Overview

overview

10

Static

static

8

1a0ddc66b6...9c.exe

windows7-x64

10

1a0ddc66b6...9c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a0ddc66b62771262dd5cb37f834eb6abf77f7cb08184a34e3ecb746443e369c.exe

  • Size

    255KB

  • MD5

    f44a1675a9a7394032ce07ab9f4fd112

  • SHA1

    d4e578dae6f63917cdb886776df3f77ca92fc697

  • SHA256

    1a0ddc66b62771262dd5cb37f834eb6abf77f7cb08184a34e3ecb746443e369c

  • SHA512

    c14eab876165291a62ca3e8faffe7c7751b32acb384e026e4dbba30a7be3b7e6247bfab3d3ee9e9b2fa325f61c95319ef297acbfe2f86fef4826de42e5b3a26a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJn:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIm

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a0ddc66b62771262dd5cb37f834eb6abf77f7cb08184a34e3ecb746443e369c.exe
    "C:\Users\Admin\AppData\Local\Temp\1a0ddc66b62771262dd5cb37f834eb6abf77f7cb08184a34e3ecb746443e369c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\fsnbaqbzte.exe
      fsnbaqbzte.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\frbtaiop.exe
        C:\Windows\system32\frbtaiop.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:976
    • C:\Windows\SysWOW64\vzpdbertlymcmug.exe
      vzpdbertlymcmug.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ngnfthtlpncbu.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\SysWOW64\ngnfthtlpncbu.exe
          ngnfthtlpncbu.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1168
    • C:\Windows\SysWOW64\frbtaiop.exe
      frbtaiop.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1552
    • C:\Windows\SysWOW64\ngnfthtlpncbu.exe
      ngnfthtlpncbu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1264
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1772

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      2792676326634c2ede9e43caa09ecd31

      SHA1

      5f1169546046111720f192e3d731b68d57212ce8

      SHA256

      1da983e26ec1fdb493ab3ae362df4d3d0124e4a39e2c4dd2c07814bc02cf58c9

      SHA512

      22526b4bf035f16abba1ff31803360d77b31bfc11f3d583524da9dc761c6f1427cc5d5094eac083d2b77ae2673d1e4641374fd6ec52dcc80b975c7752dcc1f2d

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      f41c88bbe03058d7f8467fa78d06b658

      SHA1

      20223a6281e0eaf4c83feaaa7bab8fa331a05fd1

      SHA256

      a3e2417c9cbd74ef99c0281fc7e094a642e47bce544c4acfda7dfd1513cd4cd7

      SHA512

      8f1af26e9cfc42901e1b820cb9d157316a7d690e9f9aef4e118fc8e407c93e44e54de58cd9fa542a0e968b3690f75fd7ffd5d9be9412d241f6672b66cea7e368

      Download Submit

    • C:\Users\Admin\AppData\Roaming\CompleteApprove.doc.exe
      Filesize

      255KB

      MD5

      fd5864ffd7923634738cf96710c65181

      SHA1

      16db2d55bc2e60e3d715f61b041592727fd86b31

      SHA256

      8945831d552a4d5d27361769a8a532ad258a432185f78276adbfbbb7fc5300f1

      SHA512

      8c65cf813130fbab14fc2b534c688142c222af7eef1ee310c473482ce9c5ef9ab449473cdaae3dec2ed7800432a634d8345f7be5d721d90441a82d26230c50bc

      Download Submit

    • C:\Windows\SysWOW64\frbtaiop.exe
      Filesize

      255KB

      MD5

      a031b6c456eeed0846d8fcc6306ef926

      SHA1

      19976dcf9e145dcea483742d18f2a1f330747c63

      SHA256

      57ea6f94f1b45953ccc26cd5093b6023ae192a3f28f91759cf516a1c4125c0dc

      SHA512

      cab1ec9406937755bed8bb614366012c4c8566751f13f831c676ea7ed29bba4c91c26a0a745ae8897771937277994929fee711fe763be24a66b4112018ca6804

      Download Submit

    • C:\Windows\SysWOW64\frbtaiop.exe
      Filesize

      255KB

      MD5

      a031b6c456eeed0846d8fcc6306ef926

      SHA1

      19976dcf9e145dcea483742d18f2a1f330747c63

      SHA256

      57ea6f94f1b45953ccc26cd5093b6023ae192a3f28f91759cf516a1c4125c0dc

      SHA512

      cab1ec9406937755bed8bb614366012c4c8566751f13f831c676ea7ed29bba4c91c26a0a745ae8897771937277994929fee711fe763be24a66b4112018ca6804

