Overview

overview

10

Static

static

5

098f94a702...3d.exe

windows7-x64

10

098f94a702...3d.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    12s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    098f94a702d5b06ec699099985bee13d.exe

  • Size

    512KB

  • MD5

    098f94a702d5b06ec699099985bee13d

  • SHA1

    63ee716e024d9e9f4b5445207bb03d04a9730506

  • SHA256

    15e03a2b72f9f2814d4d7d18985d0ac76ac3d7b3eabddc73c34d92f8d58ac6e2

  • SHA512

    1364b0fc5ee69e1edf7a5501d007f93be4c3d857adc2a6646dd728003f2bfd76fc80d91f35b903601176f3dddcc7552a66bdc85795d5d75948e54f4675f1af6d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d.exe
    "C:\Users\Admin\AppData\Local\Temp\098f94a702d5b06ec699099985bee13d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4048
    • C:\Windows\SysWOW64\buoecuyrcd.exe
      buoecuyrcd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1720
      • C:\Windows\SysWOW64\ckciihkz.exe
        C:\Windows\system32\ckciihkz.exe
        3⤵
          PID:2912
      • C:\Windows\SysWOW64\ckciihkz.exe
        ckciihkz.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:228
      • C:\Windows\SysWOW64\jyjsxejfmgjao.exe
        jyjsxejfmgjao.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1384
      • C:\Windows\SysWOW64\nyjnnbubssiqyih.exe
        nyjnnbubssiqyih.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2480
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
          PID:3968

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
        Filesize

        60KB

        MD5

        f7b6553f2d9cb1e4335cb6d841904c48

        SHA1

        d7a00e2f0f7ad80d7570144442a2348951d4c662

        SHA256

        40478a439ec537d9a1342aaadbced9d0f7bf3cef097a176692ac2ffd4293df19

        SHA512

        6891d159d5ea6f3337ff69d2d3989f1047a0b21d50ae0ff7fc8eb5d1cd2d9181bf8ebc5271f6945e737a3bfa28b9f9659b26ffcb84a0bfa7e974678c0b9b71f4

        Download Submit

      • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
        Filesize

        89KB

        MD5

        547ebd124f43de5bd82662175673081d

        SHA1

        4624080e4776f5e73f994c98f279176cf93a13c7

        SHA256

        dea4cc46143283b8ab99b1570493131d24152d23e83b55a0ffa80115269b40e1

        SHA512

        219a590b0a1e7eb5a9104cf00c89447367564b4c3f612d350dc1217f80e228c54bd8afeb8f00cb5ac307e29c73eea90dad64545ddf59ca2e0286fa0b91014bbc

        Download Submit

      • C:\Program Files\SaveLimit.doc.exe
        Filesize

        107KB

        MD5

        c50bfe8e82d4eb74825381bcae6ccf71

        SHA1

        45d0152632c119da25130a49d3b22f5b717b9616

        SHA256

        a265f2c7ffe97a7e060c7c338b00b81534ac345bacc2093ffc1945bd60cdacf2

        SHA512

        fcc077efd507a4ec5f86372d438620d9d640ed7fa9e42807fa917dbb5481f9d12846e523d8cb50b877500b582a8772ccb2465d5353201415b43d92d34084098d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        239B

        MD5

        12b138a5a40ffb88d1850866bf2959cd

        SHA1

        57001ba2de61329118440de3e9f8a81074cb28a2

        SHA256

        9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

        SHA512

        9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        3KB

        MD5

        c88a548ee4a014d259f050f99d2beb84

        SHA1

        803ea807c00c0a3f5d806f2ec58709d0e90e92a0

        SHA256

        b9654c748f0f899daf23f6f5259f4884bbb27b864bfa77c278088fb1e8201616

        SHA512

        78b67f898ed31f833aca3e2f92e04fda129de530d530094f671417047aadf97c1b6bb87762ca5faac98bb748b99e7e080e4076327eede730c69d16a024fe978d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
        Filesize

        3KB

        MD5

        c4916007f099998e641cc36c65671179

        SHA1

        9d5784cb5d48d6dc588b0a7cc25f772f7f19b9a8

        SHA256

        13b8124d7e37447c8a17d1017f2040418e3b9f2f6731c79c1733dfb49fe234d3

        SHA512

        6fca90473e5439f406a9d242121f94caadcbce478e1bcf24445b11a7c4fe7fcb2fbcb9f0634d6fda34bf9703f88774ca6d1ade1ffaeef03c717dffea0625a698

