Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24/12/2023, 17:10
General
-
Target
079f3253f17e2200643ff7ad837b8df9.exe
-
Size
512KB
-
MD5
079f3253f17e2200643ff7ad837b8df9
-
SHA1
045f7fe427e53d00d321901c3627207327bda38a
-
SHA256
e6f4ec9b8f849d593309c434cbd9f45abcb8df5599df64dc9f23a10de5e0745b
-
SHA512
143fa806353b125b5891c7263bd7f618c0340617262f12d973860ffc578da01c7e235b59eb1fd25d4e3981b70860d1f6e8bb1bdada5ea31830dc9e70e1b0a2e8
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\079f3253f17e2200643ff7ad837b8df9.exe"C:\Users\Admin\AppData\Local\Temp\079f3253f17e2200643ff7ad837b8df9.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\hulvhwaomz.exehulvhwaomz.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\zyjxtsln.exeC:\Windows\system32\zyjxtsln.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\zyjxtsln.exezyjxtsln.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\ociyvalbqqmym.exeociyvalbqqmym.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\hoqnfnylgomdihu.exehoqnfnylgomdihu.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5e05c8bfc3fe0ccda802f2a312a9e4eb7
SHA19d05f4c48c95f6e53c3af817eb502181320a07a5
SHA25629e7893f511e552626dc94916506e23a494a69c371ad1416365b1258c32c1a53
SHA51230dc479aa93f28c3ec0d6012a38a445678e840b6e79453489b792db6b3b1a6a927ae196ca3b08f8938fce7fa40f1d5bfd3e72bb2427e61a1b871a2dccd1bac6f
-
Filesize
31KB
MD529c771aa8e9e6803ee408ba9237b9f2e
SHA1af8f9920cc2b988090500b4ccdb29bead94ad32d
SHA256f44fb138562a90b60204bee38c0e23bb255586f8d061187cea1898f3ff086b7a
SHA5126d3e6192ad02de6625070ad5893a222f9dacbe506e0d98d87de6a341077bacaf8687d4973991e75d8276dcea346f15249d9b14e4da5e61d821542c6e05c19168
-
Filesize
373KB
MD5b7f1d56faf55242e922ad2661a8dc828
SHA1bb0a4ef95eee1e00b0df2d1e95828f3560952af1
SHA256b724dee09df2395c2271d563b048208d3ba4058a3e527f44357c213ae39257bc
SHA512bb28fdd8ee9fb43b8dfae821335a69cf6e3ff33b60f0f8fec76156e33fbd4b01cf84543fc119d2a4bbaef32c6b90cad3dace25ea2757886c64dfa0d462e6cd2b
-
Filesize
209B
MD5b1cefafb03065339e24eed313a0fac7f
SHA1a5dc7d197c29dcef1c5aa03d901b5bd8d5bbb42d
SHA256a49f061a098c0f192f2bf918cd7c54e6c4223c96ba3846afa429e7d16a8e8317
SHA512f731e7b2046d0158610e291f2ef86c0f86b22b809fb1dc635aa55446579ba1a6ca2f9636d64d48556494e05bac7749011f4e84330c82da5bcfcea7e9867c4415
-
Filesize
3KB
MD546da8fa0b71747eda4ffb544489094aa
SHA17d0af42605b504f721fc4601b77b36a4d18d4d7f
SHA2561532ede3af5229487e373105342487d2282a029ea5952f3adbee44378f20e9f1
SHA5123738b2f42133353d359c20b873330d8395b9e1132f0ca00300aba4946f5c7fe14dc85f12c72044c60b4e28f624ced31666d0885139b1be4db1f5980a79a09431
-
Filesize
3KB
MD584ad45f8e69dec6dab27c6fb31d4f0a3
SHA180a7c4c521f34fb02719e1860941dbc5350b527a
SHA2565f9ca2b876f294fdfe47ebc01984134895276d91d28691bd3a8474b9f2dc97f5
SHA51244c8ebab2618a6c72cd3a5313bd20f9ef5bf0da8ccb886a56dc142276993ee3e748ebf03eae4091205176fb035ba751e774ff4673e9de2e3db74bc2aef12bcca
-
Filesize
129KB
MD5787e5b674f51b50f2fcc87b9b1327edf
SHA13f79f80af66cb496fa626caac4495ac2f5f98686
SHA2569c7956d0e8f3515377f642961a31183d33458e4f63ea336fa694bdd054e8355f
SHA512007a70b15ba56cb2b708e2837b6fb70db3a3c243340698f95d623570acc0856bc613b1c6b4d56909385c20d7631f4556947f95a3895a0127a87dec864c231ca5
-
Filesize
125KB
MD50b1a0bf4330826c97209a2438ce117ee
SHA13a7711a4bf6441ba7b56afc9c4d50a0b9ed15e12
SHA25604ca9f1aac32e987198180a3ef0a298b44b0d549b0f965bd5563da2b7c9f9159
