Overview

overview

10

Static

static

8

3a592b61d1...c4.exe

windows7-x64

10

3a592b61d1...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 23:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a592b61d15d727295230c83577db358a55c5304cb4e919d3385487189addfc4.exe

  • Size

    255KB

  • MD5

    8dc30e039d1da94726f6c3b93d1ea4e4

  • SHA1

    b87e6719437bebed4ca45b7dd2f0837b523f97ca

  • SHA256

    3a592b61d15d727295230c83577db358a55c5304cb4e919d3385487189addfc4

  • SHA512

    8ff689ccbe31f64cd798adc9b00a5382aef658869204103a1bacc27fee45ce5b73f8a5c14a4878def33781541367d3814943e3602b0eecb117f50327215a94d9

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJB:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIk

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a592b61d15d727295230c83577db358a55c5304cb4e919d3385487189addfc4.exe
    "C:\Users\Admin\AppData\Local\Temp\3a592b61d15d727295230c83577db358a55c5304cb4e919d3385487189addfc4.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\lulqbxakwd.exe
      lulqbxakwd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:872
      • C:\Windows\SysWOW64\rlrveheh.exe
        C:\Windows\system32\rlrveheh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1500
    • C:\Windows\SysWOW64\usbvljnwrmfxanc.exe
      usbvljnwrmfxanc.exe
      2⤵
      • Executes dropped EXE
      PID:1508
    • C:\Windows\SysWOW64\tdxlsivixmwwm.exe
      tdxlsivixmwwm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1556
    • C:\Windows\SysWOW64\rlrveheh.exe
      rlrveheh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:468
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:896

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\lulqbxakwd.exe
      Filesize

      255KB

      MD5

      990da228ebc93bfe50b69e42af58c3e2

      SHA1

      b0f820957041eb7064b9cae31ebc9a426fd3c881

      SHA256

      43081330e39c739a3ebbb601648775c535056b8129f707883627e67c07523f88

      SHA512

      07bce37063625bb86fabc1007aa23758f369beb08c89fef90331cec1061b9ba4ac9117fa22e02bd513ef6e1e24b000196b2d333fdb8e0b5efe5474d0a848e88e

      Download Submit

    • C:\Windows\SysWOW64\lulqbxakwd.exe
      Filesize

      255KB

      MD5

      990da228ebc93bfe50b69e42af58c3e2

      SHA1

      b0f820957041eb7064b9cae31ebc9a426fd3c881

      SHA256

      43081330e39c739a3ebbb601648775c535056b8129f707883627e67c07523f88

      SHA512

      07bce37063625bb86fabc1007aa23758f369beb08c89fef90331cec1061b9ba4ac9117fa22e02bd513ef6e1e24b000196b2d333fdb8e0b5efe5474d0a848e88e

      Download Submit

    • C:\Windows\SysWOW64\rlrveheh.exe
      Filesize

      255KB

      MD5

      8b4b95bffb251df99a5d8b52a4059a76

      SHA1

      b18b8e423d7cf43826eaf0b11a79d6627cd24ffe

      SHA256

      af4376f97d059568992a51e4631ee206a702f4930419bf7b5f2a0ad357ec2780

      SHA512

      836ece886f45383b7de8a96cb361cc6e2eea8d7eb8d7e0e78f01d7300ad5613d23058875e3574027cb4041533cd5593fb0347ba07a9b67989e3525185b4d3452

      Download Submit

    • C:\Windows\SysWOW64\rlrveheh.exe
      Filesize

      255KB

      MD5

      8b4b95bffb251df99a5d8b52a4059a76

      SHA1

      b18b8e423d7cf43826eaf0b11a79d6627cd24ffe

      SHA256

      af4376f97d059568992a51e4631ee206a702f4930419bf7b5f2a0ad357ec2780

      SHA512

      836ece886f45383b7de8a96cb361cc6e2eea8d7eb8d7e0e78f01d7300ad5613d23058875e3574027cb4041533cd5593fb0347ba07a9b67989e3525185b4d3452

      Download Submit

    • C:\Windows\SysWOW64\rlrveheh.exe
      Filesize

      255KB

      MD5

      8b4b95bffb251df99a5d8b52a4059a76

      SHA1

      b18b8e423d7cf43826eaf0b11a79d6627cd24ffe

      SHA256

      af4376f97d059568992a51e4631ee206a702f4930419bf7b5f2a0ad357ec2780

      SHA512

      836ece886f45383b7de8a96cb361cc6e2eea8d7eb8d7e0e78f01d7300ad5613d23058875e3574027cb4041533cd5593fb0347ba07a9b67989e3525185b4d3452

      Download Submit

    • C:\Windows\SysWOW64\tdxlsivixmwwm.exe
      Filesize

      255KB

      MD5

      7cf99b0fefc88a38da42d7de5f2666f0

      SHA1

      5cb9f2f38cc139673f6a07351328195a28255354

      SHA256

      47f1e0e4f947c55ff0c75df3ef9f0cf5cfd2b258c5c00194661a5a089f6a9e33

      SHA512

      7ccbd1f0f619eb806b8b29a4b2a119232e44d75f50039cd2b27f3883c6f685531caf529bed38c450ec2e1ad2565058083a4747b9aa43c9700d5fdff77497a9dc