        Download Submit

      • C:\Users\Admin\Documents\MoveSplit.doc.exe
        Filesize

        90KB

        MD5

        1646b867c324165e7e034ac02e1dbcc5

        SHA1

        91a83443b72d019c8b5a3f7710dbfbca2ea19ad1

        SHA256

        bf25a45c3c5faedae892f1b10d2c9988cdb42a3acc29521dc69c0481ddd66e34

        SHA512

        9e6cd6ee10dd02987938fb44f4f93d619aa01900c65f49882ee1d51e2180ba23507ea498abe8631d52bbae721c56da74ce7f9f4bef3d59b7286d9168a751e0b2

        Download Submit

      • C:\Windows\SysWOW64\buoecuyrcd.exe
        Filesize

        351KB

        MD5

        94f5e738375d95432225efb547408236

        SHA1

        134a16f6226eaa991677d1be8df259259cdf890d

        SHA256

        7dab8365ac1a51f2ff903fe11056c129be9a18cbdbe2aa27a80e864e4384a4ba

        SHA512

        2f3f00916bc1b25f22d70d915513806f023a5c172f3e97abb506d550d4d11a11120a8ddb0f8dc35f2167b8a2dcd9571a690b9fc59debc4dc76daba0867174a72

        Download Submit

      • C:\Windows\SysWOW64\buoecuyrcd.exe
        Filesize

        191KB

        MD5

        63bfc4a9560726c27a54c51739a31d2e

        SHA1

        6348de8554ade5de32b1d690d3d9797243902836

        SHA256

        5b1a464a10c7992063a6b780a1b6b26ec979457a8fad33fa288593b9d189c5b4

        SHA512

        98e69c1e044cc492b77e2b56a8c99304f17c2ab5acdbe67525cce1afbfa137b56d09dff6bd9eb9b4d06940875274e6f1059ac19458050ef9b530783a35d568fe

        Download Submit

      • C:\Windows\SysWOW64\ckciihkz.exe
        Filesize

        296KB

        MD5

        b6428fe25a9131a2ef22e9b6213c138b

        SHA1

        a923e96db8e9c99698919b31718f0eb63e9fb600

        SHA256

        75ba1f80c6e78f0c3a4887e5bcad749f5561642402b74c960eeb60b9f9b5c025

        SHA512

        e59d14c6d6666da8ef770eba8fec54f8aa6802c8080246b768927ca4c3e14c0fe0a95279d39631f6400d6889fd360ad4d2ba19715ef989415ac498172766f7e3

        Download Submit

      • C:\Windows\SysWOW64\ckciihkz.exe
        Filesize

        288KB

        MD5

        292b3a2197946dfffc7c1abe7eb48689

        SHA1

        e3b2a8239d76da7b397ef13b6c178331abc5f619

        SHA256

        91e5bf8e71420ef2900023b5dc40beb3ff97d81a9985ecca95b98fc7d433d3fb

        SHA512

        0021b8cba84b25c33385ce20522dad13c9ebe16177064cb25bc9f3667ae338e3528b14f170bdfcdf0c72ee6951198aeb220b99e242db3f0e634a7d7055e9ec09

        Download Submit

      • C:\Windows\SysWOW64\ckciihkz.exe
        Filesize

        1KB

        MD5

        ec89629d437c17787acc7061c89e753c

        SHA1

        c65089b32eba1cf75d3546335718073460c971f9

        SHA256

        87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

        SHA512

        65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

        Download Submit

      • C:\Windows\SysWOW64\ckciihkz.exe
        Filesize

        419KB

        MD5

        718562823fbd697a368261695d344f60

        SHA1

        fde5add07a2f80e2a2c50d7bb1f9e5dd87a75c12

        SHA256

        7ef412d5fe308dd1c0f119ac6ea3e9e8fdef609b0d140e72178380bf20673ef1

        SHA512

        a0a125230e39c686fb17db26e38106c24e7bcef4047a8ea7b33ba62edc52199aa12efe90de8ebc6fd314801934d8a61eca10500b619a599209db4ac0854c50fc

        Download Submit

      • C:\Windows\SysWOW64\jyjsxejfmgjao.exe
        Filesize

        374KB

        MD5

        b5f4f6f7d64c0b15596bd0a5e3ec54e8

        SHA1

        3506fa2d431c5ea31824dba369c092dc16c712f9

        SHA256

        f2c1e77809becf9ac3979ea29d17375eced8c8c6c01b335290f7a4ea687a8171

        SHA512

        863f5d9832fffe4bac67ebdd500aa64ec9deb88393687f1349ab043e6f8ee261b62577a26ff613de39280cb10864542b21a2c0dec468232c6ae1f638eb59381a