SHA51203835d9b2e8276cbc0d7bcb302553dca620159e323bf0e447848670b7a32593ccfa6201a0cf60f5d229726ac5759bbab3f161179fc479589617974992ccc9d19
-
Filesize
173KB
MD5252f4e525286ad0b10f407c84fdc6e5b
SHA1c45f6befe2df73a7a166ea3d5404c37d8e1a1426
SHA2569fff67714550bad8e0172c860c57f8b55e506e0f434b9a22dff541c1f597f6db
SHA512c338c84f4d722d77bf97eba5b0927cd538fa08bcb593b5921b81a821c81342291a53c7a803b8778c214439b544ceb5a1b4a760024341f99ac6067d929523f529
-
Filesize
147KB
MD5098d880cb5df5360e5e05067b40a9617
SHA1c2a4fc84c41d16e6bc7c6e3bc3bbdc261952d471
SHA2566aad9f737af18f9754ee2806ae69ecf656ddefa4468d6aecb5301b6d315a17e2
SHA512a2d99aa4b1edd44dc62cdfb34e97416d414838464847ea0975c17da6a9d0caf9a6edacd8203d18e6a97d38f317ec89e300f22d79549aa47614e5a9df61965af4
-
Filesize
235KB
MD562a450d2d31f9741de098a15e41967ba
SHA1fec6bf4e53f66d77d192e1d3fe9affb1d6eb2537
SHA256eff0b281009e53863398ce942f905399c33c30a867e403adc2c5fc849e5cee3d
SHA5124b2cc8e399d98b20cc18ef5ce25ef19c9aa846eefcb801187ca468559c8256fbad532e4a9391a86ce2205539a03c4481de322e517c86e0c35930954a0238d173
-
Filesize
114KB
MD5040e5e80eba1d44b36642ccd1c0f7600
SHA1a42eee8e3d0eb3133cf34427480cdccc07d70474
SHA2561a81cc0fcd41667cbae6ac29c45f0ace40753893a9bb237581a18944ec8cbbf9
SHA51267e5966991e122cc331ba348f3d6561641a9219a90f153467900e38ca5255bbff9eb0dfa3a03e7682f367730ec08ee0998ba0ad72ad0ee3b0b4a686cb3c7cb7c
-
Filesize
165KB
MD5e980059ebd0a1bf086d0af8cd8b94e72
SHA1853fd887786ccfa00a819394af0467d0cc67d27c
SHA2566f70c5a55ff79f822aef7d624c10d93726f4f0e44136088761187e9604a789a8
SHA512720407a0a7fc025ba895863b8e386bba5295a5139f070fa14ac0d604660fc3365f39b36db7b30a849dbb20ea5bba6f399a37d8bc11eb166e56c883441afa2f99
-
Filesize
66KB
MD511e7ee3de2035747ceaee986ff87bd79
SHA1cc639a0e84f4cea79ad0390b90a3b3c5239f1734
SHA2562129c15112642c214cea9b48fffe4de58a22299c962a659ce5c78a8509b9dc9c
SHA51223169bf31fc21f9b04e94b80f832dd369ff8403e564db853b0e57171a2b565698638b06d894869e68f73c191e18ec7d9252ddd369f4fb1b2f535d1461184483e
-
Filesize
87KB
MD5daa67e311e94e180ad05cfd18ecc25d7
SHA152accabc55a489bc59489be9f07e383eb28f6aa5
SHA2568a752ddd82316fc9e5c699e9fdeb46cbd64bc4abb238ff9b16c3f23417e648db
SHA512510658f0b3f954ba3706241be12fe9f1686bdce429d6cc8840fbb17b0f285337d1c80dfaacaaa19a19b52504a6a49509029472a6ee4980640d21239fcb141cdc
-
Filesize
49KB
MD54416f86b0dcace328554f96468d8ac38
SHA17826f9f41f463009ca2c29d45d7671627cf9f8ea
SHA2567b96b0dfce5ccd165126a5bcd9de124f9392272d7ab412aad26442ee79be0025
SHA51274b6d84c7784be5ddc6f4cc76578d732e9b01c10ef90e87328d136fed351c3e9c298e15b943a67d98424544807ada2156b65cb66ef0d7b5d88e94da4b27f5a13
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5d82d96d152716aabcb8a298b0521c837
SHA1f17b0191beab7725070f484b0dc0f053fe17b434
SHA2561275e22b8f6f1495c94be0e92d7cc6b93a49b21248369658d676464d1d2902f4
SHA512b88f5bafbccf3a38610b48ad60efcc1da97face9e319960b3885c8a7aadd265b3aac4211c0b4a297395971c11bacef8a83840d98679f28e74cfa987fdef97714
-
Filesize
512KB
MD51beaf61e3cf5101586f05c1fe7d4da55
SHA1d8c8ed7f9551a82f9e75c62ed082439330f0d430
SHA256e5a0fee84d86f4a6194e8c720cf039991d3fcb1b4a94765e6f1d9e65ebb8b0f2
SHA512ac2f4ae89705299cb7537cc98c549cf04e099a1575c8dd01cd1e2b22e6a81b20b8c2bfdff1b39b8ca7b4f710f999a1d6b4a452feee9955c70e164920d435820e
-
Filesize
600KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.8MB