Overview

overview

10

Static

static

8

6fd331710b...10.exe

windows7-x64

10

6fd331710b...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fd331710ba2ba95c8da836a4804f2de20b76452e40803d2022fda04176acd10.exe

  • Size

    255KB

  • MD5

    5914feb2b958d5cf6ff20bc83c5ed5fa

  • SHA1

    ca150f84117f57342ca485b018e18a0ff721ef98

  • SHA256

    6fd331710ba2ba95c8da836a4804f2de20b76452e40803d2022fda04176acd10

  • SHA512

    3998dac53f551169afbb6c8b6dc3b87c08effc4c1d5c7fc3fccbe003f254b6203ac076b095d6c2bf6e06e86b3b29ada556964db2e378010d32462d8ac8db2f1a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJb:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd331710ba2ba95c8da836a4804f2de20b76452e40803d2022fda04176acd10.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd331710ba2ba95c8da836a4804f2de20b76452e40803d2022fda04176acd10.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\jkwghjfuxi.exe
      jkwghjfuxi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\SysWOW64\tbocsvgz.exe
        C:\Windows\system32\tbocsvgz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1776
    • C:\Windows\SysWOW64\wxqyrrravkbmggt.exe
      wxqyrrravkbmggt.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1340
    • C:\Windows\SysWOW64\tbocsvgz.exe
      tbocsvgz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1148
    • C:\Windows\SysWOW64\feqokbceasmgv.exe
      feqokbceasmgv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:896
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:556
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1672
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x594
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:820
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1584
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Documents\NewRevoke.doc.exe
    Filesize

    255KB

    MD5

    5498780560d76912e2f7dec01fbc4158

    SHA1

    8c7beaa8c7cb8624be9344ffc22264ded2e197bb

    SHA256

    f46cda4aaaf3608c2e756f80e50bc50b6a6c6c54eff4fd0f97610dab9ac5b812

    SHA512

    ff89be92d4080c2645dc67c151ae3891ffa114bd75b90ad9a8227ba468df6c0c634666d5b8d7b4be539441987dc4a6622f29f3a81ff49c57a31f60e77275399f

    Download Submit

  • C:\Windows\SysWOW64\feqokbceasmgv.exe
    Filesize

    255KB

    MD5

    8644a12278ac36cb0a3fc021110505cd

    SHA1

    48e3946da837958d65e3e023b611e8a987bc80e1

    SHA256

    58f492173aefca2090a5feb967867b7b646630adee51008740ca7c01959045fc

    SHA512

    2746cf750787fdc8554164740b404088615cc7c2fa750ef390e6683f235f1b1e453fb0df874e138e55c6edc45fe02fc85cc4e537ae4ede59ae7c127d8428bfd8

    Download Submit

  • C:\Windows\SysWOW64\feqokbceasmgv.exe
    Filesize

    255KB

    MD5

    8644a12278ac36cb0a3fc021110505cd

    SHA1

    48e3946da837958d65e3e023b611e8a987bc80e1

    SHA256

    58f492173aefca2090a5feb967867b7b646630adee51008740ca7c01959045fc

    SHA512

    2746cf750787fdc8554164740b404088615cc7c2fa750ef390e6683f235f1b1e453fb0df874e138e55c6edc45fe02fc85cc4e537ae4ede59ae7c127d8428bfd8

    Download Submit

  • C:\Windows\SysWOW64\jkwghjfuxi.exe
    Filesize

    255KB

    MD5

    449c4294933dfdf3a17673f1e415b610

    SHA1

    71fadc1414fc736e8b08b3bb5bb8009a942c36a4

    SHA256

    8a8378a4514279cecc4f58f06640e6febdd56f1cb28da26ee4796c96bdcd0398

    SHA512

    95ddff7cc1c60afc58c3c9a72685a64cee7e024a8d971db57842ce4339f3a3486578783f877c3f43e219678587431580b260d08d09df69adfabc4c68f56bfca4

    Download Submit

  • C:\Windows\SysWOW64\jkwghjfuxi.exe
    Filesize

    255KB

    MD5

    449c4294933dfdf3a17673f1e415b610

    SHA1

    71fadc1414fc736e8b08b3bb5bb8009a942c36a4

    SHA256

    8a8378a4514279cecc4f58f06640e6febdd56f1cb28da26ee4796c96bdcd0398

    SHA512

    95ddff7cc1c60afc58c3c9a72685a64cee7e024a8d971db57842ce4339f3a3486578783f877c3f43e219678587431580b260d08d09df69adfabc4c68f56bfca4

    Download Submit

  • C:\Windows\SysWOW64\tbocsvgz.exe
    Filesize

    255KB

    MD5

    aa51558c8e6d43fb291b3a53f57315c3

    SHA1

    c44eb2a4303ceaf3a9217e384e7d32b0f4519ddd

    SHA256

    4dc4f57ecb1504c26ab39e3a89c5d9700f80fc77c85023386dd3dca9d7010b8e

    SHA512

    8a151c92a15053e83fd29e010835059b3d80acfe62ae22206e5c8b7b28d6c392898478ee39ad2c31a4a6c0dc2053c46f846256bbe11fabc11c8ca8bfd70875fe

    Download Submit

  • C:\Windows\SysWOW64\tbocsvgz.exe
    Filesize

    255KB

    MD5

    aa51558c8e6d43fb291b3a53f57315c3

    SHA1

    c44eb2a4303ceaf3a9217e384e7d32b0f4519ddd

    SHA256

    4dc4f57ecb1504c26ab39e3a89c5d9700f80fc77c85023386dd3dca9d7010b8e

    SHA512

    8a151c92a15053e83fd29e010835059b3d80acfe62ae22206e5c8b7b28d6c392898478ee39ad2c31a4a6c0dc2053c46f846256bbe11fabc11c8ca8bfd70875fe

    Download Submit

  • C:\Windows\SysWOW64\tbocsvgz.exe
    Filesize

    255KB

    MD5

    aa51558c8e6d43fb291b3a53f57315c3

    SHA1

    c44eb2a4303ceaf3a9217e384e7d32b0f4519ddd

    SHA256

    4dc4f57ecb1504c26ab39e3a89c5d9700f80fc77c85023386dd3dca9d7010b8e

    SHA512

    8a151c92a15053e83fd29e010835059b3d80acfe62ae22206e5c8b7b28d6c392898478ee39ad2c31a4a6c0dc2053c46f846256bbe11fabc11c8ca8bfd70875fe

    Download Submit

  • C:\Windows\SysWOW64\wxqyrrravkbmggt.exe
    Filesize

    255KB

    MD5

    3d276e912427b77e920dddf9f78e1b67

    SHA1

    2ce5e3f0a2469b5226de5660bfe9ac328e9d95c1

    SHA256

    bc980d2f4557fefa4f36eed5ce0c2eba1418bda2c54d58e86d39fd7dc7726c4b

    SHA512

    2d75b982cf94df3d37a0adf6391d06f67cfbda7ccf0afb751d5aef99f68334c24e3459140b9a0b5ee0855cc190db3e3b628bf8a5c54b07ba045f08df18f76424

    Download Submit

  • C:\Windows\SysWOW64\wxqyrrravkbmggt.exe
    Filesize

    255KB

    MD5

    3d276e912427b77e920dddf9f78e1b67

    SHA1

    2ce5e3f0a2469b5226de5660bfe9ac328e9d95c1

    SHA256

    bc980d2f4557fefa4f36eed5ce0c2eba1418bda2c54d58e86d39fd7dc7726c4b

    SHA512

    2d75b982cf94df3d37a0adf6391d06f67cfbda7ccf0afb751d5aef99f68334c24e3459140b9a0b5ee0855cc190db3e3b628bf8a5c54b07ba045f08df18f76424

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\feqokbceasmgv.exe
    Filesize

