Overview

overview

10

Static

static

8

6b07fc7cab...ef.exe

windows7-x64

10

6b07fc7cab...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    177s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b07fc7cab4ffc7709df9abdd1fa205558ab984cb393011464e44c8b84997bef.exe

  • Size

    255KB

  • MD5

    c96b1a6425dc6b623667bc9547b3ebdb

  • SHA1

    7af07d088f0e79b5075d3babb913e707002e66fb

  • SHA256

    6b07fc7cab4ffc7709df9abdd1fa205558ab984cb393011464e44c8b84997bef

  • SHA512

    62d3534e01ccf955d7d5d622be8d58d2b07f8b20afd61e8f6110a64ea3364bcc6558f7fd6ee166d6149b0db4ace27593259586d98319c3bdb9a55624b510dfa2

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJC:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI/

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b07fc7cab4ffc7709df9abdd1fa205558ab984cb393011464e44c8b84997bef.exe
    "C:\Users\Admin\AppData\Local\Temp\6b07fc7cab4ffc7709df9abdd1fa205558ab984cb393011464e44c8b84997bef.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\aysdpzhcqi.exe
      aysdpzhcqi.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\SysWOW64\vznmmmdj.exe
        C:\Windows\system32\vznmmmdj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4652
    • C:\Windows\SysWOW64\zdgexajzlbvwqfg.exe
      zdgexajzlbvwqfg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1712
    • C:\Windows\SysWOW64\cciavxhajwbdw.exe
      cciavxhajwbdw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1444
    • C:\Windows\SysWOW64\vznmmmdj.exe
      vznmmmdj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3592
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3848

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    24ea1d21c882be246617e6bd97fc7557

    SHA1

    fb0047f92aff3708d1864e46fe2c454303c5d17d

    SHA256

    8fd6e62f261092f16f4e46f70ab26b778b4fb332824d6224a54ad21108519631

    SHA512

    4bf4d989bf21a0a66be2216594f8d6cdb6ca952ae92c5f4bfc0ec71958694979bb356a5b91b541d7ff0c3659a2ca0640375ad3a99dd76f6e37f6f543bfec390f

    Download Submit

  • C:\Windows\SysWOW64\aysdpzhcqi.exe
    Filesize

    255KB

    MD5

    499782ba8e020333a45e7c28bd46a328

    SHA1

    2761a429c123e59efc7250a26be3466f7fa08e2a

    SHA256

    a1817c69a53582c2c953e23f88457413157d94f7c00bda537c92f60ed1ded5fa

    SHA512

    0ecc5cb29144a52b371e28263ddeb6c80a6bd41186fd0a74c23976bf75c533f8d5db37e246e3a88b0b0acf252f5501d53236258c959cdea6625b9740d4d4c22f

    Download Submit

  • C:\Windows\SysWOW64\aysdpzhcqi.exe
    Filesize

    255KB

    MD5

    499782ba8e020333a45e7c28bd46a328

    SHA1

    2761a429c123e59efc7250a26be3466f7fa08e2a

    SHA256

    a1817c69a53582c2c953e23f88457413157d94f7c00bda537c92f60ed1ded5fa

    SHA512

    0ecc5cb29144a52b371e28263ddeb6c80a6bd41186fd0a74c23976bf75c533f8d5db37e246e3a88b0b0acf252f5501d53236258c959cdea6625b9740d4d4c22f

    Download Submit

  • C:\Windows\SysWOW64\cciavxhajwbdw.exe
    Filesize

    255KB

    MD5

    6022df5a210c11ffce51dd81b600671c

    SHA1

    93b0e47d21767b5bc669ddf17cb4356a59444f99

    SHA256

    01ee49e901ad968aef6ef430f218dbad653d317790317cfaa105aadbec20c043

    SHA512

    d5a1fd4dc6091eac23c96c2676cc6bb34c035906921ac5d6044312090de861122a37158e575b92d6c06026a14486b7408f77e0ecf102c08749ca95fc8aa234ec

    Download Submit

  • C:\Windows\SysWOW64\cciavxhajwbdw.exe
    Filesize

    255KB

    MD5

    6022df5a210c11ffce51dd81b600671c

    SHA1

    93b0e47d21767b5bc669ddf17cb4356a59444f99

    SHA256

    01ee49e901ad968aef6ef430f218dbad653d317790317cfaa105aadbec20c043

    SHA512

    d5a1fd4dc6091eac23c96c2676cc6bb34c035906921ac5d6044312090de861122a37158e575b92d6c06026a14486b7408f77e0ecf102c08749ca95fc8aa234ec

    Download Submit

  • C:\Windows\SysWOW64\vznmmmdj.exe
    Filesize

    255KB

    MD5

    e461fb25d34f98c2c151d2f1f780251a

    SHA1

    a7c9f0f7414dda0c2b16104d78b84fe4f1b8e897

    SHA256

    03a8c9ba9fc9c2acd9fe689048504e43a82c75238ec1bd9257ecfbb4deb060bc

    SHA512

    959c79040c9063433d1eb4cb6006b5746b03c6932eceebe351a78fea0146b89f2f43a3efc040b22d13e4a70088b017c7adf52770917522ddcb19343f7a6f28f7

    Download Submit

  • C:\Windows\SysWOW64\vznmmmdj.exe
    Filesize

    255KB

    MD5

    e461fb25d34f98c2c151d2f1f780251a

    SHA1

    a7c9f0f7414dda0c2b16104d78b84fe4f1b8e897

    SHA256

    03a8c9ba9fc9c2acd9fe689048504e43a82c75238ec1bd9257ecfbb4deb060bc

    SHA512

    959c79040c9063433d1eb4cb6006b5746b03c6932eceebe351a78fea0146b89f2f43a3efc040b22d13e4a70088b017c7adf52770917522ddcb19343f7a6f28f7

    Download Submit

  • C:\Windows\SysWOW64\vznmmmdj.exe
    Filesize

    255KB

    MD5

    e461fb25d34f98c2c151d2f1f780251a

    SHA1

    a7c9f0f7414dda0c2b16104d78b84fe4f1b8e897

    SHA256

    03a8c9ba9fc9c2acd9fe689048504e43a82c75238ec1bd9257ecfbb4deb060bc

    SHA512

    959c79040c9063433d1eb4cb6006b5746b03c6932eceebe351a78fea0146b89f2f43a3efc040b22d13e4a70088b017c7adf52770917522ddcb19343f7a6f28f7

    Download Submit

  • C:\Windows\SysWOW64\zdgexajzlbvwqfg.exe
    Filesize

    255KB

    MD5

    11c6916d120dd4a4cfe81fb54fb6144f

    SHA1

    ff6778cc7a212ec32e0cde5c94a6692ddc726e20

    SHA256

    3ff97f19dd6dd0d2cdc905e0389f383a214084f4ec7d563531429709a56da182

    SHA512

    102143e18a6c130885a3fe3722af9e78b4ec99da2aaa460f23b1d2835f63dd8e8842902ac0828987538f39a1c0d0e49256b13d0fdeed60ee30baf1cf1523c683

    Download Submit

  • C:\Windows\SysWOW64\zdgexajzlbvwqfg.exe
    Filesize

    255KB

    MD5

    11c6916d120dd4a4cfe81fb54fb6144f

    SHA1

    ff6778cc7a212ec32e0cde5c94a6692ddc726e20

    SHA256

    3ff97f19dd6dd0d2cdc905e0389f383a214084f4ec7d563531429709a56da182

    SHA512

    102143e18a6c130885a3fe3722af9e78b4ec99da2aaa460f23b1d2835f63dd8e8842902ac0828987538f39a1c0d0e49256b13d0fdeed60ee30baf1cf1523c683

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • memory/544-150-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/544-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/544-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1444-155-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1444-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1444-142-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1712-136-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3592-139-0x0000000000000000-mapping.dmp

    Download

  • memory/3592-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3592-154-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3848-162-0x00007FFB94410000-0x00007FFB94420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3848-165-0x00007FFB923B0000-0x00007FFB923C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-164-0x00007FFB923B0000-0x00007FFB923C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-159-0x00007FFB94410000-0x00007FFB94420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-160-0x00007FFB94410000-0x00007FFB94420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-161-0x00007FFB94410000-0x00007FFB94420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3848-163-0x00007FFB94410000-0x00007FFB94420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4604-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4604-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4604-133-0x0000000000000000-mapping.dmp

    Download

  • memory/4652-156-0x0000000000000000-mapping.dmp

    Download

  • memory/4652-158-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4652-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download