Analysis
-
max time kernel
160s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 21:04
General
-
Target
5edb013f68a059db7dc018c5468e51c2fb81c7677f21872230fcbea92ca02b49.exe
-
Size
255KB
-
MD5
3abd70c8cd60300e6377176260cfb128
-
SHA1
b1606d59a29b6210b5848a9f3b265dfa241a50ce
-
SHA256
5edb013f68a059db7dc018c5468e51c2fb81c7677f21872230fcbea92ca02b49
-
SHA512
dcf20d9d5f8af30f909183e209f09cc916f4aa6dcb57b7d22204b1995ae42ae1ff7739fdf6f2f84e0cc0762fbfb6bd88b66cd7e7454933e73e58b72c88f19417
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIy
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5edb013f68a059db7dc018c5468e51c2fb81c7677f21872230fcbea92ca02b49.exe"C:\Users\Admin\AppData\Local\Temp\5edb013f68a059db7dc018c5468e51c2fb81c7677f21872230fcbea92ca02b49.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ranaztwucb.exeranaztwucb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qwjqljca.exeC:\Windows\system32\qwjqljca.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\gajcgeoiinmvnns.exegajcgeoiinmvnns.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\qwjqljca.exeqwjqljca.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\byvfhxevcljvx.exebyvfhxevcljvx.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hidden Files and Directories
2Modify Registry
6Disabling Security Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
255KB
MD5a6f0be4899749f5d9530be087c89291d
SHA1363e83eac2dc82f7996e9c8c21279651b4e9bc18
SHA2569c0c99190d5457c630c8a298e937461c96db110003b4ae1160656115c67556ba
SHA5128ce37a13bb44d429bd78b031caf7322a581693006e14f5aa8c1e47aa4c01e1c63303f6210b04ce13a3fceb9be26b8529f4925fb10fc76742f89d88846254f1f3
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
255KB
MD59af65cc9394617278e2a77f44a9402fb
SHA18e952aadb0469820a62310d111b0ff04e6452c0c
SHA256e23880c24b0ccafe8430282de0802d075f5ec7700c649d9fb15e158d370afdaf
SHA5128b81f272a621327132e8324d7bb3939415d922183869dee1f498ce459420747f9cde4010e950d4e2ff07ba1682755b52be17190cd7fce881fb56de221ac6baf7
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
255KB
MD59af65cc9394617278e2a77f44a9402fb
SHA18e952aadb0469820a62310d111b0ff04e6452c0c
SHA256e23880c24b0ccafe8430282de0802d075f5ec7700c649d9fb15e158d370afdaf
SHA5128b81f272a621327132e8324d7bb3939415d922183869dee1f498ce459420747f9cde4010e950d4e2ff07ba1682755b52be17190cd7fce881fb56de221ac6baf7
-
C:\Users\Admin\Desktop\RenameCompare.doc.exeFilesize
255KB
MD5006b78503851fd0c592b79aa62e70c71
SHA13a4d74f85b0fa8d3d21785ad41bd17ac99750982
SHA2560b614868735b59b66356466dcb81a639ecffbe31824dc276f20356731d4a34dd
SHA512895929ffbebe5779aba21d8e4c5313758cf8a602094cb97a8eedf091e927e4aad282859a9a9643c3140c56966ea92a5c830f71984ffc5e8b91a1f94ba4025ed5
-
C:\Windows\SysWOW64\byvfhxevcljvx.exeFilesize
255KB
MD5dc04974b42781e7a52697fa6d7ec742e
SHA129c6d77d271df784b07f44bd6d88abebb9ad0612
SHA256905ad7892949f907bab95ef543d0c17b3b2c48681372e49eec4f58aa19723b7b
SHA51203f09c0a8ca6ab6ccc80055dcd52cab8570a5ed1b52ac484748f3635fb2b7bc2ce22de8666d5a8671ca4575ad582349eabfa01a917a9a005a92f38d2c1ea151e
-
C:\Windows\SysWOW64\byvfhxevcljvx.exeFilesize
255KB
MD5dc04974b42781e7a52697fa6d7ec742e
SHA129c6d77d271df784b07f44bd6d88abebb9ad0612
SHA256905ad7892949f907bab95ef543d0c17b3b2c48681372e49eec4f58aa19723b7b
SHA51203f09c0a8ca6ab6ccc80055dcd52cab8570a5ed1b52ac484748f3635fb2b7bc2ce22de8666d5a8671ca4575ad582349eabfa01a917a9a005a92f38d2c1ea151e
-
C:\Windows\SysWOW64\gajcgeoiinmvnns.exeFilesize
255KB
MD52e5ef30940e0521d7bc254cca474a749
SHA12c9ae2978f22b2434adf93d225460ca36cae61e8
SHA2561a8e8600dbf18aa744d45ff17846030edf415df58ea7f8b06cffc22c25427a8e
SHA5124da208ce6d3949ffabe04d0500ac2c95f4296bc19c7173e2a2530f0c0f2e8c29d439bb8897a95cc2ce8c4a823f39e234410aab20cff7cd68f301e8c93ec68ef5
-
C:\Windows\SysWOW64\gajcgeoiinmvnns.exeFilesize
255KB
MD52e5ef30940e0521d7bc254cca474a749