      Download Submit

    • C:\Windows\SysWOW64\frbtaiop.exe
      Filesize

      255KB

      MD5

      a031b6c456eeed0846d8fcc6306ef926

      SHA1

      19976dcf9e145dcea483742d18f2a1f330747c63

      SHA256

      57ea6f94f1b45953ccc26cd5093b6023ae192a3f28f91759cf516a1c4125c0dc

      SHA512

      cab1ec9406937755bed8bb614366012c4c8566751f13f831c676ea7ed29bba4c91c26a0a745ae8897771937277994929fee711fe763be24a66b4112018ca6804

      Download Submit

    • C:\Windows\SysWOW64\fsnbaqbzte.exe
      Filesize

      255KB

      MD5

      0732cd7c3a8ee5a52bf8ed37d00e6b2c

      SHA1

      14f25984c8c99e9d33b2171adf03e2e4d37be480

      SHA256

      499123a64aa4f699423899895c0856cde71ba61b0c0be33880286e1f9bd8bf1f

      SHA512

      e15d476786f408a07d8b771c19820b74ef36412411ba9036c34766675f585579bcc1e7ee6fcf10d7739d25de3210f0855bd55f5a8912656d5ffb1e1614ccaad4

      Download Submit

    • C:\Windows\SysWOW64\fsnbaqbzte.exe
      Filesize

      255KB

      MD5

      0732cd7c3a8ee5a52bf8ed37d00e6b2c

      SHA1

      14f25984c8c99e9d33b2171adf03e2e4d37be480

      SHA256

      499123a64aa4f699423899895c0856cde71ba61b0c0be33880286e1f9bd8bf1f

      SHA512

      e15d476786f408a07d8b771c19820b74ef36412411ba9036c34766675f585579bcc1e7ee6fcf10d7739d25de3210f0855bd55f5a8912656d5ffb1e1614ccaad4

      Download Submit

    • C:\Windows\SysWOW64\ngnfthtlpncbu.exe
      Filesize

      255KB

      MD5

      4309e7ef5780d5292b5c739dcf8daad7

      SHA1

      3171e20ba6a238ef90a753665052548e04ec28aa

      SHA256

      ea6fdaab3f1cb36522260ccf10cf7cf07288bfed3db2fae589992ae1e7b2fd92

      SHA512

      b5777c6a38817c2f5353590556aa5bd528e301d1040a0352068dc027f46313ca791c20702bc8be9dde6740798a0cd0743ea764db46e63c2ba083fcfe255c2a9c

      Download Submit

    • C:\Windows\SysWOW64\ngnfthtlpncbu.exe
      Filesize

      255KB

      MD5

      4309e7ef5780d5292b5c739dcf8daad7

      SHA1

      3171e20ba6a238ef90a753665052548e04ec28aa

      SHA256

      ea6fdaab3f1cb36522260ccf10cf7cf07288bfed3db2fae589992ae1e7b2fd92

      SHA512

      b5777c6a38817c2f5353590556aa5bd528e301d1040a0352068dc027f46313ca791c20702bc8be9dde6740798a0cd0743ea764db46e63c2ba083fcfe255c2a9c

      Download Submit

    • C:\Windows\SysWOW64\ngnfthtlpncbu.exe
      Filesize

      255KB

      MD5

      4309e7ef5780d5292b5c739dcf8daad7

      SHA1

      3171e20ba6a238ef90a753665052548e04ec28aa

      SHA256

      ea6fdaab3f1cb36522260ccf10cf7cf07288bfed3db2fae589992ae1e7b2fd92

      SHA512

      b5777c6a38817c2f5353590556aa5bd528e301d1040a0352068dc027f46313ca791c20702bc8be9dde6740798a0cd0743ea764db46e63c2ba083fcfe255c2a9c

      Download Submit

    • C:\Windows\SysWOW64\vzpdbertlymcmug.exe
      Filesize

      255KB

      MD5

      ce6cafa5b8ec7247e2d224678c718b5d

      SHA1

      0690c3fc2b24c9db1c8fda6cc1ff2a1bd4f2ada0

      SHA256

      5d61d5ef22418026d16d240242911bd45fb47f97f3330ffa4bd1d88a61d91df3

      SHA512

      e33f56b337b4738336df535ee301f390631f1107353a50183c9b57e9c1cdfa4b07c2984053da7dda5e1c1b3673de4ae3f7afb5b08ecb0d01f65b41d233bfaa21

      Download Submit

    • C:\Windows\SysWOW64\vzpdbertlymcmug.exe
      Filesize

      255KB

      MD5

      ce6cafa5b8ec7247e2d224678c718b5d

      SHA1

      0690c3fc2b24c9db1c8fda6cc1ff2a1bd4f2ada0

      SHA256

      5d61d5ef22418026d16d240242911bd45fb47f97f3330ffa4bd1d88a61d91df3

      SHA512

      e33f56b337b4738336df535ee301f390631f1107353a50183c9b57e9c1cdfa4b07c2984053da7dda5e1c1b3673de4ae3f7afb5b08ecb0d01f65b41d233bfaa21

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\frbtaiop.exe
      Filesize

