289fb07890b4fbca5d0bd8a9e5e80a8f2e4d29ebc7c937b8b16e50fdeafac831

Analysis

max time kernel
0s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1af82dcb653fdb7b76bda1abfdedbbfe.exe
Size

512KB
MD5

1af82dcb653fdb7b76bda1abfdedbbfe
SHA1

0a4dc744486aeb247e582bdbae41091cc624bc2a
SHA256

289fb07890b4fbca5d0bd8a9e5e80a8f2e4d29ebc7c937b8b16e50fdeafac831
SHA512

1d3b9a17b2b2419cee8edd4748ad7d8532accc549a69ca4bc5d2922f902c61aae8df9b24ff17dc73d35f41d5fa0eeb092cf3432ce72e57ad100ae88be5f1106e
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
712	mzdorwlnrv.exe
1412	rkzhzvhfxvdiyqi.exe
4060	miptywmc.exe
4736	fjowzsfyqdamy.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1816-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000700000002324a-18.dat	autoit_exe
behavioral2/files/0x000700000002324d-23.dat	autoit_exe
behavioral2/files/0x0006000000023251-32.dat	autoit_exe
behavioral2/files/0x0006000000023251-31.dat	autoit_exe
behavioral2/files/0x0007000000023250-29.dat	autoit_exe
behavioral2/files/0x0007000000023250-28.dat	autoit_exe
behavioral2/files/0x0007000000023250-35.dat	autoit_exe
behavioral2/files/0x000700000002324d-22.dat	autoit_exe
behavioral2/files/0x000700000002324a-19.dat	autoit_exe
behavioral2/files/0x000700000002324d-5.dat	autoit_exe
behavioral2/files/0x0005000000022720-92.dat	autoit_exe
behavioral2/files/0x00080000000231fe-96.dat	autoit_exe
behavioral2/files/0x00080000000231fe-99.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fjowzsfyqdamy.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File opened for modification	C:\Windows\SysWOW64\fjowzsfyqdamy.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File created	C:\Windows\SysWOW64\mzdorwlnrv.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File opened for modification	C:\Windows\SysWOW64\mzdorwlnrv.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File created	C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File opened for modification	C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File created	C:\Windows\SysWOW64\miptywmc.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe
File opened for modification	C:\Windows\SysWOW64\miptywmc.exe	1af82dcb653fdb7b76bda1abfdedbbfe.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	1af82dcb653fdb7b76bda1abfdedbbfe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFABFFE67F191847A3A4786EC3997B3FE038B4313034BE2BE459A08A3"	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B15844EE389F52BEB9D53298D7C5"	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8D482F826F9032D65D7D93BCE4E633594367466333D69D"	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB4FF1B22D0D172D1A88A7D9010"	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67B15E6DBC3B8CA7C92EDE437BC"	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	1af82dcb653fdb7b76bda1abfdedbbfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D0D9C2D83506D3E77D770532CA97CF565DF"	1af82dcb653fdb7b76bda1abfdedbbfe.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1412	rkzhzvhfxvdiyqi.exe
712	mzdorwlnrv.exe
1412	rkzhzvhfxvdiyqi.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe
1412	rkzhzvhfxvdiyqi.exe
712	mzdorwlnrv.exe
1412	rkzhzvhfxvdiyqi.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 712	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	27
PID 1816 wrote to memory of 712	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	27
PID 1816 wrote to memory of 712	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	27
PID 1816 wrote to memory of 1412	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	26
PID 1816 wrote to memory of 1412	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	26
PID 1816 wrote to memory of 1412	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	26
PID 1816 wrote to memory of 4060	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	25
PID 1816 wrote to memory of 4060	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	25
PID 1816 wrote to memory of 4060	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	25
PID 1816 wrote to memory of 4736	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	24
PID 1816 wrote to memory of 4736	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	24
PID 1816 wrote to memory of 4736	1816	1af82dcb653fdb7b76bda1abfdedbbfe.exe	24

