Analysis
-
max time kernel
4s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-12-2023 16:54
General
-
Target
06c73b612212a1f2e1f7bb3cec148820.exe
-
Size
512KB
-
MD5
06c73b612212a1f2e1f7bb3cec148820
-
SHA1
352b9262894d045be6f743a382905f566f9c0dfd
-
SHA256
87a6780865f90a110b2e39fcda91d7cfa34e748b03a712d8170dd59a2194bedc
-
SHA512
8ebf7d37a47e20dfec0397df7a5c5821cd53af182d31c5db24cf7cecb57ca647d7733bfe78acbaa2d1ab620e2ca66dba7ec76d381594ac5fe96f9a21d568c611
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 18 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\06c73b612212a1f2e1f7bb3cec148820.exe"C:\Users\Admin\AppData\Local\Temp\06c73b612212a1f2e1f7bb3cec148820.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lckjhjmudt.exelckjhjmudt.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hbsycwxw.exeC:\Windows\system32\hbsycwxw.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\hgrkkriwtytdd.exehgrkkriwtytdd.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\hbsycwxw.exehbsycwxw.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\oeocdxlneoyjmxz.exeoeocdxlneoyjmxz.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5a384f05f47410f0376b71873cf568003
SHA1ad08b1b5418c48fd2dbd2a38e4efaa24328e2553
SHA256e65fe6682b10c0fe03490974cda9c27b866b768784165b9616ff2e698fce7f40
SHA5126b43fc079796ffa3326a912cdb4700e4b35f4869b3dea275d938c17533624411af272ca1ac7292107b30e6dce7502c897b21723228b8a7eb8ebeb7bf366e5f3e
-
Filesize
512KB
MD51f6f628acdbd7fbd8045ebf78b518eab
SHA17df8095c63f49d95d5ca399e17c827f119aa8255
SHA2565c6ff69f945eda3c7a527c1469621d065eaf016b7ed81f012d05dcd22566560c
SHA512d7fbf3ab3e3b3c9ff6c74fc88d5237f1daf9594f9f71d5b7a7673e7670d765f36dc75ebc72505520e3f6e63731ca5010b62ecd1c86041e6d9410a08a590fd196
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD580d9105c8d2aea4188633fedee0fe486
SHA1e9b8bc2e2aa7ef4b9ba904e53eb0d3a9d760ec54
SHA256b6dd6846e5fac981bbaea39ddbedf2a9da01d4128f578375dbb0d782af7e1c04
SHA512bb01a9414ed911f9e52961ab43c85d1efcc659afb5d6afd30505301c2727ca919ae496d1d5a1116b734f68b6ff71cf860ed41719ab469353f06b007598130966
-
Filesize
3KB
MD535272a8b4e4be5cef33dec198644974d
SHA17ade64b1934fe704495fe2894c2996c02f130240
SHA256e25e892595d2a2aa88721ff5abee058d333480d5872d8c818d024af08fbcd202
SHA5126fc63719c681ca076392ac1b4b9024db6a52eaf728e02e43da857b95323199819199ff1ec1148922697bdb8a99d2d3ce2792d0fc8dde654e80aefc7e839dee97
-
Filesize
512KB
MD538ec4134454a8bbf9910de65421d53af
SHA17000e5752c90461c26aadc27eeca512236ef7160
SHA256c1c2a2cc87d6a150333153c24b41a71686d4fe634145fb450fc2b32fe760247b
SHA512bee34c00935133a609a72261c07cefdd43780c1a99a5727a70fcde17d553ff3e377d9801fb78fb2dcb8514dbe7bcb7aabec2fea91eba651c4f582fe5ad1df2cd
-
Filesize
11KB
MD580f0ea8491eccf8487a7ee5e91fb9d69
SHA12565b5952cf69a0a89db30dc8ca3d504681a39a8
SHA25687cbe8aac347ee6e6cc83f23268e776610a87355fb36035349cb57ec6153e34b
SHA51228ec393dea62ab952f660eb873b8fb43b03998417f095c1a36aeb46a0f6b4d021e50a12fa64b60338afed009fe9b68a51d96c196ead18df284b3a7ef0b7e25d3
-
Filesize
14KB
MD56d582514853aac59526a6b7416bc0b90
SHA1ca7d3280fc98e5dabc5171b3d8c7fa852f971c58
SHA256d14e0d10f2cfe9ad8a6da814fb3343446b032be18b12559228c1b627e9de84b3
