Analysis
-
max time kernel
122s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
24/12/2023, 22:35
General
-
Target
1624dc9535d5a83f542323e1d0a34e3a.exe
-
Size
512KB
-
MD5
1624dc9535d5a83f542323e1d0a34e3a
-
SHA1
08426e094d6c34ad38d9fd39d83b02e23b6c53c1
-
SHA256
a025cb33d356a0395c4e098f8f66800ac4bb02eddbd049a26c8957b5bd6a4705
-
SHA512
9ce3c6f26cedcc4c51aabf7315d734374eb5928349927652389aa836510141a70c6b71461b19fd57d5840c63bbaf37200d57d91b97c2e61666829a4b823d4167
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a.exe"C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\yndfluwwvb.exeyndfluwwvb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\werexxja.exeC:\Windows\system32\werexxja.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\wtkjesapeanix.exewtkjesapeanix.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\werexxja.exewerexxja.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\eczsgpckokngbih.exeeczsgpckokngbih.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
161KB
MD590e278ad63348582ab33c6dd2a73a202
SHA1c21f75610781d09a58387b5d0d39754ff2f337b9
SHA2560e7b302ea819ace68fca4635bfbb7da1f0def43205499f43d72f5382bf86e29f
SHA512d3067e71d1d7de9d352ac2bf637dcead04b448e6c11d2c75e141f7cf37265840b26233f27102f2b0b1736d0f6299dbd7fc821197e4c2a8f4dd1ff0735aa120a5
-
Filesize
55KB
MD5153caa6f6039fa7d6c325b6c3b14e743
SHA1796b096bc2558068aac392754724296b313e9493
SHA25645bf7592e80793db476839043277f2dfc99d9c1dc12794635761aef040af26b7
SHA512c42239cd4287c44d605fc25bc7be2c49c33117c62847d152419d616a99484b47de113d92d02f73f4a7c06954000e100f719e29db0281c768be5f194e48fab027
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD5c12473b9de1ca395e6d62045b3318b78
SHA1e3341d8f65623ac8ebc6302668c6511c20f38486
SHA256012c0dd66e27fae5757e670e60fd5326eb7edde14d16d55cff2d256caa137e2a
SHA512dd649e2a7eb501c19be6932409d13623e91a0d9d26f37e32bfcdb762773e77c1aa37d8fa1d5c645bfbdd7f90d6e2237e9c8d3b393db5443e39c52677f979fff0
-
Filesize
3KB
MD5345defab6f6c22abcdc043bf57eb878f
SHA12cc92a349b7280df734d85844c9a67b73864defe
SHA25673a5a81445eccbf23cf34ee291fe5b11d31176944c476f0f80edb431249fa791
SHA512a2fb12d29a5dd39c7f85e5c26716dbf70885d9035ee3489d8784ceb8817c8f0df46175fda93954cbb7d1989004eadf08e3b839ec7b9b60356b6a317936e9c430
-
Filesize
133KB
MD529ca890d704b1294ee6b46b729232cd9
SHA1a694c2971aa32f719fa682ce8974922eda6ed585
SHA25633c269b98fea445abf5a0b7882aacced959a2b9601dfb52528800abfa5e78afb
SHA512250b68bec713ef4728eddb6e76b98d4e1e5a0305a02fde1580559d2271016d4157e14b24283067fec7e367dbcb91891764b35ac5715766431cee0dbf7f2b2ab0
-
Filesize
135KB
MD5e162b044a7661c3c80e397970261361f
SHA1e809653110d867733c9a38e26d09388bda277741
SHA256dc70910a15f628e95a29415b0da84d4495b46a8733b99ef4598182a1e894f779
SHA512d59f69928000ac568b68e050727e0e949fe34b1dc50890f8a3a6c7b9704b5aaf94cf6f8e65159190b2c4da3d4e79398673e66e9a2ae0935a27e9ff85d130bbd8
-
Filesize
161KB
MD5584b5d0de34b7ca984b4d6a41d0c1a9d
SHA17af0a25cd11db0615adfea4707caba04f052599f
SHA2562a13279776792f046890251ee3ff74c50392ecfb5e150c122e3f3c325b6e8b5f