C:\Users\Admin\AppData\Local\Temp\1af82dcb653fdb7b76bda1abfdedbbfe.exe
"C:\Users\Admin\AppData\Local\Temp\1af82dcb653fdb7b76bda1abfdedbbfe.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:1128
- C:\Windows\SysWOW64\fjowzsfyqdamy.exe
  fjowzsfyqdamy.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\SysWOW64\miptywmc.exe
  miptywmc.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe
  rkzhzvhfxvdiyqi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1412
- C:\Windows\SysWOW64\mzdorwlnrv.exe
  mzdorwlnrv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:712

C:\Windows\SysWOW64\miptywmc.exe
C:\Windows\system32\miptywmc.exe
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fjowzsfyqdamy.exe

Filesize
81KB

MD5
e3aaed29ff934c291341b74b6a8ee6ad

SHA1
d2bc00371c572fc958e65e2591d7411bd4e8ec6c

SHA256
2b33774a7c1a27ded26eaee92f1df3ffab95538e9396274606da1d3b9ff121ac

SHA512
8a01edf692761d97be4f94b6cf7bc2a50177af67e57410020c11de5045048e929d040c96a2c359984cfe1ec3af2b8711e48ed74a259e9d2125b804ea3615787d

Download Submit
C:\Windows\SysWOW64\fjowzsfyqdamy.exe

Filesize
92KB

MD5
6662b185f19fbf697c56a25c92de7961

SHA1
0df0c0df0de3724258df2549c583e3c934aca726

SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Download Submit
C:\Windows\SysWOW64\miptywmc.exe

Filesize
96KB

MD5
cc727bf87e75e50d52a07aae13046485

SHA1
1e3f482c3e5ce033458667b8600f90037a39f88c

SHA256
a030d652d6e7aa73d0ee0f3cdc1c4c4de60b34c67e8ad81e9dccaf28e833871b

SHA512
a724410143e813afcfba5b3033840a919bc1205f8a9cfbcfc8191d241051f10fa3d11bbaa5beabadb9b4456c717ec541013d42e125216620f2988a0f6acee44e

Download Submit
C:\Windows\SysWOW64\miptywmc.exe

Filesize
71KB

MD5
1f562aae2a0ea88f256e851e704cebae

SHA1
16d9bb0c4f3b2c8f57dcb24816a0b53d56fb04ca

SHA256
16c160153f158a890e3c68f66acc6c21bb4b1837d6c591277c60580b7572e5b8

SHA512
fb135c915eee85720fbcf4c06cb8c540ace69d9321e8ad087966abb05d143f65e2dd55415364ea5eaf1da5e9cd395a7c8efa9d976fcac8e20e9476270e0b2b53

Download Submit
C:\Windows\SysWOW64\miptywmc.exe

Filesize
171KB

MD5
0da0d75b4b5f2d2fa716391fc84f83d2

SHA1
b92930407cfcdb6fb16816b4d818b480abb82ae8

SHA256
010833237e2adc66cbbe7acd69899e6f25211e7623b3c21ff2813b09dd182e06

SHA512
729f441e76b1339563e2a0248298c386b9246c38d637114c34bc51f3e3ff88daf5a81a78264fb5f78430425d2952a2a8b48296f3b00509c719c89e93f99d2349

Download Submit
C:\Windows\SysWOW64\mzdorwlnrv.exe

Filesize
103KB

MD5
15dfb4a50bad09a6bd3f330da99dd9ca

SHA1
90e127747dfe6d612dc4456ec44cccb4fa643ba9

SHA256
8dbce28d825c1828477ad6bf5873598151589de7d91012a56310909441ee4511

SHA512
13a056505504dfdb8aaaf0b3b1f95efce7cd8ec012f2b7333aa239c0d2b9f086aa5001dd12a3499537679e9d3223214631af0eefd0f02d12ee0e6f88505e6f9b