      255KB

      MD5

      a031b6c456eeed0846d8fcc6306ef926

      SHA1

      19976dcf9e145dcea483742d18f2a1f330747c63

      SHA256

      57ea6f94f1b45953ccc26cd5093b6023ae192a3f28f91759cf516a1c4125c0dc

      SHA512

      cab1ec9406937755bed8bb614366012c4c8566751f13f831c676ea7ed29bba4c91c26a0a745ae8897771937277994929fee711fe763be24a66b4112018ca6804

      Download Submit

    • \Windows\SysWOW64\frbtaiop.exe
      Filesize

      255KB

      MD5

      a031b6c456eeed0846d8fcc6306ef926

      SHA1

      19976dcf9e145dcea483742d18f2a1f330747c63

      SHA256

      57ea6f94f1b45953ccc26cd5093b6023ae192a3f28f91759cf516a1c4125c0dc

      SHA512

      cab1ec9406937755bed8bb614366012c4c8566751f13f831c676ea7ed29bba4c91c26a0a745ae8897771937277994929fee711fe763be24a66b4112018ca6804

      Download Submit

    • \Windows\SysWOW64\fsnbaqbzte.exe
      Filesize

      255KB

      MD5

      0732cd7c3a8ee5a52bf8ed37d00e6b2c

      SHA1

      14f25984c8c99e9d33b2171adf03e2e4d37be480

      SHA256

      499123a64aa4f699423899895c0856cde71ba61b0c0be33880286e1f9bd8bf1f

      SHA512

      e15d476786f408a07d8b771c19820b74ef36412411ba9036c34766675f585579bcc1e7ee6fcf10d7739d25de3210f0855bd55f5a8912656d5ffb1e1614ccaad4

      Download Submit

    • \Windows\SysWOW64\ngnfthtlpncbu.exe
      Filesize

      255KB

      MD5

      4309e7ef5780d5292b5c739dcf8daad7

      SHA1

      3171e20ba6a238ef90a753665052548e04ec28aa

      SHA256

      ea6fdaab3f1cb36522260ccf10cf7cf07288bfed3db2fae589992ae1e7b2fd92

      SHA512

      b5777c6a38817c2f5353590556aa5bd528e301d1040a0352068dc027f46313ca791c20702bc8be9dde6740798a0cd0743ea764db46e63c2ba083fcfe255c2a9c

      Download Submit

    • \Windows\SysWOW64\ngnfthtlpncbu.exe
      Filesize

      255KB

      MD5

      4309e7ef5780d5292b5c739dcf8daad7

      SHA1

      3171e20ba6a238ef90a753665052548e04ec28aa

      SHA256

      ea6fdaab3f1cb36522260ccf10cf7cf07288bfed3db2fae589992ae1e7b2fd92

      SHA512

      b5777c6a38817c2f5353590556aa5bd528e301d1040a0352068dc027f46313ca791c20702bc8be9dde6740798a0cd0743ea764db46e63c2ba083fcfe255c2a9c

      Download Submit

    • \Windows\SysWOW64\vzpdbertlymcmug.exe
      Filesize

      255KB

      MD5

      ce6cafa5b8ec7247e2d224678c718b5d

      SHA1

      0690c3fc2b24c9db1c8fda6cc1ff2a1bd4f2ada0

      SHA256

      5d61d5ef22418026d16d240242911bd45fb47f97f3330ffa4bd1d88a61d91df3

      SHA512

      e33f56b337b4738336df535ee301f390631f1107353a50183c9b57e9c1cdfa4b07c2984053da7dda5e1c1b3673de4ae3f7afb5b08ecb0d01f65b41d233bfaa21

      Download Submit

    • memory/688-77-0x0000000000000000-mapping.dmp

      Download

    • memory/888-95-0x00000000700F1000-0x00000000700F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/888-92-0x0000000000000000-mapping.dmp

      Download

    • memory/888-113-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/888-106-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/888-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/888-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/888-98-0x00000000710DD000-0x00000000710E8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/888-94-0x0000000072671000-0x0000000072674000-memory.dmp

      Filesize

      12KB

      Download

    • memory/976-90-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/976-76-0x0000000000000000-mapping.dmp

      Download

    • memory/976-104-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1044-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1044-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1044-85-0x0000000002E80000-0x0000000002F20000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1168-81-0x0000000000000000-mapping.dmp

      Download

    • memory/1168-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1168-105-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1264-89-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1264-103-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1264-69-0x0000000000000000-mapping.dmp

      Download

    • memory/1552-65-0x0000000000000000-mapping.dmp

      Download

    • memory/1552-102-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1552-88-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1616-101-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1616-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1616-60-0x0000000000000000-mapping.dmp

      Download

    • memory/1772-110-0x0000000000000000-mapping.dmp

      Download

    • memory/1772-111-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2044-100-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2044-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2044-56-0x0000000000000000-mapping.dmp

      Download