SHA12c9ae2978f22b2434adf93d225460ca36cae61e8
SHA2561a8e8600dbf18aa744d45ff17846030edf415df58ea7f8b06cffc22c25427a8e
SHA5124da208ce6d3949ffabe04d0500ac2c95f4296bc19c7173e2a2530f0c0f2e8c29d439bb8897a95cc2ce8c4a823f39e234410aab20cff7cd68f301e8c93ec68ef5
-
C:\Windows\SysWOW64\qwjqljca.exeFilesize
255KB
MD5305fab6dd7d79df1b1b14618bad6e54a
SHA1570b7ab381afa12c242647f32f9bd6842a1d5216
SHA256e423a191acf22971266008ec1b678b55dece971b5e1d247a499d5d4617a7e683
SHA512446500f262355d3f9176b474047fadd0fb9aba5c99576b08b42d9202757be9299df68c4898081976d934583bd3a449eac5b64e4f6fb52a1291e3c905b70cb222
-
C:\Windows\SysWOW64\qwjqljca.exeFilesize
255KB
MD5305fab6dd7d79df1b1b14618bad6e54a
SHA1570b7ab381afa12c242647f32f9bd6842a1d5216
SHA256e423a191acf22971266008ec1b678b55dece971b5e1d247a499d5d4617a7e683
SHA512446500f262355d3f9176b474047fadd0fb9aba5c99576b08b42d9202757be9299df68c4898081976d934583bd3a449eac5b64e4f6fb52a1291e3c905b70cb222
-
C:\Windows\SysWOW64\qwjqljca.exeFilesize
255KB
MD5305fab6dd7d79df1b1b14618bad6e54a
SHA1570b7ab381afa12c242647f32f9bd6842a1d5216
SHA256e423a191acf22971266008ec1b678b55dece971b5e1d247a499d5d4617a7e683
SHA512446500f262355d3f9176b474047fadd0fb9aba5c99576b08b42d9202757be9299df68c4898081976d934583bd3a449eac5b64e4f6fb52a1291e3c905b70cb222
-
C:\Windows\SysWOW64\ranaztwucb.exeFilesize
255KB
MD534370bcb999c121bbf98a2380e2d50cf
SHA1c7e160c93e93dfa2a5a1e9ea88149cf794fb614e
SHA2567b4414f73ea42c3a513f7933fb30868e934c84e10bb0ac8a39a54814deda5e36
SHA512a16c83120112d0dcdb80edb60f24bf004ff8d5a635ab28123a2e7d7e1ad2d4553d393a243e93588afef1a570ebc743183882eaf7b117a8c4a07f8b7c9f1e9918
-
C:\Windows\SysWOW64\ranaztwucb.exeFilesize
255KB
MD534370bcb999c121bbf98a2380e2d50cf
SHA1c7e160c93e93dfa2a5a1e9ea88149cf794fb614e
SHA2567b4414f73ea42c3a513f7933fb30868e934c84e10bb0ac8a39a54814deda5e36
SHA512a16c83120112d0dcdb80edb60f24bf004ff8d5a635ab28123a2e7d7e1ad2d4553d393a243e93588afef1a570ebc743183882eaf7b117a8c4a07f8b7c9f1e9918
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
memory/1264-154-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1264-152-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1264-132-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2784-133-0x0000000000000000-mapping.dmp
-
memory/2784-136-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2784-155-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2872-168-0x00007FFEB5DC0000-0x00007FFEB5DD0000-memory.dmpFilesize
64KB
-
memory/2872-164-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-176-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-175-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-174-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-173-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-153-0x0000000000000000-mapping.dmp
-
memory/2872-169-0x00007FFEB5DC0000-0x00007FFEB5DD0000-memory.dmpFilesize
64KB
-
memory/2872-167-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-166-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-165-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/2872-163-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/4304-158-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4304-148-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4304-143-0x0000000000000000-mapping.dmp
-
memory/4352-137-0x0000000000000000-mapping.dmp
-
memory/4352-156-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4352-146-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4888-162-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4888-149-0x0000000000000000-mapping.dmp
-
memory/4888-151-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/5080-140-0x0000000000000000-mapping.dmp
-
memory/5080-147-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/5080-157-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB