Overview

overview

10

Static

static

8

eb929610db...61.exe

windows7-x64

10

eb929610db...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe

  • Size

    255KB

  • MD5

    9d045523f90461054d82e6af61e6bcd4

  • SHA1

    d1ef34a19e965ff4b195a243f4039f98e774851a

  • SHA256

    eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661

  • SHA512

    8ed926096d41d1885bdd72fceb77bbc5d22f4a29d47a82d363352901e6868e52d4eb36091626bbf474923b0bb95d43623f755a11f148e98445b170d8caf7fa74

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIT

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
    "C:\Users\Admin\AppData\Local\Temp\eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Windows\SysWOW64\dtxxouwjdl.exe
      dtxxouwjdl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\pqjldqzu.exe
        C:\Windows\system32\pqjldqzu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:664
    • C:\Windows\SysWOW64\qparvjizimxzjyu.exe
      qparvjizimxzjyu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1744
    • C:\Windows\SysWOW64\pqjldqzu.exe
      pqjldqzu.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1604
    • C:\Windows\SysWOW64\qmhzvcomcdifn.exe
      qmhzvcomcdifn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1984
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1180

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      194b2334d9bfc397a540c10c2b53218d

      SHA1

      898be643276ca77e5d088b10ad813ca92f7092f9

      SHA256

      dcf7f852841642489fcff6f31172bb467461a2355c6db51f33169d45263f7c5f

      SHA512

      94c422f31f65050be30ae04a25de047b1182d92b9dcc6dbc7098294251a211d55210b9f46d97dc22584be84a14ebde9f150eaecc9fb27f8499d1a1e290337d23

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      255KB

      MD5

      194b2334d9bfc397a540c10c2b53218d

      SHA1

      898be643276ca77e5d088b10ad813ca92f7092f9

      SHA256

      dcf7f852841642489fcff6f31172bb467461a2355c6db51f33169d45263f7c5f

      SHA512

      94c422f31f65050be30ae04a25de047b1182d92b9dcc6dbc7098294251a211d55210b9f46d97dc22584be84a14ebde9f150eaecc9fb27f8499d1a1e290337d23

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      255KB

      MD5

      2b558c04af774ab2f95454520696c70f

      SHA1

      ab6f27b1321990ae36c7abdc4b39ba7f38e3761e

      SHA256

      37faa02401ca7dab2c1c5d469fc3b1134f6db0d3cd443e824a3b838046d670db

      SHA512

      3b45fa46d2fc9846b2939d9e71233749bb01755047bb0bee1c4be9954579b0535edbab8900b4d9d5e6589f714190aa36812bbb25d296918ef8eaa9d4c0f749ba

      Download Submit

    • C:\Windows\SysWOW64\dtxxouwjdl.exe
      Filesize

      255KB

      MD5

      432cae6bc162390390a9cff093aff38f

      SHA1

      ec14f05f4c7e63cd567232860bcc5b44de07761c

      SHA256

      a30a07bac19f39331ef362fce7d4114ffa6ea6be599cfd09a14ab523182da00a

      SHA512

      c44af38960e6d0493ba40e2b5818c19db424fa9e53d72b51ed7dbecbafbaf1a2f6f48d3ec5c78fcb228987d8bf1122f6f69b064f51eff5217870412b5c3cf4a8

      Download Submit

    • C:\Windows\SysWOW64\dtxxouwjdl.exe
      Filesize

      255KB

      MD5

      432cae6bc162390390a9cff093aff38f

      SHA1

      ec14f05f4c7e63cd567232860bcc5b44de07761c

      SHA256

      a30a07bac19f39331ef362fce7d4114ffa6ea6be599cfd09a14ab523182da00a

      SHA512

      c44af38960e6d0493ba40e2b5818c19db424fa9e53d72b51ed7dbecbafbaf1a2f6f48d3ec5c78fcb228987d8bf1122f6f69b064f51eff5217870412b5c3cf4a8

