Analysis
-
max time kernel
12s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
24/12/2023, 14:27
General
-
Target
00d5631d7e417272e1c6bbfc3550cf1c.exe
-
Size
512KB
-
MD5
00d5631d7e417272e1c6bbfc3550cf1c
-
SHA1
4d96e053010e3b19a7fffe5a00064bd562248dc4
-
SHA256
016e41014f190f7c79e3a091b3e002eedfea88738fde6b9e40b97390b0f09806
-
SHA512
70ae6474a2f372aa695a7104f9e7a8ab794a742f67b3a13dd5cf04d71b39f4bc6dd2bed92c8e42ee2a73f26ddb2c971b840dd6e8aad2dade59575f76f815dec2
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 20 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\00d5631d7e417272e1c6bbfc3550cf1c.exe"C:\Users\Admin\AppData\Local\Temp\00d5631d7e417272e1c6bbfc3550cf1c.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wdrughuntt.exewdrughuntt.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\uvxedfzs.exeC:\Windows\system32\uvxedfzs.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\csevkwtiulbqp.execsevkwtiulbqp.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\uvxedfzs.exeuvxedfzs.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\wipvypriwaloajr.exewipvypriwaloajr.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
57KB
MD56b7d06efbfdc9f36e0a690d53b4194d5
SHA173c182c0b9f90b29aed89c589b28b8097acd777d
SHA2566b67299fbba243d1a64a48c12cd9f329d48c04385a419ffc2fe6b200b126c0af
SHA512d2195b43ee95a24723452bca51f1e050c9b45f56ba97cf5933d309f523555a16e63eb3da8592a0358d6dfd705586ca8e5780ec169a879338f1438ed961a8eae5
-
Filesize
45KB
MD5aac1c09f212f48c3c7eae46c3df369b8
SHA18b1cc36184bfcb2e732d8894e541dcd89265bb9f
SHA2569cf6541a05ffbe2b4e439abeedcf4f68ce5f8483bcdb689c6697fac5d6a43b9a
SHA5126e4f3f2087faa37dc43aecdcb6c008669b3ae253af7485890af1783748c0612f7fb6af616011e8c3205e00e4ac895bc4b3b08b21960683908c8b0e6795b28d1a
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD5da16e9a19456d7f400b3b814c76de6b4
SHA1d6ddb94a43ae1bb840486394feebc9772b3d61a4
SHA25662922b5dc99ac9e22de4db5a3c647e66d8a61734d16442a29659e5a5de225417
SHA5126b20eead3cc693c73006b3dc58d3efaecccbe28b528f9e4cef4969dc9744e6daffc90a8f28d9c09e88ba957c9a3098f842d248af70146b301ea4e52bc141c52a
-
Filesize
3KB
MD5cf626167a69469131637d0141367edf4
SHA1052d5e99b12784a72ef1093a5c9d906cc608e528
SHA256855dee7570e82802f961f1dd2bdda7391d9cf1808e84d190d97f84c985070d61
SHA512af6cb7f16cc2db48a34000699ea505400784ff027ade1d1aa8fb4a123c4a8ddf6ca0d3e79f9212a5b6d75e8c3c4e10634e958579e290e03e48690ecce4fa503b
-
Filesize
82KB
MD52c0b1fccae255dac6c37237492870f9a
SHA10bd32f5956891d4205ddacd8511b2344369adec3
SHA256b50d9fe29b79b1b459e29eea8b2dcc06e480d5679eb72eafbf19fd1d6866dd78
SHA512772f634386bde85400a567b524d450a9ea9f3fb57e2df9144f6b9f5a27be32eb29d30b39b3fcc57b3b336bbbae04d8110f74b2921eab4114cfa89e91b42c2588
-
Filesize
70KB
MD5f8a080e2bb1796a0eab67780f2465744
SHA185bd2ca14573bb2865a87dd2d92b41920830ecae
SHA256962f80a8a287edc9e55581c10becc1f24472760cd4f8259fe918b41fc0a29793
SHA5123943b0d8898cc9d372ac9fa5bc7f45632157c17e44e46063071016d61e2d134847bc8e7576392154ade9702dde5d720a81b3c36154e32f1367dd648c5d1087dd
-
Filesize
112KB
MD5e10f9ca4d7635a06ec6dd5d20afcac06
SHA1e28ccfa2aea333f99286f57be4d23f6e5fae4668
SHA2560081dce58ec17bf3f7c90669b6ba4f99c556d198631b13005d97969c98a9194d
SHA51277077ad27852820b55f41f937fa54e3d50b2f54bd421baf3b91fca7eb015ecdbe58fb87d11b335daf1f414311e716b53295e39e5bdbddb8b1f8fbceb2565ab98
-
Filesize
69KB
MD5e124ab81dc3efc7a3cde9ff07340b2ad
SHA1b7836a57e2e20c71f9bfeb847af8d54134cdf3be
SHA25665d023a31a0f3907fce0b6cd9262dd8b456929d50a6eef11de2ddda799878821
SHA5123a76bed7853c2e7058abb780ce98947b6df87bcd9876ca5ecd42f3a79a3ff854c9728471bda17b006cd6f06ea7af1d0b22e3fd9c219b3504f2e668a91cc8b043
-
Filesize
71KB
MD50027870a0f4f0df59019e005f5d78fee
