Overview

overview

10

Static

static

8

33c2506ac1...bb.exe

windows7-x64

10

33c2506ac1...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33c2506ac112791a7bf4bbd4ca6207477c5e03693d40a28a170090504307f8bb.exe

  • Size

    255KB

  • MD5

    9d9100137cbbdbbbd067fa86f31f3cad

  • SHA1

    4850ff91328a6b7fa5895cc251c68011aed9feba

  • SHA256

    33c2506ac112791a7bf4bbd4ca6207477c5e03693d40a28a170090504307f8bb

  • SHA512

    490ee466e8d288a70a167b05da97e334d9816c36c51a43ac3c57fdda899629c03942f199a2e79eafe40d6b6d6b089feb271e261e199192a981b4ef9ed13d22f1

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJV:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIk

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33c2506ac112791a7bf4bbd4ca6207477c5e03693d40a28a170090504307f8bb.exe
    "C:\Users\Admin\AppData\Local\Temp\33c2506ac112791a7bf4bbd4ca6207477c5e03693d40a28a170090504307f8bb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Windows\SysWOW64\hfhvjmwfec.exe
      hfhvjmwfec.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Windows\SysWOW64\wslbtlrh.exe
        C:\Windows\system32\wslbtlrh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3752
    • C:\Windows\SysWOW64\agwwvqqhuxyiplq.exe
      agwwvqqhuxyiplq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4024
    • C:\Windows\SysWOW64\wslbtlrh.exe
      wslbtlrh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:644
    • C:\Windows\SysWOW64\tjuizorjoucmr.exe
      tjuizorjoucmr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1812
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1972

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    84c3d3243c580618182b5c534983638b

    SHA1

    5ddfc6c3cd37ca2be5b73309900bb9f2fa1b684f

    SHA256

    c5d88fd14fb764be34644910ef8cb5959023e5811a1c32d502490ea95d99389b

    SHA512

    78e51c3547dc5346b21b1d71873d8816deee6e6d7686032b441fcdffe0fbff77c5747eaca928673d2c207be9c419fb96e74c7e370e35c046c54e4299ed561933

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    fdb18ffd586cdb1f72f1046c61868913

    SHA1

    f7d872ea65e6f13d6dcdc7a104e3c5729e0e3124

    SHA256

    56f273d2cd057bb34da2921eaed90068d108ff934de0537b9ed7d1eedf0fe350

    SHA512

    609699d67e63d702af0a9638df89c776a795033c2e8e16f07411e3581653cd9c10c867fc7a530e6f4dfb6eacb3d90bc348590e10a01b84594bd54504139cdc12

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    fdb18ffd586cdb1f72f1046c61868913

    SHA1

    f7d872ea65e6f13d6dcdc7a104e3c5729e0e3124

    SHA256

    56f273d2cd057bb34da2921eaed90068d108ff934de0537b9ed7d1eedf0fe350

    SHA512

    609699d67e63d702af0a9638df89c776a795033c2e8e16f07411e3581653cd9c10c867fc7a530e6f4dfb6eacb3d90bc348590e10a01b84594bd54504139cdc12

    Download Submit

  • C:\Users\Admin\Documents\SetRequest.doc.exe
    Filesize

    255KB

    MD5

    559cbc41835686533d226cb0749bda5d

    SHA1

    457ac565f5715ff8b19293ce3dbddd06b05b9e26

    SHA256

    1ab98a5fe78868fc08fe2e35070aa383852f82d8f903f61dd837d1e4f5feb10f

    SHA512

    83c3886212fa9430a91a512c3fa4180e86db6b2d9cce46089d0e3959d08a2913a28ffc0247e21adcc02fcee72e9ac47cd91a8cec018051e462df7a3d1ae23a62

    Download Submit

  • C:\Windows\SysWOW64\agwwvqqhuxyiplq.exe
    Filesize

    255KB

    MD5

    81715e27621f2776639f5a0d9a48ac8f

    SHA1

    036492c8a0e4d4c929f323b9bec6830bcc77079a

    SHA256

    854dd1e642cd5d0f3bc4cdf15c1d7d29cf079bd2b30d23cf6e548759281b1f0d

    SHA512

    7bf39061c63a5d177081388658b93bd6bfe95dc4dc8a791b7e60735d479da8363c763200efb4c9c508d88009ead42329509fab31eeea560bec24da0ac5e11493

    Download Submit

  • C:\Windows\SysWOW64\agwwvqqhuxyiplq.exe
    Filesize

    255KB

    MD5

    81715e27621f2776639f5a0d9a48ac8f

    SHA1

    036492c8a0e4d4c929f323b9bec6830bcc77079a

    SHA256

    854dd1e642cd5d0f3bc4cdf15c1d7d29cf079bd2b30d23cf6e548759281b1f0d

    SHA512

    7bf39061c63a5d177081388658b93bd6bfe95dc4dc8a791b7e60735d479da8363c763200efb4c9c508d88009ead42329509fab31eeea560bec24da0ac5e11493

    Download Submit

  • C:\Windows\SysWOW64\hfhvjmwfec.exe
    Filesize

    255KB

    MD5

    0a0af86230cc485b2231410aded7809c

    SHA1

    afca88272ff12f1300c0781a74fdbb6a5036324c

    SHA256

    b9ccde63daa9f2baf37a42e9578290a7eba7ddbf5ee65d104448286efc828a45

    SHA512

    3bf9e1d6f67eb1708040e258fd105aa84e26523cd9ef9baf05627d9e06107bef71bb15d79d67af8fbf5dd88770110104383347dd52f30a8b663c212d89a298f6

