Overview

overview

10

Static

static

8

604235a892...5b.exe

windows7-x64

10

604235a892...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    268s
  • max time network
    290s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    604235a8923bcc41529c7662f5dc0b5e3be2f720e9b9ff15344f453cc9b3115b.exe

  • Size

    255KB

  • MD5

    36aced954a82292490e98f4ce0ca5720

  • SHA1

    857fd81aa5a71b6e1e47e121eace3a968f2ee374

  • SHA256

    604235a8923bcc41529c7662f5dc0b5e3be2f720e9b9ff15344f453cc9b3115b

  • SHA512

    ee2a10e5e8832919390ffe7659113aac5f1693e768cfa7d584c7390bffcf1ce5b3cde195bcace85bb0934ae7f7ae00580fd2e184871f47f56fa34acbb05c68ef

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJY:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIH

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\604235a8923bcc41529c7662f5dc0b5e3be2f720e9b9ff15344f453cc9b3115b.exe
    "C:\Users\Admin\AppData\Local\Temp\604235a8923bcc41529c7662f5dc0b5e3be2f720e9b9ff15344f453cc9b3115b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\egapkvazaa.exe
      egapkvazaa.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\SysWOW64\tqrbioqm.exe
        C:\Windows\system32\tqrbioqm.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5044
    • C:\Windows\SysWOW64\tnyxmqrgctvommx.exe
      tnyxmqrgctvommx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4368
    • C:\Windows\SysWOW64\tqrbioqm.exe
      tqrbioqm.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4320
    • C:\Windows\SysWOW64\doevrsootfbbz.exe
      doevrsootfbbz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2976
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    0f54ad67251f1e5c64424b278f4c7b94

    SHA1

    9406a2370817d5fcf1123c3df8b41ec81b343e80

    SHA256

    1472d3691dd18c6e25a90a4de0d6af8f95344ed7ccb695375e0aeef41d357b7e

    SHA512

    e2138bf64f9c924e4c8d0f6849b1b835baa21ac96610085986c4e6fc297b93cc517c317a6620f6664cda042c451738edaa2b60ec98b2416319f72cc06ea919b3

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    40f99a618f70e6514636992dcba0c907

    SHA1

    b5bb3986ae4339648d3043ea46c8471fa3e93d2b

    SHA256

    8a49883f7aef54e25fff6b5110ad585c2b182f0aa3aba68c79f749b8c021c9e4

    SHA512

    ad79d750d20216962ce50e9dafd9c370baf4306c8d1398aa35b22577a5212c1b6f75b4fe1ec5231ac0a21638a2bba764a7441732382ac893f3dac576f86f0ccb

    Download Submit

  • C:\Windows\SysWOW64\doevrsootfbbz.exe
    Filesize

    255KB

    MD5

    841e48a9062607a95456751f6a3ea7b4

    SHA1

    3d60faa49fc19f29a34b9b605639fcd9958481b7

    SHA256

    cff705437e45bfdc014c248060ece51ea113bc7bfda43b92e35fba341755cb78

    SHA512

    43c7745a6aa38351d4e301aefa95104e9827be198c6b9cae5b584508c2d6386a4f765a57094535091330e75343e14f10835937418e0d880e5c21a9c1f173aa4f

    Download Submit

  • C:\Windows\SysWOW64\doevrsootfbbz.exe
    Filesize

    255KB

    MD5

    841e48a9062607a95456751f6a3ea7b4

    SHA1

    3d60faa49fc19f29a34b9b605639fcd9958481b7

    SHA256

    cff705437e45bfdc014c248060ece51ea113bc7bfda43b92e35fba341755cb78

    SHA512

    43c7745a6aa38351d4e301aefa95104e9827be198c6b9cae5b584508c2d6386a4f765a57094535091330e75343e14f10835937418e0d880e5c21a9c1f173aa4f

    Download Submit

  • C:\Windows\SysWOW64\egapkvazaa.exe
    Filesize

    255KB

    MD5

    1cd446183eb914923ad345bb9a71f033

    SHA1

    c3a301b2ae400a72bc515183e1dc10bbd8528171

    SHA256

    6cb0ebe4c1260f3328d6a8566b823e44115c4328fc17ca85183b9a7cd0d5d8c1

    SHA512

    53d5a483d10ca6c6e5b9360aac843b1304092034a53964f518fe551cc1884c3389d28a97c548f4fe312e7008289e221a0dab308dd10efb56d83201726c7847df