SHA5122735e0792b766451b8c9bd70e16065fce4d97dab8d3d62c7878966c3464e089d6b637cc31b8c3a30c92cf02716f386f48a037ce0aa6dd7aa27bb2bdce8ba9b7e
-
Filesize
189KB
MD5d33c1742404d2faf3da6269b58655e11
SHA1cb92d227ca527afe0b200a65caa155b9b82c78cc
SHA2563bb42ee345a96dff5a102995ee56f64623278468c606b2f19de8104fac6dbd88
SHA51254a05a66f23de90960bd25ed3f876485509e730c8b443068d930d87251ff3fa7b9404f5d6e36d608de40c65aea15fe9224fd8cdfcc0c5a4af6d34028d98042d1
-
Filesize
110KB
MD5d76e4e9a0bb0da4c9d5bb26939fa7455
SHA12f8f01924fc47e050d8548982f6d4f1c8179f9f1
SHA256083425e6bdf8b2c1ca88ddc53a202cd51fe8f5a6f3f3b03700ad6d73a56af2a2
SHA512aebd758c951a02b901f42123346809fc537766108b658c0eeec503bfdb27c2de9a707a29bc88938991d0bf7f96d896e7e75af14a16f5258aec51c3dac761b7d9
-
Filesize
126KB
MD5a8c5ea190488595074b153fac510739b
SHA1594bc32a18172c5d537eee6f3a808cd84d0ecc58
SHA2560e1c4b99789af38000ce7229d108d9457fae90ae08b732b8f2e09cbec875e074
SHA512e40f4d235f3658c87d80e99925c97b8186114a0cc66de5b6cfa1766909b65e67f7aef63b1897b0fa211381f8a178286b6fb60c9eddc881aea4c8c78029c43ce3
-
Filesize
93KB
MD5735aa5ed020ea05c9f6baaf973c2c7c6
SHA1dfbf7234fbb64fc3754b345cc3a321bca0873b07
SHA2567b9cc38abd08e5bb3981bae842c5bc1fad5bc5212de47860c92a741f373ce29f
SHA512c321de34f14a5a2fe3914b755d1f469d04cc0a743269c9cc9b28fd4dc31947b4424fc29efedc792af27d3cfc3bbe631c46ab1f9b010baabb5aef2f0f131b35a6
-
Filesize
131KB
MD57976fa46a1aca6bc5b26898afe501c2a
SHA1c54ba59a75b0a2d9daef13d468eee42092909ea2
SHA2567eae9d206fe2d00452963ba539e70c12cb55cafe6cd6d93c7f3bf17f414672fa
SHA5124d46814f80716f67e558a0f78c3cc6c853bf39abdb1eb68397434e042d1ae3bf48402e597dc154fa664e5160c0b221a7623676bd2bf10310a1bfce3c01126ab3
-
Filesize
57KB
MD53a81bb7f89fff51fd80d1e9e1e60471f
SHA17c04e73b47855108f7cb0f1f8e76b71078d74158
SHA2567afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc
-
Filesize
201KB
MD5372de1c2047fa78a5e0cf88605dddd1a
SHA10ef4690d50b79e7d2e4d7a08393cbbb7d74733c0
SHA2564a0326d823070ab43e5d01fabf2a86a1eae975f1ca8a1ff1c13ce9be671b1d1b
SHA51256619018fa260535a34a303003d7e39350c5a733b7cb3102c7a0f7347a3d45f9f843ca965c274df04262589d2f0ff219508739b87794d03232ff7cf56236029a
-
Filesize
129KB
MD568bb161e9b64cf1cba18ec95607f9ba5
SHA18cbb85cb2457f19887c95d7c1d4f0b9980962a33
SHA256e0086964b283f71e6751282f02648fb70201d4031785a43bf7b64280ebef11db
SHA5122e862f46cd1a822672efd62afedca2d60dfa3d39485953c163f9bb71e7ec5240de8b12989cf6212f6c05a6cd3a6c82e643e11534823b9064cee4da65e9dec2f3
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
118KB
MD5770406a828ac0dd82009b3a852719f73
SHA1ddf455a25537a89df0d748cfe5bdf3cf49f42252
SHA256a653f031602a729fa407de282a2f9b411556ae1915633d81e2d72e6c11b9d13c
SHA512a9817032aeff7d0177109715109fd0279bfdb261d6c0f8b4ee38608d8951184f4a682190b5f9ec81538daff18b54ff5f8a3f2d5b3bf503a9875b9b87fc540acb
-
Filesize
18KB
MD53ff7b0ad97271715535eabe7ebe9d07d
SHA1e4f191c22ab5bd1a00f7ef0e3f48e00f1a0e6404
SHA256a2c5e1d7011b184876783cfc0e0971f946720edd1ba947b312d7894f10f9b9ce
SHA512b6e9f441e5082589e6ec60ca37771a2224bf49e896ef33822f852bf63fb049a061ae14ae0e93c9d9bf1c73fbfe5c174525b4149ec9f1a187c490d900281d8473
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
600KB