Overview

overview

10

Static

static

8

7085afb197...37.exe

windows7-x64

10

7085afb197...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7085afb19783f55fbced2866e84a2821844a009919449bbbd2010c9a98b2a837.exe

  • Size

    255KB

  • MD5

    5c68735ba52464db85df70858967d36b

  • SHA1

    19d9a8d363dc9851aade058645567a600d1b2246

  • SHA256

    7085afb19783f55fbced2866e84a2821844a009919449bbbd2010c9a98b2a837

  • SHA512

    40989030de16f6a2799ad83114c2c122f97b035ccb8a184ace4de0c9db01a3d9b7ab877bb6397e0d03ddc785ab26f77dffd23ddf6ec83c9b135eea22febad514

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJu:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIH

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7085afb19783f55fbced2866e84a2821844a009919449bbbd2010c9a98b2a837.exe
    "C:\Users\Admin\AppData\Local\Temp\7085afb19783f55fbced2866e84a2821844a009919449bbbd2010c9a98b2a837.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\stdvuoenhp.exe
      stdvuoenhp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\yjakaetc.exe
        C:\Windows\system32\yjakaetc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:768
    • C:\Windows\SysWOW64\unnqxigcovksary.exe
      unnqxigcovksary.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1928
    • C:\Windows\SysWOW64\yjakaetc.exe
      yjakaetc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1080
    • C:\Windows\SysWOW64\rxuiytkayluyl.exe
      rxuiytkayluyl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1048
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Modify Registry

    7
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      f0b6a0abfbbafdd43e4e4f270cf0febd

      SHA1

      df227869efffe68a7e0a9f94445fe78f40278b8e

      SHA256

      e9a38b211fdec40c576a2819db873b62ac63fa31cd9ba1a804ef99fd8bfe4ae3

      SHA512

      56061d0383b581fd46ffe59bd871ccfdc32142af11e105a7b05cd56c2b56483961ff0f5e880cd1492e8283703e4b5dcb6e240f4718b170b4701d23cd00337648

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SaveConvertFrom.doc.exe
      Filesize

      255KB

      MD5

      f26ad9873cffff73bf2dac48635d14ff

      SHA1

      13505654882c12944c15fcbb06ade4a957ec43ce

      SHA256

      7cf4987a04b7c55d4159b2d191dbb3b117d5c9037c71450174b3bf317ecebc58

      SHA512

      42b151fac480f051a618cc4fa0e33cb1d0301f62099897e7ccd1e04427145616859887cc4bdd171c23c190d4703b4eeea2e1852b23aa993c1d463e1b7f0a46c5

      Download Submit
    • C:\Users\Admin\Downloads\AssertMerge.doc.exe
      Filesize

      255KB

      MD5

      845c070becb0a0537f8e62feaece8f40

      SHA1

      d2c0fb66a1a76c999837a2f05004b7b762efa0e7

      SHA256

      6af2420af92c85826ec5642b3db6a65de5d60f30884e24785d8628e48f4b4173

      SHA512

      5d1486f64f01b32cf12dadc7db12d2a4145d5286cf0e6fade5a44e73f2679b96ff3dc2572501f86043b6991e07a2b4e9e0e6df72458cdfd6e65a45f032c51cc3

      Download Submit
    • C:\Windows\SysWOW64\rxuiytkayluyl.exe
      Filesize

      255KB

      MD5

      9ea2246f09a25b6530d6eae6ac776833

      SHA1

      6a2835ba1ef207e95224766a9d27308a053b4e65

      SHA256

      4eb05f43d2dd866080191923dd8058bcee662c792c43cf3f2dbffffbc846f079

      SHA512

      508194e6c22873028c46af7afaa6c3d18f6fec289a024d288c6e33f48b572ed4f9340f9afb0e8dde3245773e0d5a59189f09dfb22fadab212deef2493d1fe7c7

      Download Submit
    • C:\Windows\SysWOW64\rxuiytkayluyl.exe
      Filesize

      255KB

      MD5

      9ea2246f09a25b6530d6eae6ac776833

      SHA1

      6a2835ba1ef207e95224766a9d27308a053b4e65

      SHA256

      4eb05f43d2dd866080191923dd8058bcee662c792c43cf3f2dbffffbc846f079

      SHA512

      508194e6c22873028c46af7afaa6c3d18f6fec289a024d288c6e33f48b572ed4f9340f9afb0e8dde3245773e0d5a59189f09dfb22fadab212deef2493d1fe7c7

