52276c108d1e962242065a62e86174f0f396e6e023442f78fbcb187911f2d26e

General

Target

0f55886803145288dc4ac288285d3652.exe
Size

512KB
MD5

0f55886803145288dc4ac288285d3652
SHA1

b002f91d76872de54eafbe2e0f12a15df495cf13
SHA256

52276c108d1e962242065a62e86174f0f396e6e023442f78fbcb187911f2d26e
SHA512

20e112984790c409f4e7a18c7f5826ada0fc20093850c605b5f0da3acd9cd7042907169876c84567c74dac8c4f8ba6d8516a9c9a05fe007b827fe4a6f98a8d48
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
852	nxysysghku.exe
5092	zjqgbjhcwaonkgy.exe
2888	mchckcub.exe
3800	ijkhjfiqgxdmd.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/912-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000c000000023153-19.dat	autoit_exe
behavioral2/files/0x000c000000023153-18.dat	autoit_exe
behavioral2/files/0x00090000000231ec-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zjqgbjhcwaonkgy.exe	0f55886803145288dc4ac288285d3652.exe
File opened for modification	C:\Windows\SysWOW64\zjqgbjhcwaonkgy.exe	0f55886803145288dc4ac288285d3652.exe
File created	C:\Windows\SysWOW64\mchckcub.exe	0f55886803145288dc4ac288285d3652.exe
File opened for modification	C:\Windows\SysWOW64\mchckcub.exe	0f55886803145288dc4ac288285d3652.exe
File created	C:\Windows\SysWOW64\ijkhjfiqgxdmd.exe	0f55886803145288dc4ac288285d3652.exe
File opened for modification	C:\Windows\SysWOW64\ijkhjfiqgxdmd.exe	0f55886803145288dc4ac288285d3652.exe
File created	C:\Windows\SysWOW64\nxysysghku.exe	0f55886803145288dc4ac288285d3652.exe
File opened for modification	C:\Windows\SysWOW64\nxysysghku.exe	0f55886803145288dc4ac288285d3652.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	0f55886803145288dc4ac288285d3652.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABEFE17F1E7830B3B4B86EC3992B388028A4367034EE1C542E709A3"	0f55886803145288dc4ac288285d3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12947E6399A53C5BAD133E9D7C4"	0f55886803145288dc4ac288285d3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF8D482B85199132D7217D9CBC97E135583067436333D790"	0f55886803145288dc4ac288285d3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BC4FE6E21DFD10BD1A68B7C916B"	0f55886803145288dc4ac288285d3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC70C15E0DBC3B9CD7C92ECE034C8"	0f55886803145288dc4ac288285d3652.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	0f55886803145288dc4ac288285d3652.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D0B9D2082256D3577D370212CD67D8565DC"	0f55886803145288dc4ac288285d3652.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
5092	zjqgbjhcwaonkgy.exe
5092	zjqgbjhcwaonkgy.exe
5092	zjqgbjhcwaonkgy.exe
852	nxysysghku.exe
2888	mchckcub.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
912	0f55886803145288dc4ac288285d3652.exe
5092	zjqgbjhcwaonkgy.exe
5092	zjqgbjhcwaonkgy.exe
5092	zjqgbjhcwaonkgy.exe
852	nxysysghku.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 852	912	0f55886803145288dc4ac288285d3652.exe	26
PID 912 wrote to memory of 852	912	0f55886803145288dc4ac288285d3652.exe	26
PID 912 wrote to memory of 852	912	0f55886803145288dc4ac288285d3652.exe	26
PID 912 wrote to memory of 5092	912	0f55886803145288dc4ac288285d3652.exe	17
PID 912 wrote to memory of 5092	912	0f55886803145288dc4ac288285d3652.exe	17
PID 912 wrote to memory of 5092	912	0f55886803145288dc4ac288285d3652.exe	17
PID 912 wrote to memory of 2888	912	0f55886803145288dc4ac288285d3652.exe	25
PID 912 wrote to memory of 2888	912	0f55886803145288dc4ac288285d3652.exe	25
PID 912 wrote to memory of 2888	912	0f55886803145288dc4ac288285d3652.exe	25
PID 912 wrote to memory of 3800	912	0f55886803145288dc4ac288285d3652.exe	24
PID 912 wrote to memory of 3800	912	0f55886803145288dc4ac288285d3652.exe	24
PID 912 wrote to memory of 3800	912	0f55886803145288dc4ac288285d3652.exe	24

C:\Users\Admin\AppData\Local\Temp\0f55886803145288dc4ac288285d3652.exe
"C:\Users\Admin\AppData\Local\Temp\0f55886803145288dc4ac288285d3652.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\zjqgbjhcwaonkgy.exe
  zjqgbjhcwaonkgy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5092
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4120
- C:\Windows\SysWOW64\ijkhjfiqgxdmd.exe
  ijkhjfiqgxdmd.exe
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Windows\SysWOW64\mchckcub.exe
  mchckcub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2888
- C:\Windows\SysWOW64\nxysysghku.exe
  nxysysghku.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:852

C:\Windows\SysWOW64\mchckcub.exe
C:\Windows\system32\mchckcub.exe
1⤵
PID:3812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nxysysghku.exe

Filesize
21KB

MD5
6062a146d22fc588dcc5317fd341d393

SHA1
533a2f06ee5ea0e27c5ef2ecee4fb8d5d95c481a

SHA256
da5e5b8ca2eaa9d2c141c48a12881bfb6f43b02f5c0748a99310819d989d4413

SHA512
64444d4ded84926bf7a8020c60c450804d45249c13c54d8bc8f2be6c406f4017d1950c2c067eb45f49e271f66b95dc0085338a8eeefcfa0a035f42dff023b9b9

Download Submit
C:\Windows\SysWOW64\zjqgbjhcwaonkgy.exe

Filesize
124KB

MD5
0e9198c0b6da501de7454fdc0fc8641e

SHA1
06832b1e2bc1ec8f34eae005c7261197d8f9e630

SHA256
240ae8cc10da37a42bd3164704bbf08176243fc3718d710fc3326ced66891c3e

SHA512
95c3828450d8faf73f527efac0278b071013a2c29583787ab36aa599011155bef965696a534e08959c31ab1b17a9365c0a4df2e66c9734c66446b917a72bc59b

Download Submit
memory/912-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4120-60-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-42-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-53-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-55-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-57-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-49-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-61-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-59-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-56-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-54-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-51-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-50-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-46-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-45-0x00007FF9F2430000-0x00007FF9F2440000-memory.dmp

Filesize
64KB

Download
memory/4120-43-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-52-0x00007FF9F2430000-0x00007FF9F2440000-memory.dmp

Filesize
64KB

Download
memory/4120-39-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-38-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-37-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-36-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-35-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-48-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-41-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-40-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-127-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-151-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-155-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-154-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-153-0x00007FFA34D10000-0x00007FFA34F05000-memory.dmp

Filesize
2.0MB

Download
memory/4120-152-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-150-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download
memory/4120-149-0x00007FF9F4D90000-0x00007FF9F4DA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing