Overview

overview

10

Static

static

5

54e7789df2...81.exe

windows7-x64

10

54e7789df2...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 09:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54e7789df27b64bcf0a747c1374c8b91bb8a7e039517c34140a65f6d9fdf2581.exe

  • Size

    512KB

  • MD5

    81417560f7655a7b6e5b5fa6f8d9ef20

  • SHA1

    baff639a3cb84257c15bc3a1b75926e4e42b8bf7

  • SHA256

    54e7789df27b64bcf0a747c1374c8b91bb8a7e039517c34140a65f6d9fdf2581

  • SHA512

    ee8d77c362df3e33287ee2743c8c1c6e22522905e0aa6aded7d32cfef21ea2ba8fbb7496f67b0c252dabff7fe31a4ab78a270b4cc8b9da3d6a6b18feba677213

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54e7789df27b64bcf0a747c1374c8b91bb8a7e039517c34140a65f6d9fdf2581.exe
    "C:\Users\Admin\AppData\Local\Temp\54e7789df27b64bcf0a747c1374c8b91bb8a7e039517c34140a65f6d9fdf2581.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\SysWOW64\pwhaqyvqfg.exe
      pwhaqyvqfg.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\yktbquxc.exe
        C:\Windows\system32\yktbquxc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1640
    • C:\Windows\SysWOW64\wzqfoogexlodcxp.exe
      wzqfoogexlodcxp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:468
    • C:\Windows\SysWOW64\eopnghocbfiqy.exe
      eopnghocbfiqy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1052
    • C:\Windows\SysWOW64\yktbquxc.exe
      yktbquxc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1104
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1536
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1952
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x598
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    7d93193724fdbe11322887e0ecca6cab

    SHA1

    fb0d38a9793c4641923b78a28888a97ad2f63003

    SHA256

    3fc666cabadf9372f764e804dfde0e0005bea6265cc72bd9894ec623dca2cc13

    SHA512

    f9beaf98f282194442a85d19d088cdfaf1065f38012d234f3caff83896db91b0f466596699f342eda65458fe8ee71ac16c41dba80e190ecf5c343c339112927c

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    c7e897af0fbc644ae56c4873434a3407

    SHA1

    78bcfca3ab7fb5339935bc28c72e4bb099bd5426

    SHA256

    e447823fe58be5162662b6c9009464cb96a271111856f2b4a60b12585693526f

    SHA512

    d50fba6e25ebae47b6e0098ed67befe799fd66a8241afb37109c936fa4c5b5d422c688862baf14165f28d4108e1baaf89f05d6e106ecf0e565f4ee0defdabc1e

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    c7e897af0fbc644ae56c4873434a3407

    SHA1

    78bcfca3ab7fb5339935bc28c72e4bb099bd5426

    SHA256

    e447823fe58be5162662b6c9009464cb96a271111856f2b4a60b12585693526f

    SHA512

    d50fba6e25ebae47b6e0098ed67befe799fd66a8241afb37109c936fa4c5b5d422c688862baf14165f28d4108e1baaf89f05d6e106ecf0e565f4ee0defdabc1e

    Download Submit

  • C:\Users\Admin\Documents\FormatImport.doc.exe
    Filesize

    512KB

    MD5

    6a25d064c5c09f7d14e1201396d28e2e

    SHA1

    e68974653a6581548fc095c21e6c002e1604b311

    SHA256

    e1605b2b6edb236d0cc155d70a7182a196f5e3331a3c5f1fdbe84a841bd63aad

    SHA512

    cd2ad500b33933b50ef075b2b29ca11cae2e0b9b9eddaac6961f271677ca9a8a31fc211fc9b2329212c7937bcf8882c435ba7212eb888719692c00f6da27a5f1

    Download Submit

  • C:\Users\Admin\Documents\FormatImport.doc.exe
    Filesize

    512KB

    MD5

    6a25d064c5c09f7d14e1201396d28e2e

    SHA1

    e68974653a6581548fc095c21e6c002e1604b311

    SHA256

    e1605b2b6edb236d0cc155d70a7182a196f5e3331a3c5f1fdbe84a841bd63aad

    SHA512

    cd2ad500b33933b50ef075b2b29ca11cae2e0b9b9eddaac6961f271677ca9a8a31fc211fc9b2329212c7937bcf8882c435ba7212eb888719692c00f6da27a5f1

    Download Submit

  • C:\Windows\SysWOW64\eopnghocbfiqy.exe
    Filesize

    512KB

    MD5

    1163762c1435cbefbfd453e5bcacc4e6

    SHA1

    69da346b0239ecb28aa3b4bbf3d75ea7ffa061a0

    SHA256

    166c5b66aa63bad40f7281f859ad2c4c2913954478fd0a15e650270af1f0ebd1

    SHA512

    ffee439e54cd0a0e8430301566668d5214646e1e3c973836435a9c3b6fe48f3f99131bd4c66f53d807bbdea58e9f6b7a2d28ee8d5251cef344df9b854cf7fec3

    Download Submit

  • C:\Windows\SysWOW64\eopnghocbfiqy.exe
    Filesize

    512KB

    MD5

    1163762c1435cbefbfd453e5bcacc4e6

    SHA1

    69da346b0239ecb28aa3b4bbf3d75ea7ffa061a0

    SHA256

    166c5b66aa63bad40f7281f859ad2c4c2913954478fd0a15e650270af1f0ebd1

    SHA512

    ffee439e54cd0a0e8430301566668d5214646e1e3c973836435a9c3b6fe48f3f99131bd4c66f53d807bbdea58e9f6b7a2d28ee8d5251cef344df9b854cf7fec3

    Download Submit

  • C:\Windows\SysWOW64\pwhaqyvqfg.exe
    Filesize

    512KB

    MD5

    8b7449f073ee57489ed2ca8c522b1dac

    SHA1

    76ad25251cfb9fd7a57ad59efb74d199f8c5532b

    SHA256

    b931f52ff68149a5f5af3e6340ce3bcbf3e3290ae0fce06e4dd2d46de5162d78

    SHA512

    3b02e52d947698b23b74b7e1131a17e10b098f611c9d5f9bb89533fdb9bc39cc5d24aca1de1c6cf01c2ec61aa08e7c41c28b8590a6b9ff8eb6d0f8e62cde2bc5

    Download Submit

  • C:\Windows\SysWOW64\pwhaqyvqfg.exe
    Filesize

    512KB

    MD5

    8b7449f073ee57489ed2ca8c522b1dac

    SHA1

    76ad25251cfb9fd7a57ad59efb74d199f8c5532b

    SHA256

    b931f52ff68149a5f5af3e6340ce3bcbf3e3290ae0fce06e4dd2d46de5162d78

    SHA512

    3b02e52d947698b23b74b7e1131a17e10b098f611c9d5f9bb89533fdb9bc39cc5d24aca1de1c6cf01c2ec61aa08e7c41c28b8590a6b9ff8eb6d0f8e62cde2bc5

    Download Submit

  • C:\Windows\SysWOW64\wzqfoogexlodcxp.exe
    Filesize

    512KB

    MD5

    bde3232876cd890abcbcf76c001f7a27

    SHA1

    8d889194ca1823a84c1fc045e778ab9fd2bfdea9

    SHA256

    28d7eaa1d731f7f1b0e709c5716f023650f76553a986a9ebdcb6a3df6b651ef4

    SHA512

    ee7675b993306d7dc4a61c8e703d0674e3eb112430c151d6b852d038222e49a94a8b39e8711ce719a4f3739eff7765167e88b22cf06d00a4c010f4e7b794d96e

    Download Submit

  • C:\Windows\SysWOW64\wzqfoogexlodcxp.exe
    Filesize

    512KB

    MD5

    bde3232876cd890abcbcf76c001f7a27

    SHA1

    8d889194ca1823a84c1fc045e778ab9fd2bfdea9

    SHA256

    28d7eaa1d731f7f1b0e709c5716f023650f76553a986a9ebdcb6a3df6b651ef4

    SHA512

    ee7675b993306d7dc4a61c8e703d0674e3eb112430c151d6b852d038222e49a94a8b39e8711ce719a4f3739eff7765167e88b22cf06d00a4c010f4e7b794d96e

    Download Submit

  • C:\Windows\SysWOW64\yktbquxc.exe
    Filesize

    512KB

    MD5

    511ba5bc4e7a70cbc718ac7c76b0d17b

    SHA1

    502d845a8d4cd82790f045d2c734a7969c4e1368

    SHA256

    5a8666fd1b90e52c46f796fdee15876f77b1ec0cf705d51a7db481a18776833e

    SHA512

    df17d06fdeb38f5a5b6379eb0f5fad2b65c9a3eec720948840ae751d40953118b8a970a3ffc15e8116791d1468e927302f89381a757747ea0192532dc684ecc7

    Download Submit

  • C:\Windows\SysWOW64\yktbquxc.exe
    Filesize

    512KB

    MD5

    511ba5bc4e7a70cbc718ac7c76b0d17b

    SHA1

    502d845a8d4cd82790f045d2c734a7969c4e1368

    SHA256

    5a8666fd1b90e52c46f796fdee15876f77b1ec0cf705d51a7db481a18776833e

    SHA512

    df17d06fdeb38f5a5b6379eb0f5fad2b65c9a3eec720948840ae751d40953118b8a970a3ffc15e8116791d1468e927302f89381a757747ea0192532dc684ecc7