    Download Submit

  • C:\Windows\SysWOW64\egapkvazaa.exe
    Filesize

    255KB

    MD5

    1cd446183eb914923ad345bb9a71f033

    SHA1

    c3a301b2ae400a72bc515183e1dc10bbd8528171

    SHA256

    6cb0ebe4c1260f3328d6a8566b823e44115c4328fc17ca85183b9a7cd0d5d8c1

    SHA512

    53d5a483d10ca6c6e5b9360aac843b1304092034a53964f518fe551cc1884c3389d28a97c548f4fe312e7008289e221a0dab308dd10efb56d83201726c7847df

    Download Submit

  • C:\Windows\SysWOW64\tnyxmqrgctvommx.exe
    Filesize

    255KB

    MD5

    6b08d4e5bef0ba4dbf1a79d30da0602e

    SHA1

    fdeddc41bf8e2268dc01fe6f43dc24f4e44dcc95

    SHA256

    a18fdec21231eff1316e4b1ae29a1265bd7f465741b3710080e24075e567ea04

    SHA512

    f75c12e1dcd79dd50fcaac1d229585b57970c97e2dd8bbaa44e4887e83961a7b21c9b9ce14a8f4263f05a56e9b38e538c339b21e72675bed40cccd30475358d2

    Download Submit

  • C:\Windows\SysWOW64\tnyxmqrgctvommx.exe
    Filesize

    255KB

    MD5

    6b08d4e5bef0ba4dbf1a79d30da0602e

    SHA1

    fdeddc41bf8e2268dc01fe6f43dc24f4e44dcc95

    SHA256

    a18fdec21231eff1316e4b1ae29a1265bd7f465741b3710080e24075e567ea04

    SHA512

    f75c12e1dcd79dd50fcaac1d229585b57970c97e2dd8bbaa44e4887e83961a7b21c9b9ce14a8f4263f05a56e9b38e538c339b21e72675bed40cccd30475358d2

    Download Submit

  • C:\Windows\SysWOW64\tqrbioqm.exe
    Filesize

    255KB

    MD5

    d62c16b167d33ce84abb5289fb0e949b

    SHA1

    9a5f8042ff14e983fb8d190e4df4a6077e496273

    SHA256

    bf3bf84494d501e73562db5be81a29bfd0f75047cb8d1d8ebb4661aa8cb71638

    SHA512

    0f46616bbe8c3fd3fb4ac565d858c79fb131fa8e883e1d7b6e7bfa39d8d6e8bfd2fd304bd542b0810e286514c343c3bd90cca5c98afb4a2bb16ecf6195dca66f

    Download Submit

  • C:\Windows\SysWOW64\tqrbioqm.exe
    Filesize

    255KB

    MD5

    d62c16b167d33ce84abb5289fb0e949b

    SHA1

    9a5f8042ff14e983fb8d190e4df4a6077e496273

    SHA256

    bf3bf84494d501e73562db5be81a29bfd0f75047cb8d1d8ebb4661aa8cb71638

    SHA512

    0f46616bbe8c3fd3fb4ac565d858c79fb131fa8e883e1d7b6e7bfa39d8d6e8bfd2fd304bd542b0810e286514c343c3bd90cca5c98afb4a2bb16ecf6195dca66f

    Download Submit

  • C:\Windows\SysWOW64\tqrbioqm.exe
    Filesize

    255KB

    MD5

    d62c16b167d33ce84abb5289fb0e949b

    SHA1

    9a5f8042ff14e983fb8d190e4df4a6077e496273

    SHA256

    bf3bf84494d501e73562db5be81a29bfd0f75047cb8d1d8ebb4661aa8cb71638

    SHA512

    0f46616bbe8c3fd3fb4ac565d858c79fb131fa8e883e1d7b6e7bfa39d8d6e8bfd2fd304bd542b0810e286514c343c3bd90cca5c98afb4a2bb16ecf6195dca66f

    Download Submit

  • memory/2396-150-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2396-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2416-154-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2416-133-0x0000000000000000-mapping.dmp

    Download

  • memory/2416-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2976-141-0x0000000000000000-mapping.dmp

    Download

  • memory/2976-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2976-157-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3024-162-0x00007FF866290000-0x00007FF8662A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-166-0x00007FF864080000-0x00007FF864090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-161-0x00007FF866290000-0x00007FF8662A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-165-0x00007FF864080000-0x00007FF864090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-160-0x00007FF866290000-0x00007FF8662A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-159-0x00007FF866290000-0x00007FF8662A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3024-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3024-158-0x00007FF866290000-0x00007FF8662A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4320-156-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4320-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4320-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4368-155-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4368-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4368-136-0x0000000000000000-mapping.dmp

    Download

  • memory/5044-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5044-151-0x0000000000000000-mapping.dmp

    Download