Overview

overview

10

Static

static

8

6a667d5454...e5.exe

windows7-x64

10

6a667d5454...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    210s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe

  • Size

    255KB

  • MD5

    445ebea2dac416aaec5cc891c9bdd5e0

  • SHA1

    8741e82486f5e5d1216f5e8d654d97e489f894a2

  • SHA256

    6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5

  • SHA512

    250f9c800c57de35e524e8dfa9d2dfeeb15f48f61ca6bed3875489b9c66228dc78b4f886fe2231da6cbaba0eeed8a74f18b90903f85d9984b5a2a38da24e1fb8

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
    "C:\Users\Admin\AppData\Local\Temp\6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\SysWOW64\pyohjxcint.exe
      pyohjxcint.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\SysWOW64\eqpwmmmc.exe
        C:\Windows\system32\eqpwmmmc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3060
    • C:\Windows\SysWOW64\kpuvqrhaulpjfne.exe
      kpuvqrhaulpjfne.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2764
    • C:\Windows\SysWOW64\eqpwmmmc.exe
      eqpwmmmc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4584
    • C:\Windows\SysWOW64\atyyblijfwyoa.exe
      atyyblijfwyoa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4276
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Modify Registry

6
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Query Registry

4
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    ea53205d2b2a90ea96a7e5e55b9eb949

    SHA1

    35bdf60c940549dec37a477746f8552f7089e6cb

    SHA256

    7e97ad58fcc9e6c052c493669e12b21b7938bed07f50709ad08750e2353d178b

    SHA512

    7063a37160cb78a1a7e57a65d294abdd59344495b320702ba35624ea15908f2fb48a62e24c799f0d6db8bef565816d5e2a7a6e1de3c09713931eaf52f4f6b8dc

    Download Submit
  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    5b41e7913c11289d72daecac0c95fb60

    SHA1

    2e748fbfda2a4e1448b7145822a4344bdf8bae63

    SHA256

    d18503463cb6482b667164cd22254b4c95959e0c9930c0c4f54144607c9b10b3

    SHA512

    2df25ef385c9832659d8dc60d668d37b710b7033323bb38fa637c164b817c88436e7c764c0e9ec38d1cb44ef3a8745762c9e3e6eff0ed0653718212deedcdb7e

    Download Submit
  • C:\Windows\SysWOW64\atyyblijfwyoa.exe
    Filesize

    255KB

    MD5

    1a44fb48c122dc096abfc4e72662cee6

    SHA1

    99433c155d1123a4aeacbd4e7cd0c4aff1ec2170

    SHA256

    20e1530eb14431a9737556bfc38a27b3e3cae739a3c7ed7447f95ae9440581c7

    SHA512

    06827571a2d229fac762b813857f6037795f4b7fbf8606464175527df0f237a013245287fac16d218279f5ce4f28d5440f45d81f961f5e5b4c63d116b5dcbe1f

    Download Submit
  • C:\Windows\SysWOW64\atyyblijfwyoa.exe
    Filesize

    255KB

    MD5

    1a44fb48c122dc096abfc4e72662cee6

    SHA1

    99433c155d1123a4aeacbd4e7cd0c4aff1ec2170

    SHA256

    20e1530eb14431a9737556bfc38a27b3e3cae739a3c7ed7447f95ae9440581c7

    SHA512

    06827571a2d229fac762b813857f6037795f4b7fbf8606464175527df0f237a013245287fac16d218279f5ce4f28d5440f45d81f961f5e5b4c63d116b5dcbe1f

    Download Submit
  • C:\Windows\SysWOW64\eqpwmmmc.exe
    Filesize

    255KB

    MD5

    c77764de35c80cbb374efb0ee9f234cf

    SHA1

    c0773aaea01ecb29a29f5b9f65cce3e5dac8f691

    SHA256

    b8c99fda6e9af5b29a240fea76fc3b0bfdfd6a3486b833aad6c34bc6dc08bf01

    SHA512

    2b4b27b4be9e4b7ff9069c98640cb580c855c91fc41eef554c13922c01568e81137ca84e07acded3856cc40d1c671c4ae93d96a9d460f5390ed902d659acc455

    Download Submit
  • C:\Windows\SysWOW64\eqpwmmmc.exe
    Filesize

    255KB

    MD5

    c77764de35c80cbb374efb0ee9f234cf

    SHA1

    c0773aaea01ecb29a29f5b9f65cce3e5dac8f691

    SHA256

    b8c99fda6e9af5b29a240fea76fc3b0bfdfd6a3486b833aad6c34bc6dc08bf01

    SHA512

    2b4b27b4be9e4b7ff9069c98640cb580c855c91fc41eef554c13922c01568e81137ca84e07acded3856cc40d1c671c4ae93d96a9d460f5390ed902d659acc455

