Analysis

  • max time kernel
    152s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 12:32

General

  • Target

    5c63e77a75bd9264970edae63a5657e27f93d214cbea78fd90e0dd8317bbf35f.exe

  • Size

    255KB

  • MD5

    e25e188a2b9b16f1b605be8cb694b3af

  • SHA1

    98d4eaa48f286105158e2dae3169e6eec08a61d8

  • SHA256

    5c63e77a75bd9264970edae63a5657e27f93d214cbea78fd90e0dd8317bbf35f

  • SHA512

    c256dd916766dcb3020b4d3b0bd1cc581602ce0dbdfd9afb44bd441a70c70a5522480a30bf0256302beb5b40c70cf6a962b5466c8cbe521de7e093dd14bf8cff

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ/:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIu

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c63e77a75bd9264970edae63a5657e27f93d214cbea78fd90e0dd8317bbf35f.exe
    "C:\Users\Admin\AppData\Local\Temp\5c63e77a75bd9264970edae63a5657e27f93d214cbea78fd90e0dd8317bbf35f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\yvayhaiqvp.exe
      yvayhaiqvp.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3336
      • C:\Windows\SysWOW64\yjbahmim.exe
        C:\Windows\system32\yjbahmim.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4748
    • C:\Windows\SysWOW64\toopeqvgslztfkm.exe
      toopeqvgslztfkm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4740
    • C:\Windows\SysWOW64\yjbahmim.exe
      yjbahmim.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4404
    • C:\Windows\SysWOW64\xvhjouzvqsdhx.exe
      xvhjouzvqsdhx.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3496
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4812

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    255KB

    MD5

    573197f138b06690eca588d235d167fc

    SHA1

    e028c1434eccaf3efd2ef5201f96a331ab48c637

    SHA256

    2bc761e0e9da6bc26b5fb1f7b11a9823d1a72dec97eb9eef72053d8d3e6700b2

    SHA512

    df1c7a72972dcc4a9182ef56c929639bda8a8e40ce380b9f52350d30c96363cf1a7d843710cb914f1ea56278f0a681f65e4cb22a1647fc39448efcac1d3fa31c

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    255KB

    MD5

    a9107c75fd10ba64868c7ce8791c1d44

    SHA1

    89baaf7d94f54441ef558cf81596280a4b5a686d

    SHA256

    a6d30e7cf933c84ddc2b2f2360cda3bde755b99fe6b2d5e6f3b28d3b9c7211ac

    SHA512

    bba6c30f38096a319b70a19c92b12ca853d941d50c9b5dc9e667058569c55700d400e811b2cc30e47097875cf661bff8061123798d18d729c512eb05ac1d2785

  • C:\Windows\SysWOW64\toopeqvgslztfkm.exe

    Filesize

    255KB

    MD5

    c55bbca8617c73627fb57f6d286ef3dc

    SHA1

    421015e0739a9617c099defbb9c90a652f9841d2

    SHA256

    069d8242f7225e229189a18ce757fc4046e9267db676df7ccb98965a36114f2a

    SHA512

    8ca5cbe9baf2823957ea7cdb0c3f371e0ce216b169bca211597236d518ba43238f597278c5173576da92ad459bc74f0b0e15add4aea8a46faf1f02ca9b3ed00d

  • C:\Windows\SysWOW64\xvhjouzvqsdhx.exe

    Filesize

    255KB

    MD5

    8866c0f7fc9edf63c57f1ea1b7ff4474

    SHA1

    78fc337e4b3d4a17575e9b0f8ac838a46622a280

    SHA256

    dfc9babcb2ccbe22131e9eb94625bad686154d12dd8093426fc0791cc57f4056

    SHA512

    d71ead3d8259d8c0b67da6b0f24b7e481e64dfd7284dd86f819448e5074296a3f9c5329613eec9f6b796f7c15a0361eae340d7abf5102feab6de028450b1edb4

  • C:\Windows\SysWOW64\yjbahmim.exe

    Filesize

    255KB

    MD5

    cdb0e3f8eacadce1253e945bd683be4e

    SHA1

    1bbfe398df72fe2801112e62a22df32985095a58

    SHA256

    30a9b38293305cee05948c51646a89f627b148b4db581f25a0bacea133098db2

    SHA512

    3e0723389b1770263753f354c6bbe5c61087e0373b20bc257a02208b4f4599e0698ccb7a61de6889a3de6f8c4017123baf9b4d51ca1a2c8943b5cfd3c6314c78

  • C:\Windows\SysWOW64\yvayhaiqvp.exe

    Filesize

    255KB

    MD5

    8184f8577835ce0283b7f688313bf55b

    SHA1

    6f131abba357737e2c6395fed864fa94462b120a

    SHA256

    35e7c12d9b6054b034b9c1c90894ca05c506363b05c7a8a51f6fe834caa69132

    SHA512

    f5a9cf290ab4d2431f17c96d9bfe671ca8074359b1738130bdc1752d55a8528337bc10d84b55e06bdabb7d038ed2606f0fbc37592330c9079dd13ce8511521c3

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    255KB

    MD5

    45708c093b7abe67572d4e5ea8a22822

    SHA1

    51042ead178bab2e193642c6c014769f5d3107cb

    SHA256

    6f572cf6da50154b5ea03a2a25548430f9ec48240c7756c5455b5f771fdcac10

    SHA512

    18f5409ab96c97e5aa381a980676e3e6eb9f6dab69631fb78a73fcaeadc7a5f49ae3ac338c598e45b5ff63dd46244d5b335225ebc36b52311a2f8a9eaaa0a7ee

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    255KB

    MD5

    fdd7d98d5acf9dbf74646c11b2f050a3

    SHA1

    c47c4b50a7224356bdc0bdc5873795bd419956ce

    SHA256

    24271d91b25903f688789f0fd4d174aa58f28dab63f7227d94bb6b72415d4c8f

    SHA512

    915b0b62302bc0ebdce0bb59cf006aea292536830f9d2af8278d82c2647b02b89eeb14b21610498394b91283bf23b7b2a27729a3788251e6f1e4ba7e1ba1d87a

  • memory/1632-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/1632-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/3336-164-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/3336-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/3336-133-0x0000000000000000-mapping.dmp

  • memory/3496-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/3496-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/3496-142-0x0000000000000000-mapping.dmp

  • memory/4404-139-0x0000000000000000-mapping.dmp

  • memory/4404-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4404-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4740-136-0x0000000000000000-mapping.dmp

  • memory/4740-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4740-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4748-149-0x0000000000000000-mapping.dmp

  • memory/4748-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4748-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/4812-162-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp

    Filesize

    64KB

  • memory/4812-151-0x0000000000000000-mapping.dmp

  • memory/4812-158-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-157-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-156-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-161-0x00007FF9EC8D0000-0x00007FF9EC8E0000-memory.dmp

    Filesize

    64KB

  • memory/4812-160-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-159-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-172-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-173-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-174-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB

  • memory/4812-175-0x00007FF9EEA10000-0x00007FF9EEA20000-memory.dmp

    Filesize

    64KB