Overview

overview

10

Static

static

8

7409499c45...28.exe

windows7-x64

10

7409499c45...28.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7409499c45e353cfeb3857647a336159d9d2e25591eb21d86bcf2c19a6e70528.exe

  • Size

    255KB

  • MD5

    0118fafb572f326409e0a7c487ede3ae

  • SHA1

    59454507736c67fc557bfcb89802c5b407f5c604

  • SHA256

    7409499c45e353cfeb3857647a336159d9d2e25591eb21d86bcf2c19a6e70528

  • SHA512

    70cfbaeaf7fd4ae5be1bfe24e91959f36eb49e4354e243484e8a50d356b33c730cf07a13ecc976578ec8d4f19af73315f92ccc154881fd5e4728fda601aa8924

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJs:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI/

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7409499c45e353cfeb3857647a336159d9d2e25591eb21d86bcf2c19a6e70528.exe
    "C:\Users\Admin\AppData\Local\Temp\7409499c45e353cfeb3857647a336159d9d2e25591eb21d86bcf2c19a6e70528.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\kdbvjkelao.exe
      kdbvjkelao.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\SysWOW64\jrdphhhg.exe
        C:\Windows\system32\jrdphhhg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3172
    • C:\Windows\SysWOW64\ktzgwcoyzoodsaz.exe
      ktzgwcoyzoodsaz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c qrduxvrfgizum.exe
        3⤵
          PID:4688
      • C:\Windows\SysWOW64\jrdphhhg.exe
        jrdphhhg.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:212
      • C:\Windows\SysWOW64\qrduxvrfgizum.exe
        qrduxvrfgizum.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1892
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:4088

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      27915ec09d6ed2c523d8320df1856b0c

      SHA1

      2bf7f4e856ef5e9a0598d6849969cca3417f913a

      SHA256

      20b08c89432fd2742d385a39fd2ba9fe3c8836fdc3f6a22cc00efeffe4738732

      SHA512

      29afedff7e50e2b813e974159fdf5f5e9f72582feec1067606b9b014102a39fd7461482f7e219001a04eb3cdb3172e04ce7304b1cf832e41788a610cff6e0460

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      b8d163241422ef97c499773ebd03d1ec

      SHA1

      402b2b142c90586f509cac6291345efc8bf3e187

      SHA256

      81f22c9fcd9c1527172de269f525269ff11cbf31e337e2e78aba73d0cc0a4a0d

      SHA512

      0a2dcbe547ed2c32f15caa329c6d403b3a2f55d814e8c3a14976b45f9eab8c3faa91640793dd978de46e8381dfdf968ce2a0acbd525b27ec99b365eb483cac16

      Download Submit

    • C:\Users\Admin\Documents\GetStart.doc.exe
      Filesize

      255KB

      MD5

      2bad79516acc7f68256dd587a45dce92

      SHA1

      c22c25141fa1126a90f69c231208c0e640589f35

      SHA256

      2e0280a811307ed303b573e995ff1ad3e8218c299bc9f775c953adba04903381

      SHA512

      cdb5d3358b6ffbd6ba2ef58daeba855d10f69a41e2bbdec96efa180410b846a4c9aaee4d48dc673ac74bb10ba319455a7f01aea272be9635345090e8938ac9d7

      Download Submit

    • C:\Users\Admin\Documents\ResetFormat.doc.exe
      Filesize

      255KB

      MD5

      3948a5fd34a84b21bbedc7e6b99fce7d

      SHA1

      6a71673726d49f19c651afec914869cce28d90f1

      SHA256

      83090cb2d6dc1d2220985458dd6e3bedb33de60675b95df956d8c9d7d9802277

      SHA512

      02f372c35c11dd83fdbd012ac3f960d1a3e86b21a2e9be6d21746a0074588994f2f51cc29f7d4ea5dc5b1f6a9b3126e848fdafb5538d732b0cca6196bbd4f5fe

      Download Submit

    • C:\Windows\SysWOW64\jrdphhhg.exe
      Filesize

      255KB

      MD5

      aa2f3291fe2b9a209fc21560640056c8

      SHA1

      0c95153472cd3609af70d3b6311228597af0dc6e

      SHA256

      a49f2feae31d90c8fd56df53b5097b244332d8cd3f1f6c291e5977426049a106

      SHA512

      fefec382a79d790283d28927ecf271ea09a912b7b24a41bfb21df8f34299b3936289d578bcf927f30a54e80cfcc2ceb0cd22693005260395776ffe091050e83b

      Download Submit

    • C:\Windows\SysWOW64\jrdphhhg.exe
      Filesize

      255KB

      MD5

      aa2f3291fe2b9a209fc21560640056c8

      SHA1

      0c95153472cd3609af70d3b6311228597af0dc6e

      SHA256

      a49f2feae31d90c8fd56df53b5097b244332d8cd3f1f6c291e5977426049a106

      SHA512

      fefec382a79d790283d28927ecf271ea09a912b7b24a41bfb21df8f34299b3936289d578bcf927f30a54e80cfcc2ceb0cd22693005260395776ffe091050e83b

      Download Submit

    • C:\Windows\SysWOW64\jrdphhhg.exe
      Filesize

      255KB

      MD5

      aa2f3291fe2b9a209fc21560640056c8

      SHA1

      0c95153472cd3609af70d3b6311228597af0dc6e

      SHA256

      a49f2feae31d90c8fd56df53b5097b244332d8cd3f1f6c291e5977426049a106

      SHA512

      fefec382a79d790283d28927ecf271ea09a912b7b24a41bfb21df8f34299b3936289d578bcf927f30a54e80cfcc2ceb0cd22693005260395776ffe091050e83b