    255KB

    MD5

    8644a12278ac36cb0a3fc021110505cd

    SHA1

    48e3946da837958d65e3e023b611e8a987bc80e1

    SHA256

    58f492173aefca2090a5feb967867b7b646630adee51008740ca7c01959045fc

    SHA512

    2746cf750787fdc8554164740b404088615cc7c2fa750ef390e6683f235f1b1e453fb0df874e138e55c6edc45fe02fc85cc4e537ae4ede59ae7c127d8428bfd8

    Download Submit

  • \Windows\SysWOW64\jkwghjfuxi.exe
    Filesize

    255KB

    MD5

    449c4294933dfdf3a17673f1e415b610

    SHA1

    71fadc1414fc736e8b08b3bb5bb8009a942c36a4

    SHA256

    8a8378a4514279cecc4f58f06640e6febdd56f1cb28da26ee4796c96bdcd0398

    SHA512

    95ddff7cc1c60afc58c3c9a72685a64cee7e024a8d971db57842ce4339f3a3486578783f877c3f43e219678587431580b260d08d09df69adfabc4c68f56bfca4

    Download Submit

  • \Windows\SysWOW64\tbocsvgz.exe
    Filesize

    255KB

    MD5

    aa51558c8e6d43fb291b3a53f57315c3

    SHA1

    c44eb2a4303ceaf3a9217e384e7d32b0f4519ddd

    SHA256

    4dc4f57ecb1504c26ab39e3a89c5d9700f80fc77c85023386dd3dca9d7010b8e

    SHA512

    8a151c92a15053e83fd29e010835059b3d80acfe62ae22206e5c8b7b28d6c392898478ee39ad2c31a4a6c0dc2053c46f846256bbe11fabc11c8ca8bfd70875fe

    Download Submit

  • \Windows\SysWOW64\tbocsvgz.exe
    Filesize

    255KB

    MD5

    aa51558c8e6d43fb291b3a53f57315c3

    SHA1

    c44eb2a4303ceaf3a9217e384e7d32b0f4519ddd

    SHA256

    4dc4f57ecb1504c26ab39e3a89c5d9700f80fc77c85023386dd3dca9d7010b8e

    SHA512

    8a151c92a15053e83fd29e010835059b3d80acfe62ae22206e5c8b7b28d6c392898478ee39ad2c31a4a6c0dc2053c46f846256bbe11fabc11c8ca8bfd70875fe

    Download Submit

  • \Windows\SysWOW64\wxqyrrravkbmggt.exe
    Filesize

    255KB

    MD5

    3d276e912427b77e920dddf9f78e1b67

    SHA1

    2ce5e3f0a2469b5226de5660bfe9ac328e9d95c1

    SHA256

    bc980d2f4557fefa4f36eed5ce0c2eba1418bda2c54d58e86d39fd7dc7726c4b

    SHA512

    2d75b982cf94df3d37a0adf6391d06f67cfbda7ccf0afb751d5aef99f68334c24e3459140b9a0b5ee0855cc190db3e3b628bf8a5c54b07ba045f08df18f76424

    Download Submit

  • memory/556-93-0x0000000071A6D000-0x0000000071A78000-memory.dmp

    Filesize

    44KB

    Download

  • memory/556-88-0x0000000073001000-0x0000000073004000-memory.dmp

    Filesize

    12KB

    Download

  • memory/556-89-0x0000000070A81000-0x0000000070A83000-memory.dmp

    Filesize

    8KB

    Download

  • memory/556-101-0x0000000071A6D000-0x0000000071A78000-memory.dmp

    Filesize

    44KB

    Download

  • memory/556-86-0x0000000000000000-mapping.dmp

    Download

  • memory/556-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/896-84-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/896-71-0x0000000000000000-mapping.dmp

    Download

  • memory/896-98-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-97-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-83-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1148-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1340-82-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1340-96-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1340-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-95-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1536-80-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1672-94-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1776-76-0x0000000000000000-mapping.dmp

    Download

  • memory/1776-85-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1776-99-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1976-55-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1976-81-0x00000000033C0000-0x0000000003460000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1976-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1976-87-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download