Overview

overview

10

Static

static

8

2c6a0836c1...39.exe

windows7-x64

10

2c6a0836c1...39.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 21:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c6a0836c143cbf05286be296ddaa5e4a2b92c4e1138bd8729e4f7afbe8b0439.exe

  • Size

    255KB

  • MD5

    8be341eaf35bac80ed683063e0f9bf78

  • SHA1

    e64f112c382130e37133419a350c681633a368db

  • SHA256

    2c6a0836c143cbf05286be296ddaa5e4a2b92c4e1138bd8729e4f7afbe8b0439

  • SHA512

    b7f4f36949483546c6868f3d46adde869fd6963b870d849b977353494dfefdc227c9ec067c843d2272bf3d6adb1197f85b612229bd0e70615dd89e46ae03f73a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIF

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c6a0836c143cbf05286be296ddaa5e4a2b92c4e1138bd8729e4f7afbe8b0439.exe
    "C:\Users\Admin\AppData\Local\Temp\2c6a0836c143cbf05286be296ddaa5e4a2b92c4e1138bd8729e4f7afbe8b0439.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\jwbnyftgwr.exe
      jwbnyftgwr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Windows\SysWOW64\tstddwdt.exe
        C:\Windows\system32\tstddwdt.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:884
    • C:\Windows\SysWOW64\lxhvacfiellovcy.exe
      lxhvacfiellovcy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c nwnpobsydjyia.exe
        3⤵
          PID:1560
      • C:\Windows\SysWOW64\tstddwdt.exe
        tstddwdt.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2040
      • C:\Windows\SysWOW64\nwnpobsydjyia.exe
        nwnpobsydjyia.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1824
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1728

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        255KB

        MD5

        3cd2342d0c6d7db74689a4fe33ce6d89

        SHA1

        b813921ca7f2581d62569ba61910cf4976fd8fdc

        SHA256

        b5b2d898ecbe9cc5621cd193f5a2e7af2b28f2e8bab902b748567274e82a7086

        SHA512

        c98f1982809f3a2a40404b3024bfaffc9ec98e0e3f4e937221d1223635985f0ae314596fb2e990545bde3a6077f2f44284af8d790692a1b30d9e63512a0cc266

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        255KB

        MD5

        3cd2342d0c6d7db74689a4fe33ce6d89

        SHA1

        b813921ca7f2581d62569ba61910cf4976fd8fdc

        SHA256

        b5b2d898ecbe9cc5621cd193f5a2e7af2b28f2e8bab902b748567274e82a7086

        SHA512

        c98f1982809f3a2a40404b3024bfaffc9ec98e0e3f4e937221d1223635985f0ae314596fb2e990545bde3a6077f2f44284af8d790692a1b30d9e63512a0cc266

        Download Submit

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        255KB

        MD5

        5c0797d7dff1e27bbeeb6b01571c569e

        SHA1

        5a05abf371c3aa44529e977b1357877bb4c75f2b

        SHA256

        70f89cb36eafb27fb95a029845c277e9a055b5d69438dfa816a17046cd81eded

        SHA512

        788155293a6bdafe1a7bab230a81e34a95d0411920a0e91ac40a29ad3924630bcb0f889f9b0b35bfbbc6e5f4b204bf0a4524318fd9e82873330b1e193c8f6298

        Download Submit

      • C:\Users\Admin\AppData\Roaming\TestExport.doc.exe
        Filesize

        255KB

        MD5

        d457e1d9019ded49736ca2f5f24d2de0

        SHA1

        1ddd136bad1429f40ce09514f240e8973ceb563d

        SHA256

        f913e32a5329dab37b63535c7ec24dc96904d157940c53eb734f5de92ec2083d

        SHA512

        54beb1938420e77ed8a77791da87c92e0bc8acf744f4e2453800ae8c978e2dfb1286cbb97705548dfa85966e073df5c20251b77009b6d6b607c7b0359d21964a

        Download Submit

      • C:\Windows\SysWOW64\jwbnyftgwr.exe
        Filesize

        255KB

        MD5

        a0408bf1fd484b6e33e4b220e827df7d

        SHA1

        2513d4503e32edfa3b5b300a3918b853f9cc3957

        SHA256

        bc65110855327d4c5a8e989707bce28bb9059f741ff63c8289d87b69611e8b5b

        SHA512

        2b57400946414e7397d12532fe408f75e6d74025f6e872e1414717101fb3a163b926b11e55d096c6f0f347942770fc18efc7b742a097118faac06fa3211a0ee9

