Overview

overview

10

Static

static

8

d71d7205f0...df.exe

windows7-x64

10

d71d7205f0...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 16:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d71d7205f0ae0ba4b8812ddee8c882e1e0d43ca33e580d22a0c5d193751403df.exe

  • Size

    255KB

  • MD5

    024bbce4de7354cf6af71939cc5e3c13

  • SHA1

    bc42a69243b37222f7c97695d0901d1c31ee3d31

  • SHA256

    d71d7205f0ae0ba4b8812ddee8c882e1e0d43ca33e580d22a0c5d193751403df

  • SHA512

    0331eda5e8f8bc42ffea38183c436c0adb64fbbce3f7e4c598b6f12b87ebe37dcecfc4ed36be56c70682b9968a7c000e9fe44bcfb251006ae55b950de2effc96

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv62:Plf5j6zCNa0xeE3mX

Score
10/10
evasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d71d7205f0ae0ba4b8812ddee8c882e1e0d43ca33e580d22a0c5d193751403df.exe
    "C:\Users\Admin\AppData\Local\Temp\d71d7205f0ae0ba4b8812ddee8c882e1e0d43ca33e580d22a0c5d193751403df.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\vmnehfgnjt.exe
      vmnehfgnjt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\cmmofizv.exe
        C:\Windows\system32\cmmofizv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3636
    • C:\Windows\SysWOW64\jctyxzdmonqodlh.exe
      jctyxzdmonqodlh.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1400
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c biqzotvdjnpgp.exe
        3⤵
          PID:1380
      • C:\Windows\SysWOW64\cmmofizv.exe
        cmmofizv.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5052
      • C:\Windows\SysWOW64\biqzotvdjnpgp.exe
        biqzotvdjnpgp.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4176
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3560

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      22a36e0a46db41d3e476ec7116218689

      SHA1

      83a119fb755fcf4c9ec5be6461c8e3a4c406b720

      SHA256

      d00480cbfd3de38a25c0f38c825304d0f9f78c48ffbe66eb8278cc2bcea34af8

      SHA512

      e204f67865f46dede3f29f4fdca5c815237f24b9749ca33c92291e9ee3b8fad667c9ec3cb41b5fb508ac3e17a32da11c03c08a205129c7cd1e7cf8c5de71de1b

      Download Submit

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      f8828c0dafd55f56468ce915522f19da

      SHA1

      fd34ffc665b6030c7abf5790762f83776dc545ef

      SHA256

      536211d4c45bc0db06d5a0ef32550000ba00b245e1608db84d849eb55203103d

      SHA512

      8a707e99697481c71d570f4eb59ec4c2a0c79f17fac037f05f93ec2f08c1903068ce530ea66e8f207236c75ecabca744d09f8d3876477f977f698fa11a27bea2

      Download Submit

    • C:\Windows\SysWOW64\biqzotvdjnpgp.exe
      Filesize

      255KB

      MD5

      6fb85a2ba161f8a019e66552bba94e4f

      SHA1

      aebf0abbb94c09343f25f13eed4bf954eb0033c4

      SHA256

      cc0fbdc098061496ba608115379a274ae0f51a05995a97f2edfa38cd3d559b54

      SHA512

      f75067de5ed519819e36d646cdaf5f5687524a614fbc37c3e974bb3c9ee085f4efdb29331eb90d37d7d5315a2a00075b7606996ec0c00dd4e88a4655d5716588

      Download Submit

    • C:\Windows\SysWOW64\biqzotvdjnpgp.exe
      Filesize

      255KB

      MD5

      6fb85a2ba161f8a019e66552bba94e4f

      SHA1

      aebf0abbb94c09343f25f13eed4bf954eb0033c4

      SHA256

      cc0fbdc098061496ba608115379a274ae0f51a05995a97f2edfa38cd3d559b54

      SHA512

      f75067de5ed519819e36d646cdaf5f5687524a614fbc37c3e974bb3c9ee085f4efdb29331eb90d37d7d5315a2a00075b7606996ec0c00dd4e88a4655d5716588

      Download Submit

    • C:\Windows\SysWOW64\cmmofizv.exe
      Filesize

      255KB

      MD5

      195e12eeb7e34e26d3247d52282113c5

      SHA1

      acc8d211732187ac823322e7bc329c3c90c93cdb

      SHA256

      980819de5d28dba94d537b6a813785c510ccffaaf2f1ddc2bd04a2045555ec14

      SHA512

      8e70332394a446da1bc190a9a712d3a5e0705fb86b5b81e07092922a9151e4161402324eeff9bcbd6d8617e5760d131de8c462ba3f15d8eecd4180dc59885148

