Analysis
-
max time kernel
227s -
max time network
243s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
23-11-2022 21:06
General
-
Target
2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe
-
Size
255KB
-
MD5
72eb5945bda4d97f6d24459274c9df40
-
SHA1
bdab67f20e8a28fe9218f9da5412ff4495e7983d
-
SHA256
2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec
-
SHA512
48f0c7acafd8f52d2c276f521a733af3b01d0f0a1c8a228728ec9096d1f5f6198bed95c3ddfe9d404a2782915b8d47c0186220282e229c7e90a3cf95f4027c2f
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJb:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 5 IoCs
-
Modifies registry class 53 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe"C:\Users\Admin\AppData\Local\Temp\2194386471f859a5180bad7a31a490ef0ccfb673da1446ffa78766823e7b33ec.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\oamxlqfkyw.exeoamxlqfkyw.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lfireosa.exeC:\Windows\system32\lfireosa.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\ggvnyevobmocrmm.exeggvnyevobmocrmm.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\lfireosa.exelfireosa.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\mtabpmafctfms.exemtabpmafctfms.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD5d74d78b143e4aa07e477cfc391a837d8
SHA108624c85e8e7e545fc9eb3c63af4992adf2e4903
SHA256a82b403bd12283595d05bb8ce2aceba6c2a81f1cdf738928e3970939aa3649da
SHA51264c8ffd7737a3d442357f3e23ef8a3dfe858aa806933f6c4fa8afa250b21819896f63a978cd9ae17ee65caf6a1273951f4cca542fb7288be6f524228b1d7720c
-
Filesize
255KB
MD5b92fd5f6968d921d36bb76d813583a66
SHA12ec3a9c6567110ad928a2cb950e4e0e04a64fba4
SHA2562bdab67b8570062c759b6fedc6796bba01cf478544eaaa129be99119a902a03d
SHA5123d232c8c1fe13b6437dfdbd89a7ad21ae95759cb1c2ed66dba39582f354490ebdc8c9692976898123acb6c5ea91080b6130aabe70206a6a9f764d18bfa77d45d
-
Filesize
255KB
MD577885496a97f71093ae31b95b75b15de
SHA1dc9dbcd43dd7e15d9406e850e664c1e6965d69f7
SHA256dc14f59f00cefc5abb6416ce4a988a272ffe26d6d09bb56e380808737300869a
SHA51253d67e377bec7b24a992c22de1353e94096c4295160838360386a336e4329346e9851da76210b38fd442460ecf139dd461d2377adafc614834adaea0cee68391
-
Filesize
255KB
MD577885496a97f71093ae31b95b75b15de
SHA1dc9dbcd43dd7e15d9406e850e664c1e6965d69f7
SHA256dc14f59f00cefc5abb6416ce4a988a272ffe26d6d09bb56e380808737300869a
SHA51253d67e377bec7b24a992c22de1353e94096c4295160838360386a336e4329346e9851da76210b38fd442460ecf139dd461d2377adafc614834adaea0cee68391
-
Filesize
255KB
MD5b62da09d564f760531aa1378b2f2f4a4
SHA1f9089eeb61211974d5690f531e9b780c27eb40d4
SHA256d027085a732bb9122dfeebeedab3487d539a3555299d1b1890acff831c192f34
SHA5121072e2b817cdad1754cfe8e19f9908c44d5423a08ba829ebb46ad34a4712e9180ecf30e92af8b34c334017f82fd722df411003c92efda9709d13995b71969f02
-
Filesize
255KB
MD5b62da09d564f760531aa1378b2f2f4a4
SHA1f9089eeb61211974d5690f531e9b780c27eb40d4
SHA256d027085a732bb9122dfeebeedab3487d539a3555299d1b1890acff831c192f34
SHA5121072e2b817cdad1754cfe8e19f9908c44d5423a08ba829ebb46ad34a4712e9180ecf30e92af8b34c334017f82fd722df411003c92efda9709d13995b71969f02
-
Filesize
255KB
MD5b62da09d564f760531aa1378b2f2f4a4
SHA1f9089eeb61211974d5690f531e9b780c27eb40d4
SHA256d027085a732bb9122dfeebeedab3487d539a3555299d1b1890acff831c192f34
SHA5121072e2b817cdad1754cfe8e19f9908c44d5423a08ba829ebb46ad34a4712e9180ecf30e92af8b34c334017f82fd722df411003c92efda9709d13995b71969f02
-
Filesize
255KB
MD5385e9a9080a8e6fc6559afb95a914700
SHA1c5c5a65e7af1489246307bbf5e6efa34dc30360f
SHA256fa616a8d1c7b5dc702e3304a11c08646512def032dc70ba4a46c1a72ed227954
SHA51285c253e7c0cdf427f4cea8ea8657da13ae476163f8f7ab6453d73b2f94e708d3bf3a6cd3c7e51daddaaffede3a8b2c5268f76fcb39f9020f12ac71e7747a07fb
-
Filesize
255KB
MD5385e9a9080a8e6fc6559afb95a914700
SHA1c5c5a65e7af1489246307bbf5e6efa34dc30360f
SHA256fa616a8d1c7b5dc702e3304a11c08646512def032dc70ba4a46c1a72ed227954
SHA51285c253e7c0cdf427f4cea8ea8657da13ae476163f8f7ab6453d73b2f94e708d3bf3a6cd3c7e51daddaaffede3a8b2c5268f76fcb39f9020f12ac71e7747a07fb
-
Filesize
255KB
MD55eedada677d71388d52b5c3bea43be57
SHA1269df5f5bb1f036e5a85efbed900927b56fbf73c
SHA256db10b5b8afd7f42a1141dc5549c649f6f04549a46b9264f2b1cfc49ef4a7fa82
SHA5120c752df1ea3d7766d06e26e4dba56d4a05ee71d0a8f736af9545a65e7f0e836be1a887ed090559bd2d45832bfb3b0de7da0de44230a384c306e7959818c90235
-
Filesize
255KB
MD55eedada677d71388d52b5c3bea43be57
SHA1269df5f5bb1f036e5a85efbed900927b56fbf73c
SHA256db10b5b8afd7f42a1141dc5549c649f6f04549a46b9264f2b1cfc49ef4a7fa82
SHA5120c752df1ea3d7766d06e26e4dba56d4a05ee71d0a8f736af9545a65e7f0e836be1a887ed090559bd2d45832bfb3b0de7da0de44230a384c306e7959818c90235
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
12KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
12KB
-
Filesize
16KB
-
Filesize
16KB
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-