Overview

overview

10

Static

static

5

070b287ebd...3d.exe

windows7-x64

10

070b287ebd...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 17:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    070b287ebdb9b7ee8134708a0ac21b3d.exe

  • Size

    512KB

  • MD5

    070b287ebdb9b7ee8134708a0ac21b3d

  • SHA1

    d588cfbea85c44c2ff033d2ec740c5ba0d4f5bb2

  • SHA256

    2a0dcb5bcc1dd14bd1f4faef3664929de17de3501a4f5fd063a60573b20739a5

  • SHA512

    b77ae944fa1eae643d661e971129c1903500cc31ff020c36a0f42fa359cb2dd48c10e2d4ebd1eccd4abb57f7587f58c38123a056c17ef6f9751d64fc5a9f9b3a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5U

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\070b287ebdb9b7ee8134708a0ac21b3d.exe
    "C:\Users\Admin\AppData\Local\Temp\070b287ebdb9b7ee8134708a0ac21b3d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\SysWOW64\bdvuchtcpv.exe
      bdvuchtcpv.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\SysWOW64\dpwqvrrs.exe
        C:\Windows\system32\dpwqvrrs.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5004
    • C:\Windows\SysWOW64\dpwqvrrs.exe
      dpwqvrrs.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3764
    • C:\Windows\SysWOW64\vqjtgfwtinfih.exe
      vqjtgfwtinfih.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4036
    • C:\Windows\SysWOW64\blgatmxkmhwsxpx.exe
      blgatmxkmhwsxpx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1540
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5076

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
          Filesize

          80KB

          MD5

          f6c0328108d87a8ccd526926fc78af96

          SHA1

          5bd5f2d4a332eb90fc0536747c4088f66a4a6bdf

          SHA256

          0d6baa2757917b8614c4c5987a0bbf7cd218ecf0cd68b9e894dc12ef6ed99d29

          SHA512

          72fa0f6b469e389501d3ee33233cf4e7f0375efed93b72c47b98d64dccf225df38009ef87e014e490f889066a4dad948b6d1e9dbb9ad34812bf1f0fd3b0fc709

          Download Submit

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
          Filesize

          398KB

          MD5

          098e759e9ab0bc5c1b2605bca8ad1834

          SHA1

          ca05bda31601a022c49bed5dd4a14641e8740e2c

          SHA256

          29f969ec8091a30bc3107e2e446c8fbd761bd0002371a039cc04644039b906e4

          SHA512

          677ebe445c1cb139bb5a5ad59b976e6d21b5753b226b3d3fa58b003905f65231f3182012cf79b832d33bd5c694e04bc21ce9427a714cc0c69a3429533ff02e72

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
          Filesize

          239B

          MD5

          7b89423871a8b3429c0db4483f1e3044

          SHA1

          d305d32237a5792a9b46be8dff420942db6c6def

          SHA256

          4e7c195e29839c46e13df90229a2c801432861f9b5f478cc7b439e0b21cf1217

          SHA512

          b6d83fb39d30af7c75a2569085438fb21f27a1d132646daeebeeae0d15498b4eeaae2c5cfd9f520b329086952803f1da2c932154c198d68a4d5022a34941acf9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
          Filesize

          3KB

          MD5

          cd700d56891c8c997ec9f04d7306a5f5

          SHA1

          3bacdeb7fcdd13ea835697ba89a966aba94ed179

          SHA256

          0394e27e13cdbe6d55e54e9fc594cc6f4dbfa95789074230b3b9b5461e0949c2

          SHA512

          016b55cc1ec16c9a55c0d53f287559ada07107b9612935ce85e5265f502b5c0ad70876fb79e085fe03173e4fc90e3b892f8ba4e5e34aad7bb3c6ef857c935e56

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
          Filesize

          3KB

          MD5

          2290701a8ef80074c61d4d77c2624535

          SHA1

          c6f51b4a3f6bef578559060ccc1d77c9309302a1

          SHA256

          8c26272a9c2039f75669a05a9cecfb711ce6af0756d14b48e3d3440251a2851e

          SHA512

          bc2ecb00e865dfdbd36b37f3fa43452f7a90900bb32df07e96305ff3cb2f0e5b0d0f5ee307260d73989d6011ff45534ed2aa6c49593bfe609810a1c02d6af145

