Overview

overview

10

Static

static

8

1c1235b2a3...ff.exe

windows7-x64

10

1c1235b2a3...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/11/2022, 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c1235b2a3876e07761c73df1712a5339a6791226623ba3511e8dfe3422a61ff.exe

  • Size

    255KB

  • MD5

    673b0c17d383425b15975e13b093a2a6

  • SHA1

    2fbfe60d07a1366a114df1a370bb024683dfc32c

  • SHA256

    1c1235b2a3876e07761c73df1712a5339a6791226623ba3511e8dfe3422a61ff

  • SHA512

    28682150287b318e0c0a09eb9acd5822d2c1fc0a128723c1252cf336d937f112e870718c27a2405d723e7690e77426f5764e83d84200dee463e66237a3d976fc

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJp:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c1235b2a3876e07761c73df1712a5339a6791226623ba3511e8dfe3422a61ff.exe
    "C:\Users\Admin\AppData\Local\Temp\1c1235b2a3876e07761c73df1712a5339a6791226623ba3511e8dfe3422a61ff.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\icyanzawhu.exe
      icyanzawhu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4556
      • C:\Windows\SysWOW64\zktmbowc.exe
        C:\Windows\system32\zktmbowc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1764
    • C:\Windows\SysWOW64\ukptpfxbtetvudm.exe
      ukptpfxbtetvudm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1316
    • C:\Windows\SysWOW64\zktmbowc.exe
      zktmbowc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3440
    • C:\Windows\SysWOW64\mpedrnmeafnke.exe
      mpedrnmeafnke.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5064
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3088

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    255KB

    MD5

    e50c783da6def79a18023181d2dd04c1

    SHA1

    91381d1ddf1d9e712fa492b456ccd5e9a363d5e0

    SHA256

    617b0b61f29aaebd24cdd422e2d0b35543b5ef4be6befdc7b688aa7bb9bf7d18

    SHA512

    aef92d65335057cba2be0e0052b3e9ba7cd9e068e7d4b330e86f28bf6ccf8d19f34f76828be19ce12ca2a4685a483627a637f712255ae5453b5ec195e0316262

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    255KB

    MD5

    6f0b715c3822ce1da35958adff9b437a

    SHA1

    14a7ad3f08e154e19008ad5420a5f49fc1380086

    SHA256

    2cd978acc5a271c272048a053b9cf2f5dccc710db2116caa761f35332c76c662

    SHA512

    bef64dbee594964afcf2065c6a026f47f6c22298fe67f27dc9cb4e450ff72b20609d30e692d86ec136d80368ac216d5b56cc457e88eae8d67a7656fc91d1a403

    Download Submit

  • C:\Users\Admin\Documents\StartUnlock.doc.exe
    Filesize

    255KB

    MD5

    83a859878b82d2293e5f595c0070d904

    SHA1

    1529aa3e99db51d20df37dc30581f256f7fc501e

    SHA256

    f7b1c33f33065b5f72b87c54eb2188e8912b16d11c8256eb37d8abc55b0fb5b2

    SHA512

    91a09151ef635d6fe8067f4b1f51c139ddfa4db746d0a8281a3836ef804341c3e9a086143d020ab46c3c5e124f307d07c5f81ceacab5b0fc132b0808458e868b

    Download Submit

  • C:\Windows\SysWOW64\icyanzawhu.exe
    Filesize

    255KB

    MD5

    c82f5ebb02ce73e342ab32a42b030f74

    SHA1

    317bf2b98478297f767efc4e7e39c50882129c37

    SHA256

    8bedaa59d9a873ca9fb701637d460b6dd15e458f7c58a2d95eac4a1df462701b

    SHA512

    0ea95576c47175b0a2c2be02144453573acb4aa28bb8ddb52bbf322768f5c4be257796b9afbac9c678430432825df37a09a805016c69a7eef200719a400f11c2

    Download Submit

  • C:\Windows\SysWOW64\icyanzawhu.exe
    Filesize

    255KB

    MD5

    c82f5ebb02ce73e342ab32a42b030f74

    SHA1

    317bf2b98478297f767efc4e7e39c50882129c37

    SHA256

    8bedaa59d9a873ca9fb701637d460b6dd15e458f7c58a2d95eac4a1df462701b

    SHA512

    0ea95576c47175b0a2c2be02144453573acb4aa28bb8ddb52bbf322768f5c4be257796b9afbac9c678430432825df37a09a805016c69a7eef200719a400f11c2

    Download Submit

  • C:\Windows\SysWOW64\mpedrnmeafnke.exe
    Filesize

    255KB

    MD5

    12046d7d3fc2198de9a1ec4010e42f7e

    SHA1

    c5806929fa7bf7217bffe8607fecbebdbe391495

    SHA256

    df4b6c176ccd5b0aae96899de244d16293ed5d19563f86215d085580e219f0e2

    SHA512

    e2d2adfb630ed725c704d1fdbeab30602c3652e842bf9f763dc6f42f1fabe908fb33e895063db4330a34fec90ae8066762abb4a1d5a53cf719d6538f7151a047

    Download Submit

  • C:\Windows\SysWOW64\mpedrnmeafnke.exe
    Filesize

    255KB

    MD5

    12046d7d3fc2198de9a1ec4010e42f7e

    SHA1

    c5806929fa7bf7217bffe8607fecbebdbe391495

    SHA256

    df4b6c176ccd5b0aae96899de244d16293ed5d19563f86215d085580e219f0e2

    SHA512

    e2d2adfb630ed725c704d1fdbeab30602c3652e842bf9f763dc6f42f1fabe908fb33e895063db4330a34fec90ae8066762abb4a1d5a53cf719d6538f7151a047

    Download Submit

  • C:\Windows\SysWOW64\ukptpfxbtetvudm.exe
    Filesize

    255KB

    MD5

    9df020eb3a6f0ce68dfadb2c9f1514d7

    SHA1

    db62d1a31295d82f8928417e07147f4c88ad3181

    SHA256

    0f4c9064971f4b222ea43202a24241cd5f39d110a08d3a65239bc20a1b01abee

    SHA512

    178959acc2522b76e1e614e73899d2d21a58c429860a0a372fd45091dcc2ce0085e25589ab2a9b57af4acc3cec6092db163e0a54cad47f8146ce939edd481340

    Download Submit

  • C:\Windows\SysWOW64\ukptpfxbtetvudm.exe
    Filesize

    255KB

    MD5

    9df020eb3a6f0ce68dfadb2c9f1514d7

    SHA1

    db62d1a31295d82f8928417e07147f4c88ad3181

    SHA256

    0f4c9064971f4b222ea43202a24241cd5f39d110a08d3a65239bc20a1b01abee

    SHA512

    178959acc2522b76e1e614e73899d2d21a58c429860a0a372fd45091dcc2ce0085e25589ab2a9b57af4acc3cec6092db163e0a54cad47f8146ce939edd481340

    Download Submit

  • C:\Windows\SysWOW64\zktmbowc.exe
    Filesize

    255KB

    MD5

    7e4088ddf7ced396ec83a16d4d95e842

    SHA1

    5de567317f22a9f6b6a2c03314c79fd1a7501375

    SHA256

    98ac58b259c27ef5a31b68ffe5e081bbe0f55894d3eadd9877d1f0ce2fc48bd8

    SHA512

    643a3ca796417a065e535d5a07c15dc88fe6011c50e2494f404a89968e151e9e9020b119d0cd26a5494a068b0a510fe4d04fa13a872fddeb43ebedbde7d37dd2

    Download Submit

  • C:\Windows\SysWOW64\zktmbowc.exe
    Filesize

    255KB

    MD5

    7e4088ddf7ced396ec83a16d4d95e842

    SHA1

    5de567317f22a9f6b6a2c03314c79fd1a7501375

    SHA256

    98ac58b259c27ef5a31b68ffe5e081bbe0f55894d3eadd9877d1f0ce2fc48bd8

    SHA512

    643a3ca796417a065e535d5a07c15dc88fe6011c50e2494f404a89968e151e9e9020b119d0cd26a5494a068b0a510fe4d04fa13a872fddeb43ebedbde7d37dd2

    Download Submit

  • C:\Windows\SysWOW64\zktmbowc.exe
    Filesize

    255KB

    MD5

    7e4088ddf7ced396ec83a16d4d95e842

    SHA1

    5de567317f22a9f6b6a2c03314c79fd1a7501375

    SHA256

    98ac58b259c27ef5a31b68ffe5e081bbe0f55894d3eadd9877d1f0ce2fc48bd8

    SHA512

    643a3ca796417a065e535d5a07c15dc88fe6011c50e2494f404a89968e151e9e9020b119d0cd26a5494a068b0a510fe4d04fa13a872fddeb43ebedbde7d37dd2

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • memory/1316-165-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1316-146-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1764-151-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1764-168-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3088-162-0x00007FFA4A2F0000-0x00007FFA4A300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-174-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-173-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-172-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-156-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-157-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-158-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-159-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-160-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-161-0x00007FFA4A2F0000-0x00007FFA4A300000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3088-171-0x00007FFA4CB50000-0x00007FFA4CB60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3440-166-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3440-147-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4556-145-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4556-164-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4952-132-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/4952-153-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5064-167-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/5064-148-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

    Download