Overview

overview

10

Static

static

5

17ddb4edf5...04.exe

windows7-x64

10

17ddb4edf5...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    176s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2023 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17ddb4edf577c9143cab458936f7fa04.exe

  • Size

    512KB

  • MD5

    17ddb4edf577c9143cab458936f7fa04

  • SHA1

    3fcb06b9c98fe4d8aa4778c33a76353bcbf2af15

  • SHA256

    0f65f212348cc045f8cdd39ac4a2a63f626841eb02e7c50bd73b62567befcc3d

  • SHA512

    bfa99ecad681a5360ec3f2083b9640329a7d7f849173fa4d6c12f2526f9da29dc1dd9ce672f8e3c3cdd4b096559c9eb5f17187a9a2e8ed587c313437ce063a34

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm59

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\17ddb4edf577c9143cab458936f7fa04.exe
    "C:\Users\Admin\AppData\Local\Temp\17ddb4edf577c9143cab458936f7fa04.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\SysWOW64\gicptjpzjt.exe
      gicptjpzjt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\SysWOW64\zxrrpipn.exe
        C:\Windows\system32\zxrrpipn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4572
    • C:\Windows\SysWOW64\duklsxeydmaoioe.exe
      duklsxeydmaoioe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3772
    • C:\Windows\SysWOW64\zxrrpipn.exe
      zxrrpipn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:332
    • C:\Windows\SysWOW64\nbnahkeoqfsyj.exe
      nbnahkeoqfsyj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3936
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    46KB

    MD5

    927c71560d35d82b8c8dbc3be817e395

    SHA1

    c58beeaf4c80cb5b181b7d18bb1d7e87349f5ba8

    SHA256

    a554bdba12c905c7c760e93ed56846d5c5362a8363e2c7f32310f79fc1717a5e

    SHA512

    4220c9bafedbe77784b7e3c0df1905e4ac4582e306d202dcd47f716ceb508d9f73ead9cf526a875e4a03d52a0fd6e11f19db1281691a4711ccb41d7d62cad756

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    b393259e002c8fe24cac32e7a8cac9e2

    SHA1

    0645609720bb4cb6fa5f359d8a66d3d2f3b87c71

    SHA256

    b5e15609ab23a20a739aa0cd6105686ebb9d34617b6ffa7e9c570c213ffaa51e

    SHA512

    946234d74e42d86df3e2a6415fb32e564bc878693901282ec1aa80dac2b6937ef3d149a24fa14dfafcfd44096fdcfa47517eaee1e61b8d8989cd7ca6c5ef7022

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    9bc2a0eab3a0cc8943397f16911b210e

    SHA1

    9b399f51a280cd49843ed37bd6fae5baea2a0c1a

    SHA256

    a9efab44bd9fcd50a4c3775ca4c32921ee40c15b885d2e1654952554379cb828

    SHA512

    bf339c0ba38a5aac47608c19fb42cd0a503e31791d1b096404e87f4f9e7fab5a72cd29f349b1aab410e2901fb303682c794e0d7b747b9a8c76744abb2322af28

    Download Submit

  • C:\Windows\SysWOW64\duklsxeydmaoioe.exe
    Filesize

    160KB

    MD5

    965ad92548a28de292fd6704d0a39ec9

    SHA1

    e48cbff8dca9684b0da7dcb76d993fe96be4d552

    SHA256

    f3513f8f904260a0f9f6f0be06abdc0b9bed1092232311d82a2bb1d0e657965b

    SHA512

    0f4e9af88af2e03972b0efc346a8563bf9cb80b2624351395a44018c725c50ce809d66f28eeef81b6c0cdc0c2a95be02b70d206a0d299fb93f1ed3032065e1a0