          Download Submit

        • C:\Users\Admin\Desktop\HideGrant.doc.exe
          Filesize

          219KB

          MD5

          67adb10e3b55d1b3983661da5681d17b

          SHA1

          fec8f33c7dff3cac2bdfc249758118d362cf0ae0

          SHA256

          78ef0c7df814f6104a6e58a569a1f5306eefe115acb55c98b621af2b7420f9ef

          SHA512

          597dd239395084a7ba5fdcfcc7acaa4cc55aadab6a5771b19c845b2610e9f288f7a265c418e8fdec689d2b649c2984638a2cab9f66ff2309a55890c092bd55db

          Download Submit

        • C:\Windows\SysWOW64\bdvuchtcpv.exe
          Filesize

          200KB

          MD5

          dfb9a7c7b37423ab81ee31324dda032b

          SHA1

          4fdbd56478713cfaec13da6b4c728cdb9ce9c069

          SHA256

          07a93948bd7706a031929ce0dd69910044518fd4876a7455f9e9fed7ce6dbd30

          SHA512

          5ec6097f344fa2fdc6e2bbcd64a27e3e39f0122670a924802966fd6310c074c56a39aea9065ff178cb23df71f6e6755f3e3f0fcba713f6b6105a880a10ef1ec2

          Download Submit

        • C:\Windows\SysWOW64\bdvuchtcpv.exe
          Filesize

          349KB

          MD5

          46daf3c248a8770a432c15693549fccf

          SHA1

          ee8d51996042f728f36d2c621246c3e995316bad

          SHA256

          7913c964ee8a7d0b9cd4b8f8efbfabda13d9c70a07808c743a00fd063dbec68c

          SHA512

          182d83ece074cc78ab5d703b3b4e045aeed087b3ecefc7aa55b3c5002fc9de33fbc1e320d7de1bb9397351441084c8908f59b676335bbc3091a565d9fb92e26f

          Download Submit

        • C:\Windows\SysWOW64\blgatmxkmhwsxpx.exe
          Filesize

          386KB

          MD5

          dba0cd29001f0cfcd4e8f1e012d2659a

          SHA1

          b5993a48a16098010bd5153b9ae66ff690080059

          SHA256

          cd9ee3f8ef1260b63c403311d556323c9f37aafc903d83d9f25fd05ab3a872d5

          SHA512

          1a2a4bd100dc334f56e0ec3607465f20da270f2de416380e9737afe4a2787f9a723f488a35bf99fac6e6555889700fdb07a4fedffcf37f9c8a79c16a0ae5cfe0

          Download Submit

        • C:\Windows\SysWOW64\blgatmxkmhwsxpx.exe
          Filesize

          177KB

          MD5

          b6f1ecf819cdc1b9931b22c569dc7c34

          SHA1

          7c899eba20c25683232bdd2caffe35df904e40f4

          SHA256

          3f0b42fe70160b106bbaed02f647cf2e3f4269e2fac7a2ed69f904b04d2f5d4c

          SHA512

          d3c9d89cbdc81ac6843a1a7b9e9a396b00b68d64b15506440573214aa2366a1581afe4a1e22ad229d37ce538aa0f07737826ed6c3bae429f23d2dd506679d532

          Download Submit

        • C:\Windows\SysWOW64\blgatmxkmhwsxpx.exe
          Filesize

          512KB

          MD5

          82800b01333f3534e12611eac8d87e3a

          SHA1

          5a656b14dbe6075a5f84c9b25622d3439e9537ff

          SHA256

          022e7b326750a709dded6d4ea680c7648bf9db58b32c23d7ddc9a3fc0dc4c995

          SHA512

          5582db7df0a7d85de74e2d2c3ffe1b9c2e4be671af29585d113a339277be22bd12340cf2748251b02c9d67959d636155b3e9dd3881e07fcd464d33c44a836318

          Download Submit

        • C:\Windows\SysWOW64\dpwqvrrs.exe
          Filesize

          424KB

          MD5

          5ab68364bf603692ba3120cf058c26d0

          SHA1

          595890399182e53c6037933f4f7b85fe1b8647d5

          SHA256

          ada5c267d2fe199680646e102c3b9ccb63937769e1779e2a3ea046c093c990b0

          SHA512

          785fecf58d27dc0a7b10f728bdad87230955103728d23208743be5695432abab79369f23f1b4fc3f1f05bc1e7ddc216ad3b6c26d6759f34cea014e5605e12d92

