Overview

overview

10

Static

static

8

332c464efb...97.exe

windows7-x64

10

332c464efb...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    181s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    332c464efb4db606d95ac6457519b58db4c1bc715d0641c802534b5b56112a97.exe

  • Size

    255KB

  • MD5

    d255718aa60e1d6b71388e7f048faed3

  • SHA1

    9f1b201ad15c6fb2f2abcf12c80fa73806a9d0a8

  • SHA256

    332c464efb4db606d95ac6457519b58db4c1bc715d0641c802534b5b56112a97

  • SHA512

    2c95c2cd8839773517dd3b7e8f18e27ba0d246a9968ff3d1056474a0a5185001736825de529033ed586dc71e779d142cd444c804d24523b4e2e95446a0aa442a

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJc:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIP

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\332c464efb4db606d95ac6457519b58db4c1bc715d0641c802534b5b56112a97.exe
    "C:\Users\Admin\AppData\Local\Temp\332c464efb4db606d95ac6457519b58db4c1bc715d0641c802534b5b56112a97.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\dihyjxlehs.exe
      dihyjxlehs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\wiuncjkd.exe
        C:\Windows\system32\wiuncjkd.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:548
    • C:\Windows\SysWOW64\xcqltsqkwiefame.exe
      xcqltsqkwiefame.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c doeeyscjvfgob.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Windows\SysWOW64\doeeyscjvfgob.exe
          doeeyscjvfgob.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1216
    • C:\Windows\SysWOW64\wiuncjkd.exe
      wiuncjkd.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1144
    • C:\Windows\SysWOW64\doeeyscjvfgob.exe
      doeeyscjvfgob.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1356
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1536
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1972

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Hidden Files and Directories

    2
    T1158

    Registry Run Keys / Startup Folder

    1
    T1060

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Hidden Files and Directories

    2
    T1158

    Modify Registry

    7
    T1112

    Disabling Security Tools

    2
    T1089

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      d5a387aa6f51902cd2adfd3c4dcdf6ab

      SHA1

      76d85910777f2107861624d878f3e36fed69c390

      SHA256

      40d2f957a7236a235fcfdbb9b1a1be0f340ce404fb0ae1532e7c9e28c3078e76

      SHA512

      4e023ae729bbbeb4f63f9b5f2fcc5cc82096d4dddb738f3f378e81c58a8f9bc8be2f054cee6dd941395c41d9b0ff1022a1b64154730964b757aeef6d68f8cdc1

      Download Submit
    • C:\Windows\SysWOW64\dihyjxlehs.exe
      Filesize

      255KB

      MD5

      7e0cae0a95cce1d503df4bcc2735c375

      SHA1

      866207b0a552a09677167db7ed2d40f2708b9a05

      SHA256

      9a162c8c93c5d51f6d3a3607d51862508b7185ea237021fc4b1acb0ee526d288

      SHA512

      d074679729c892553a7d0d4c91d24c906a06fbd133e82c5b8add49841440ae4247804330db711fb8865a6d849f7ed9ad4c5bc958079fa423e3e81550daf57916

      Download Submit
    • C:\Windows\SysWOW64\dihyjxlehs.exe
      Filesize

      255KB

      MD5

      7e0cae0a95cce1d503df4bcc2735c375

      SHA1

      866207b0a552a09677167db7ed2d40f2708b9a05

      SHA256

      9a162c8c93c5d51f6d3a3607d51862508b7185ea237021fc4b1acb0ee526d288

      SHA512

      d074679729c892553a7d0d4c91d24c906a06fbd133e82c5b8add49841440ae4247804330db711fb8865a6d849f7ed9ad4c5bc958079fa423e3e81550daf57916

      Download Submit
    • C:\Windows\SysWOW64\doeeyscjvfgob.exe
      Filesize

      255KB

      MD5

      ca281fb99b4b716635bf284a3f093070

      SHA1

      18d9b13f70c504337e81e363b9c3ae1a45ca9ce7

      SHA256

      58436b20cfd1bf265c3938bdc61f5266d8d1cabc82c17c5fdfa94332beb7c8bd

      SHA512

      caeb5890ff5da53c4a12d93010d7399c6b693c4ac7414fd8a45c0c51d28451a69fa8d55eff4b50cd1f77df9d718f67bdc5aad65f5d710f6ec43ca9b5f7100fe0

