Overview

overview

10

Static

static

8

4e88571ea7...3f.exe

windows7-x64

10

4e88571ea7...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    193s
  • max time network
    253s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 05:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e88571ea7b27479b7380546145375462b9839b7c1d595697be06ec04ee9d13f.exe

  • Size

    255KB

  • MD5

    cebc22f552c64fe39370be9ce5c100be

  • SHA1

    12a65f6fb09bbcc5782f12c7974b09350438cc25

  • SHA256

    4e88571ea7b27479b7380546145375462b9839b7c1d595697be06ec04ee9d13f

  • SHA512

    f60f0a1bc2188658a82ce4af01a638af940305d39a961ad346cbc3ed7977db6e2ce4b4185784a43c2c17fcf623d98b060a6653a8cab0f58408556b5b17f02673

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJm:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIl

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e88571ea7b27479b7380546145375462b9839b7c1d595697be06ec04ee9d13f.exe
    "C:\Users\Admin\AppData\Local\Temp\4e88571ea7b27479b7380546145375462b9839b7c1d595697be06ec04ee9d13f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\SysWOW64\ffygfmtqkp.exe
      ffygfmtqkp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\gpkhhwtn.exe
        C:\Windows\system32\gpkhhwtn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3896
    • C:\Windows\SysWOW64\ijzmngradfwtbdb.exe
      ijzmngradfwtbdb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3688
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c zzphngkfdgrsj.exe
        3⤵
          PID:2860
      • C:\Windows\SysWOW64\gpkhhwtn.exe
        gpkhhwtn.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4204
      • C:\Windows\SysWOW64\zzphngkfdgrsj.exe
        zzphngkfdgrsj.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1892
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:4012

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      a37ab36c704e894392578584a08c77ed

      SHA1

      b254db66e1e2e4085a5e041fdc524b8a5be8089c

      SHA256

      91d196807246a25bbcfa3349f7d5172c0a5da8a8eaf600bf8d38831af5a1b4ce

      SHA512

      3adcf9025eea2163c32b4601de3235ce825abbe8c40f24a0fe9efde3e486fc6fab5f5a7f86a3b3e63ff86c94fec4cf2fafc7ecbbbdde113dc3b9c352a4d11926

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      afb0242dd3556be6c3ec7b7ac5da9478

      SHA1

      5e46e812b0dca87f7e5dc3e8bd9d82c94633c7aa

      SHA256

      581de1c54dfaaf03c07a66900b08826f7b6f319fbad5167fadbd7557feb3fe9c

      SHA512

      88567c7ce6c375835d584949cd5aa705ac1215ec333707ba762527ce4590af55e0a558b5a19d5ff941f695faf635e36fa704fb4b4173a55ef2f857909c4c18ea

      Download Submit

    • C:\Windows\SysWOW64\ffygfmtqkp.exe
      Filesize

      255KB

      MD5

      8fff626e68ba425674e4145f0efc113b

      SHA1

      6548ad2c2fbc9b3e7e95e32cc3101c3181fd9387

      SHA256

      530946d7812834fa4203477d94927b0b8b95c7e6c4816dfb78a485ef570dad61

      SHA512

      c9a1c28f39dafd7eafb5169cd32a7e5da7361831ef4a086c89b35922523e4597e3d4497ff8b702e85d27aa0815c4371e4f9e8bf760bf94f6bc4efab80cb4284f

      Download Submit

    • C:\Windows\SysWOW64\ffygfmtqkp.exe
      Filesize

      255KB

      MD5

      8fff626e68ba425674e4145f0efc113b

      SHA1

      6548ad2c2fbc9b3e7e95e32cc3101c3181fd9387

      SHA256

      530946d7812834fa4203477d94927b0b8b95c7e6c4816dfb78a485ef570dad61

      SHA512

      c9a1c28f39dafd7eafb5169cd32a7e5da7361831ef4a086c89b35922523e4597e3d4497ff8b702e85d27aa0815c4371e4f9e8bf760bf94f6bc4efab80cb4284f

      Download Submit

    • C:\Windows\SysWOW64\gpkhhwtn.exe
      Filesize

      255KB

      MD5

      5dde7124f86bbb59cc510b086d5f58ac

      SHA1

      f6ea5695523aae9e8e20dff596a93c80bef0bb68

      SHA256

      a412442f5967789db90ba118786b77995535dde8e495cdc1f81271118133dd6e

      SHA512

      9a87154a239a796923015643626ffcd9fbaa892c9287428b45099a63e31167f8570a35974f10699093b4d1b512e9fae1bef31fca61e55d567344f52a7ba1c7c1

