Analysis
-
max time kernel
151s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 08:43
General
-
Target
9c3442578839fdcc3fe5ecb0503788c52ccee99171d076ccd0c812536b277f89.exe
-
Size
255KB
-
MD5
b876a282afc6d42c41a4b8509e679fbd
-
SHA1
96527f85478c7addbe31bd5986b63f0fb66f4d22
-
SHA256
9c3442578839fdcc3fe5ecb0503788c52ccee99171d076ccd0c812536b277f89
-
SHA512
449b653eaef2778a4f2799561342523661c6a08a079cae8251dbddb7ac3a8c54d350aca4656a0ac5ee0e11152d216471983805d9ed5ecc8806d610ddabc01a90
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJc:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c3442578839fdcc3fe5ecb0503788c52ccee99171d076ccd0c812536b277f89.exe"C:\Users\Admin\AppData\Local\Temp\9c3442578839fdcc3fe5ecb0503788c52ccee99171d076ccd0c812536b277f89.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\eapgyqzdqi.exeeapgyqzdqi.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\teervgmj.exeC:\Windows\system32\teervgmj.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\cgcyrfrfzlrxktk.execgcyrfrfzlrxktk.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\teervgmj.exeteervgmj.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\nwaqspuvsbqdf.exenwaqspuvsbqdf.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD5e32518e7f1ee6fcce437065bd19f3d19
SHA1e20b92c1be6350eee8b3c2cc7e455d2daec7580f
SHA256d61ced2768002568ddcfd9b909f5833bb2927f507fcc9f1262f0b087ff12e1a4
SHA51262cb992f1e29c34e2b2883049bb65b9c4e2823feeddc1e87ee4726f6e6237936f40c2b3ae4fcafc880c5e58895b20a5d6e073e9f4191a5ef397c7cd67b7e0f2c
-
Filesize
255KB
MD5e57740f4678d21a2ff2c4b0768106cca
SHA1001e615b57a122836dd08414913cf72c64e791da
SHA25662717ec48aec04ed8b30730992c66b57e6d5dcd8284fa583203394f8ae914799
SHA512bc46cdd125f67991f3cdc64c5d578e8cea9895421ecf81af6ac540198bec20baad0f4afc27ce4a4befedded34c4674147dea78c6f60edffcf2c16cfd2f0532c5
-
Filesize
255KB
MD55f3dc7aa38fab7dbed7c27e83c5f9899
SHA1c91639f5c554c831903ddc528049d359c7cbae2d
SHA25626573251add7fcde42bf5f95d3221b59259cddff3827d46761903f34247852b5
SHA51235e05c23bcdb720e8b3b20f63ca66ecc50e703d705c05179892b841353a99094af0d99e2ed9cdd6b50c3b89833f49cd2064624f969be744f2c5a36e866435c12
-
Filesize
255KB
MD55f3dc7aa38fab7dbed7c27e83c5f9899
SHA1c91639f5c554c831903ddc528049d359c7cbae2d
SHA25626573251add7fcde42bf5f95d3221b59259cddff3827d46761903f34247852b5
SHA51235e05c23bcdb720e8b3b20f63ca66ecc50e703d705c05179892b841353a99094af0d99e2ed9cdd6b50c3b89833f49cd2064624f969be744f2c5a36e866435c12
-
Filesize
255KB
MD58e1a41cd50e611eec56867a2e27425c0
SHA1a04416e511b299a6e45519a082262c7cdf2cd89d
SHA256b4b0c557f41be5bb9643cdc9c7111799ed25a40d4efdf70378517b71d32d5c37
SHA512b239f9fba560ce88ba7d916d9d51a36dd38411cc7ac5ae236fa77c12590450fdd39dc5ebf2e1747ce4971ec6c197b92e0286a15d8399bc46e857a31448673e7c
-
Filesize
255KB
MD58e1a41cd50e611eec56867a2e27425c0
SHA1a04416e511b299a6e45519a082262c7cdf2cd89d
SHA256b4b0c557f41be5bb9643cdc9c7111799ed25a40d4efdf70378517b71d32d5c37
SHA512b239f9fba560ce88ba7d916d9d51a36dd38411cc7ac5ae236fa77c12590450fdd39dc5ebf2e1747ce4971ec6c197b92e0286a15d8399bc46e857a31448673e7c