    Download Submit

  • C:\Windows\SysWOW64\yktbquxc.exe
    Filesize

    512KB

    MD5

    511ba5bc4e7a70cbc718ac7c76b0d17b

    SHA1

    502d845a8d4cd82790f045d2c734a7969c4e1368

    SHA256

    5a8666fd1b90e52c46f796fdee15876f77b1ec0cf705d51a7db481a18776833e

    SHA512

    df17d06fdeb38f5a5b6379eb0f5fad2b65c9a3eec720948840ae751d40953118b8a970a3ffc15e8116791d1468e927302f89381a757747ea0192532dc684ecc7

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\eopnghocbfiqy.exe
    Filesize

    512KB

    MD5

    1163762c1435cbefbfd453e5bcacc4e6

    SHA1

    69da346b0239ecb28aa3b4bbf3d75ea7ffa061a0

    SHA256

    166c5b66aa63bad40f7281f859ad2c4c2913954478fd0a15e650270af1f0ebd1

    SHA512

    ffee439e54cd0a0e8430301566668d5214646e1e3c973836435a9c3b6fe48f3f99131bd4c66f53d807bbdea58e9f6b7a2d28ee8d5251cef344df9b854cf7fec3

    Download Submit

  • \Windows\SysWOW64\pwhaqyvqfg.exe
    Filesize

    512KB

    MD5

    8b7449f073ee57489ed2ca8c522b1dac

    SHA1

    76ad25251cfb9fd7a57ad59efb74d199f8c5532b

    SHA256

    b931f52ff68149a5f5af3e6340ce3bcbf3e3290ae0fce06e4dd2d46de5162d78

    SHA512

    3b02e52d947698b23b74b7e1131a17e10b098f611c9d5f9bb89533fdb9bc39cc5d24aca1de1c6cf01c2ec61aa08e7c41c28b8590a6b9ff8eb6d0f8e62cde2bc5

    Download Submit

  • \Windows\SysWOW64\wzqfoogexlodcxp.exe
    Filesize

    512KB

    MD5

    bde3232876cd890abcbcf76c001f7a27

    SHA1

    8d889194ca1823a84c1fc045e778ab9fd2bfdea9

    SHA256

    28d7eaa1d731f7f1b0e709c5716f023650f76553a986a9ebdcb6a3df6b651ef4

    SHA512

    ee7675b993306d7dc4a61c8e703d0674e3eb112430c151d6b852d038222e49a94a8b39e8711ce719a4f3739eff7765167e88b22cf06d00a4c010f4e7b794d96e

    Download Submit

  • \Windows\SysWOW64\yktbquxc.exe
    Filesize

    512KB

    MD5

    511ba5bc4e7a70cbc718ac7c76b0d17b

    SHA1

    502d845a8d4cd82790f045d2c734a7969c4e1368

    SHA256

    5a8666fd1b90e52c46f796fdee15876f77b1ec0cf705d51a7db481a18776833e

    SHA512

    df17d06fdeb38f5a5b6379eb0f5fad2b65c9a3eec720948840ae751d40953118b8a970a3ffc15e8116791d1468e927302f89381a757747ea0192532dc684ecc7

    Download Submit

  • \Windows\SysWOW64\yktbquxc.exe
    Filesize

    512KB

    MD5

    511ba5bc4e7a70cbc718ac7c76b0d17b

    SHA1

    502d845a8d4cd82790f045d2c734a7969c4e1368

    SHA256

    5a8666fd1b90e52c46f796fdee15876f77b1ec0cf705d51a7db481a18776833e

    SHA512

    df17d06fdeb38f5a5b6379eb0f5fad2b65c9a3eec720948840ae751d40953118b8a970a3ffc15e8116791d1468e927302f89381a757747ea0192532dc684ecc7

    Download Submit

  • memory/468-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1052-73-0x0000000000000000-mapping.dmp

    Download

  • memory/1104-68-0x0000000000000000-mapping.dmp

    Download

  • memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1288-55-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1516-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-91-0x000000007118D000-0x0000000071198000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1536-88-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1536-87-0x00000000701A1000-0x00000000701A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1536-86-0x0000000072721000-0x0000000072724000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1536-85-0x0000000000000000-mapping.dmp

    Download

  • memory/1536-98-0x000000007118D000-0x0000000071198000-memory.dmp

    Filesize

    44KB

    Download

  • memory/1640-81-0x0000000000000000-mapping.dmp

    Download

  • memory/1952-92-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1952-99-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download