        Download Submit

      • C:\Windows\SysWOW64\jwbnyftgwr.exe
        Filesize

        255KB

        MD5

        a0408bf1fd484b6e33e4b220e827df7d

        SHA1

        2513d4503e32edfa3b5b300a3918b853f9cc3957

        SHA256

        bc65110855327d4c5a8e989707bce28bb9059f741ff63c8289d87b69611e8b5b

        SHA512

        2b57400946414e7397d12532fe408f75e6d74025f6e872e1414717101fb3a163b926b11e55d096c6f0f347942770fc18efc7b742a097118faac06fa3211a0ee9

        Download Submit

      • C:\Windows\SysWOW64\lxhvacfiellovcy.exe
        Filesize

        255KB

        MD5

        dee5f44558c1bc5d3da2539f55c35ae4

        SHA1

        aee95aad79168e650336fd2889344179c2ecddd5

        SHA256

        ecdb7e0576752476ab93b7bab31cb2ce93a6551ddedccbb16742b67da3ab3c9f

        SHA512

        2eb50d72af48c8491028fea9e1b80c4e90dc89a0ee26e2bea0a88f05bcf6d8f19b8174b755ea597eed97470e109fd13315fef8580cde32450f51d335e4083b39

        Download Submit

      • C:\Windows\SysWOW64\lxhvacfiellovcy.exe
        Filesize

        255KB

        MD5

        dee5f44558c1bc5d3da2539f55c35ae4

        SHA1

        aee95aad79168e650336fd2889344179c2ecddd5

        SHA256

        ecdb7e0576752476ab93b7bab31cb2ce93a6551ddedccbb16742b67da3ab3c9f

        SHA512

        2eb50d72af48c8491028fea9e1b80c4e90dc89a0ee26e2bea0a88f05bcf6d8f19b8174b755ea597eed97470e109fd13315fef8580cde32450f51d335e4083b39

        Download Submit

      • C:\Windows\SysWOW64\nwnpobsydjyia.exe
        Filesize

        255KB

        MD5

        e7f64d999d3795a03ddd5179c7c15039

        SHA1

        139c75d3699c17d4db5a204bba4b7816cead9cee

        SHA256

        16aac1bf6fe7b8d981365456d697b1b79621eed88940bbe82bfe0c4647413efc

        SHA512

        1a421306faa400b9e9d8433d66adfe980a0d65b48e9f8f0568b9143a13e14d845531e1f616cef068d46f35017aae702a4150598027ff8f0297a76af7e7f8845b

        Download Submit

      • C:\Windows\SysWOW64\nwnpobsydjyia.exe
        Filesize

        255KB

        MD5

        e7f64d999d3795a03ddd5179c7c15039

        SHA1

        139c75d3699c17d4db5a204bba4b7816cead9cee

        SHA256

        16aac1bf6fe7b8d981365456d697b1b79621eed88940bbe82bfe0c4647413efc

        SHA512

        1a421306faa400b9e9d8433d66adfe980a0d65b48e9f8f0568b9143a13e14d845531e1f616cef068d46f35017aae702a4150598027ff8f0297a76af7e7f8845b

        Download Submit

      • C:\Windows\SysWOW64\tstddwdt.exe
        Filesize

        255KB

        MD5

        503c806176b20ebb56053b3a839ce94f

        SHA1

        1ff0469ce9fefc52512348d39a6f642dd5c372b6

        SHA256

        e8c4134e684d895239812c3072e0e3dda654be8a16c06bb94185d10b7602ac29

        SHA512

        e2288dee27a1d2fe9d91369be2887f93531f92dbfaba5cb531f83a89828d1a1c5d0125db9d954f6801d67c27b765877105a29c0a443a1823918d3b12de220e12

        Download Submit

      • C:\Windows\SysWOW64\tstddwdt.exe
        Filesize

        255KB

        MD5

        503c806176b20ebb56053b3a839ce94f

        SHA1

        1ff0469ce9fefc52512348d39a6f642dd5c372b6

        SHA256

        e8c4134e684d895239812c3072e0e3dda654be8a16c06bb94185d10b7602ac29

        SHA512

        e2288dee27a1d2fe9d91369be2887f93531f92dbfaba5cb531f83a89828d1a1c5d0125db9d954f6801d67c27b765877105a29c0a443a1823918d3b12de220e12

        Download Submit

      • C:\Windows\SysWOW64\tstddwdt.exe
        Filesize

        255KB

        MD5

        503c806176b20ebb56053b3a839ce94f

        SHA1

        1ff0469ce9fefc52512348d39a6f642dd5c372b6

        SHA256

        e8c4134e684d895239812c3072e0e3dda654be8a16c06bb94185d10b7602ac29

        SHA512

        e2288dee27a1d2fe9d91369be2887f93531f92dbfaba5cb531f83a89828d1a1c5d0125db9d954f6801d67c27b765877105a29c0a443a1823918d3b12de220e12