        Download Submit

      • C:\Windows\SysWOW64\jyjsxejfmgjao.exe
        Filesize

        387KB

        MD5

        514310c2c2d72bc9d126f8796b0ca57f

        SHA1

        5cacbbdf3e92eb20d3b6b46ffc5c21268b410c4d

        SHA256

        b00fc11c2a958c230f54ae7d4833aaaecbc554cf47a0564bd7dad350b6c32d10

        SHA512

        3c75af18fa17c3befe5b4ff4af98b04e5777e81fb634706cbca6fbb6d6996312a272bbcb2a17985b399a567cc753ee66c1c3361bd0817b5033dd45735eb08c42

        Download Submit

      • C:\Windows\SysWOW64\nyjnnbubssiqyih.exe
        Filesize

        396KB

        MD5

        a622db39278c64b19501d94f325e4633

        SHA1

        1d3d15c590393a97facf21e873b43274735a7e23

        SHA256

        0eb7a9ee20100e319e87e4adccbe15481d43d7c8f31dac3bb5c5d7fe2fc6bf33

        SHA512

        e68cc63cc0d66c09b9534f5d2abd09bc8082f97a79ab5a2b05f5ac6f068c467881c91285f8b2c796936196000d17fda044405417db250ca9865d575361b8b0ee

        Download Submit

      • C:\Windows\SysWOW64\nyjnnbubssiqyih.exe
        Filesize

        417KB

        MD5

        7dc1c30ce84a5754f22f258fba7476fd

        SHA1

        82737ce68df53d60e663770f340707e06be59240

        SHA256

        f3e1ee029b28d00d99aa1fc3258602749c0114619ff7d0e74270486259fc8aaf

        SHA512

        4ebd32db666ee9ef57ac882588ce54e94bc410b0b1ed9ec191d834bd16535bd749b4500b0a5463603d518197e0198d179d440493744d97785214fd08cb6c0835

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \??\c:\Program Files\SaveLimit.doc.exe
        Filesize

        151KB

        MD5

        cef8c8e880494e0ac535d2117426cf1b

        SHA1

        6282a55d3998503c29d1919be70ba74621271d15

        SHA256

        a0fcbbd8f96dbe50923c32b82b181324189399beffcb63b179fb76a1613c3175

        SHA512

        6029a18e751c228ca8ca9424adb83fee2942eb6a8475413d4f3b56cb7f8680a59055ad378244b68c97a15093e6572e212f68e92a3aaf8716040d84a89943d9cd

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        60KB

        MD5

        12343c52b4c0056af3f4228ce578aa75

        SHA1

        163abd94370a9969ad0e743968aced28fbcddfdd

        SHA256

        b16444a9ee168175e4bd0e67a4d4a7b6230e608445ebf504580c307e548f39f7

        SHA512

        db10ee51b2f109251e5ff12e2e10bf8a587e5fc982bf7455f2ed2bf5fbcb5c51d1a6057bc18bcd251de345dcb085f2b1e4847dc631cdac0dea48509c064d0c88

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        24KB

        MD5

        e2469d36d383af0bf54c579d5109feb3

        SHA1

        6a10cf7f0f28876a5e4f3ddd83ad2e9ba614a3f6

        SHA256

        5178c6ec644df4517ed93c19117f80a73697ad6c229d041901ebb25dde64feb0

        SHA512

        2912d0ecc53409cba242eb11bd055810bd590372873f13067f5c2a69f7e9493e0a4d828fec804ded347f1924bba94bfad1ac772f871a6b123ee707dc66194806

        Download Submit

      • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
        Filesize

        84KB

        MD5

        5fc5a7dd499a3eb3cc34bb59d5fb398f

        SHA1

        e73eedb810666c418149b73bb9744fbb1a5cffe1

        SHA256

        3a5dc468f4343429401d7e4047002029a4aa6a821fd13daca9bad3a1838eac00

        SHA512

        28d0a5f5854ec9210b7ace705d0924f437b19804f36c3514c7befedc4bbf126420af5ea6d11272863e51e338c59c1d9c633f9137d59075def9f901ae772065b9

        Download Submit

      • memory/3968-54-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-41-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-51-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-52-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-49-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-55-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-56-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-57-0x00007FF8059F0000-0x00007FF805A00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-53-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-58-0x00007FF8059F0000-0x00007FF805A00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-48-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-47-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-43-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-44-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-42-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-50-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-101-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-102-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-103-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-35-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-40-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-39-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-36-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-147-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-149-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-150-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3968-148-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-146-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-145-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-38-0x00007FF8082F0000-0x00007FF808300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3968-37-0x00007FF848270000-0x00007FF848465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4048-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download