Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
24-11-2022 09:12
General
-
Target
6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe
-
Size
255KB
-
MD5
f33f9a02bf7fc7f49e1841154af69397
-
SHA1
637b5adf70bcecbf856404401af47ddceab442ad
-
SHA256
6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f
-
SHA512
916fcfceb6aa9e08645438834515dead60d221bf5b17b3ae22eed2456d9b098191013bcf7e9d6ef06407bba01116598bdfaa8d271cbdd7a768c84d74cd3a31f7
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJP:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe"C:\Users\Admin\AppData\Local\Temp\6c789105f9ab1b1ff024d298764fcb98d0e36338a837e8cf010871f5101b4a6f.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\revtvzscpa.exerevtvzscpa.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ktihbbqr.exeC:\Windows\system32\ktihbbqr.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\bmskwqmkmnruhze.exebmskwqmkmnruhze.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\ktihbbqr.exektihbbqr.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\yvtjsyalhxfdx.exeyvtjsyalhxfdx.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hidden Files and Directories
2Modify Registry
6Disabling Security Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
255KB
MD53f9e88b8918d83c31fd2608edafd3953
SHA1aec0af8db0d63eb95265e834b04341411dc69620
SHA2565e74c992a38cf52bd27b1472ffa139c9c192c56b251a651ef9c303cd01e0ba32
SHA5128fafc134dade4186b82e667d7134cd1251cb5ca49be349feaef6025db597baeae1ea987c04e4974bb7dbbab243cbbac540e21ec9a7b6f90b377c6fa8d6de36b3
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
255KB
MD5d138dbdcac1a42b4da5f6ed1950239f5
SHA1928df3a07c8bbdbee2dd4402885df36f6e654f44
SHA256ce2caa9703d11fb135685f5c37553e48fd2af022af3cc2990b9f118eebe8b375
SHA512f2608c23585845ef623679d2da9c7b8c03470b34abef3e00ba207e672449083a12fd93593af4764dbfb069819817ab6d1017ed6530eac519501328334d2cb219
-
C:\Users\Admin\Documents\ConvertToUnprotect.doc.exeFilesize
255KB
MD52bb4f2e1c75dabc10e8abfeee7ca36cf
SHA17c7f615b02b82742ebb4efb3e49b3a80abc0f2aa
SHA256ba17b2258a459bf6ea3313e5a7e74bfdf22aacacb1ef68416d183e677597e705
SHA512987d9b5bf924bbf2a71bcd2d58fd3477c822ac9ecac06934f58c517453785b736fcd8d20dea6a06742958cefb7f0835082f4e021645a5afed050f23008896651
-
C:\Windows\SysWOW64\bmskwqmkmnruhze.exeFilesize
255KB
MD55337ee7d8fc3bde8095984c49b067057
SHA1608ab2a076e19c02a8897fac26455ecbd289d2e4
SHA2562e9c346e9737894c290040c622fc1deee397cb13dc5eab6d658ae9086e6e18fa
SHA512504c4f701f6ba0f657aef3142e4720f1499954a2165cce1e2caf21f7f19e6d7d6bfdf5266d82f1a6c6e8dc6b7d1c45639f1e32987997696fc41ec0a088cd7c0d
-
C:\Windows\SysWOW64\bmskwqmkmnruhze.exeFilesize
255KB
MD55337ee7d8fc3bde8095984c49b067057
SHA1608ab2a076e19c02a8897fac26455ecbd289d2e4
SHA2562e9c346e9737894c290040c622fc1deee397cb13dc5eab6d658ae9086e6e18fa
SHA512504c4f701f6ba0f657aef3142e4720f1499954a2165cce1e2caf21f7f19e6d7d6bfdf5266d82f1a6c6e8dc6b7d1c45639f1e32987997696fc41ec0a088cd7c0d
-
C:\Windows\SysWOW64\ktihbbqr.exeFilesize
255KB
MD5c94e19d80849b0d6d9699a95ea163f1e
SHA1578ac82c016be68fc9a0a4c27399602ab938a1d6
SHA2569f835151628c506b533b0498084d43d59c80e41832397950805dc5eb0a613f7f
SHA51292586c476a281a01644ef8571ddf5effc8ec21784bdf765cb32292a38e830927de462999976e9a86b85140d86c9a71a0c280b5d85ac7dc23d49381d3926050a0
-
C:\Windows\SysWOW64\ktihbbqr.exeFilesize
255KB
MD5c94e19d80849b0d6d9699a95ea163f1e
SHA1578ac82c016be68fc9a0a4c27399602ab938a1d6
SHA2569f835151628c506b533b0498084d43d59c80e41832397950805dc5eb0a613f7f
SHA51292586c476a281a01644ef8571ddf5effc8ec21784bdf765cb32292a38e830927de462999976e9a86b85140d86c9a71a0c280b5d85ac7dc23d49381d3926050a0
-
C:\Windows\SysWOW64\ktihbbqr.exeFilesize
255KB
MD5c94e19d80849b0d6d9699a95ea163f1e
SHA1578ac82c016be68fc9a0a4c27399602ab938a1d6
SHA2569f835151628c506b533b0498084d43d59c80e41832397950805dc5eb0a613f7f
SHA51292586c476a281a01644ef8571ddf5effc8ec21784bdf765cb32292a38e830927de462999976e9a86b85140d86c9a71a0c280b5d85ac7dc23d49381d3926050a0
-
C:\Windows\SysWOW64\revtvzscpa.exeFilesize
255KB
MD5b66f2d051671c8cd79761c5d7ee5dde8
SHA159525e7710ad6ff8e5ee4abd604f3f4e67b6e0f9
SHA25673b284f235442da299b870dc019854856df375f1c9e6cd6da764001aa49f5fc1