SHA5127dc25cd80422e770124b8eac24eefaf739e85244e0e8342c9d461ac7566bc2171670eba375aabf32727b6dd9a645fee1fba4d5c7a6801dcd10612d2fb9762062
-
Filesize
21KB
MD5fc4c935e0af0741b37cd4a3a0cf7fc5d
SHA1b934cc80ad63f6a3fd219c03a4218165e0c6bbc7
SHA2560e82504b5bded7ed79aa6f73761f5b76657335e5c417f8de580451da40fae4c9
SHA51272b6253eaf654e08c277a3490f8f5ba076df50aa98834972250293b9442030e0585a0ca47a338844b9f9117b85f0d9c8bee5e8a837b29cebbde4ae0731b2ad75
-
Filesize
30KB
MD5104e138f00e00c3bdab813ac26978fce
SHA1e2ae0a96601b2e7aedf6e0bd6e6a2b085c34985b
SHA256e62879fd3e3e9d415308ecaa58867540184792c591643e8a004bde67e1289494
SHA5126ec5c215585e83e76bc99d9be96548c47e7325ef0adf7a31d8f3b2180173acc79ddc5ea3b0b402063af425290e5094b33ed823a22d8814c4d88f3fcea5ad8a91
-
Filesize
28KB
MD5e8bc3386a156eaf48437574643e3bc10
SHA16da14ba6859dcd6fd2a526ba03ddac7482b413ac
SHA256158c724e5195d55749bd753cef283deb6b3a9df57c37d671b37ed0c6c64e7d84
SHA5129d1cee821977e512046e9fe9ab33640b5b921aac7cfd4bf84deeadaee6248d8f5f39f6660a926cd3934eabf7d709dd3f862f584eba5132657967a4f6e6694b75
-
Filesize
5KB
MD54218d293ed3612d8982614d241dce0cc
SHA115388b63642a6838393deb28fa18b077e24d49d8
SHA2566d0bdb0ae5753df5ec4c6fec380b19657a4a3f092e68a2e6ade4e0a3427d65f2
SHA512033fd49279c5eb84aaf0a775b8d26de13ee10694b6922d04ac2b1a281fb0473ee2efe8114d52a2525dab8f7d057b79aefb06c6d952394bb316b49db4d2d00703
-
Filesize
18KB
MD560ce87997281eecd418156b34310209f
SHA19d19c0d2a436433de9f7754bb17757e09e40de9f
SHA2566df7028dcb2cd6022320d18a2465191fd22983705e55e6ecdaa407ba5dbb4b7b
SHA5128a144d3931a68bd52125f6ec09461a0ffcb0002eb2c0e9bda230ece6a26766282c85cb09dbc39760192e89cf80f837b32818c5bd646325420887c6b558b1c406
-
Filesize
20KB
MD55601df4ae38efd4bd97a4518a835d84e
SHA16e17cec41d2d49365b9da8c8d78010711b3a2b4a
SHA25658b57bd682c7f7894235b73b7a59656c79cafc0ec17243a262e7dec1cd4b620c
SHA512ca5cb08a7c4dd597958ce54324ea17ac2882301736833cd46cb3c4b9b94b210b3d05309fc99fd485b4b21699507ec72a2a8ac525c2a5d98398177ad2ddf757f3
-
Filesize
9KB
MD58159001f4b221ce49036830746c5b74d
SHA17d5d83361a7f81f5e6bafea78e60e3617de464cc
SHA2562e3d86dbe05bc6d4c489a8eb630333c319f9d68f894e5cb1da7aaf5dd7675918
SHA512848a0b656afd33182b5be3e94e981fdd341c6befb7f8a614083340f3ff7ff3d62506e8be80582d804d3e26f95a919b7dcdbaaa4888320f2f22c6ddb73a5ad0d8
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5c1afb7f519c723d2e12577b1972cde85
SHA1d7f9efc72c13ade8f8568724bf3e91175c8daef9
SHA25697a963bcb3b7d2e33fb170100ff5fb40fa8646a6763b19538e2c4220cac6ec48
SHA5129fe1c68a115c90e9df54ec06c1832c6bfb85acef76005d48001ad933547a6046b97438ce57e1d235d9346574c720aeef2f6450059661e58a28b3d85e1b2fabc0
-
Filesize
75KB
MD52c11dcc948e73f5c0a233ee49943df35
SHA11813131a4c0f7536519fca365189d3cef5d4f17c
SHA2566e3a511d3cb621c5dba8c6e0990588bdfe289eddf351cd90b826a370bffd7974
SHA51291d5e3cf19b8d1c8532bf5c636e7ba21ef75b9b3827eb05700df2a825dea2bb4cbfa963d34d8ca9aab9f5b2438680b0acf91c40fc6bdf80a93144bcd2a490b53
-
Filesize
43KB
MD5cf69e43891a4e795c527a5eff4cd7013
SHA119aaafad7ace367efbfa857ef1a90bb72773f21d
SHA25673a24628edda7f815fb3720f47e0ac8a694d786d8790ebf9591e0309a0d1c681
SHA512dcdf0f60c33ed3a8fcf163e0ed135b83acd505fe3c7384e4199091d6aa24b71548f80fbc4e524bbb6b1e7f6c564fecd11f124d136bcf3a36dbee6d80ddf19e8f
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
600KB