Overview

overview

10

Static

static

8

571e2519db...bb.exe

windows7-x64

10

571e2519db...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    187s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 19:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    571e2519db3e6fcd3b7925c5c07c2730eb41a4e26c4adda853d6406a910211bb.exe

  • Size

    255KB

  • MD5

    b959e15aa4c84058d7d220fa6ef3a2a1

  • SHA1

    4e31dc9e03ea4c77086c378d6640e54cbd04a215

  • SHA256

    571e2519db3e6fcd3b7925c5c07c2730eb41a4e26c4adda853d6406a910211bb

  • SHA512

    7b12c813549a4661961e62e759abe8724a236d477619cb710d1f4157411eef422a772babf59b78fce6cab59116c19d98ffd60f55df3cb389d5945269a2151343

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJS:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\571e2519db3e6fcd3b7925c5c07c2730eb41a4e26c4adda853d6406a910211bb.exe
    "C:\Users\Admin\AppData\Local\Temp\571e2519db3e6fcd3b7925c5c07c2730eb41a4e26c4adda853d6406a910211bb.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Windows\SysWOW64\hjdewcgnbm.exe
      hjdewcgnbm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\tbohyrms.exe
        C:\Windows\system32\tbohyrms.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4448
    • C:\Windows\SysWOW64\xfnlczxqiavoqhn.exe
      xfnlczxqiavoqhn.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3292
    • C:\Windows\SysWOW64\tbohyrms.exe
      tbohyrms.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1280
    • C:\Windows\SysWOW64\jfsybmnwthrxv.exe
      jfsybmnwthrxv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:980
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3376

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
          Filesize

          255KB

          MD5

          52c32aa5ddc2a693fd398055b1d81ced

          SHA1

          58b8a8f5d35dd955b115813b0aaa47007ab2bffb

          SHA256

          6b01d40853a811cae6df5ad1b94e4c04eef434d8d223a84c71a666f7b66cd9b7

          SHA512

          1c14e52f4944bc4989934e17ac7929f167d6bbeaab5e76d86e97fab843f74d3a1793119bf978be1e27ea2637e0d521284cb9ee166ea4953fbe92cb438fd0c642

          Download Submit

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
          Filesize

          255KB

          MD5

          491529ce6c0a88be9be30c639e2d8c28

          SHA1

          7b0c91c3d10b6a9f292bb9aa5f358261360fb903

          SHA256

          7bd347f301b02f3417d1d687cf489ea29391492316f68c7cea53746e7b76280a

          SHA512

          5a52586ede2969d4d7c07fcc495787137b5254a4ece6c46ac47e6e9ebd85c5066421309e9ba6b473839e4fe6316584e4bcf7325ecf1c552e9e0dfb8569db9491

          Download Submit

        • C:\Users\Admin\Downloads\GroupClose.doc.exe
          Filesize

          255KB

          MD5

          d366758b6a52b5f053b37a089c655bae

          SHA1

          093687b56cb67aead2db0d5e31cb3e5ec37d692f

          SHA256

          de5f7d8492231ee6a8b64c3b9bdf97e64d48e74228c8c837595cc00eb1de9281

          SHA512

          34d495e25feb0cfdea9b1d273e358c1e71e7c1802a8109792ef4fe66a8d1bcd48ea7f7fa7b37e1b5edcd326c6aaa880de34a517adc421e87c3a65c6dbe5d0ff2

          Download Submit

        • C:\Windows\SysWOW64\hjdewcgnbm.exe
          Filesize

          255KB

          MD5

          0a704e821c76225823421f2450b01039

          SHA1

          35133aaf1e895fd81b01e53ea4d0223a87a23e37

          SHA256

          96afba32cf51d877e2ab58221f420964e5d9246bdefab08e3cfb533ffa28e2c3

          SHA512

          90d2fd2e876bfbe2b6e40bfc87550d4a38275daf1368c85ba2261a6b7e3701074872a754a91006079297048d4463d822d4bfc1f93c0d79203518f4459c27ded6

          Download Submit

        • C:\Windows\SysWOW64\hjdewcgnbm.exe
          Filesize

          255KB

          MD5

          0a704e821c76225823421f2450b01039

          SHA1

          35133aaf1e895fd81b01e53ea4d0223a87a23e37

          SHA256

          96afba32cf51d877e2ab58221f420964e5d9246bdefab08e3cfb533ffa28e2c3

          SHA512

          90d2fd2e876bfbe2b6e40bfc87550d4a38275daf1368c85ba2261a6b7e3701074872a754a91006079297048d4463d822d4bfc1f93c0d79203518f4459c27ded6