Download Submit
C:\Windows\SysWOW64\mzdorwlnrv.exe

Filesize
304KB

MD5
22dad3301f9f3fb0cc958ca1ec8cbbb3

SHA1
34bdedf0666e633f06f52f22fda0bc0cae7df99e

SHA256
5d051988b5c7c289843bafe761733c6f885301dcf111cf8b3b7395759cc0b6d0

SHA512
18ed3c36d115b771da80600fce29e107699a1c29c819d2179153cc0ab8257ee1654a3d3963e6f7f5ad23dd2de020ea1ab815ffe214995aa3d32b2d0e067e828e

Download Submit
C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe

Filesize
322KB

MD5
bc544e9fa2aaba3ed6798e43b94add9e

SHA1
5a141626aba5264a4a0e4400210ffb245eb0f498

SHA256
c8f0f9bf5386d049f155c5365a455cefaf32f8df962c3f4c4889118678404644

SHA512
a778b1ae96d23d74fae2c82305a6e9fc841365e3c394ab59fb4dd4bd6ebc62dc8a1b76fcb6591773dc9a3e20cb1ba93dfcaf95068f43d62624e6eb36fea5d22e

Download Submit
C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe

Filesize
241KB

MD5
095e6dfc24d54b5fb11df81e767a287f

SHA1
362009368e440674ff2ef61ddd79fef9ce092f90

SHA256
0e7b9b90a4b66d235dc6adfaa9a4745de738421d679c87af52ce4fa7c368df98

SHA512
bb6808006b81e86f68cec133120b6cf9d879e6bce30889636efb50a3bbf003a76146e8d284a9f6c8b8b0c7b8d70d773b2c330acde191de1e990b2d708aaf5612

Download Submit
C:\Windows\SysWOW64\rkzhzvhfxvdiyqi.exe

Filesize
267KB

MD5
ca24c7ad7a8ed2c8b4e7b9ad4143f0a9

SHA1
828e7acd54ea8754a2b6a9cee57a9c86be56acb7

SHA256
3f5e4efb307b554efc4e4de9b437b7d616fe97a8d6d8a8bcedeeafd189b56140

SHA512
fb364e0f1769d871b4646d97a2ef340fa02dc4fd9953b84b52f8bd865dce164b923146e3f4f7decea32cc2aaa4e8b90e01cd46d565ed2b907244d51a60131232

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
9KB

MD5
b35b1f4c5eb499f62524766be9a3f580

SHA1
f3a95cd805d4d178906b33d01887e100ac31639f

SHA256
e311cc9039f96406b84412246561aed0aa49832d741b137e342843fe26d45b3d

SHA512
885bb3047c46cd65081975934aad7936ca99e4c146f0eeae98e36adb5b52c92c7a2a1cc8e645f50b8445dd5aa9d88e1db0ef860bb24c5f7122a87dd2b586a5a7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
5KB

MD5
8b75f548f625f5bcdefd8a002b413126

SHA1
cb30cad9b1eaab56528f063957982cd90c824589

SHA256
c8aedcde02051e1e93dda61a7e73daafdaf8ea9ff0458bc7ba8674a8bea7058b

SHA512
20212c80e77f458f4593d3b550a5b9a63dd0a34c6cb10dd0d450c0499da530baaee1839f5ae328313fc416ccf0b51d11205a90e576f43794f18af895b08be1b8

Download Submit
memory/1128-51-0x00007FFCD54D0000-0x00007FFCD54E0000-memory.dmp

Filesize
64KB

Download
memory/1128-38-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-59-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-60-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-58-0x00007FFCD54D0000-0x00007FFCD54E0000-memory.dmp

Filesize
64KB

Download
memory/1128-55-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-53-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-52-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-50-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-49-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-47-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-46-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-44-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-43-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-42-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-41-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-40-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-57-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-37-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-56-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-54-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-134-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-48-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-45-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-39-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-114-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-138-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-139-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-140-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/1128-137-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-136-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1128-135-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1816-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download