          Download Submit

        • C:\Windows\SysWOW64\dpwqvrrs.exe
          Filesize

          320KB

          MD5

          ee7559043f4b666e0c62a3031c75194c

          SHA1

          b7822c74e059d1afc30cdb836b1dee056e9a69d2

          SHA256

          d24316b24208005cdb910a49bda7d18ebc86317037cb0b8f8efa82a3cb901d1c

          SHA512

          eb13b8f0dacab37d7175acd65837ed325743e9e7baee397e884c4a6fe6f9601eb667c0e5a20935dde1bfec28097cdc090d1420f63b708ab256859f5767be1c22

          Download Submit

        • C:\Windows\SysWOW64\dpwqvrrs.exe
          Filesize

          193KB

          MD5

          f8b27ed254ec5480c86a716978878ad3

          SHA1

          dde81b810b66c3fbb847b083c8faa20ba0732287

          SHA256

          d6dcbb318b17f015565cef440f88f94e60303a8631455180f0b754e889f8e467

          SHA512

          4960f649cd5206d058b4a43dd9d5144fbe3bad0be2a20ae676a706d1713a214ecdb1d040011ab06a4b380f75e18434681b92c2c44bc611f33c5be938220a39d7

          Download Submit

        • C:\Windows\SysWOW64\vqjtgfwtinfih.exe
          Filesize

          289KB

          MD5

          a8c2b2cbe953ee612c23ccb31a01acb3

          SHA1

          5ed611a1a2071ad8232bc1dcc473544f129cdaf2

          SHA256

          a69c0a26e8f1932e8d28b2899f03d616fbf08ba4af2ec9885dc76a50e3c42360

          SHA512

          a4e890515fb2482d624235d3c069065cdb7fa66383638f13efc54e804566dad94c23371179f06be6670e13f5aad58150d2821762dd2e12153c67c2b7d2a384b2

          Download Submit

        • C:\Windows\SysWOW64\vqjtgfwtinfih.exe
          Filesize

          354KB

          MD5

          a1387c5c50e056f4024c698690053189

          SHA1

          cdd7dd9ec645e36dfe935cc32e98df5c329a8e88

          SHA256

          cb5e46d9085210b510bf8d1d8dfb6844b8e7a8c6c737cf7e5b04979860faf691

          SHA512

          1b5547330b3c895bd8ee45c6a1ba8977902d5beee2e24a55dfe06f82cadf8c272bf7d74da48be71ea5733742d61dd1ef441042048b11ab7e6b7e6bb0eec21443

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
          Filesize

          512KB

          MD5

          0bb9b2b9c1b5dfd76a9b436e47f3d7e1

          SHA1

          8627794b79e2a150e6ae5c78f1b60d88aeef4d5a

          SHA256

          2f8a843492af0f8f87c9f1597ae43ba7cc88befd3002a2d696cd7394243e4b02

          SHA512

          a8da62fc3447be1988d3012a3c08368b8765de4663b3fc871fab739a5ba0010881eb8fdda3bff5d6881fdf6072ed4c0d683b738a2fac4a0816bfb8a3693ec975

          Download Submit

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
          Filesize

          512KB

          MD5

          a31fb86f7beddd384c3ba9b52e33953e

          SHA1

          514b32df1cf5df63d22fd59f6943210e56a01eab

          SHA256

          76eb5bbfb6fe7e77ad7c6c2f3fd7d7c05a18090957cae140d1ff5e8350fdfc7f

          SHA512

          40280fca0e5bc6f60b4637e72b2d7f554d1605ae4b7a3d7db81f1fb62bae7513568c187ad118be6491769062808269ffbc51b2ba0126f9e63a78586f58ced459

          Download Submit

        • memory/820-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

          Download

        • memory/5076-40-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-44-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-49-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-50-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-43-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-51-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-52-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-53-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-55-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-56-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-57-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-58-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-54-0x00007FF7DCFC0000-0x00007FF7DCFD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-59-0x00007FF7DCFC0000-0x00007FF7DCFD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-47-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-46-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-45-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-48-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-41-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-42-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-39-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-106-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-107-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-108-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-38-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-37-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-144-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-145-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-147-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-146-0x00007FF7DF470000-0x00007FF7DF480000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5076-148-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-150-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/5076-149-0x00007FF81F3F0000-0x00007FF81F5E5000-memory.dmp

          Filesize

          2.0MB

          Download