Overview

overview

10

Static

static

8

fee9315fb1...9e.exe

windows7-x64

10

fee9315fb1...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2022, 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fee9315fb1af4647e7a47424f257fc5906baa309d03f269fe6e6d51237a5099e.exe

  • Size

    255KB

  • MD5

    0cadf663b283d3e9bc221edfd019a34d

  • SHA1

    ed420474c281304b83447b73c16e59293adf2e0f

  • SHA256

    fee9315fb1af4647e7a47424f257fc5906baa309d03f269fe6e6d51237a5099e

  • SHA512

    37e208bef3554fc9ca132051d5803038db36b74a8907ea1ea7ee8e34e4ec647c82e77b48113edfa6d9c2bde3487e36462fd7a2ab860e78f228188fdd113d8d88

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI+

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fee9315fb1af4647e7a47424f257fc5906baa309d03f269fe6e6d51237a5099e.exe
    "C:\Users\Admin\AppData\Local\Temp\fee9315fb1af4647e7a47424f257fc5906baa309d03f269fe6e6d51237a5099e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\ymcfnmlfjc.exe
      ymcfnmlfjc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\olffbsik.exe
        C:\Windows\system32\olffbsik.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:1068
    • C:\Windows\SysWOW64\jdvcgexauhdjnzn.exe
      jdvcgexauhdjnzn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c lawbwmechunnp.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\lawbwmechunnp.exe
          lawbwmechunnp.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          PID:888
    • C:\Windows\SysWOW64\olffbsik.exe
      olffbsik.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1904
    • C:\Windows\SysWOW64\lawbwmechunnp.exe
      lawbwmechunnp.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1204
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:924
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1724
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x5b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1376

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    4dc77a52a95cfd12f890414c6ee382cb

    SHA1

    3803c22dc75d9e0e31de3fd8483400cfa66cead0

    SHA256

    e66595a35d15dc594000e11a292fa7825c583f84c2c47a1de5995fa3b28ad28d

    SHA512

    f42b10eea7d604270016f69e73e88468b849d032c88061d2eb150f9bd708384fc6764ca66c734da3fb705c3395ecb70e5fd65a5c5ecf55bec5d45b4971ca7e3a

    Download Submit

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    20ef4c5be49238e0369311895aa3667c

    SHA1

    1f30a20148e3575ef78a3ad8e22cf825a5b8b4db

    SHA256

    8b4a98a54b95ba97dbf9ce2869193a8dc01c23c4681d3b03bba45ec8bb346543

    SHA512

    4ea86560d98e1653683506869e9fbac3d2d8200550cd7c618fc1c19c4be06fd2ff2c4582a1e513ea7a372dd2ebfc96ba09556e8996df167eb3bad85855984905

    Download Submit

  • C:\Users\Admin\Documents\SendMeasure.doc.exe
    Filesize

    255KB

    MD5

    eae9ae8a3bee11fd2e189ead48ddc56b

    SHA1

    c4f3d41a0258fb0a22eee96997ed67eb99bf5914

    SHA256

    42f454c8e654c20c10a1ba8052e6b22039ba691cec8d7b9d0ad7d3983b6d7b5e

    SHA512

    8923affa2e953001fcafd3198a0528507cfaaf34fa489f9676f18738d434884393a709e8ecb44e077e96ae8e3feef4f45a9b69f5721119144984e7536eac6010

    Download Submit

  • C:\Windows\SysWOW64\jdvcgexauhdjnzn.exe
    Filesize

    255KB

    MD5

    5c039e6ee6870f6fb26ddc9e7eb5898a

    SHA1

    6ad35317f477d78ff0f81652f89b5f9c3b03a193

    SHA256

    c5d2ab3eda7762bfda92793071e332cdf1f2616ac672fec3a3d3b8dade0ecbff

    SHA512

    f320e92536590e04b8e9fb5b1516a0493698c562f5b748e736c7072b59b02393049546f81a5ee20e9255744dbf640b4b2515036dac4467456f4436266adcfb66

    Download Submit

  • C:\Windows\SysWOW64\jdvcgexauhdjnzn.exe
    Filesize

    255KB

    MD5

    5c039e6ee6870f6fb26ddc9e7eb5898a

    SHA1

    6ad35317f477d78ff0f81652f89b5f9c3b03a193

    SHA256

    c5d2ab3eda7762bfda92793071e332cdf1f2616ac672fec3a3d3b8dade0ecbff

    SHA512

    f320e92536590e04b8e9fb5b1516a0493698c562f5b748e736c7072b59b02393049546f81a5ee20e9255744dbf640b4b2515036dac4467456f4436266adcfb66

