Analysis

  • max time kernel
    209s
  • max time network
    215s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 19:09

General

  • Target

    8ad6e4f0b1e07db95297de63b193bdd90fc9070b3f852658d218b958407d06f8.exe

  • Size

    255KB

  • MD5

    e2c04a30160326d3dd99f42e7a98ed22

  • SHA1

    3eb971e21654e3b02ec1a5307469f12bbc6c6f35

  • SHA256

    8ad6e4f0b1e07db95297de63b193bdd90fc9070b3f852658d218b958407d06f8

  • SHA512

    3ca676c2908fce970ab8c142591b03d78929ee1a7a51efaa0df2031b41fe894c3a25b8c07445d94986823a89c9e2cc7fc3a4bda0ea6bb73b827a58d133fac058

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJJ:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI8

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • UPX packed file 23 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ad6e4f0b1e07db95297de63b193bdd90fc9070b3f852658d218b958407d06f8.exe
    "C:\Users\Admin\AppData\Local\Temp\8ad6e4f0b1e07db95297de63b193bdd90fc9070b3f852658d218b958407d06f8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\wzhaovyeym.exe
      wzhaovyeym.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\mwglasty.exe
        C:\Windows\system32\mwglasty.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4688
    • C:\Windows\SysWOW64\uctpdlgtpcalkjz.exe
      uctpdlgtpcalkjz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c jonswnnkuaffh.exe
        3⤵
        PID:4520
    • C:\Windows\SysWOW64\mwglasty.exe
      mwglasty.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4548
    • C:\Windows\SysWOW64\jonswnnkuaffh.exe
      jonswnnkuaffh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4264
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3920

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      255KB

      MD5

      920aac32cbb44eaa5156b8698d004a7d

      SHA1

      3dd9071e9eeed35d49cf70a5bd4b0b3d66a9f4fc

      SHA256

      5bd5f9a3816dd66884a0b34d8b1024adb5841cbf34fe88fb4a7e5feca22a27bd

      SHA512

      db333cfba0914804fa89e07524f7c83f8247897c7620daa763c6890e19b005564761cf586f720a8f6c4941aba1fd2d1baf395848e9a8ee6d42bf672d530dfda1

    • C:\Windows\SysWOW64\jonswnnkuaffh.exe

      Filesize

      255KB

      MD5

      80aa9570a0fcbead10ae33615c31a1bf

      SHA1

      ddf2a4ab067d8d488bf64896897b134bfa5b3a4d

      SHA256

      56df546e1fcaf11f0c099759ff09730cc02cc131cd0deff53e458b509bfee669

      SHA512

      cc8e73bb8c6e74004fedfa171118b878630b85144d951c47e307d9b38ddb97dd1448a96e27f2c383546c569d506324a306f75bc5259666880fdd77b029aa10c8

    • C:\Windows\SysWOW64\mwglasty.exe

      Filesize

      255KB

      MD5

      3eace816139ae7f2ba06fad380d410c2

      SHA1

      d6391eb95633bd4fec2b204d0058aa3cda335d1a

      SHA256

      4762d0b1109472a15ac9bb24054c34db64357ddad59b4b160bde1355eaee6a8f

      SHA512

      4ec8549af9cda9086f7c825f2d195fdb4f0d338eed78c070ccd9ad699e0df5cc41a89d3117a12677e38af6c39f23084b6b02627e423d9c05af7601cea8416a5c

    • C:\Windows\SysWOW64\uctpdlgtpcalkjz.exe

      Filesize

      255KB

      MD5

      8c04d67482ff2bb77222ec7d3f6ec2b5

      SHA1

      ff0f74dc9c9341aa82c4f514659f8c7de7ead3e0

      SHA256

      99458b23e6de1861dd4c39c27cfd77d4a60b52759dd39ee272147df47f2df867

      SHA512

      bff2a36329b728fb7e906ac69be7133977cf822744b0132f7b7eb71700ab88bb4aa8bf1f41ec8a63654811bea5a904b17d86a8f26f533482d7fdab55d7115265

    • C:\Windows\SysWOW64\wzhaovyeym.exe

      Filesize

      255KB

      MD5

      f340dcd18d4e8afc5aa72a0e186cac57

      SHA1

      1975eb0cb8285c8350f4b0b408219ad650705452

      SHA256

      996929dbec081cd1a661925a2b9fe18e29693822fcd307ba11634ed113dba0eb

      SHA512

      65a70886f8aaa3951a2b2d57f406a003748b7ef196c4371235e9d86ac04686c27e0c7ccbb864dd528d280e5fa571adc3f21c8ef497f0d78b0f540ed6c586a2e6

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      255KB

      MD5

      630ee8c6f72bf2b648f4e5876203909f

      SHA1

      f58ec91bc1509bac272a4bf8336ef07fc0bc9209

      SHA256

      9dbec191ae400a5166cf02ec6fa2348e6da9d0d9f8604a4ef867432275aaac7d

      SHA512

      da8a0e5cefd8447d95cfe60df11379446d20e07f1d6a38acd3c64f9157d95a52e4b36aa08a43c36bda7bb272d7d1b2c7a015760e4f84d3e0902c9feef0bac2be

    • memory/1872-132-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/1872-151-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/3188-165-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/3188-141-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/3736-139-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/3736-166-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/3920-162-0x00007FFD54480000-0x00007FFD54490000-memory.dmp

      Filesize

      64KB

    • memory/3920-163-0x00007FFD54480000-0x00007FFD54490000-memory.dmp

      Filesize

      64KB

    • memory/3920-174-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-155-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-156-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-157-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-158-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-159-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-173-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-172-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/3920-171-0x00007FFD56A30000-0x00007FFD56A40000-memory.dmp

      Filesize

      64KB

    • memory/4264-168-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/4264-153-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/4548-167-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/4548-152-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/4688-169-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

    • memory/4688-154-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB