Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
26-11-2022 22:44
General
-
Target
0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
-
Size
255KB
-
MD5
ea63f6e9fe4e4d4ee9d2bdc72034443d
-
SHA1
57056e636450ead2c8aa711678a264d4894aeb2f
-
SHA256
0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7
-
SHA512
3294facc56e8936dcc2ffba4605088f553bca1531f64a15f7a1ea2247a01959a0f2222bb006836048bfdc55f614b5d7a47081bb08fe43148354155223e7d155f
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJT:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Executes dropped EXE 5 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe"C:\Users\Admin\AppData\Local\Temp\0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yrnbrcqtjz.exeyrnbrcqtjz.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\totpcgxh.exeC:\Windows\system32\totpcgxh.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exewxxxpmeymwdmfcw.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\totpcgxh.exetotpcgxh.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\vljjcakagpngu.exevljjcakagpngu.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hidden Files and Directories
2Modify Registry
6Disabling Security Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exeFilesize
255KB
MD5e2d38c3dc5940b3f9992423332639866
SHA1428279d27b2f76f60f81680c927fd4d0fc0a9b71
SHA2561ed6e7ede1c37c691e669e7da9a80d276b7e41b66053b83e38ffb243e4eacedb
SHA5123ff13c1e0c9a856c0e750fec1f5471d0d6766bab49e6ef69a61a6bba99105b7a9a68db5ecfc7e23e06c4dedf3acc615aab5935b40f90060aee2314e66bbacced
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exeFilesize
255KB
MD5cfce3066d90fb5ccc1d4fddf9cefe324
SHA1c38f0a4b9cfe0bca109ae18577cf9c5eb91e714f
SHA25614c6af38ceb1ab8abc6e3e4c2988f2868673f77f1a05c1edc344f682c06f574c
SHA512d1a9a3c8e97f03475ab4be3de6223ae330659d8f1334e0f2ebf82c177a53a1a65a92eeae7ec88a82f6a5886e1b4c8963080280c387c1fb471faae14a5690e472
-
C:\Windows\SysWOW64\totpcgxh.exeFilesize
255KB
MD529309104646f7cfa52569e152675b29c
SHA127329d494ea863f75ded7e933180fbab9d508594
SHA256b30e2e05070e4a21552375b80f4d071b0ec3bcef73c293e58cc9745469c68f53
SHA512b59845ea6582259b8d5e610bc77fc6fd75d1d7698167a800b41eddf5559c217cdaaff3546b68d4c195586a11008e62c366bddbfbab95885d3ae69bde3a51ba4f
-
C:\Windows\SysWOW64\totpcgxh.exeFilesize
255KB
MD529309104646f7cfa52569e152675b29c
SHA127329d494ea863f75ded7e933180fbab9d508594
SHA256b30e2e05070e4a21552375b80f4d071b0ec3bcef73c293e58cc9745469c68f53
SHA512b59845ea6582259b8d5e610bc77fc6fd75d1d7698167a800b41eddf5559c217cdaaff3546b68d4c195586a11008e62c366bddbfbab95885d3ae69bde3a51ba4f
-
C:\Windows\SysWOW64\totpcgxh.exeFilesize
255KB
MD529309104646f7cfa52569e152675b29c
SHA127329d494ea863f75ded7e933180fbab9d508594
SHA256b30e2e05070e4a21552375b80f4d071b0ec3bcef73c293e58cc9745469c68f53
SHA512b59845ea6582259b8d5e610bc77fc6fd75d1d7698167a800b41eddf5559c217cdaaff3546b68d4c195586a11008e62c366bddbfbab95885d3ae69bde3a51ba4f
-
C:\Windows\SysWOW64\vljjcakagpngu.exeFilesize
255KB
MD50243309849ee7ff2f6de0f1f77aa8f9f
SHA1ed4d1e74a6fccfcae87077d808d20d23377cba84
SHA256029debc1c08be0d1bc279ae240cd78c62c2c0ec741d9d812d172faeb30fb8730
SHA512f75b2bba582fc436cdd4e8b05994131e4f67c3ee44a1cdef92c409eaa1e93ddc79bb4cc5242dff5a7b53e0fd27edd933f1ed0289f4e88e5e7d2169e18526257e
-
C:\Windows\SysWOW64\vljjcakagpngu.exeFilesize
255KB
MD50243309849ee7ff2f6de0f1f77aa8f9f
SHA1ed4d1e74a6fccfcae87077d808d20d23377cba84