-
Filesize
255KB
MD5562c3be406180adda3431b6e2034de50
SHA1ddad602b4768fd72f285ad7d93abc4593bcda678
SHA256822646a3fa3468f13854a4dcb4fee7cb0ac1725a190404fdbd14f008c39fcdad
SHA512aefe1fa93b3b9eebbb19f144943e0647b5a56e3e53366a2565e0316e72004537caf7f8f7a762a3e0ae2a25c134dbe1daaf25615624332f9da80db4aeb049ffbc
-
Filesize
255KB
MD5562c3be406180adda3431b6e2034de50
SHA1ddad602b4768fd72f285ad7d93abc4593bcda678
SHA256822646a3fa3468f13854a4dcb4fee7cb0ac1725a190404fdbd14f008c39fcdad
SHA512aefe1fa93b3b9eebbb19f144943e0647b5a56e3e53366a2565e0316e72004537caf7f8f7a762a3e0ae2a25c134dbe1daaf25615624332f9da80db4aeb049ffbc
-
Filesize
255KB
MD5e51d9e3544d44124b4dfa14c631d59fa
SHA17e3580faea3745ceaa952354f09f6719437c9034
SHA256022a70981baad820c7a060f29ab8655ede06e232d882d81ee2b84bcab6372f96
SHA512f71128e173bab91f2a4741a4fe951e52c9c935d29486717e66d628f07a1eb720c9c5f769ab1347b4ffdcb2734579040dd970ebd2485086d1ecf35a8e0470a6c6
-
Filesize
255KB
MD5e51d9e3544d44124b4dfa14c631d59fa
SHA17e3580faea3745ceaa952354f09f6719437c9034
SHA256022a70981baad820c7a060f29ab8655ede06e232d882d81ee2b84bcab6372f96
SHA512f71128e173bab91f2a4741a4fe951e52c9c935d29486717e66d628f07a1eb720c9c5f769ab1347b4ffdcb2734579040dd970ebd2485086d1ecf35a8e0470a6c6
-
Filesize
255KB
MD5e51d9e3544d44124b4dfa14c631d59fa
SHA17e3580faea3745ceaa952354f09f6719437c9034
SHA256022a70981baad820c7a060f29ab8655ede06e232d882d81ee2b84bcab6372f96
SHA512f71128e173bab91f2a4741a4fe951e52c9c935d29486717e66d628f07a1eb720c9c5f769ab1347b4ffdcb2734579040dd970ebd2485086d1ecf35a8e0470a6c6
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD5e57740f4678d21a2ff2c4b0768106cca
SHA1001e615b57a122836dd08414913cf72c64e791da
SHA25662717ec48aec04ed8b30730992c66b57e6d5dcd8284fa583203394f8ae914799
SHA512bc46cdd125f67991f3cdc64c5d578e8cea9895421ecf81af6ac540198bec20baad0f4afc27ce4a4befedded34c4674147dea78c6f60edffcf2c16cfd2f0532c5
-
Filesize
255KB
MD5ffadb73375f12d5714b7b3e9b562a593
SHA1661c0a1f1a8b3abc4c17b27e48683b19b7568a37
SHA256824fcd3d42d2c18ac32b32186c5e771a5cad197ff9de4b7d31e208146931e3be
SHA512fff1bdc8adb2fd632a25266e23d202eb139dbeb3a1f69d2c43fc7823abbbe710847500e521f719a2b43fc27cf953876cb43c5ca9b2b9e49981153542b33baaaf
-
Filesize
255KB
MD5196a022a46cd9f1875bef5454c3a1b92
SHA1e0935d8a26cc0a805afe184e2ee6f09342e7eef7
SHA256279111e2d5156a8353419de314a2919a5cc80b7b83bbd0b699485b551057ecaa
SHA512fb04887d017aab7e5d35ed5725f9203696d1a447cf10cd41e9e69b0234f9120538d922c1cc52dbf0155285d85a1b30d5842bef2e774ba35224f496ef567241c1
-
Filesize
255KB
MD5196a022a46cd9f1875bef5454c3a1b92
SHA1e0935d8a26cc0a805afe184e2ee6f09342e7eef7
SHA256279111e2d5156a8353419de314a2919a5cc80b7b83bbd0b699485b551057ecaa
SHA512fb04887d017aab7e5d35ed5725f9203696d1a447cf10cd41e9e69b0234f9120538d922c1cc52dbf0155285d85a1b30d5842bef2e774ba35224f496ef567241c1
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
640KB
-
-
-
Filesize
640KB
-
Filesize
640KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
640KB
-
Filesize
640KB
-
-
Filesize
640KB
-
Filesize
640KB