      Download Submit
    • C:\Windows\SysWOW64\stdvuoenhp.exe
      Filesize

      255KB

      MD5

      475be40b1b2e62b9732c3e58c1727784

      SHA1

      7d01d0994835e71444e0f58e5eae8ec25aa5c706

      SHA256

      6c3ddd9c8ccacf3680859c982204aec1aa1d174523cc01d67137aa134cebdd04

      SHA512

      c4154410ef59baf9428a4415d29f2055e0c0a986c78ff07f93c66719371c9771387e9480e546c3f95cc35cd3a25d90dcdef71cebed4aece038a2b27580337ff0

      Download Submit
    • C:\Windows\SysWOW64\stdvuoenhp.exe
      Filesize

      255KB

      MD5

      475be40b1b2e62b9732c3e58c1727784

      SHA1

      7d01d0994835e71444e0f58e5eae8ec25aa5c706

      SHA256

      6c3ddd9c8ccacf3680859c982204aec1aa1d174523cc01d67137aa134cebdd04

      SHA512

      c4154410ef59baf9428a4415d29f2055e0c0a986c78ff07f93c66719371c9771387e9480e546c3f95cc35cd3a25d90dcdef71cebed4aece038a2b27580337ff0

      Download Submit
    • C:\Windows\SysWOW64\unnqxigcovksary.exe
      Filesize

      255KB

      MD5

      dda95d723d5385dfc00e2dcb93669151

      SHA1

      9bef47abe3e6ffde2f92518a3ff1daa176e8d086

      SHA256

      1720007c716f031b7c0aed492d0de3c0d65a61fbdb05d638b0f8f0e274265b82

      SHA512

      fe1ad62f76b8495088b096b1359f99339b446a1e65e246bcb4b13e445c214b52a4934f48365ae4032e5e8db2e961ed135176f7709c1337cd9ca57982d7d3b14b

      Download Submit
    • C:\Windows\SysWOW64\unnqxigcovksary.exe
      Filesize

      255KB

      MD5

      dda95d723d5385dfc00e2dcb93669151

      SHA1

      9bef47abe3e6ffde2f92518a3ff1daa176e8d086

      SHA256

      1720007c716f031b7c0aed492d0de3c0d65a61fbdb05d638b0f8f0e274265b82

      SHA512

      fe1ad62f76b8495088b096b1359f99339b446a1e65e246bcb4b13e445c214b52a4934f48365ae4032e5e8db2e961ed135176f7709c1337cd9ca57982d7d3b14b

      Download Submit
    • C:\Windows\SysWOW64\yjakaetc.exe
      Filesize

      255KB

      MD5

      efae1df29b1cc06c592e4bf862ea0e42

      SHA1

      101693402c56ce8375e720c99bdd2f0e22c39b6c

      SHA256

      8110ab5752e697cd0fd4d40d745e9698796107383f425d2255e864586ca9505f

      SHA512

      eecd3fb0dd6e48955cffb64a40cc2068e7e5ffeb8d412699203d7039b11cea2aedb8ba7b7b573e56cfda0d62c4b6084a00a77e015525d5709fc8a22e48f6e831

      Download Submit
    • C:\Windows\SysWOW64\yjakaetc.exe
      Filesize

      255KB

      MD5

      efae1df29b1cc06c592e4bf862ea0e42

      SHA1

      101693402c56ce8375e720c99bdd2f0e22c39b6c

      SHA256

      8110ab5752e697cd0fd4d40d745e9698796107383f425d2255e864586ca9505f

      SHA512

      eecd3fb0dd6e48955cffb64a40cc2068e7e5ffeb8d412699203d7039b11cea2aedb8ba7b7b573e56cfda0d62c4b6084a00a77e015525d5709fc8a22e48f6e831

      Download Submit
    • C:\Windows\SysWOW64\yjakaetc.exe
      Filesize

      255KB

      MD5

      efae1df29b1cc06c592e4bf862ea0e42

      SHA1

      101693402c56ce8375e720c99bdd2f0e22c39b6c

      SHA256

      8110ab5752e697cd0fd4d40d745e9698796107383f425d2255e864586ca9505f

      SHA512

      eecd3fb0dd6e48955cffb64a40cc2068e7e5ffeb8d412699203d7039b11cea2aedb8ba7b7b573e56cfda0d62c4b6084a00a77e015525d5709fc8a22e48f6e831

