Overview

overview

10

Static

static

8

6c827141d0...be.exe

windows7-x64

10

6c827141d0...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe

  • Size

    255KB

  • MD5

    7d5dc99d15d0b9b3b86665c091fad166

  • SHA1

    c50b78c1dd46fb4a283f1532268390454a7181cf

  • SHA256

    6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be

  • SHA512

    bd0370c6e297c3ed120e1299fb13591b757d563310b6a2a78b97ed4617eebb5c14702a194d76a9840299ca117d1bab6b14ebf44922b776afb567a36ee383d7e3

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ1:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
    "C:\Users\Admin\AppData\Local\Temp\6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\fthnlolboq.exe
      fthnlolboq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\lxrvdblg.exe
        C:\Windows\system32\lxrvdblg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1864
    • C:\Windows\SysWOW64\wzghqusirrviimh.exe
      wzghqusirrviimh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1760
    • C:\Windows\SysWOW64\lxrvdblg.exe
      lxrvdblg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1636
    • C:\Windows\SysWOW64\azfvcptbxuspr.exe
      azfvcptbxuspr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1676
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1648

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      9f7f29a2b40a4282a4d9859c113ccc26

      SHA1

      b3b52d3451d2334faf5cda2cf0688386dff06210

      SHA256

      cd544bc88153ad02edd29f228313c4253a77539780feb6dda4023f18e059c4c0

      SHA512

      97e9454df1ecc65aa182aae7a99255c22a193ea3e143ede69c59e77225896a8b294424915dbd42b5255c486bffa9680bb9b2d836d64e45679abfe7a2a874c491

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      8506c8ad1b70a06d7643abda25c9590a

      SHA1

      1a7120f3dd90eb9123916b7af2921e07f6f9a12e

      SHA256

      f95ff37a13da1bd7bb425ff5073d06ba5ed630d661081867eb8b058b0ce57e3c

      SHA512

      2bd43dacfd2371210cfbfff3b37d4a641af322c6887cc7c9a0635d71be4b8bb1e5db10d29dcfb9162a00fada49780d833ed5238dbe9c42f090d679ee7a903b69

      Download Submit

    • C:\Users\Admin\Downloads\ReceiveEnable.doc.exe
      Filesize

      255KB

      MD5

      86dba3571efd3e1e20abde592138ab49

      SHA1

      dec105c7198f6dc6363829467a2f32599b8374a0

      SHA256

      02ac6c5fbf3fae6e168382aef698ebadd7bef9c4b1b113f0e0699bb3e084633d

      SHA512

      a3b1ff70c6eec9d2e93c7fd1984f6e771714b644139dfdb6aa1338c0240593531894f798ff5c35ea0a4137492bdd00ce008dc9c50f1f09f969d7064514c03ebb

      Download Submit

    • C:\Windows\SysWOW64\azfvcptbxuspr.exe
      Filesize

      255KB

      MD5

      fac53a8b70c424b5c256cbca64716254

      SHA1

      5dcd6ab7f08987ab5f227bca70f2972c4d34a637

      SHA256

      fe6709da3e47b3c88955df26c873fb0d1bb5a39ec026a1f83f6aaaa955aa083b

      SHA512

      defa963d2ecd8c82dfb7fd6960ae407f8be2394a75002b353e3c291b8aa8920396bd5a987091048bd1ffc1134c60b2db44b875c94e6330c9ee21f343c5959421

      Download Submit

    • C:\Windows\SysWOW64\azfvcptbxuspr.exe
      Filesize

      255KB

      MD5

      fac53a8b70c424b5c256cbca64716254

      SHA1

      5dcd6ab7f08987ab5f227bca70f2972c4d34a637

      SHA256

      fe6709da3e47b3c88955df26c873fb0d1bb5a39ec026a1f83f6aaaa955aa083b

      SHA512

      defa963d2ecd8c82dfb7fd6960ae407f8be2394a75002b353e3c291b8aa8920396bd5a987091048bd1ffc1134c60b2db44b875c94e6330c9ee21f343c5959421

      Download Submit

    • C:\Windows\SysWOW64\fthnlolboq.exe
      Filesize

      255KB

      MD5

      893f0e19d518843b5336e65fdd7c983b

      SHA1

      7ca41ecabf62aeb1dd4f15b1e08ae9ab686bf65b

      SHA256

      ee1e4f70a21b8184534f356c28c9463ef7b56b1ef2e23b404313b8358016fa63

      SHA512

      452234b3407c8008b473286348cd6ab769d2fa427c3f23ac695489cb2ebd4235deb39be5b6ae7f6f63d7bb7abfb0945c262f9665b5ffbd50c32f39ca2c6314f0

      Download Submit

    • C:\Windows\SysWOW64\fthnlolboq.exe
      Filesize

      255KB

      MD5

      893f0e19d518843b5336e65fdd7c983b

      SHA1

      7ca41ecabf62aeb1dd4f15b1e08ae9ab686bf65b

      SHA256

      ee1e4f70a21b8184534f356c28c9463ef7b56b1ef2e23b404313b8358016fa63

      SHA512

      452234b3407c8008b473286348cd6ab769d2fa427c3f23ac695489cb2ebd4235deb39be5b6ae7f6f63d7bb7abfb0945c262f9665b5ffbd50c32f39ca2c6314f0