      Download Submit

    • C:\Windows\SysWOW64\tdxlsivixmwwm.exe
      Filesize

      255KB

      MD5

      7cf99b0fefc88a38da42d7de5f2666f0

      SHA1

      5cb9f2f38cc139673f6a07351328195a28255354

      SHA256

      47f1e0e4f947c55ff0c75df3ef9f0cf5cfd2b258c5c00194661a5a089f6a9e33

      SHA512

      7ccbd1f0f619eb806b8b29a4b2a119232e44d75f50039cd2b27f3883c6f685531caf529bed38c450ec2e1ad2565058083a4747b9aa43c9700d5fdff77497a9dc

      Download Submit

    • C:\Windows\SysWOW64\usbvljnwrmfxanc.exe
      Filesize

      255KB

      MD5

      8ee2df300e719aeb84f01bfa75e980c1

      SHA1

      9c8b87150c603f80df596a82906544a20607c862

      SHA256

      2759f050fe299203c1dba4dc1b352063ed34fb79ecfae4c7d78f860fe4c64cef

      SHA512

      9c099245c1eaf077f68587587f92bb42e275f911fcd105fa4be7cd8b41f5920985d1c7803699190ba83195d0fdd42ebe77169687643c417891ab63986277ec86

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\lulqbxakwd.exe
      Filesize

      255KB

      MD5

      990da228ebc93bfe50b69e42af58c3e2

      SHA1

      b0f820957041eb7064b9cae31ebc9a426fd3c881

      SHA256

      43081330e39c739a3ebbb601648775c535056b8129f707883627e67c07523f88

      SHA512

      07bce37063625bb86fabc1007aa23758f369beb08c89fef90331cec1061b9ba4ac9117fa22e02bd513ef6e1e24b000196b2d333fdb8e0b5efe5474d0a848e88e

      Download Submit

    • \Windows\SysWOW64\rlrveheh.exe
      Filesize

      255KB

      MD5

      8b4b95bffb251df99a5d8b52a4059a76

      SHA1

      b18b8e423d7cf43826eaf0b11a79d6627cd24ffe

      SHA256

      af4376f97d059568992a51e4631ee206a702f4930419bf7b5f2a0ad357ec2780

      SHA512

      836ece886f45383b7de8a96cb361cc6e2eea8d7eb8d7e0e78f01d7300ad5613d23058875e3574027cb4041533cd5593fb0347ba07a9b67989e3525185b4d3452

      Download Submit

    • \Windows\SysWOW64\rlrveheh.exe
      Filesize

      255KB

      MD5

      8b4b95bffb251df99a5d8b52a4059a76

      SHA1

      b18b8e423d7cf43826eaf0b11a79d6627cd24ffe

      SHA256

      af4376f97d059568992a51e4631ee206a702f4930419bf7b5f2a0ad357ec2780

      SHA512

      836ece886f45383b7de8a96cb361cc6e2eea8d7eb8d7e0e78f01d7300ad5613d23058875e3574027cb4041533cd5593fb0347ba07a9b67989e3525185b4d3452

      Download Submit

    • \Windows\SysWOW64\tdxlsivixmwwm.exe
      Filesize

      255KB

      MD5

      7cf99b0fefc88a38da42d7de5f2666f0

      SHA1

      5cb9f2f38cc139673f6a07351328195a28255354

      SHA256

      47f1e0e4f947c55ff0c75df3ef9f0cf5cfd2b258c5c00194661a5a089f6a9e33

      SHA512

      7ccbd1f0f619eb806b8b29a4b2a119232e44d75f50039cd2b27f3883c6f685531caf529bed38c450ec2e1ad2565058083a4747b9aa43c9700d5fdff77497a9dc

      Download Submit

    • \Windows\SysWOW64\usbvljnwrmfxanc.exe
      Filesize

      255KB

      MD5

      8ee2df300e719aeb84f01bfa75e980c1

      SHA1

      9c8b87150c603f80df596a82906544a20607c862

      SHA256

      2759f050fe299203c1dba4dc1b352063ed34fb79ecfae4c7d78f860fe4c64cef

      SHA512

      9c099245c1eaf077f68587587f92bb42e275f911fcd105fa4be7cd8b41f5920985d1c7803699190ba83195d0fdd42ebe77169687643c417891ab63986277ec86

      Download Submit

    • memory/468-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/468-82-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/872-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/872-79-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/896-98-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1308-86-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1308-80-0x00000000033B0000-0x0000000003450000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1308-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1308-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1500-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1500-95-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1508-81-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1556-94-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1556-83-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1584-91-0x0000000071A3D000-0x0000000071A48000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1584-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1584-88-0x0000000070A51000-0x0000000070A53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1584-87-0x0000000072FD1000-0x0000000072FD4000-memory.dmp

      Filesize

      12KB

      Download