SHA256029debc1c08be0d1bc279ae240cd78c62c2c0ec741d9d812d172faeb30fb8730
SHA512f75b2bba582fc436cdd4e8b05994131e4f67c3ee44a1cdef92c409eaa1e93ddc79bb4cc5242dff5a7b53e0fd27edd933f1ed0289f4e88e5e7d2169e18526257e
-
C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exeFilesize
255KB
MD5e21148e3dfd583244856ac176f4ba928
SHA121d653541777fc1299c5b7f67e282a24eaae7025
SHA25681ef63429ec9281659475cad5cebbd587ae5ed86bd380187dd16346200236848
SHA512381c9008bb1bd6c11aeaeac6be2101aa9e26af1c19ccf370730b3a0d2a41b73bbeda0c7e0bd0a76a75bd9f888b66c80a868cb2410907963ebd39571d23dfd64d
-
C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exeFilesize
255KB
MD5e21148e3dfd583244856ac176f4ba928
SHA121d653541777fc1299c5b7f67e282a24eaae7025
SHA25681ef63429ec9281659475cad5cebbd587ae5ed86bd380187dd16346200236848
SHA512381c9008bb1bd6c11aeaeac6be2101aa9e26af1c19ccf370730b3a0d2a41b73bbeda0c7e0bd0a76a75bd9f888b66c80a868cb2410907963ebd39571d23dfd64d
-
C:\Windows\SysWOW64\yrnbrcqtjz.exeFilesize
255KB
MD5a1981f2a3fbf93356dc2faade4f6a9fc
SHA1d43467e037e003a461272a4a8616c5868d7ad4ad
SHA256e307c1109a157e2eeb57092d9debde43cc34852a645264d2e97dfaff2ef4ff6b
SHA512ad303cac8c70f8c3ebca5284675efbc40ec0f048ef6de7b7d46abe11fcc5ec4c945af63b9c22f96a7a3f5ba52db4f9c543f7739e613f33e89ebf7f64e2dd5aba
-
C:\Windows\SysWOW64\yrnbrcqtjz.exeFilesize
255KB
MD5a1981f2a3fbf93356dc2faade4f6a9fc
SHA1d43467e037e003a461272a4a8616c5868d7ad4ad
SHA256e307c1109a157e2eeb57092d9debde43cc34852a645264d2e97dfaff2ef4ff6b
SHA512ad303cac8c70f8c3ebca5284675efbc40ec0f048ef6de7b7d46abe11fcc5ec4c945af63b9c22f96a7a3f5ba52db4f9c543f7739e613f33e89ebf7f64e2dd5aba
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
memory/864-143-0x0000000000000000-mapping.dmp
-
memory/864-152-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/864-167-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1028-168-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1028-153-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1028-149-0x0000000000000000-mapping.dmp
-
memory/2008-133-0x0000000000000000-mapping.dmp
-
memory/2008-165-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2008-142-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/2368-172-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-162-0x00007FFE2F100000-0x00007FFE2F110000-memory.dmpFilesize
64KB
-
memory/2368-155-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-156-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-157-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-158-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-170-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-173-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-161-0x00007FFE2F100000-0x00007FFE2F110000-memory.dmpFilesize
64KB
-
memory/2368-154-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-171-0x00007FFE319B0000-0x00007FFE319C0000-memory.dmpFilesize
64KB
-
memory/2368-148-0x0000000000000000-mapping.dmp
-
memory/3468-164-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/3468-136-0x0000000000000000-mapping.dmp
-
memory/3468-144-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4076-132-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4076-151-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4580-139-0x0000000000000000-mapping.dmp
-
memory/4580-166-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/4580-147-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB