b6ebad81aabfee5015b70de21056bf48b7752ce

      SHA512

      a941feedfca3ef4b2862cca228c50f290a0f3bca1e006b490e79cc873ecaa815d6f480549bb0555c9588746572d8dd580d9cab0e27f82205dee399687398c7bb

      Download Submit
    • \Windows\SysWOW64\jzhacxthqaidxqy.exe
      Filesize

      255KB

      MD5

      d5bee022a3172e7be149fb5c92deb057

      SHA1

      001bdef0a4dd81ce2b9725f412675d6b022ea604

      SHA256

      b5c6bf63b9dbed546e8b7933a6096d5e8123e7dec61f09be8734cff3c089d230

      SHA512

      66bfb5bed4316d04f77a72b9cea638ecffb5c1b0222b7e95cc12b0cb2dcb84914f455add5490f3f2a78bb48f2b5856b50d7eab4f81c07f58f2139e24c1c44470

      Download Submit
    • \Windows\SysWOW64\vujevagelgkio.exe
      Filesize

      255KB

      MD5

      5bf82bc3956f6866ac901ee018df3432

      SHA1

      b267997cf166598e585af53b8f3b77825937bc86

      SHA256

      166b7a257a6621f80e51b3684247fb8a48b9a75ae9d098eccc7add55e9794c71

      SHA512

      48f7c74e004f559566bf5c391b0327517800fc7688a15b3af8e300b0004dea9a5ecc64e3814464da50c3ca44f08aea493c89acdaf178eb26eb26ef22dbf2a262

      Download Submit
    • \Windows\SysWOW64\xhjfbvcpcf.exe
      Filesize

      255KB

      MD5

      0e4b88adcc9aa71ccf01df42a1b74288

      SHA1

      8e4ffa47e5a39ce144a1fc0d347e716f0f02657e

      SHA256

      fd5de1f935ba9f110c60c7bdbf0b01b5d45fe6b8c38ca61903db725f3b72d6b7

      SHA512

      f98acc53ea8bc528a06c57a675a983e6afe29a70a2574ec9d214d10738555a5c8c432b9889ef86988e6cd144d7330dd22fcebb343724676cb39bb3e051f9416f

      Download Submit
    • memory/240-77-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/240-56-0x0000000000000000-mapping.dmp
      Download
    • memory/240-95-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/240-89-0x0000000003860000-0x0000000003900000-memory.dmp
      Filesize

      640KB

      Download
    • memory/980-90-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/980-82-0x0000000000000000-mapping.dmp
      Download
    • memory/980-99-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1368-79-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1368-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1368-97-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1528-78-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1528-96-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1528-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1552-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1552-98-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1552-80-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1708-103-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-104-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1776-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1776-93-0x0000000070FED000-0x0000000070FF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1776-87-0x0000000072581000-0x0000000072584000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1776-88-0x0000000070001000-0x0000000070003000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1776-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1776-106-0x0000000070FED000-0x0000000070FF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1776-105-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1776-100-0x0000000070FED000-0x0000000070FF8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1912-86-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1912-54-0x0000000076041000-0x0000000076043000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1912-75-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1912-76-0x0000000002460000-0x0000000002500000-memory.dmp
      Filesize

      640KB

      Download