      Download Submit

    • C:\Windows\SysWOW64\pqjldqzu.exe
      Filesize

      255KB

      MD5

      f9e20910f37ae090ef823eb90740a11d

      SHA1

      8bef99a317514f774be748dbb7a27eeb1da4777f

      SHA256

      47353c20c875707ed5f53a1ac0491cffd703e5d4fec66cc90ca8689569556540

      SHA512

      1600f8090c63e289ed0515c8e2433704a96fb89f3dfc98679b2176666dbf421b6560eb2f317596573292a8d0992ff831292e1afa5810116585e3fdf5ba225b5e

      Download Submit

    • C:\Windows\SysWOW64\pqjldqzu.exe
      Filesize

      255KB

      MD5

      f9e20910f37ae090ef823eb90740a11d

      SHA1

      8bef99a317514f774be748dbb7a27eeb1da4777f

      SHA256

      47353c20c875707ed5f53a1ac0491cffd703e5d4fec66cc90ca8689569556540

      SHA512

      1600f8090c63e289ed0515c8e2433704a96fb89f3dfc98679b2176666dbf421b6560eb2f317596573292a8d0992ff831292e1afa5810116585e3fdf5ba225b5e

      Download Submit

    • C:\Windows\SysWOW64\pqjldqzu.exe
      Filesize

      255KB

      MD5

      f9e20910f37ae090ef823eb90740a11d

      SHA1

      8bef99a317514f774be748dbb7a27eeb1da4777f

      SHA256

      47353c20c875707ed5f53a1ac0491cffd703e5d4fec66cc90ca8689569556540

      SHA512

      1600f8090c63e289ed0515c8e2433704a96fb89f3dfc98679b2176666dbf421b6560eb2f317596573292a8d0992ff831292e1afa5810116585e3fdf5ba225b5e

      Download Submit

    • C:\Windows\SysWOW64\qmhzvcomcdifn.exe
      Filesize

      255KB

      MD5

      592a5717096147df1c989cff45b69c3f

      SHA1

      5b5ba0bec439768924ff4e7082fc87daba120147

      SHA256

      4ae2890539aebb38021bfef3770f2a009fa56a486dc73b43800d548f05b97d0c

      SHA512

      c4f93f18c338ee9fdadb9e37741a294da9b81b0ee7533d9542967b00c0ff66f8cbb1144441cba27b67b123798dbccc705035229fa44be034c8708ac7b0ecd70e

      Download Submit

    • C:\Windows\SysWOW64\qmhzvcomcdifn.exe
      Filesize

      255KB

      MD5

      592a5717096147df1c989cff45b69c3f

      SHA1

      5b5ba0bec439768924ff4e7082fc87daba120147

      SHA256

      4ae2890539aebb38021bfef3770f2a009fa56a486dc73b43800d548f05b97d0c

      SHA512

      c4f93f18c338ee9fdadb9e37741a294da9b81b0ee7533d9542967b00c0ff66f8cbb1144441cba27b67b123798dbccc705035229fa44be034c8708ac7b0ecd70e

      Download Submit

    • C:\Windows\SysWOW64\qparvjizimxzjyu.exe
      Filesize

      255KB

      MD5

      35389cdc12a8b4ea60a212d7527a709a

      SHA1

      6ead3c01595f848db5713830d577e1c67424aa77

      SHA256

      0ce54406f67ad382529457add4f40429210e56f0f8b580b11072515bc28526f9

      SHA512

      c4468e4c97c6fc9e9560e2e44e7bef338dabba253d6a373bfc5d70b419869cc82d8fa780950ff15e6a2de8cd839d2e19a149456b1027f03a43ee9ba76efa421e

      Download Submit

    • C:\Windows\SysWOW64\qparvjizimxzjyu.exe
      Filesize

      255KB

      MD5

      35389cdc12a8b4ea60a212d7527a709a

      SHA1

      6ead3c01595f848db5713830d577e1c67424aa77

      SHA256

      0ce54406f67ad382529457add4f40429210e56f0f8b580b11072515bc28526f9

      SHA512

      c4468e4c97c6fc9e9560e2e44e7bef338dabba253d6a373bfc5d70b419869cc82d8fa780950ff15e6a2de8cd839d2e19a149456b1027f03a43ee9ba76efa421e

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\dtxxouwjdl.exe
      Filesize