      Download Submit
    • C:\Windows\SysWOW64\doeeyscjvfgob.exe
      Filesize

      255KB

      MD5

      ca281fb99b4b716635bf284a3f093070

      SHA1

      18d9b13f70c504337e81e363b9c3ae1a45ca9ce7

      SHA256

      58436b20cfd1bf265c3938bdc61f5266d8d1cabc82c17c5fdfa94332beb7c8bd

      SHA512

      caeb5890ff5da53c4a12d93010d7399c6b693c4ac7414fd8a45c0c51d28451a69fa8d55eff4b50cd1f77df9d718f67bdc5aad65f5d710f6ec43ca9b5f7100fe0

      Download Submit
    • C:\Windows\SysWOW64\doeeyscjvfgob.exe
      Filesize

      255KB

      MD5

      ca281fb99b4b716635bf284a3f093070

      SHA1

      18d9b13f70c504337e81e363b9c3ae1a45ca9ce7

      SHA256

      58436b20cfd1bf265c3938bdc61f5266d8d1cabc82c17c5fdfa94332beb7c8bd

      SHA512

      caeb5890ff5da53c4a12d93010d7399c6b693c4ac7414fd8a45c0c51d28451a69fa8d55eff4b50cd1f77df9d718f67bdc5aad65f5d710f6ec43ca9b5f7100fe0

      Download Submit
    • C:\Windows\SysWOW64\wiuncjkd.exe
      Filesize

      255KB

      MD5

      89ad266dd4ec3baf32c36208801d94b2

      SHA1

      1e23ae264771960f0ae985802359208f0c8049c2

      SHA256

      0c3e23542476324296cf465452a520b4b7896f236c818b113af69284ccb076fb

      SHA512

      da966a58cfecc2494730c9f486a90a5227ded64b2f4d35c70535e44347575bfe218dfd478c36a2a63261f034c76a66d7da5144761fcee858dff4ddc37fea02c2

      Download Submit
    • C:\Windows\SysWOW64\wiuncjkd.exe
      Filesize

      255KB

      MD5

      89ad266dd4ec3baf32c36208801d94b2

      SHA1

      1e23ae264771960f0ae985802359208f0c8049c2

      SHA256

      0c3e23542476324296cf465452a520b4b7896f236c818b113af69284ccb076fb

      SHA512

      da966a58cfecc2494730c9f486a90a5227ded64b2f4d35c70535e44347575bfe218dfd478c36a2a63261f034c76a66d7da5144761fcee858dff4ddc37fea02c2

      Download Submit
    • C:\Windows\SysWOW64\wiuncjkd.exe
      Filesize

      255KB

      MD5

      89ad266dd4ec3baf32c36208801d94b2

      SHA1

      1e23ae264771960f0ae985802359208f0c8049c2

      SHA256

      0c3e23542476324296cf465452a520b4b7896f236c818b113af69284ccb076fb

      SHA512

      da966a58cfecc2494730c9f486a90a5227ded64b2f4d35c70535e44347575bfe218dfd478c36a2a63261f034c76a66d7da5144761fcee858dff4ddc37fea02c2

      Download Submit
    • C:\Windows\SysWOW64\xcqltsqkwiefame.exe
      Filesize

      255KB

      MD5

      bfa77640859efcebaf136d3e9972e7d1

      SHA1

      964cd19df5457e5b2c3edffd053211da4c15f0a1

      SHA256

      6e0d42be1879f53d4e830c8fec1909405a53d9c24f6c7069a50f6fa334772424

      SHA512

      7120aecfb7f3236d4f425502ed29676677af06b09791d8b368a6b41fea32241d9732d35cafc26d4b0227bb79e2b9c1b33267887e7c2bf61340a4b9d8f8e4d5da

      Download Submit
    • C:\Windows\SysWOW64\xcqltsqkwiefame.exe
      Filesize

      255KB

      MD5

      bfa77640859efcebaf136d3e9972e7d1

      SHA1

      964cd19df5457e5b2c3edffd053211da4c15f0a1

      SHA256

      6e0d42be1879f53d4e830c8fec1909405a53d9c24f6c7069a50f6fa334772424

      SHA512

      7120aecfb7f3236d4f425502ed29676677af06b09791d8b368a6b41fea32241d9732d35cafc26d4b0227bb79e2b9c1b33267887e7c2bf61340a4b9d8f8e4d5da

      Download Submit
    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit
    • \Windows\SysWOW64\dihyjxlehs.exe
      Filesize

      255KB

      MD5

      7e0cae0a95cce1d503df4bcc2735c375

      SHA1

      866207b0a552a09677167db7ed2d40f2708b9a05

      SHA256

      9a162c8c93c5d51f6d3a3607d51862508b7185ea237021fc4b1acb0ee526d288

      SHA512

      d074679729c892553a7d0d4c91d24c906a06fbd133e82c5b8add49841440ae4247804330db711fb8865a6d849f7ed9ad4c5bc958079fa423e3e81550daf57916