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\jwbnyftgwr.exe
        Filesize

        255KB

        MD5

        a0408bf1fd484b6e33e4b220e827df7d

        SHA1

        2513d4503e32edfa3b5b300a3918b853f9cc3957

        SHA256

        bc65110855327d4c5a8e989707bce28bb9059f741ff63c8289d87b69611e8b5b

        SHA512

        2b57400946414e7397d12532fe408f75e6d74025f6e872e1414717101fb3a163b926b11e55d096c6f0f347942770fc18efc7b742a097118faac06fa3211a0ee9

        Download Submit

      • \Windows\SysWOW64\lxhvacfiellovcy.exe
        Filesize

        255KB

        MD5

        dee5f44558c1bc5d3da2539f55c35ae4

        SHA1

        aee95aad79168e650336fd2889344179c2ecddd5

        SHA256

        ecdb7e0576752476ab93b7bab31cb2ce93a6551ddedccbb16742b67da3ab3c9f

        SHA512

        2eb50d72af48c8491028fea9e1b80c4e90dc89a0ee26e2bea0a88f05bcf6d8f19b8174b755ea597eed97470e109fd13315fef8580cde32450f51d335e4083b39

        Download Submit

      • \Windows\SysWOW64\nwnpobsydjyia.exe
        Filesize

        255KB

        MD5

        e7f64d999d3795a03ddd5179c7c15039

        SHA1

        139c75d3699c17d4db5a204bba4b7816cead9cee

        SHA256

        16aac1bf6fe7b8d981365456d697b1b79621eed88940bbe82bfe0c4647413efc

        SHA512

        1a421306faa400b9e9d8433d66adfe980a0d65b48e9f8f0568b9143a13e14d845531e1f616cef068d46f35017aae702a4150598027ff8f0297a76af7e7f8845b

        Download Submit

      • \Windows\SysWOW64\tstddwdt.exe
        Filesize

        255KB

        MD5

        503c806176b20ebb56053b3a839ce94f

        SHA1

        1ff0469ce9fefc52512348d39a6f642dd5c372b6

        SHA256

        e8c4134e684d895239812c3072e0e3dda654be8a16c06bb94185d10b7602ac29

        SHA512

        e2288dee27a1d2fe9d91369be2887f93531f92dbfaba5cb531f83a89828d1a1c5d0125db9d954f6801d67c27b765877105a29c0a443a1823918d3b12de220e12

        Download Submit

      • \Windows\SysWOW64\tstddwdt.exe
        Filesize

        255KB

        MD5

        503c806176b20ebb56053b3a839ce94f

        SHA1

        1ff0469ce9fefc52512348d39a6f642dd5c372b6

        SHA256

        e8c4134e684d895239812c3072e0e3dda654be8a16c06bb94185d10b7602ac29

        SHA512

        e2288dee27a1d2fe9d91369be2887f93531f92dbfaba5cb531f83a89828d1a1c5d0125db9d954f6801d67c27b765877105a29c0a443a1823918d3b12de220e12

        Download Submit

      • memory/652-94-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/652-64-0x0000000000000000-mapping.dmp

        Download

      • memory/652-79-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/884-93-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/884-101-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/884-86-0x0000000000000000-mapping.dmp

        Download

      • memory/1236-80-0x0000000002290000-0x0000000002330000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1236-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1236-84-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1236-61-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1236-62-0x0000000002290000-0x0000000002330000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1544-63-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1544-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1544-91-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1544-92-0x0000000003CD0000-0x0000000003D70000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1560-76-0x0000000000000000-mapping.dmp

        Download

      • memory/1728-104-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1728-103-0x0000000000000000-mapping.dmp

        Download

      • memory/1820-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1820-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1820-110-0x0000000070E7D000-0x0000000070E88000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1820-100-0x0000000070E7D000-0x0000000070E88000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1820-90-0x000000006FE91000-0x000000006FE93000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1820-102-0x0000000070E7D000-0x0000000070E88000-memory.dmp

        Filesize

        44KB

        Download

      • memory/1820-89-0x0000000072411000-0x0000000072414000-memory.dmp

        Filesize

        12KB

        Download

      • memory/1820-83-0x0000000000000000-mapping.dmp

        Download

      • memory/1824-82-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1824-96-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/1824-74-0x0000000000000000-mapping.dmp

        Download

      • memory/2040-95-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2040-81-0x0000000000400000-0x00000000004A0000-memory.dmp

        Filesize

        640KB

        Download

      • memory/2040-69-0x0000000000000000-mapping.dmp

        Download