      Download Submit

    • C:\Windows\SysWOW64\gpkhhwtn.exe
      Filesize

      255KB

      MD5

      5dde7124f86bbb59cc510b086d5f58ac

      SHA1

      f6ea5695523aae9e8e20dff596a93c80bef0bb68

      SHA256

      a412442f5967789db90ba118786b77995535dde8e495cdc1f81271118133dd6e

      SHA512

      9a87154a239a796923015643626ffcd9fbaa892c9287428b45099a63e31167f8570a35974f10699093b4d1b512e9fae1bef31fca61e55d567344f52a7ba1c7c1

      Download Submit

    • C:\Windows\SysWOW64\gpkhhwtn.exe
      Filesize

      255KB

      MD5

      5dde7124f86bbb59cc510b086d5f58ac

      SHA1

      f6ea5695523aae9e8e20dff596a93c80bef0bb68

      SHA256

      a412442f5967789db90ba118786b77995535dde8e495cdc1f81271118133dd6e

      SHA512

      9a87154a239a796923015643626ffcd9fbaa892c9287428b45099a63e31167f8570a35974f10699093b4d1b512e9fae1bef31fca61e55d567344f52a7ba1c7c1

      Download Submit

    • C:\Windows\SysWOW64\ijzmngradfwtbdb.exe
      Filesize

      255KB

      MD5

      6c225a91408c2c03bb141b0a14d66599

      SHA1

      e5dac4c5faaa388dc2fa17849ffe8573690cf05a

      SHA256

      0325ae4baded9e3415c43bc7c743e2df6a1ae35a0cbb06b43adb501377fdead1

      SHA512

      14308982d1ff63a8afaf2dd841c848e733dfc775c40d5a6dc7c8344c67ec0f7c82c0ca52ad9c174fe3b5a2c9666c2b4252742dc62a3eaf280da6ab1bd1e7a849

      Download Submit

    • C:\Windows\SysWOW64\ijzmngradfwtbdb.exe
      Filesize

      255KB

      MD5

      6c225a91408c2c03bb141b0a14d66599

      SHA1

      e5dac4c5faaa388dc2fa17849ffe8573690cf05a

      SHA256

      0325ae4baded9e3415c43bc7c743e2df6a1ae35a0cbb06b43adb501377fdead1

      SHA512

      14308982d1ff63a8afaf2dd841c848e733dfc775c40d5a6dc7c8344c67ec0f7c82c0ca52ad9c174fe3b5a2c9666c2b4252742dc62a3eaf280da6ab1bd1e7a849

      Download Submit

    • C:\Windows\SysWOW64\zzphngkfdgrsj.exe
      Filesize

      255KB

      MD5

      efc92849ac9fcd1eec6d30d337cbb96d

      SHA1

      1fdbb3cf03a081339c29e907f0597e180aea20b7

      SHA256

      00cb1a2cf81adb01e6adb2c33e46f59244b9d2f03cf0d544fff68fb094fdfa9f

      SHA512

      713f4a04cf44153597aa8db3d69d202412bf48680e00b53cf291360e0a4fc2ee1d265eb3c89a012e40b45973304ca6fb4a2cb07ac3b2eb4e357f14efc8fdbfd0

      Download Submit

    • C:\Windows\SysWOW64\zzphngkfdgrsj.exe
      Filesize

      255KB

      MD5

      efc92849ac9fcd1eec6d30d337cbb96d

      SHA1

      1fdbb3cf03a081339c29e907f0597e180aea20b7

      SHA256

      00cb1a2cf81adb01e6adb2c33e46f59244b9d2f03cf0d544fff68fb094fdfa9f

      SHA512

      713f4a04cf44153597aa8db3d69d202412bf48680e00b53cf291360e0a4fc2ee1d265eb3c89a012e40b45973304ca6fb4a2cb07ac3b2eb4e357f14efc8fdbfd0

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/884-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/884-133-0x0000000000000000-mapping.dmp

      Download

    • memory/884-146-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1892-148-0x0000000000000000-mapping.dmp

      Download

    • memory/1892-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2564-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2564-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2564-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2860-151-0x0000000000000000-mapping.dmp

      Download

    • memory/3688-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3688-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3896-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4012-156-0x00007FFF0B3F0000-0x00007FFF0B400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-157-0x00007FFF0B3F0000-0x00007FFF0B400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-158-0x00007FFF0B3F0000-0x00007FFF0B400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-159-0x00007FFF0B3F0000-0x00007FFF0B400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-155-0x00007FFF0B3F0000-0x00007FFF0B400000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-153-0x0000000000000000-mapping.dmp

      Download

    • memory/4012-162-0x00007FFF08DB0000-0x00007FFF08DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4012-163-0x00007FFF08DB0000-0x00007FFF08DC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4204-140-0x0000000000000000-mapping.dmp

      Download