          Download Submit

        • C:\Windows\SysWOW64\jfsybmnwthrxv.exe
          Filesize

          255KB

          MD5

          7637f6e04f12343285b40b2a9bf47388

          SHA1

          4e4f18ea1eb1492c0dbe6d5edcbb01f3c74dadd7

          SHA256

          684eaedcf404348b82595fba92d69de58de52208f97818395604ab63edea8558

          SHA512

          50e1c9959ea5f7c0d16fdb0413018a0b21ef7676fcd47b4a0615e863d8403db3b84fc89e0a4ce4c427c201314aafc24124aee041f85ad899e8c1943295f5271f

          Download Submit

        • C:\Windows\SysWOW64\jfsybmnwthrxv.exe
          Filesize

          255KB

          MD5

          7637f6e04f12343285b40b2a9bf47388

          SHA1

          4e4f18ea1eb1492c0dbe6d5edcbb01f3c74dadd7

          SHA256

          684eaedcf404348b82595fba92d69de58de52208f97818395604ab63edea8558

          SHA512

          50e1c9959ea5f7c0d16fdb0413018a0b21ef7676fcd47b4a0615e863d8403db3b84fc89e0a4ce4c427c201314aafc24124aee041f85ad899e8c1943295f5271f

          Download Submit

        • C:\Windows\SysWOW64\tbohyrms.exe
          Filesize

          255KB

          MD5

          9d0553cc3ce51837448caba802909316

          SHA1

          dd3016a8e6d7733be3388996a29463c2a81329f4

          SHA256

          2a9dc2682f52979b98096d8f83b976a099ed148a6fe2b49b4af8554bdfcf6eb7

          SHA512

          700db87c6b08949fd2f7d13bf3c3a7a51cfe5f850c9c5170fc1a4c007a27ab3c0bb6ed2bded5ed00a0cf202fafb380fe6e80fa1f35c52c8a55fb04087508135d

          Download Submit

        • C:\Windows\SysWOW64\tbohyrms.exe
          Filesize

          255KB

          MD5

          9d0553cc3ce51837448caba802909316

          SHA1

          dd3016a8e6d7733be3388996a29463c2a81329f4

          SHA256

          2a9dc2682f52979b98096d8f83b976a099ed148a6fe2b49b4af8554bdfcf6eb7

          SHA512

          700db87c6b08949fd2f7d13bf3c3a7a51cfe5f850c9c5170fc1a4c007a27ab3c0bb6ed2bded5ed00a0cf202fafb380fe6e80fa1f35c52c8a55fb04087508135d

          Download Submit

        • C:\Windows\SysWOW64\tbohyrms.exe
          Filesize

          255KB

          MD5

          9d0553cc3ce51837448caba802909316

          SHA1

          dd3016a8e6d7733be3388996a29463c2a81329f4

          SHA256

          2a9dc2682f52979b98096d8f83b976a099ed148a6fe2b49b4af8554bdfcf6eb7

          SHA512

          700db87c6b08949fd2f7d13bf3c3a7a51cfe5f850c9c5170fc1a4c007a27ab3c0bb6ed2bded5ed00a0cf202fafb380fe6e80fa1f35c52c8a55fb04087508135d

          Download Submit

        • C:\Windows\SysWOW64\xfnlczxqiavoqhn.exe
          Filesize

          255KB

          MD5

          f28d46081f222bcfc6af8758bdd78b23

          SHA1

          f705ff7247461d979553cff3345305786afbcaa4

          SHA256

          51c648efe48dfb844b054dcc41114bc5520e59449c6f97cd71c55c24c6367346

          SHA512

          b62fb2cacfa49e1b1fa0c7aad3fd9f70bc58df9b7dacde9363a14a1ac4743f709cd9e5123b0a9bf9d233a6f1a4d7c2a1745a715af828220722b6e793ce94b473

          Download Submit

        • C:\Windows\SysWOW64\xfnlczxqiavoqhn.exe
          Filesize

          255KB

          MD5

          f28d46081f222bcfc6af8758bdd78b23

          SHA1

          f705ff7247461d979553cff3345305786afbcaa4

          SHA256

          51c648efe48dfb844b054dcc41114bc5520e59449c6f97cd71c55c24c6367346

          SHA512

          b62fb2cacfa49e1b1fa0c7aad3fd9f70bc58df9b7dacde9363a14a1ac4743f709cd9e5123b0a9bf9d233a6f1a4d7c2a1745a715af828220722b6e793ce94b473

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • memory/980-153-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/980-168-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1280-167-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1280-145-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/2992-165-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/2992-143-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/3292-144-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/3292-166-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/3376-156-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-160-0x00007FFBB8690000-0x00007FFBB86A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-161-0x00007FFBB8690000-0x00007FFBB86A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-155-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-174-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-173-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-159-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-158-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-172-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-175-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-157-0x00007FFBBAEF0000-0x00007FFBBAF00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4448-169-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4448-154-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4864-152-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/4864-142-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download