Overview

overview

10

Static

static

8

236f632c6d...e7.exe

windows7-x64

10

236f632c6d...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    216s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 21:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    236f632c6d7ef073225c01a49f554c7b56604e1895bd097522e9dc7a510822e7.exe

  • Size

    255KB

  • MD5

    fe0dd9cb32d051ea951039e26bb4caaa

  • SHA1

    480ad468a290f7742f985ef8e7e7faa671ee8ac2

  • SHA256

    236f632c6d7ef073225c01a49f554c7b56604e1895bd097522e9dc7a510822e7

  • SHA512

    730feb5233dd5e3ad1532d5fd179005e90c21dde18d6b3a289e6f696f14583f8557517bf8f84ac881adfb2fe298d8e7b137232b98d79183aa983382405c8aa77

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI8

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\236f632c6d7ef073225c01a49f554c7b56604e1895bd097522e9dc7a510822e7.exe
    "C:\Users\Admin\AppData\Local\Temp\236f632c6d7ef073225c01a49f554c7b56604e1895bd097522e9dc7a510822e7.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\SysWOW64\wcudyxjqra.exe
      wcudyxjqra.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\kxabwtnp.exe
        C:\Windows\system32\kxabwtnp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4604
    • C:\Windows\SysWOW64\qfflbufrhiysssw.exe
      qfflbufrhiysssw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c saoykvmdawktp.exe
        3⤵
          PID:4660
      • C:\Windows\SysWOW64\kxabwtnp.exe
        kxabwtnp.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:116
      • C:\Windows\SysWOW64\saoykvmdawktp.exe
        saoykvmdawktp.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1172
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1700

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      d599802a14821a87f968635a0546d3a4

      SHA1

      2b04cd0b178e59ea05b9e22d8507cfdeddbd1a37

      SHA256

      02711fb034b2bf4b355b7d18f1a73bbba8a897901a057d61ec66ef1346bcaea8

      SHA512

      bc5e5a53f3cc0baf60cd054c02b38f79a544c4af3f25245bec62f33f045f250254f1e88ca75a3bed073b714d77c309a0b43ce9f0a1a56592560c7d2cd2756730

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      6a00e1d009faa3ab96cc63e61c026440

      SHA1

      47a77f0f4e2a6c785e978e2c5a2f3fddb319f099

      SHA256

      3cd0539f21ea322c13c8ab5b88c58b618f7fb3543453de04bb9ff51b0817c630

      SHA512

      97b64a2bf78a62ccd5c50b11ca2f7668d993a3b5e1414debe8205057a83b2edb55459018d841d582abf0785224e559224626aa3a2f0b116387f0d041b2afc9e6

      Download Submit

    • C:\Windows\SysWOW64\kxabwtnp.exe
      Filesize

      255KB

      MD5

      5f03a0faf382808f6e28c975cbb58cef

      SHA1

      125b096c10c2c1993dda465611a935db122e6ed1

      SHA256

      0df042a975d8cfd536cc53559e1b26cb04f22c421e051115956ebf45fc86352d

      SHA512

      c8a723d74b282c03791350422a400e570dfbdb9199d208ef6ab5bae9954d7ac25efeda9240513e05e8b119dda825ec9f5a4cea7a6bdc979599d232da5678806a

      Download Submit

    • C:\Windows\SysWOW64\kxabwtnp.exe
      Filesize

      255KB

      MD5

      5f03a0faf382808f6e28c975cbb58cef

      SHA1

      125b096c10c2c1993dda465611a935db122e6ed1

      SHA256

      0df042a975d8cfd536cc53559e1b26cb04f22c421e051115956ebf45fc86352d

      SHA512

      c8a723d74b282c03791350422a400e570dfbdb9199d208ef6ab5bae9954d7ac25efeda9240513e05e8b119dda825ec9f5a4cea7a6bdc979599d232da5678806a

      Download Submit

    • C:\Windows\SysWOW64\kxabwtnp.exe
      Filesize

      255KB

      MD5

      5f03a0faf382808f6e28c975cbb58cef

      SHA1

      125b096c10c2c1993dda465611a935db122e6ed1

      SHA256

      0df042a975d8cfd536cc53559e1b26cb04f22c421e051115956ebf45fc86352d

      SHA512

      c8a723d74b282c03791350422a400e570dfbdb9199d208ef6ab5bae9954d7ac25efeda9240513e05e8b119dda825ec9f5a4cea7a6bdc979599d232da5678806a