      Download Submit
    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit
    • \Windows\SysWOW64\rxuiytkayluyl.exe
      Filesize

      255KB

      MD5

      9ea2246f09a25b6530d6eae6ac776833

      SHA1

      6a2835ba1ef207e95224766a9d27308a053b4e65

      SHA256

      4eb05f43d2dd866080191923dd8058bcee662c792c43cf3f2dbffffbc846f079

      SHA512

      508194e6c22873028c46af7afaa6c3d18f6fec289a024d288c6e33f48b572ed4f9340f9afb0e8dde3245773e0d5a59189f09dfb22fadab212deef2493d1fe7c7

      Download Submit
    • \Windows\SysWOW64\stdvuoenhp.exe
      Filesize

      255KB

      MD5

      475be40b1b2e62b9732c3e58c1727784

      SHA1

      7d01d0994835e71444e0f58e5eae8ec25aa5c706

      SHA256

      6c3ddd9c8ccacf3680859c982204aec1aa1d174523cc01d67137aa134cebdd04

      SHA512

      c4154410ef59baf9428a4415d29f2055e0c0a986c78ff07f93c66719371c9771387e9480e546c3f95cc35cd3a25d90dcdef71cebed4aece038a2b27580337ff0

      Download Submit
    • \Windows\SysWOW64\unnqxigcovksary.exe
      Filesize

      255KB

      MD5

      dda95d723d5385dfc00e2dcb93669151

      SHA1

      9bef47abe3e6ffde2f92518a3ff1daa176e8d086

      SHA256

      1720007c716f031b7c0aed492d0de3c0d65a61fbdb05d638b0f8f0e274265b82

      SHA512

      fe1ad62f76b8495088b096b1359f99339b446a1e65e246bcb4b13e445c214b52a4934f48365ae4032e5e8db2e961ed135176f7709c1337cd9ca57982d7d3b14b

      Download Submit
    • \Windows\SysWOW64\yjakaetc.exe
      Filesize

      255KB

      MD5

      efae1df29b1cc06c592e4bf862ea0e42

      SHA1

      101693402c56ce8375e720c99bdd2f0e22c39b6c

      SHA256

      8110ab5752e697cd0fd4d40d745e9698796107383f425d2255e864586ca9505f

      SHA512

      eecd3fb0dd6e48955cffb64a40cc2068e7e5ffeb8d412699203d7039b11cea2aedb8ba7b7b573e56cfda0d62c4b6084a00a77e015525d5709fc8a22e48f6e831

      Download Submit
    • \Windows\SysWOW64\yjakaetc.exe
      Filesize

      255KB

      MD5

      efae1df29b1cc06c592e4bf862ea0e42

      SHA1

      101693402c56ce8375e720c99bdd2f0e22c39b6c

      SHA256

      8110ab5752e697cd0fd4d40d745e9698796107383f425d2255e864586ca9505f

      SHA512

      eecd3fb0dd6e48955cffb64a40cc2068e7e5ffeb8d412699203d7039b11cea2aedb8ba7b7b573e56cfda0d62c4b6084a00a77e015525d5709fc8a22e48f6e831

      Download Submit
    • memory/768-87-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/768-98-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/768-82-0x0000000000000000-mapping.dmp
      Download
    • memory/936-104-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/936-103-0x0000000000000000-mapping.dmp
      Download
    • memory/1020-77-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1020-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1020-94-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1048-80-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1048-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1048-97-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1080-79-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1080-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1080-96-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1832-92-0x0000000070D6D000-0x0000000070D78000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1832-99-0x0000000070D6D000-0x0000000070D78000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1832-106-0x0000000070D6D000-0x0000000070D78000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1832-105-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1832-90-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1832-89-0x000000006FD81000-0x000000006FD83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1832-88-0x0000000072301000-0x0000000072304000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1832-85-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-78-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1928-95-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1952-76-0x00000000032B0000-0x0000000003350000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1952-75-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1952-54-0x0000000075981000-0x0000000075983000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1952-86-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download