      Download Submit

    • C:\Windows\SysWOW64\lxrvdblg.exe
      Filesize

      255KB

      MD5

      5ec6d8a2e922f5ade655ece1e12df490

      SHA1

      4882c57060e5860cf17839da375b7b61ffa8c9a1

      SHA256

      eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf

      SHA512

      d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141

      Download Submit

    • C:\Windows\SysWOW64\lxrvdblg.exe
      Filesize

      255KB

      MD5

      5ec6d8a2e922f5ade655ece1e12df490

      SHA1

      4882c57060e5860cf17839da375b7b61ffa8c9a1

      SHA256

      eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf

      SHA512

      d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141

      Download Submit

    • C:\Windows\SysWOW64\lxrvdblg.exe
      Filesize

      255KB

      MD5

      5ec6d8a2e922f5ade655ece1e12df490

      SHA1

      4882c57060e5860cf17839da375b7b61ffa8c9a1

      SHA256

      eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf

      SHA512

      d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141

      Download Submit

    • C:\Windows\SysWOW64\wzghqusirrviimh.exe
      Filesize

      255KB

      MD5

      8add0a237a18d698731781025a72b950

      SHA1

      314c814ce2bd1cff26204bd31cac753fbb32105c

      SHA256

      43f1a1b88c7d1ac2dde297f69f1087063bf591408a8af3245d39a1df1b3e5daa

      SHA512

      9f71c2fb8df4663c466d7a43eccadaed4a00f58da67869af62914a88e7474640c2322bc4fb73fbb4da29f315768377b50d619cf65c539bef87f8202477d18d75

      Download Submit

    • C:\Windows\SysWOW64\wzghqusirrviimh.exe
      Filesize

      255KB

      MD5

      8add0a237a18d698731781025a72b950

      SHA1

      314c814ce2bd1cff26204bd31cac753fbb32105c

      SHA256

      43f1a1b88c7d1ac2dde297f69f1087063bf591408a8af3245d39a1df1b3e5daa

      SHA512

      9f71c2fb8df4663c466d7a43eccadaed4a00f58da67869af62914a88e7474640c2322bc4fb73fbb4da29f315768377b50d619cf65c539bef87f8202477d18d75

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\azfvcptbxuspr.exe
      Filesize

      255KB

      MD5

      fac53a8b70c424b5c256cbca64716254

      SHA1

      5dcd6ab7f08987ab5f227bca70f2972c4d34a637

      SHA256

      fe6709da3e47b3c88955df26c873fb0d1bb5a39ec026a1f83f6aaaa955aa083b

      SHA512

      defa963d2ecd8c82dfb7fd6960ae407f8be2394a75002b353e3c291b8aa8920396bd5a987091048bd1ffc1134c60b2db44b875c94e6330c9ee21f343c5959421

      Download Submit

    • \Windows\SysWOW64\fthnlolboq.exe
      Filesize

      255KB

      MD5

      893f0e19d518843b5336e65fdd7c983b

      SHA1

      7ca41ecabf62aeb1dd4f15b1e08ae9ab686bf65b

      SHA256

      ee1e4f70a21b8184534f356c28c9463ef7b56b1ef2e23b404313b8358016fa63

      SHA512

      452234b3407c8008b473286348cd6ab769d2fa427c3f23ac695489cb2ebd4235deb39be5b6ae7f6f63d7bb7abfb0945c262f9665b5ffbd50c32f39ca2c6314f0

      Download Submit

    • \Windows\SysWOW64\lxrvdblg.exe
      Filesize

      255KB

      MD5

      5ec6d8a2e922f5ade655ece1e12df490

      SHA1

      4882c57060e5860cf17839da375b7b61ffa8c9a1

      SHA256

      eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf

      SHA512

      d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141

      Download Submit

    • \Windows\SysWOW64\lxrvdblg.exe
      Filesize

      255KB

      MD5

      5ec6d8a2e922f5ade655ece1e12df490

      SHA1

      4882c57060e5860cf17839da375b7b61ffa8c9a1

      SHA256

      eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf

      SHA512

      d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141

      Download Submit

    • \Windows\SysWOW64\wzghqusirrviimh.exe
      Filesize

      255KB

      MD5

      8add0a237a18d698731781025a72b950

      SHA1

      314c814ce2bd1cff26204bd31cac753fbb32105c

      SHA256

      43f1a1b88c7d1ac2dde297f69f1087063bf591408a8af3245d39a1df1b3e5daa

      SHA512

      9f71c2fb8df4663c466d7a43eccadaed4a00f58da67869af62914a88e7474640c2322bc4fb73fbb4da29f315768377b50d619cf65c539bef87f8202477d18d75

      Download Submit

    • memory/1508-57-0x00000000032F0000-0x0000000003390000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1508-78-0x00000000032F0000-0x0000000003390000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1508-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1508-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1524-107-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1524-100-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1524-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1524-97-0x0000000070F1D000-0x0000000070F28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1524-90-0x000000006FF31000-0x000000006FF33000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1524-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1524-87-0x0000000000000000-mapping.dmp

      Download

    • memory/1524-89-0x00000000724B1000-0x00000000724B4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1636-68-0x0000000000000000-mapping.dmp

      Download

    • memory/1636-80-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1636-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1648-104-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1648-103-0x0000000000000000-mapping.dmp

      Download

    • memory/1676-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1676-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1676-72-0x0000000000000000-mapping.dmp

      Download

    • memory/1760-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1760-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1760-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1864-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1864-83-0x0000000000000000-mapping.dmp

      Download

    • memory/1864-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2032-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2032-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2032-58-0x0000000000000000-mapping.dmp

      Download