    Download Submit

  • C:\Windows\SysWOW64\hfhvjmwfec.exe
    Filesize

    255KB

    MD5

    0a0af86230cc485b2231410aded7809c

    SHA1

    afca88272ff12f1300c0781a74fdbb6a5036324c

    SHA256

    b9ccde63daa9f2baf37a42e9578290a7eba7ddbf5ee65d104448286efc828a45

    SHA512

    3bf9e1d6f67eb1708040e258fd105aa84e26523cd9ef9baf05627d9e06107bef71bb15d79d67af8fbf5dd88770110104383347dd52f30a8b663c212d89a298f6

    Download Submit

  • C:\Windows\SysWOW64\tjuizorjoucmr.exe
    Filesize

    255KB

    MD5

    7e18db62aa9df4d0d695c9e7503d8a95

    SHA1

    767a58f13dff42c17b21d7caaeb18df081f1b273

    SHA256

    646e65ea92957434223260ab0f5db5b193b09b4f7d2b4a3a895cdc0b93e6bdbb

    SHA512

    432915402b3c022bf57ce75adb449dde8108d67001979293b047f56196c88041ccda2634e1ba18d7934469a5508fc2612f388bf56402d575d7b8ffcd3d1f4fcb

    Download Submit

  • C:\Windows\SysWOW64\tjuizorjoucmr.exe
    Filesize

    255KB

    MD5

    7e18db62aa9df4d0d695c9e7503d8a95

    SHA1

    767a58f13dff42c17b21d7caaeb18df081f1b273

    SHA256

    646e65ea92957434223260ab0f5db5b193b09b4f7d2b4a3a895cdc0b93e6bdbb

    SHA512

    432915402b3c022bf57ce75adb449dde8108d67001979293b047f56196c88041ccda2634e1ba18d7934469a5508fc2612f388bf56402d575d7b8ffcd3d1f4fcb

    Download Submit

  • C:\Windows\SysWOW64\wslbtlrh.exe
    Filesize

    255KB

    MD5

    7734dcb6e116a9cc7b00d9e8f5b762cd

    SHA1

    35a029c59a6585971eea79e2b9609a65edcda9d9

    SHA256

    f5bc2d820a07c55d2d3f99c37c8240aa436dd498a5d024a17c4b645f0b19dc5b

    SHA512

    91e681a2871e9e4d395e230184e45eff7bcb1f157abfacc5e29dfde4c7bf8aaf1980e48c4c3b4cb5d6dcd3ad39ed499ab9e84ed62bda82452e3b1aa9e846ad3d

    Download Submit

  • C:\Windows\SysWOW64\wslbtlrh.exe
    Filesize

    255KB

    MD5

    7734dcb6e116a9cc7b00d9e8f5b762cd

    SHA1

    35a029c59a6585971eea79e2b9609a65edcda9d9

    SHA256

    f5bc2d820a07c55d2d3f99c37c8240aa436dd498a5d024a17c4b645f0b19dc5b

    SHA512

    91e681a2871e9e4d395e230184e45eff7bcb1f157abfacc5e29dfde4c7bf8aaf1980e48c4c3b4cb5d6dcd3ad39ed499ab9e84ed62bda82452e3b1aa9e846ad3d

    Download Submit

  • C:\Windows\SysWOW64\wslbtlrh.exe
    Filesize

    255KB

    MD5

    7734dcb6e116a9cc7b00d9e8f5b762cd

    SHA1

    35a029c59a6585971eea79e2b9609a65edcda9d9

    SHA256

    f5bc2d820a07c55d2d3f99c37c8240aa436dd498a5d024a17c4b645f0b19dc5b

    SHA512

    91e681a2871e9e4d395e230184e45eff7bcb1f157abfacc5e29dfde4c7bf8aaf1980e48c4c3b4cb5d6dcd3ad39ed499ab9e84ed62bda82452e3b1aa9e846ad3d

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    97f1c072dc6a1682a83b6b5d79066c4c

    SHA1

    ead2fbbc505580ac9a4365962ceab6f918bf0cdc

    SHA256

    e49e84c106915a7d4e91a351965ea83baee82154815f1ac1ba4d4973074030a6

    SHA512

    4de30efd8cba751f3bea17c9503afd6d34b2c4ad76f8fc3639d6ae60ae3a179a09d66845a90d1c66c37d06b45bf87ad8051f9b5976b40f0169ae69a7376c8f09

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    255KB

    MD5

    c5a33c405938e716cad00faa9a192f01

    SHA1

    858625d34f10965108fea2a641430eddaac6856c

    SHA256

    01ae108ccaa1178c6b14196afd2ae7858f1b0a9d09d4d88af61616b6a6765ea8

    SHA512

    b83e852fbebac3244fca2b17b45012f3c24aa354db2bd44352b29d8ea2d4ed3f058565190953a5e429d4e99ca391df4cf9f71e8db0b982cc2318eb92656da26b

    Download Submit

  • memory/644-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/644-138-0x0000000000000000-mapping.dmp

    Download

  • memory/644-179-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/644-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/820-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/820-132-0x0000000000000000-mapping.dmp

    Download

  • memory/820-143-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1812-152-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1812-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1812-142-0x0000000000000000-mapping.dmp

    Download

  • memory/1972-158-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-156-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-160-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-174-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-154-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-177-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-147-0x0000000000000000-mapping.dmp

    Download

  • memory/1972-176-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-175-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-157-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-159-0x00007FFE708D0000-0x00007FFE708E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-155-0x00007FFE73230000-0x00007FFE73240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3752-178-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3752-169-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3752-149-0x0000000000000000-mapping.dmp

    Download

  • memory/3752-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4024-144-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4024-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4024-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4752-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4752-139-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download