SHA10a8d5d3d3fd22310ae41e2c71dc36623d53039b2
SHA2569cded01d6489a908340ee886d3c1bc57b25fdd80526b7c301288dfc8e1166356
SHA512e0cabdf06b6b841f93c25cdb93bd6e372caa860e4bb7587d7a555e9d9f32f85967fa641f0409aa105484a421a22c9b8ed80412b723647c22a0fae1adf93a3070
-
Filesize
56KB
MD5c0991642515966b9ff46556580647da1
SHA123245ff5c879be3e37ccfe54ef6025c28d71e9c1
SHA256b278024c21dc7d6903c7a1df1d83a2c92247e87c48e44748e61f850966518bfc
SHA51242da162dad7650868ebc0bb3cb250ce1df6d5b957a210f1df1421bf6618c84ad0afd1d329ae7134e4530e86191d8a755cb26228ee26ccae1d975b7a984bb0e97
-
Filesize
203KB
MD5504db1af214ae710bc362496658767e3
SHA14ec7a7c6f71106c24e5c86780ffac1aed3fbcd24
SHA2562451e95df25e55baf04b3226e922a9eb9ea96a1832b7abd02cf83d99e23114e0
SHA5127ed8d5b4cced00e5237d6d818828945b38f2b04070e228a48af43cf955caa4926c9d17c4d69ecb9f21e16e8b4b0f39b80336a0dc4143f7168ef0edb44481b903
-
Filesize
143KB
MD5d0d172afe51005467c9cf96c8ff76801
SHA1493a4724e56dc01a68d15148a89e6c0708110bac
SHA256679e5cad2a6fbf9829454d42fc606c84eec58e298aafde7ef568ced3e9bfe65d
SHA512f59b47686e317e14fea3fb2b9961811342a4b19cee7eff7f7e2052b9e46e816314e73cb9691801112682aa388eb940c26ee16009b7b213ad1f99e48b3c25e84d
-
Filesize
76KB
MD5c000b0f70f36a8c4c08db1e85b64069c
SHA1d78e8fae1537e7830c7630fadc0ed35e7c242552
SHA2560650deb67d4a45bbd7eabdf8c89e553b30d24c75af1daf495260fc50ff66fafc
SHA5126724f6e88bf158aa92d4ef36a9ec3bedf8d4be08b15267433e39100352e0a20ce46bc5a05703934ce4b9ea82841127716ca479730dd49e1000bdd219b31cff0c
-
Filesize
109KB
MD56663114ba63a8af8a101aaa1cdf4cd84
SHA11f371607a7376e42b9ac487362864612112dee4e
SHA25653b95c0b2a9b8a454c10ab4af01cb0c63b9345beee673a5b4932ecfdacb57ff5
SHA51232f5737b5e39aa0b12d34bc84f73718bc42028ac258944ef7e3df7e6a3ad0bdbf386bdb76951366c6c283cacb06b90fe741560b6e94a6cd009d662bb5940d8ff
-
Filesize
156KB
MD5ea97e532d268ca9b2808fe80900e3c6b
SHA189646cedea50886c6c2abe3da38f3eec09570840
SHA2564287510c882f6694bb761968221facf5e754b52846137d6d0449a02bb96bd88d
SHA512ca006539c5132057fbda367d21f68aaf2770c6747635b1ac55d0abb25c4628b7108fcfc613f16dce825f9a5ec433dfdb0cf793f0f462de5c77100637998c7e32
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
29KB
MD5ee1aa6d3852d40204dd0d8aeaa1f9925
SHA1c793fd75488310aba6c4e59e0c7f7f35682b8f13
SHA2565d1f13a23adcc2c4e44ea86281f4ea36e4074fce7e818d4baae761677307df72
SHA51274976ad1fdb4ca392c7c924aa3901e494984d2ad2ccfd9a2b88c3908ffc5a15342258741390ecf792f82a64b1ff7922654b53c4a5425dcb60e97caea8db213ec
-
Filesize
68KB
MD590acbc08916f7e3eed1c215035e1525c
SHA1573e16afc2651b39abb9bbea1e3b04937b7829cd
SHA256b9d0855d38088e94cd120ad9e761badd96250f61727f9d434c3904b2d3efe7f2
SHA5127cb95165f4370b97ed06cbc0a1abad03d1629a6486aa4cd285d53ae13136dfa47f486c880a725161dfe5d660a00f9c26cd551d861a1b634fb30cae4df5b47cee
-
Filesize
91KB
MD52aa3eed553a0c780cd1432dad8e538e9
SHA18413d686bad1474b23ac592502a06246fb6d8a99
SHA25604bdbe63a56957235a481eb2a937f1072446a33f51ef8c599eacdbff19ed9677
SHA512570474be18950082945a438a4363798048f51eb25b8073e72a1c39db25c56abe4e0e689830c1344a70000ab2eecd1cc3272409c97e9be2aa7a8704eabc849237
-
Filesize
56KB
MD5d9b154264d7053396f51c7ed06abd688
SHA1d2ed59d4cafadf834873e6e4fe9d46c425251acc
SHA256f4d4e651b1b63d37a6a719bdbdb71afae4bbfbb0e21ffcdf055930066dcb8cac
SHA5126ab33e6d958298ecde15e02c14f8b6bf7ca15f0c109bb824ec3d955cfc8e45f2d2da07b049e5a39d12131b2c2846f9b74e96e0c5d48c2cf92f5bfb61ef670d9d
-
Filesize
8KB
MD53c462f5545d5cd441421fdff7439d76c
SHA12613b4988905f1f6c98e0175859f8d70f18607eb
SHA25653e019c26c05f3687b2baefcf86b470d4d4c88384c073488e7b0afc7d2ada57d
SHA5129f32f04cafc36b0eadeba830493ad3ed6350b017ffcd05525df7cebafdfa167806da137c2f62392701c3e7bbd669f6f93691a3aeb3e4503a329bd0ed7c3f8f42
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
600KB