      Download Submit
    • \Windows\SysWOW64\doeeyscjvfgob.exe
      Filesize

      255KB

      MD5

      ca281fb99b4b716635bf284a3f093070

      SHA1

      18d9b13f70c504337e81e363b9c3ae1a45ca9ce7

      SHA256

      58436b20cfd1bf265c3938bdc61f5266d8d1cabc82c17c5fdfa94332beb7c8bd

      SHA512

      caeb5890ff5da53c4a12d93010d7399c6b693c4ac7414fd8a45c0c51d28451a69fa8d55eff4b50cd1f77df9d718f67bdc5aad65f5d710f6ec43ca9b5f7100fe0

      Download Submit
    • \Windows\SysWOW64\doeeyscjvfgob.exe
      Filesize

      255KB

      MD5

      ca281fb99b4b716635bf284a3f093070

      SHA1

      18d9b13f70c504337e81e363b9c3ae1a45ca9ce7

      SHA256

      58436b20cfd1bf265c3938bdc61f5266d8d1cabc82c17c5fdfa94332beb7c8bd

      SHA512

      caeb5890ff5da53c4a12d93010d7399c6b693c4ac7414fd8a45c0c51d28451a69fa8d55eff4b50cd1f77df9d718f67bdc5aad65f5d710f6ec43ca9b5f7100fe0

      Download Submit
    • \Windows\SysWOW64\wiuncjkd.exe
      Filesize

      255KB

      MD5

      89ad266dd4ec3baf32c36208801d94b2

      SHA1

      1e23ae264771960f0ae985802359208f0c8049c2

      SHA256

      0c3e23542476324296cf465452a520b4b7896f236c818b113af69284ccb076fb

      SHA512

      da966a58cfecc2494730c9f486a90a5227ded64b2f4d35c70535e44347575bfe218dfd478c36a2a63261f034c76a66d7da5144761fcee858dff4ddc37fea02c2

      Download Submit
    • \Windows\SysWOW64\wiuncjkd.exe
      Filesize

      255KB

      MD5

      89ad266dd4ec3baf32c36208801d94b2

      SHA1

      1e23ae264771960f0ae985802359208f0c8049c2

      SHA256

      0c3e23542476324296cf465452a520b4b7896f236c818b113af69284ccb076fb

      SHA512

      da966a58cfecc2494730c9f486a90a5227ded64b2f4d35c70535e44347575bfe218dfd478c36a2a63261f034c76a66d7da5144761fcee858dff4ddc37fea02c2

      Download Submit
    • \Windows\SysWOW64\xcqltsqkwiefame.exe
      Filesize

      255KB

      MD5

      bfa77640859efcebaf136d3e9972e7d1

      SHA1

      964cd19df5457e5b2c3edffd053211da4c15f0a1

      SHA256

      6e0d42be1879f53d4e830c8fec1909405a53d9c24f6c7069a50f6fa334772424

      SHA512

      7120aecfb7f3236d4f425502ed29676677af06b09791d8b368a6b41fea32241d9732d35cafc26d4b0227bb79e2b9c1b33267887e7c2bf61340a4b9d8f8e4d5da

      Download Submit
    • memory/268-61-0x0000000000000000-mapping.dmp
      Download
    • memory/268-88-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/268-104-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/524-103-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/524-57-0x0000000000000000-mapping.dmp
      Download
    • memory/524-86-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/524-92-0x0000000003860000-0x0000000003900000-memory.dmp
      Filesize

      640KB

      Download
    • memory/548-78-0x0000000000000000-mapping.dmp
      Download
    • memory/548-107-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/548-93-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1140-85-0x00000000032E0000-0x0000000003380000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1140-90-0x00000000032E0000-0x0000000003380000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1140-87-0x00000000032E0000-0x0000000003380000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1140-55-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1140-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1140-96-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1144-105-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1144-89-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1144-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1216-108-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1216-94-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1216-80-0x0000000000000000-mapping.dmp
      Download
    • memory/1356-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1356-106-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1536-101-0x000000007175D000-0x0000000071768000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1536-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1536-98-0x0000000070771000-0x0000000070773000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1536-97-0x0000000072CF1000-0x0000000072CF4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1536-95-0x0000000000000000-mapping.dmp
      Download
    • memory/1536-112-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1536-109-0x000000007175D000-0x0000000071768000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1536-113-0x000000007175D000-0x0000000071768000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1812-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-111-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1972-110-0x0000000000000000-mapping.dmp
      Download