SHA5129c2f513e96adcbf7bcc9c98a59b120fab233511e021ec2b14bb32605937d536983031eb417d951da8ebde371af0822ab9bf08f6bca6a873a72f048150100bc26
-
C:\Windows\SysWOW64\revtvzscpa.exeFilesize
255KB
MD5b66f2d051671c8cd79761c5d7ee5dde8
SHA159525e7710ad6ff8e5ee4abd604f3f4e67b6e0f9
SHA25673b284f235442da299b870dc019854856df375f1c9e6cd6da764001aa49f5fc1
SHA5129c2f513e96adcbf7bcc9c98a59b120fab233511e021ec2b14bb32605937d536983031eb417d951da8ebde371af0822ab9bf08f6bca6a873a72f048150100bc26
-
C:\Windows\SysWOW64\yvtjsyalhxfdx.exeFilesize
255KB
MD5e516069b3335619a4714fbc87b6ec55c
SHA1dc7d6ae6a95e3be8fe15ce6392781fcdbcc91855
SHA25654464e6fbc1f2c2c640b1ed1bf524c00c25205b51bded6f5fe5da1ce3ef06f35
SHA512c45c2e5e7e96acf22e14b6a540b14f761b39dfba38675d80d2513c481125b546ebd798608bc87cfe86aeeed80f4985c08ad881fface1d43ccff2419c58be5cb0
-
C:\Windows\SysWOW64\yvtjsyalhxfdx.exeFilesize
255KB
MD5e516069b3335619a4714fbc87b6ec55c
SHA1dc7d6ae6a95e3be8fe15ce6392781fcdbcc91855
SHA25654464e6fbc1f2c2c640b1ed1bf524c00c25205b51bded6f5fe5da1ce3ef06f35
SHA512c45c2e5e7e96acf22e14b6a540b14f761b39dfba38675d80d2513c481125b546ebd798608bc87cfe86aeeed80f4985c08ad881fface1d43ccff2419c58be5cb0
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\??\c:\Users\Admin\Documents\ConvertToUnprotect.doc.exeFilesize
255KB
MD52bb4f2e1c75dabc10e8abfeee7ca36cf
SHA17c7f615b02b82742ebb4efb3e49b3a80abc0f2aa
SHA256ba17b2258a459bf6ea3313e5a7e74bfdf22aacacb1ef68416d183e677597e705
SHA512987d9b5bf924bbf2a71bcd2d58fd3477c822ac9ecac06934f58c517453785b736fcd8d20dea6a06742958cefb7f0835082f4e021645a5afed050f23008896651
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
255KB
MD52e1db41f2a842ef8cbb0b78acaa569e1
SHA1f65f1b1476ca5978e7d029a66dbf73d3dae3cc38
SHA256a6f83361796d9b06f5fe7683d4118bee41155197f0f86057ef1774d806a864b7
SHA5120894ed4b591faa6d0e8628d0a6215dec7a9184589c67efb46aed361f2f347c1d0bf3b3bac4a012b8e9e062c071ff242d590b6505569d81647108fb01a047fad7
-
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exeFilesize
255KB
MD56d2c4b4a9ba3d6fc570c5c8ba1a7e52d
SHA12a60350ac5d0d3fb5e53ad43dc4c384591afab67
SHA25691304b3e652157de90c2d561f046b21d3a1a4689df9f078f4af7683cd40c9221
SHA5122de9eadf6f3d6aa16eec1bf7ea1633f9135c248cdc91aec02a28c6c85d432bde81bc7cd8816620798e5ed21f5a9ec6c477aead45c5689f38cc1c8716e996d0fe
-
memory/1736-141-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1736-163-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1736-133-0x0000000000000000-mapping.dmp
-
memory/1912-148-0x0000000000000000-mapping.dmp
-
memory/1912-167-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1912-152-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1912-177-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2128-164-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2128-136-0x0000000000000000-mapping.dmp
-
memory/2128-142-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2532-151-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2532-132-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/3872-178-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/3872-139-0x0000000000000000-mapping.dmp
-
memory/3872-165-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4712-166-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4712-147-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4712-143-0x0000000000000000-mapping.dmp
-
memory/4764-160-0x00007FFC2FA10000-0x00007FFC2FA20000-memory.dmpFilesize
64KB
-
memory/4764-150-0x0000000000000000-mapping.dmp
-
memory/4764-156-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-161-0x00007FFC2FA10000-0x00007FFC2FA20000-memory.dmpFilesize
64KB
-
memory/4764-153-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-154-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-173-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-174-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-175-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-176-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-155-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB
-
memory/4764-157-0x00007FFC32230000-0x00007FFC32240000-memory.dmpFilesize
64KB