Overview

overview

10

Static

static

8

74a8727f83...07.exe

windows7-x64

10

74a8727f83...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe

  • Size

    255KB

  • MD5

    e81ae6bf902b5f9948886395b8bcbe80

  • SHA1

    eff4bf340bba164d00e05a3d575c68634669f920

  • SHA256

    74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007

  • SHA512

    4bab12495fb5b4f07bd8a85234f14590c365f6159eb35d79879b88bd3c43af9948ca468b53cee2f1bfc9c8e5d9a390fc058fb1fb13dd6d7fef34877c7da27ef6

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ5:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI+

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe
    "C:\Users\Admin\AppData\Local\Temp\74a8727f832233c76a36fe100fc505e98265f5c5c0231c10ca28e2b0496a3007.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\xgpxqavxlb.exe
      xgpxqavxlb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4932
      • C:\Windows\SysWOW64\hxoczmjp.exe
        C:\Windows\system32\hxoczmjp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2820
    • C:\Windows\SysWOW64\yoljoryyheuhjwh.exe
      yoljoryyheuhjwh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1748
    • C:\Windows\SysWOW64\fgonkpzdpuiks.exe
      fgonkpzdpuiks.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1688
    • C:\Windows\SysWOW64\hxoczmjp.exe
      hxoczmjp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3704
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    f071648453c9a295790898483500fe79

    SHA1

    5f7c06456dd7f458c14713a3eb885473a8aa5628

    SHA256

    079e5c3d4f527eb9029e2a4543b7236a749b04507d2e628f760275caa8b2d97d

    SHA512

    f1538ae051504599d3b7722e4d23525922e2c6ac0916cdf99fbece13f407f62abd8f226ecc2efff27468b89c79366da29e0bc56df1fdc2f9b9559e75625e645b

    Download Submit

  • C:\Windows\SysWOW64\fgonkpzdpuiks.exe
    Filesize

    255KB

    MD5

    a018ea6b4ac42c5055c5b91ab3f53b19

    SHA1

    2a3de1fa068f077af1ef03419f1b755fd8ab63f6

    SHA256

    94d1674877a02b78a824da3296c21d3bf5f95336a203c994c451a2c403b7ca86

    SHA512

    fd633347bf4f0db65fb847c007e4e83f603b51a2947d27144482a546fac5fd5f161ff829b38c3629acd099e9f4075e3632e6742b8a7409d6e9bc2ce0329c1d8a

    Download Submit

  • C:\Windows\SysWOW64\fgonkpzdpuiks.exe
    Filesize

    255KB

    MD5

    a018ea6b4ac42c5055c5b91ab3f53b19

    SHA1

    2a3de1fa068f077af1ef03419f1b755fd8ab63f6

    SHA256

    94d1674877a02b78a824da3296c21d3bf5f95336a203c994c451a2c403b7ca86

    SHA512

    fd633347bf4f0db65fb847c007e4e83f603b51a2947d27144482a546fac5fd5f161ff829b38c3629acd099e9f4075e3632e6742b8a7409d6e9bc2ce0329c1d8a

    Download Submit

  • C:\Windows\SysWOW64\hxoczmjp.exe
    Filesize

    255KB

    MD5

    a878d30356ba032ab65a865563790205

    SHA1

    a26d8bd2033e93acc3a9476ea1cf79dfd52513c1

    SHA256

    88408df55a7e6649f262f6643ff8a33a9d7378089828220d46ea67f363765a35

    SHA512

    9c00d65a4d88373d9d7ed4471f0e0f4ff88b78db9d6033c9963ee08d286a93f9711acc3c23e943402f0839d3c066cdbb7445ce1ad56cf145880fafb8ac33b4c8

    Download Submit

  • C:\Windows\SysWOW64\hxoczmjp.exe
    Filesize

    255KB

    MD5

    a878d30356ba032ab65a865563790205

    SHA1

    a26d8bd2033e93acc3a9476ea1cf79dfd52513c1

    SHA256

    88408df55a7e6649f262f6643ff8a33a9d7378089828220d46ea67f363765a35

    SHA512

    9c00d65a4d88373d9d7ed4471f0e0f4ff88b78db9d6033c9963ee08d286a93f9711acc3c23e943402f0839d3c066cdbb7445ce1ad56cf145880fafb8ac33b4c8

    Download Submit

  • C:\Windows\SysWOW64\hxoczmjp.exe
    Filesize

    255KB

    MD5

    a878d30356ba032ab65a865563790205

    SHA1

    a26d8bd2033e93acc3a9476ea1cf79dfd52513c1

    SHA256

    88408df55a7e6649f262f6643ff8a33a9d7378089828220d46ea67f363765a35

    SHA512

    9c00d65a4d88373d9d7ed4471f0e0f4ff88b78db9d6033c9963ee08d286a93f9711acc3c23e943402f0839d3c066cdbb7445ce1ad56cf145880fafb8ac33b4c8

    Download Submit

  • C:\Windows\SysWOW64\xgpxqavxlb.exe
    Filesize

    255KB

    MD5

    21e63fa0a3aeec38c2bef4013cfcdfe2

    SHA1

    5fe17b2846cbc5ef46b6d54e9caba2f77ced02cb

    SHA256

    26933c5ca27e176a881b69ec9a30859f7d8a865ce2d283a34bfc4a754cbe6d06

    SHA512

    6d3a319cd07964515d340a2f6a4fb2c362e07f89c0801956834062aeda95e78392624647a4cbdcd6b5fccf94a43241d0ea40178c90ee7802209fec5e3a776ee4

    Download Submit

  • C:\Windows\SysWOW64\xgpxqavxlb.exe
    Filesize

    255KB

    MD5

    21e63fa0a3aeec38c2bef4013cfcdfe2

    SHA1

    5fe17b2846cbc5ef46b6d54e9caba2f77ced02cb

    SHA256

    26933c5ca27e176a881b69ec9a30859f7d8a865ce2d283a34bfc4a754cbe6d06

    SHA512

    6d3a319cd07964515d340a2f6a4fb2c362e07f89c0801956834062aeda95e78392624647a4cbdcd6b5fccf94a43241d0ea40178c90ee7802209fec5e3a776ee4

    Download Submit

  • C:\Windows\SysWOW64\yoljoryyheuhjwh.exe
    Filesize

    255KB

    MD5

    a0a384ee18de79972fbc06490fb2f3d9

    SHA1

    893e90ce5b0159d39aab0cd1564013d9e83f8745

    SHA256

    da4abc39be081a4fdfc79751f46fc88e1cb8c2ff739a4d6a9699fbfed0a5edda

    SHA512

    ffa31da21282c64c3cb2957085d209f68f9c69392ebfa9cb404f8f7c20f293fe5fab95384d0976bd083268c666b624ebdc39b1584b52a6d1b78d848a8cf774cb

    Download Submit

  • C:\Windows\SysWOW64\yoljoryyheuhjwh.exe
    Filesize

    255KB

    MD5

    a0a384ee18de79972fbc06490fb2f3d9

    SHA1

    893e90ce5b0159d39aab0cd1564013d9e83f8745

    SHA256

    da4abc39be081a4fdfc79751f46fc88e1cb8c2ff739a4d6a9699fbfed0a5edda

    SHA512

    ffa31da21282c64c3cb2957085d209f68f9c69392ebfa9cb404f8f7c20f293fe5fab95384d0976bd083268c666b624ebdc39b1584b52a6d1b78d848a8cf774cb

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • memory/1688-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1688-143-0x0000000000000000-mapping.dmp

    Download

  • memory/1688-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1748-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1748-135-0x0000000000000000-mapping.dmp

    Download

  • memory/1748-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1808-136-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1808-157-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1808-149-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2820-159-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2820-158-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2820-154-0x0000000000000000-mapping.dmp

    Download

  • memory/3704-139-0x0000000000000000-mapping.dmp

    Download

  • memory/3704-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3704-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4932-132-0x0000000000000000-mapping.dmp

    Download

  • memory/4932-150-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4932-140-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4980-156-0x0000000000000000-mapping.dmp

    Download

  • memory/4980-160-0x00007FFA56390000-0x00007FFA563A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-161-0x00007FFA56390000-0x00007FFA563A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-162-0x00007FFA56390000-0x00007FFA563A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-163-0x00007FFA56390000-0x00007FFA563A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-164-0x00007FFA56390000-0x00007FFA563A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-166-0x00007FFA542A0000-0x00007FFA542B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4980-167-0x00007FFA542A0000-0x00007FFA542B0000-memory.dmp

    Filesize

    64KB

    Download