    Download Submit
  • C:\Windows\SysWOW64\eqpwmmmc.exe
    Filesize

    255KB

    MD5

    c77764de35c80cbb374efb0ee9f234cf

    SHA1

    c0773aaea01ecb29a29f5b9f65cce3e5dac8f691

    SHA256

    b8c99fda6e9af5b29a240fea76fc3b0bfdfd6a3486b833aad6c34bc6dc08bf01

    SHA512

    2b4b27b4be9e4b7ff9069c98640cb580c855c91fc41eef554c13922c01568e81137ca84e07acded3856cc40d1c671c4ae93d96a9d460f5390ed902d659acc455

    Download Submit
  • C:\Windows\SysWOW64\kpuvqrhaulpjfne.exe
    Filesize

    255KB

    MD5

    4c55517fa9bf0691e2e0508786755010

    SHA1

    24d3062a33f1d207b40059e5f03130f28c27c97d

    SHA256

    7ae9954030ff3d47ff24a8e1bb9379b7c48d8d067a6e506469f6f1414aaf1945

    SHA512

    08218cc34f5e3dcdd804b484c02f893ec198bf7114636fc5e66fc791b2e1654f74852c360aa5653c6383d3430aabd43d81b96cdafa6d7fb1b373525a28b5855b

    Download Submit
  • C:\Windows\SysWOW64\kpuvqrhaulpjfne.exe
    Filesize

    255KB

    MD5

    4c55517fa9bf0691e2e0508786755010

    SHA1

    24d3062a33f1d207b40059e5f03130f28c27c97d

    SHA256

    7ae9954030ff3d47ff24a8e1bb9379b7c48d8d067a6e506469f6f1414aaf1945

    SHA512

    08218cc34f5e3dcdd804b484c02f893ec198bf7114636fc5e66fc791b2e1654f74852c360aa5653c6383d3430aabd43d81b96cdafa6d7fb1b373525a28b5855b

    Download Submit
  • C:\Windows\SysWOW64\pyohjxcint.exe
    Filesize

    255KB

    MD5

    d2cb4c60f1540bc4b92427439220f9d7

    SHA1

    642507c3ac289329a0d89ea2420003e8851bf630

    SHA256

    ba1e2496d0293bed95d1dcd2a528b00e3835a9a266d7e1d36397342225d93700

    SHA512

    51a051296bf45e3d98ff088680ab30de70f9a9b8831748eae230c359a7043deee9566ee7eed50bde486d7be3dfa14bbe2bc54ba1b33d199dec6edbea3c5a70cf

    Download Submit
  • C:\Windows\SysWOW64\pyohjxcint.exe
    Filesize

    255KB

    MD5

    d2cb4c60f1540bc4b92427439220f9d7

    SHA1

    642507c3ac289329a0d89ea2420003e8851bf630

    SHA256

    ba1e2496d0293bed95d1dcd2a528b00e3835a9a266d7e1d36397342225d93700

    SHA512

    51a051296bf45e3d98ff088680ab30de70f9a9b8831748eae230c359a7043deee9566ee7eed50bde486d7be3dfa14bbe2bc54ba1b33d199dec6edbea3c5a70cf

    Download Submit
  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit
  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    ea53205d2b2a90ea96a7e5e55b9eb949

    SHA1

    35bdf60c940549dec37a477746f8552f7089e6cb

    SHA256

    7e97ad58fcc9e6c052c493669e12b21b7938bed07f50709ad08750e2353d178b

    SHA512

    7063a37160cb78a1a7e57a65d294abdd59344495b320702ba35624ea15908f2fb48a62e24c799f0d6db8bef565816d5e2a7a6e1de3c09713931eaf52f4f6b8dc

    Download Submit
  • memory/224-145-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/224-133-0x0000000000000000-mapping.dmp
    Download
  • memory/224-153-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2764-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2764-146-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2764-154-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/3060-151-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/3060-157-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/3060-149-0x0000000000000000-mapping.dmp
    Download
  • memory/4276-148-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4276-142-0x0000000000000000-mapping.dmp
    Download
  • memory/4276-156-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4584-155-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4584-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4584-147-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4640-152-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4640-159-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/4640-132-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/5000-161-0x00007FF9D4C70000-0x00007FF9D4C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-164-0x00007FF9D4C70000-0x00007FF9D4C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-163-0x00007FF9D4C70000-0x00007FF9D4C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-162-0x00007FF9D4C70000-0x00007FF9D4C80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-158-0x0000000000000000-mapping.dmp
    Download
  • memory/5000-168-0x00007FF9D24F0000-0x00007FF9D2500000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-169-0x00007FF9D24F0000-0x00007FF9D2500000-memory.dmp
    Filesize

    64KB

    Download
  • memory/5000-160-0x00007FF9D4C70000-0x00007FF9D4C80000-memory.dmp
    Filesize

    64KB

    Download