      255KB

      MD5

      432cae6bc162390390a9cff093aff38f

      SHA1

      ec14f05f4c7e63cd567232860bcc5b44de07761c

      SHA256

      a30a07bac19f39331ef362fce7d4114ffa6ea6be599cfd09a14ab523182da00a

      SHA512

      c44af38960e6d0493ba40e2b5818c19db424fa9e53d72b51ed7dbecbafbaf1a2f6f48d3ec5c78fcb228987d8bf1122f6f69b064f51eff5217870412b5c3cf4a8

      Download Submit

    • \Windows\SysWOW64\pqjldqzu.exe
      Filesize

      255KB

      MD5

      f9e20910f37ae090ef823eb90740a11d

      SHA1

      8bef99a317514f774be748dbb7a27eeb1da4777f

      SHA256

      47353c20c875707ed5f53a1ac0491cffd703e5d4fec66cc90ca8689569556540

      SHA512

      1600f8090c63e289ed0515c8e2433704a96fb89f3dfc98679b2176666dbf421b6560eb2f317596573292a8d0992ff831292e1afa5810116585e3fdf5ba225b5e

      Download Submit

    • \Windows\SysWOW64\pqjldqzu.exe
      Filesize

      255KB

      MD5

      f9e20910f37ae090ef823eb90740a11d

      SHA1

      8bef99a317514f774be748dbb7a27eeb1da4777f

      SHA256

      47353c20c875707ed5f53a1ac0491cffd703e5d4fec66cc90ca8689569556540

      SHA512

      1600f8090c63e289ed0515c8e2433704a96fb89f3dfc98679b2176666dbf421b6560eb2f317596573292a8d0992ff831292e1afa5810116585e3fdf5ba225b5e

      Download Submit

    • \Windows\SysWOW64\qmhzvcomcdifn.exe
      Filesize

      255KB

      MD5

      592a5717096147df1c989cff45b69c3f

      SHA1

      5b5ba0bec439768924ff4e7082fc87daba120147

      SHA256

      4ae2890539aebb38021bfef3770f2a009fa56a486dc73b43800d548f05b97d0c

      SHA512

      c4f93f18c338ee9fdadb9e37741a294da9b81b0ee7533d9542967b00c0ff66f8cbb1144441cba27b67b123798dbccc705035229fa44be034c8708ac7b0ecd70e

      Download Submit

    • \Windows\SysWOW64\qparvjizimxzjyu.exe
      Filesize

      255KB

      MD5

      35389cdc12a8b4ea60a212d7527a709a

      SHA1

      6ead3c01595f848db5713830d577e1c67424aa77

      SHA256

      0ce54406f67ad382529457add4f40429210e56f0f8b580b11072515bc28526f9

      SHA512

      c4468e4c97c6fc9e9560e2e44e7bef338dabba253d6a373bfc5d70b419869cc82d8fa780950ff15e6a2de8cd839d2e19a149456b1027f03a43ee9ba76efa421e

      Download Submit

    • memory/664-97-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/664-81-0x0000000000000000-mapping.dmp

      Download

    • memory/664-85-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1080-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1080-106-0x00000000718ED000-0x00000000718F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1080-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1080-102-0x00000000718ED000-0x00000000718F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1080-86-0x0000000000000000-mapping.dmp

      Download

    • memory/1080-94-0x00000000718ED000-0x00000000718F8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1080-88-0x0000000072E81000-0x0000000072E84000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1080-89-0x0000000070901000-0x0000000070903000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1180-104-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1180-103-0x0000000000000000-mapping.dmp

      Download

    • memory/1192-54-0x0000000076701000-0x0000000076703000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1192-55-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1192-70-0x00000000032B0000-0x0000000003350000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1192-87-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1604-77-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1604-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1604-93-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1744-75-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1744-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1744-92-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1812-91-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1812-57-0x0000000000000000-mapping.dmp

      Download

    • memory/1812-74-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1984-96-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download

    • memory/1984-72-0x0000000000000000-mapping.dmp

      Download

    • memory/1984-84-0x0000000000400000-0x00000000004A0000-memory.dmp

      Filesize

      640KB

      Download