    Download Submit

  • C:\Windows\SysWOW64\lawbwmechunnp.exe
    Filesize

    255KB

    MD5

    2690819c889183e42cb077000f82804d

    SHA1

    e23eba4ff68660df2e2aec19d3640b57dae27f9f

    SHA256

    da2e5a3654163e00d41ac86d9f5134420ec91616e7a359f60898cc9bc7e5b5e6

    SHA512

    725cfcca7975c69c445b5188105a0b4f9f62a79361c14b017c03fc4d97e29cf8d3ddd1c7960d5f1067289caa0e5d4d8a3891cb73051b17ca3c8085e822fbb88b

    Download Submit

  • C:\Windows\SysWOW64\lawbwmechunnp.exe
    Filesize

    255KB

    MD5

    2690819c889183e42cb077000f82804d

    SHA1

    e23eba4ff68660df2e2aec19d3640b57dae27f9f

    SHA256

    da2e5a3654163e00d41ac86d9f5134420ec91616e7a359f60898cc9bc7e5b5e6

    SHA512

    725cfcca7975c69c445b5188105a0b4f9f62a79361c14b017c03fc4d97e29cf8d3ddd1c7960d5f1067289caa0e5d4d8a3891cb73051b17ca3c8085e822fbb88b

    Download Submit

  • C:\Windows\SysWOW64\lawbwmechunnp.exe
    Filesize

    255KB

    MD5

    2690819c889183e42cb077000f82804d

    SHA1

    e23eba4ff68660df2e2aec19d3640b57dae27f9f

    SHA256

    da2e5a3654163e00d41ac86d9f5134420ec91616e7a359f60898cc9bc7e5b5e6

    SHA512

    725cfcca7975c69c445b5188105a0b4f9f62a79361c14b017c03fc4d97e29cf8d3ddd1c7960d5f1067289caa0e5d4d8a3891cb73051b17ca3c8085e822fbb88b

    Download Submit

  • C:\Windows\SysWOW64\olffbsik.exe
    Filesize

    255KB

    MD5

    9bd7e63e04c6047395d25782cdfb8a6c

    SHA1

    1ab22c78af25167582f0c2bd9cb9bd4f487bd794

    SHA256

    6cb7087b6e47050a53bc9a4b2656773c09f00fcb40aada6b1aae20a42aac8a81

    SHA512

    7bc7d83a83a32abda0f7b90b2cf1c95f13f15e36570ba95b5af3b49c79194f4fa37ac489a367c0aa08f913c0910f714851f795a083664620b9f2bc471d6ead57

    Download Submit

  • C:\Windows\SysWOW64\olffbsik.exe
    Filesize

    255KB

    MD5

    9bd7e63e04c6047395d25782cdfb8a6c

    SHA1

    1ab22c78af25167582f0c2bd9cb9bd4f487bd794

    SHA256

    6cb7087b6e47050a53bc9a4b2656773c09f00fcb40aada6b1aae20a42aac8a81

    SHA512

    7bc7d83a83a32abda0f7b90b2cf1c95f13f15e36570ba95b5af3b49c79194f4fa37ac489a367c0aa08f913c0910f714851f795a083664620b9f2bc471d6ead57

    Download Submit

  • C:\Windows\SysWOW64\olffbsik.exe
    Filesize

    255KB

    MD5

    9bd7e63e04c6047395d25782cdfb8a6c

    SHA1

    1ab22c78af25167582f0c2bd9cb9bd4f487bd794

    SHA256

    6cb7087b6e47050a53bc9a4b2656773c09f00fcb40aada6b1aae20a42aac8a81

    SHA512

    7bc7d83a83a32abda0f7b90b2cf1c95f13f15e36570ba95b5af3b49c79194f4fa37ac489a367c0aa08f913c0910f714851f795a083664620b9f2bc471d6ead57

    Download Submit

  • C:\Windows\SysWOW64\ymcfnmlfjc.exe
    Filesize

    255KB

    MD5

    68ca8051df53a835757a8963f8ff6caa

    SHA1

    5dc4b290dd68e09df54d200a8d4986be4f5239b6

    SHA256

    a3ab72280b5aeeb1d426dd9114747d48a42b610906e31c61d7c1e2d1e192233d

    SHA512

    3e6868c67103acff607329d9acfcfaf89bd55f07af0b160ac83451f19d732ffe829d2e6d1f6ed06bdca83f7ae1699bcdb4c75ead7086631415624e3af1f579cc

    Download Submit

  • C:\Windows\SysWOW64\ymcfnmlfjc.exe
    Filesize

    255KB

    MD5

    68ca8051df53a835757a8963f8ff6caa

    SHA1

    5dc4b290dd68e09df54d200a8d4986be4f5239b6

    SHA256

    a3ab72280b5aeeb1d426dd9114747d48a42b610906e31c61d7c1e2d1e192233d

    SHA512

    3e6868c67103acff607329d9acfcfaf89bd55f07af0b160ac83451f19d732ffe829d2e6d1f6ed06bdca83f7ae1699bcdb4c75ead7086631415624e3af1f579cc

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \Windows\SysWOW64\jdvcgexauhdjnzn.exe
    Filesize

    255KB

    MD5

    5c039e6ee6870f6fb26ddc9e7eb5898a

    SHA1

    6ad35317f477d78ff0f81652f89b5f9c3b03a193

    SHA256

    c5d2ab3eda7762bfda92793071e332cdf1f2616ac672fec3a3d3b8dade0ecbff

    SHA512

    f320e92536590e04b8e9fb5b1516a0493698c562f5b748e736c7072b59b02393049546f81a5ee20e9255744dbf640b4b2515036dac4467456f4436266adcfb66

    Download Submit

  • \Windows\SysWOW64\lawbwmechunnp.exe
    Filesize

    255KB

    MD5

    2690819c889183e42cb077000f82804d

    SHA1

    e23eba4ff68660df2e2aec19d3640b57dae27f9f

    SHA256

    da2e5a3654163e00d41ac86d9f5134420ec91616e7a359f60898cc9bc7e5b5e6

    SHA512

    725cfcca7975c69c445b5188105a0b4f9f62a79361c14b017c03fc4d97e29cf8d3ddd1c7960d5f1067289caa0e5d4d8a3891cb73051b17ca3c8085e822fbb88b

    Download Submit

  • \Windows\SysWOW64\lawbwmechunnp.exe
    Filesize

    255KB

    MD5

    2690819c889183e42cb077000f82804d

    SHA1

    e23eba4ff68660df2e2aec19d3640b57dae27f9f

    SHA256

    da2e5a3654163e00d41ac86d9f5134420ec91616e7a359f60898cc9bc7e5b5e6

    SHA512

    725cfcca7975c69c445b5188105a0b4f9f62a79361c14b017c03fc4d97e29cf8d3ddd1c7960d5f1067289caa0e5d4d8a3891cb73051b17ca3c8085e822fbb88b

    Download Submit

  • \Windows\SysWOW64\olffbsik.exe
    Filesize

    255KB

    MD5

    9bd7e63e04c6047395d25782cdfb8a6c

    SHA1

    1ab22c78af25167582f0c2bd9cb9bd4f487bd794

    SHA256

    6cb7087b6e47050a53bc9a4b2656773c09f00fcb40aada6b1aae20a42aac8a81

    SHA512

    7bc7d83a83a32abda0f7b90b2cf1c95f13f15e36570ba95b5af3b49c79194f4fa37ac489a367c0aa08f913c0910f714851f795a083664620b9f2bc471d6ead57

    Download Submit

  • \Windows\SysWOW64\olffbsik.exe
    Filesize

    255KB

    MD5

    9bd7e63e04c6047395d25782cdfb8a6c

    SHA1

    1ab22c78af25167582f0c2bd9cb9bd4f487bd794

    SHA256

    6cb7087b6e47050a53bc9a4b2656773c09f00fcb40aada6b1aae20a42aac8a81

    SHA512

    7bc7d83a83a32abda0f7b90b2cf1c95f13f15e36570ba95b5af3b49c79194f4fa37ac489a367c0aa08f913c0910f714851f795a083664620b9f2bc471d6ead57

    Download Submit

  • \Windows\SysWOW64\ymcfnmlfjc.exe
    Filesize

    255KB

    MD5

    68ca8051df53a835757a8963f8ff6caa

    SHA1

    5dc4b290dd68e09df54d200a8d4986be4f5239b6

    SHA256

    a3ab72280b5aeeb1d426dd9114747d48a42b610906e31c61d7c1e2d1e192233d

    SHA512

    3e6868c67103acff607329d9acfcfaf89bd55f07af0b160ac83451f19d732ffe829d2e6d1f6ed06bdca83f7ae1699bcdb4c75ead7086631415624e3af1f579cc

    Download Submit

  • memory/656-87-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/656-55-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/656-54-0x0000000075131000-0x0000000075133000-memory.dmp

    Filesize

    8KB

    Download

  • memory/888-109-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/888-94-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/924-95-0x0000000072261000-0x0000000072264000-memory.dmp

    Filesize

    12KB

    Download

  • memory/924-100-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/924-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/924-110-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/924-96-0x000000006FCE1000-0x000000006FCE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1068-108-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1068-93-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1204-91-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1204-107-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1724-84-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1724-111-0x00000000026E0000-0x00000000026F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1904-90-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1904-106-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1964-105-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1964-89-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2036-104-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2036-88-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2036-92-0x00000000038A0000-0x0000000003940000-memory.dmp

    Filesize

    640KB

    Download