    Download Submit

  • C:\Windows\SysWOW64\duklsxeydmaoioe.exe
    Filesize

    205KB

    MD5

    7dd2b0529d50ca68c9f3631f412c2397

    SHA1

    4a33d77405262a92af502b25816ad590f24dc3ec

    SHA256

    0a5c9f655bd133ddfa02017fe73b8d7b310fd040a51d49dee59d7dd532968f32

    SHA512

    04eceb6e44be4c12567d5d33548b9c315c78a7e71056a78c0b075a55fcba805bcd737ca1c0b84b3856a52882e16931390f5ec9b29e396742075e8805133ccb7b

    Download Submit

  • C:\Windows\SysWOW64\gicptjpzjt.exe
    Filesize

    246KB

    MD5

    025d8c98e4716dedd054d200522df29b

    SHA1

    c9506eb8ed8e33ef7bee1203b40ea420a9e56c05

    SHA256

    8303f21c1ed4a96feb931c90a587ee0281ea8271d33c40fcfb90197a36ca4cbd

    SHA512

    33d766eb5757a32a4321827dcd2d84f968493acb5f1ec6ff296c50b962c1681fde535dfe8856729c1392b61d8bc96b77ae56d195669fedd349d17f8cdb83c9bb

    Download Submit

  • C:\Windows\SysWOW64\gicptjpzjt.exe
    Filesize

    400KB

    MD5

    6ce18aaf9c82d98c69f648f5677d2c7d

    SHA1

    4aee54b2c67e73d97cc2923624c5c45df01034f4

    SHA256

    48ba4f7b39d2fecc37927bd2d4e409cc13aab147c57d5bb3edea728ce0de8f4a

    SHA512

    9fcfe93533e1bfe173661cff49f98007db8e702d64b9088cae211e1cadb7cdd5d0f699a514c581824f950ccaeeb7ac5736d5ef46ee297443498028eab3cce501

    Download Submit

  • C:\Windows\SysWOW64\nbnahkeoqfsyj.exe
    Filesize

    148KB

    MD5

    37afe5a9be37dc9d40885297fe363d2f

    SHA1

    1db657ada6a0fab3f29f6d6b1a7247997f53093f

    SHA256

    ee398494f8d231164bf109a9c9c8325b55a341bfaff8fc8eb70466b9de203138

    SHA512

    993975c3b7c429f5d75034b38ac738f0ba91fd22c29875ec0897229d60e2fb530c6431d5673e6e4ae71988d6d9b58ce3e8186d16e27094341efc7707e263ced7

    Download Submit

  • C:\Windows\SysWOW64\nbnahkeoqfsyj.exe
    Filesize

    128KB

    MD5

    d36a559a59f65e901b097c359a5eb7f7

    SHA1

    48942c763856b01cefd157bf8a92c446adf79355

    SHA256

    89d6285e82a2c1c866f46dc16149cb1356bcc9f3e36c81e4178b1b61d80b97ee

    SHA512

    b6d4dad19667d2eb8bd24c0acbcfcf3815d6a433a696418e40ff87614c8801a37d3da61fa710399598921e5129218aa6e75435db7f7ec0161cfdeb7efb138da9

    Download Submit

  • C:\Windows\SysWOW64\zxrrpipn.exe
    Filesize

    111KB

    MD5

    3d508276b86005524103c22483e5357c

    SHA1

    ce398d5b42c33202f600cbd5e7d10bdce848d04e

    SHA256

    670cdf690f3e96fd4c5001bac4b498da7cb201d493480ff9dd279957cd225537

    SHA512

    e72297c23a2b3fb2f998a6959d6d4aff4b99953e506378962ad0318a48cb5b8a5ba75b77960169e0d3caae9bc53a5c52a22c4fc6a9462971ba035dd6c6d11893

    Download Submit

  • C:\Windows\SysWOW64\zxrrpipn.exe
    Filesize

    293KB

    MD5

    ce74e6938a9a1d433646dc51faf0d18c

    SHA1

    405387ad3576cecc1dcdd81bf9dec39781de4dc0

    SHA256

    fe6a3e122da39fb0c627fde7662b5b3386300969609d931274e02c3a2ec5b6ce

    SHA512

    0cdf60a02082be4024255cdf9dbd5fd8661955b004806a15239c3cc41d1fd3aae052efbae225ab6ef76f6e13641d5d082d897fdd3b4cb3ea5d6e4e93dd633720

    Download Submit

  • C:\Windows\SysWOW64\zxrrpipn.exe
    Filesize

    29KB

    MD5

    a68955061c818654ec8f54851e6d0313

    SHA1

    80ee575ac59dd6eb067070d7dee2aa03c1e78dfb

    SHA256

    024771496f7cd16cd2b4e69d03f88b71ba90d9d24cabd19c2dced227f414250a

    SHA512

    5222f02a60b349205c402df25fdfa6f8c362dd58ddf4de9a6dfe7d6a46488725e972cb2af3bdcfcbb7d461f7b81de3096683a3dfdd619342f91d7a975b0d3991

    Download Submit

  • C:\Windows\SysWOW64\zxrrpipn.exe
    Filesize

    235KB

    MD5

    7fe40c29c06e2e61fb3b30a0477f7de3

    SHA1

    7340d8f3badcd3a9534594cb229aa14d711bb744

    SHA256

    7b17cc186690322c57c13635079d31889c8c9b37a830d9695cd630c475a679e8

    SHA512

    4d245bc74a5be79974e5041e0342efc61d7b22cbadf9c6cae31c8bb5738ceec2517d3058a62e877d5b1d08cfa40db272525430bf0e5e8e2e3d9bd47679274690

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Users\Admin\Downloads\RenameRestart.doc.exe
    Filesize

    239KB

    MD5

    71b562be0e426545b4ff98fcdb17c028

    SHA1

    85a0e5cee63a24ad6eaf421f67bed0fe4d6ef453

    SHA256

    320d0a5c51f1c38a58f0eccb4ffa68277f073df9bdc8d529bd0dd36e12fa542c

    SHA512

    c34cef5480ecaaa5ebf663b294462250dbee079877ad07b5a793bdf1148a19a6eabc86c97b05fb3db3e62a4ac97a49bb43a8e6a3825bfa9e240cae2f56678ae6

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    512f1174aa9015e7bcbe2fe729b9155f

    SHA1

    28a03a1b8b2af47a6a4dec5a34133604409f5e6a

    SHA256

    aecc8b6e10575f17c56a2479fbd03751c1ee783ca19e07d60c50602eb4d844ba

    SHA512

    4c2f6f6635d9ac7a7857712c1d4619f3b87e38d39e59c69f5aae4e37c0f47d94c7b771d868122c25d08e406673fa2ed192dce254119f2923498e4171ae399d45

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    ec11413558e44cd485ed1cc7db85f5ed

    SHA1

    47477bd457c48eb6c69f7525d7eaecec3a27e17c

    SHA256

    3df300fdcd02deede151668e37d46ed9be378ab321ff9c6956bb8001a166e08b

    SHA512

    26651ea37f7d16aa82a664215eb981639bc2e1f04268abffe6d66e4c8562fcacc12c655a6f03e6b36d4acdb108221525bfc63e627f1afe3460dfb02500815d7e

    Download Submit

  • memory/1588-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3044-37-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-46-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-42-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-49-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-36-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-50-0x00007FF972F40000-0x00007FF972F50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-51-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-52-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-53-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-55-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-56-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-57-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-58-0x00007FF972F40000-0x00007FF972F50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-54-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-47-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-48-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-44-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-45-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-43-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-99-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-100-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-101-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-41-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-40-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-38-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3044-138-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-139-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-140-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-141-0x00007FF975390000-0x00007FF9753A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-142-0x00007FF9B5310000-0x00007FF9B5505000-memory.dmp

    Filesize

    2.0MB

    Download