      Download Submit

    • C:\Windows\SysWOW64\kdbvjkelao.exe
      Filesize

      255KB

      MD5

      a63271ba21ec7575ebef605d39fe09ac

      SHA1

      97c378b2e9f6551d9aaa7015f883f27a113f9efe

      SHA256

      2935661e984d045d0a4318528a3f459057cd4b5f91a6d7a3627bbf19e70fc171

      SHA512

      79d4cc8bb465effab0722f31f2e4899b7f75b605dbef78e69f30b485d61a2b6c05cf160a5996366681767d782388392e154a83409bdc02927bb07396be353213

      Download Submit

    • C:\Windows\SysWOW64\kdbvjkelao.exe
      Filesize

      255KB

      MD5

      a63271ba21ec7575ebef605d39fe09ac

      SHA1

      97c378b2e9f6551d9aaa7015f883f27a113f9efe

      SHA256

      2935661e984d045d0a4318528a3f459057cd4b5f91a6d7a3627bbf19e70fc171

      SHA512

      79d4cc8bb465effab0722f31f2e4899b7f75b605dbef78e69f30b485d61a2b6c05cf160a5996366681767d782388392e154a83409bdc02927bb07396be353213

      Download Submit

    • C:\Windows\SysWOW64\ktzgwcoyzoodsaz.exe
      Filesize

      255KB

      MD5

      98f1257b2d54bf5ddf1155c854d19e20

      SHA1

      d7836e0f70a7611705060559f7c9004003437cbe

      SHA256

      3fb791985a200b4f8720c2d5e9d42a75d2224b2e2992d40e025d13a377e202d3

      SHA512

      816652acdbb7ab4b4058a45b9201fa3469a89c1b71ae86fa487b10ded77a433e6c77546b22adce3b4cd1451b4ed60ed2c99d6ba52becc0eebc5cea61e91dbe92

      Download Submit

    • C:\Windows\SysWOW64\ktzgwcoyzoodsaz.exe
      Filesize

      255KB

      MD5

      98f1257b2d54bf5ddf1155c854d19e20

      SHA1

      d7836e0f70a7611705060559f7c9004003437cbe

      SHA256

      3fb791985a200b4f8720c2d5e9d42a75d2224b2e2992d40e025d13a377e202d3

      SHA512

      816652acdbb7ab4b4058a45b9201fa3469a89c1b71ae86fa487b10ded77a433e6c77546b22adce3b4cd1451b4ed60ed2c99d6ba52becc0eebc5cea61e91dbe92

      Download Submit

    • C:\Windows\SysWOW64\qrduxvrfgizum.exe
      Filesize

      255KB

      MD5

      f64c246cfa2ef410b7a66bd09ff3cbfb

      SHA1

      9964ae1d3ee08f61ff77bf284bd0e77a8bf1f02e

      SHA256

      c6ad8aa7a37557911bd8e3cc0f15a19668e25d641f737b4a1abd13bd7971a417

      SHA512

      89520cea5d8dba8c47d9cba6e721ee241a2ff8c619ba11a2f30474b37a5a2ced4a4c664c1582dbc92589916372948e0143570cff63c4c79d13cb9167c5fb6ffe

      Download Submit

    • C:\Windows\SysWOW64\qrduxvrfgizum.exe
      Filesize

      255KB

      MD5

      f64c246cfa2ef410b7a66bd09ff3cbfb

      SHA1

      9964ae1d3ee08f61ff77bf284bd0e77a8bf1f02e

      SHA256

      c6ad8aa7a37557911bd8e3cc0f15a19668e25d641f737b4a1abd13bd7971a417

      SHA512

      89520cea5d8dba8c47d9cba6e721ee241a2ff8c619ba11a2f30474b37a5a2ced4a4c664c1582dbc92589916372948e0143570cff63c4c79d13cb9167c5fb6ffe

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      27915ec09d6ed2c523d8320df1856b0c

      SHA1

      2bf7f4e856ef5e9a0598d6849969cca3417f913a

      SHA256

      20b08c89432fd2742d385a39fd2ba9fe3c8836fdc3f6a22cc00efeffe4738732

      SHA512

      29afedff7e50e2b813e974159fdf5f5e9f72582feec1067606b9b014102a39fd7461482f7e219001a04eb3cdb3172e04ce7304b1cf832e41788a610cff6e0460

      Download Submit

    • memory/212-140-0x0000000000000000-mapping.dmp

      Download

    • memory/212-168-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/212-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1412-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1412-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1892-143-0x0000000000000000-mapping.dmp

      Download

    • memory/1892-169-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1892-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2236-133-0x0000000000000000-mapping.dmp

      Download

    • memory/2236-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2236-164-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3172-147-0x0000000000000000-mapping.dmp

      Download

    • memory/3172-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3172-170-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4088-165-0x00007FFCDB720000-0x00007FFCDB730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-172-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-163-0x00007FFCDB720000-0x00007FFCDB730000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-159-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-153-0x0000000000000000-mapping.dmp

      Download

    • memory/4088-155-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-157-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-175-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-158-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-156-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-174-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-173-0x00007FFCDDAD0000-0x00007FFCDDAE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-146-0x0000000000000000-mapping.dmp

      Download

    • memory/4720-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4720-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4720-167-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download