      Download Submit

    • C:\Windows\SysWOW64\qfflbufrhiysssw.exe
      Filesize

      255KB

      MD5

      295dfdfa9589a509a95f0d0204542e8f

      SHA1

      bb8d5029dc44764e7849ec6eb09c73ae7356fac2

      SHA256

      d8c54511eef8bd46cddca9481abf6f3ec8b01ff9278a57f53e938f772c40985c

      SHA512

      43241ed4ba46aaaf61f55c706ecc648b6f21e40314361290024e6d982c2f4044716e4c49de90f1fc6591f6041f79b8b5ac19576fb233b71e1fcb8eba1e28ec17

      Download Submit

    • C:\Windows\SysWOW64\qfflbufrhiysssw.exe
      Filesize

      255KB

      MD5

      295dfdfa9589a509a95f0d0204542e8f

      SHA1

      bb8d5029dc44764e7849ec6eb09c73ae7356fac2

      SHA256

      d8c54511eef8bd46cddca9481abf6f3ec8b01ff9278a57f53e938f772c40985c

      SHA512

      43241ed4ba46aaaf61f55c706ecc648b6f21e40314361290024e6d982c2f4044716e4c49de90f1fc6591f6041f79b8b5ac19576fb233b71e1fcb8eba1e28ec17

      Download Submit

    • C:\Windows\SysWOW64\saoykvmdawktp.exe
      Filesize

      255KB

      MD5

      36bea45b6e7e063b0763c730bb3d04d4

      SHA1

      454bbea782734b001ae1d73e88762eafde0dd60f

      SHA256

      83e1629b7b35c620ed0d6291fc59d2f4dbe64e97a8956a367f5d20fa89516193

      SHA512

      d5ad086e01fe6e7b23cee5ad3ec4915dc3bf3cc2478a94cbc908d2c246401fc62ce96ff44883e5a51d1b77e034958905514813dd1b4744c157418afc820cdff3

      Download Submit

    • C:\Windows\SysWOW64\saoykvmdawktp.exe
      Filesize

      255KB

      MD5

      36bea45b6e7e063b0763c730bb3d04d4

      SHA1

      454bbea782734b001ae1d73e88762eafde0dd60f

      SHA256

      83e1629b7b35c620ed0d6291fc59d2f4dbe64e97a8956a367f5d20fa89516193

      SHA512

      d5ad086e01fe6e7b23cee5ad3ec4915dc3bf3cc2478a94cbc908d2c246401fc62ce96ff44883e5a51d1b77e034958905514813dd1b4744c157418afc820cdff3

      Download Submit

    • C:\Windows\SysWOW64\wcudyxjqra.exe
      Filesize

      255KB

      MD5

      87affb14be6c07623dd81d4bfe72405e

      SHA1

      9acd5ea8d8dc022ae699151808bf78f32e7d692e

      SHA256

      12d60023dd16e9f4cb765df0b153854c9f0d8fe9c222db9d02df05b8060455c8

      SHA512

      f913eb7b0c34d90d7c55987ebe7eb3b22d42bcdcc71cf79db9eb342d5c76fa70fb30cd186d9535c1f3cf3e4186bdef12253b46f7208c96e3afd7b4f9f83f06c7

      Download Submit

    • C:\Windows\SysWOW64\wcudyxjqra.exe
      Filesize

      255KB

      MD5

      87affb14be6c07623dd81d4bfe72405e

      SHA1

      9acd5ea8d8dc022ae699151808bf78f32e7d692e

      SHA256

      12d60023dd16e9f4cb765df0b153854c9f0d8fe9c222db9d02df05b8060455c8

      SHA512

      f913eb7b0c34d90d7c55987ebe7eb3b22d42bcdcc71cf79db9eb342d5c76fa70fb30cd186d9535c1f3cf3e4186bdef12253b46f7208c96e3afd7b4f9f83f06c7

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/116-142-0x0000000000000000-mapping.dmp

      Download

    • memory/116-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/116-167-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1172-168-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1172-150-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1172-146-0x0000000000000000-mapping.dmp

      Download

    • memory/1700-154-0x0000000000000000-mapping.dmp

      Download

    • memory/1700-172-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-174-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-162-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-173-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-175-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-164-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-163-0x00007FFBEDA70000-0x00007FFBEDA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-158-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-159-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-160-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1700-161-0x00007FFBEFBD0000-0x00007FFBEFBE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3632-140-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3632-134-0x0000000000000000-mapping.dmp

      Download

    • memory/3632-165-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3928-155-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3928-133-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3928-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4568-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4568-166-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4568-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4604-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4604-169-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4604-151-0x0000000000000000-mapping.dmp

      Download

    • memory/4660-144-0x0000000000000000-mapping.dmp

      Download