      Download Submit

    • C:\Windows\SysWOW64\cmmofizv.exe
      Filesize

      255KB

      MD5

      195e12eeb7e34e26d3247d52282113c5

      SHA1

      acc8d211732187ac823322e7bc329c3c90c93cdb

      SHA256

      980819de5d28dba94d537b6a813785c510ccffaaf2f1ddc2bd04a2045555ec14

      SHA512

      8e70332394a446da1bc190a9a712d3a5e0705fb86b5b81e07092922a9151e4161402324eeff9bcbd6d8617e5760d131de8c462ba3f15d8eecd4180dc59885148

      Download Submit

    • C:\Windows\SysWOW64\cmmofizv.exe
      Filesize

      255KB

      MD5

      195e12eeb7e34e26d3247d52282113c5

      SHA1

      acc8d211732187ac823322e7bc329c3c90c93cdb

      SHA256

      980819de5d28dba94d537b6a813785c510ccffaaf2f1ddc2bd04a2045555ec14

      SHA512

      8e70332394a446da1bc190a9a712d3a5e0705fb86b5b81e07092922a9151e4161402324eeff9bcbd6d8617e5760d131de8c462ba3f15d8eecd4180dc59885148

      Download Submit

    • C:\Windows\SysWOW64\jctyxzdmonqodlh.exe
      Filesize

      255KB

      MD5

      1267ca70cd861f9f127d73f16002b868

      SHA1

      2a8cee4c69fcb31a92da4fe779512259e51976c6

      SHA256

      2bd12baa3179b1e4ccf45a26ab45a26c72f8f93a8948df8e5bfea0e46954803e

      SHA512

      f2dcdfbcbd373f5444d3e4eea5eb60558fa73aa28513279a1247eb314e938e384d7f36658def0a2a0afbf876872fc6f64393757349c40e4cea5c02ed43f8b698

      Download Submit

    • C:\Windows\SysWOW64\jctyxzdmonqodlh.exe
      Filesize

      255KB

      MD5

      1267ca70cd861f9f127d73f16002b868

      SHA1

      2a8cee4c69fcb31a92da4fe779512259e51976c6

      SHA256

      2bd12baa3179b1e4ccf45a26ab45a26c72f8f93a8948df8e5bfea0e46954803e

      SHA512

      f2dcdfbcbd373f5444d3e4eea5eb60558fa73aa28513279a1247eb314e938e384d7f36658def0a2a0afbf876872fc6f64393757349c40e4cea5c02ed43f8b698

      Download Submit

    • C:\Windows\SysWOW64\vmnehfgnjt.exe
      Filesize

      255KB

      MD5

      94a502251320bda8d7cd2cad60c81a7e

      SHA1

      55f46619161eb85dcd9c6e15ce95dccbd2bad2ec

      SHA256

      6f366fbf3173ab1c17cda45909c03e53c832679b6526f8fd42c2f2d40ba9ca67

      SHA512

      beb380a3e3241de889bed5c4a23df7968ce75ed245371611978e637aa053ebabc1894ceda23cdfb0437b60eba49f3098aacdf7b746e180ea8675cdf7642c219a

      Download Submit

    • C:\Windows\SysWOW64\vmnehfgnjt.exe
      Filesize

      255KB

      MD5

      94a502251320bda8d7cd2cad60c81a7e

      SHA1

      55f46619161eb85dcd9c6e15ce95dccbd2bad2ec

      SHA256

      6f366fbf3173ab1c17cda45909c03e53c832679b6526f8fd42c2f2d40ba9ca67

      SHA512

      beb380a3e3241de889bed5c4a23df7968ce75ed245371611978e637aa053ebabc1894ceda23cdfb0437b60eba49f3098aacdf7b746e180ea8675cdf7642c219a

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • memory/1196-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1196-143-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1196-156-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1380-150-0x0000000000000000-mapping.dmp

      Download

    • memory/1400-137-0x0000000000000000-mapping.dmp

      Download

    • memory/1400-144-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2804-136-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/2804-133-0x0000000000000000-mapping.dmp

      Download

    • memory/3560-155-0x0000000000000000-mapping.dmp

      Download

    • memory/3560-165-0x00007FFC39FE0000-0x00007FFC39FF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-172-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-171-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-169-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-170-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-164-0x00007FFC39FE0000-0x00007FFC39FF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-159-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-160-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-161-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-162-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3560-163-0x00007FFC3C1F0000-0x00007FFC3C200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3636-166-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/3636-151-0x0000000000000000-mapping.dmp

      Download

    • memory/3636-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4176-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4176-146-0x0000000000000000-mapping.dmp

      Download

    • memory/4176-149-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/5052-145-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/5052-140-0x0000000000000000-mapping.dmp

      Download