Overview

overview

10

Static

static

5

4067195daa...50.exe

windows7-x64

10

4067195daa...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4067195daa7c6392d705460325253350.exe

  • Size

    512KB

  • MD5

    4067195daa7c6392d705460325253350

  • SHA1

    dd4bd00ea69c32ce1a88020b0a01add80fcc9456

  • SHA256

    678d26894cc17d30e4f3b4c168065500cb7d86f1d69ac964fc3418683a1eaf5a

  • SHA512

    b2b0d8a3b0ee33c0352eafbe874e0ce61b7829586405374d50d62a5389acac4741ed1b733bc050609bd6a8d7bd516f0e107c376cab463a369c7ac62fc6262b25

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\SysWOW64\pgzolssw.exe
    C:\Windows\system32\pgzolssw.exe
    1⤵
      PID:2836
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      1⤵
        PID:2824
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          2⤵
            PID:956
        • C:\Windows\SysWOW64\zfkjfewlptgea.exe
          zfkjfewlptgea.exe
          1⤵
          • Executes dropped EXE
          PID:2656
        • C:\Windows\SysWOW64\pgzolssw.exe
          pgzolssw.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2572
        • C:\Windows\SysWOW64\hzlkzbtcymwwpdu.exe
          hzlkzbtcymwwpdu.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2820
        • C:\Windows\SysWOW64\dpvqxwjtmq.exe
          dpvqxwjtmq.exe
          1⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Modifies WinLogon
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2544
        • C:\Users\Admin\AppData\Local\Temp\4067195daa7c6392d705460325253350.exe
          "C:\Users\Admin\AppData\Local\Temp\4067195daa7c6392d705460325253350.exe"
          1⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2216

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
          Filesize

          34KB

          MD5

          2fc630f99729f4b51cae4587adf5305b

          SHA1

          b0199760824a4e6070eada33a3676cdcb293f549

          SHA256

          fa71bce66ec2eaa37181cdd76ac3068dc0237584382d839b735cad1b1dbc58c5

          SHA512

          acf9176ae257df485bdc3b42b870538319aac864bb56c68ebb870d51aa511a2d2e28e68746b5cf01f89aea244011545017095352edcc8d50b4355ad22a928d1a

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
          Filesize

          7KB

          MD5

          41631bbf1612c2712e26deb0c804f08e

          SHA1

          ab00374b40336c7f9cda990617f5e6e9ded0edbb

          SHA256

          e683c5bb65c860d973bb5cea780d1f86f4f98bce75614ce599b7c6bd00a6b166

          SHA512

          c19a48f940f7246669a758a655bb7f038369605c11a6d0533bc9a23adf594f5a43d3339286b82c666ca650b22f7dc98e83a7f3adef5fef81dd5ba05f726b0f3c

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
          Filesize

          58KB

          MD5

          9e9b0f0bfc0051b022365bb94904d822

          SHA1

          a30e803c4d2b4c1998e60d4d07f713d85f615bcb

          SHA256

          b49121559c673b2555c4a2b9ef0c96f92539a82c5f5e9c903f9206ad72e3df99

          SHA512

          ce2bd598000c32108cbb71c80ca90a0c6e1cad23c5d812df0576dc8b3d7070840e894e4c2a92541abb41fb2ed7c308eacbeeb9f89748810417b13ab4349bf3fc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
          Filesize

          20KB

          MD5

          4168defaa5de401fb3f1962b3795cafc

          SHA1

          adcf43740c36d2b3789e7229641ca530f185de4d

          SHA256

          6d3510f3dc0b1a5b8db96676b4c25f72ff7558a93752b236a7b87e154abb8371

          SHA512

          8b896c6ef0138e5f0a5539f6a4a79bc20f8a53c6dcca88bff8098333979b6906190d55cf917d2e2202430d4e513b5d855736316860327693a85b0d7f6fae78d8

          Download Submit

        • C:\Users\Admin\Documents\PopTest.doc.exe
          Filesize

          1KB

          MD5

          ec89629d437c17787acc7061c89e753c

          SHA1

          c65089b32eba1cf75d3546335718073460c971f9

          SHA256

          87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

          SHA512

          65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

          Download Submit

        • C:\Windows\SysWOW64\dpvqxwjtmq.exe
          Filesize

          44KB

          MD5

          ed6ebf6e3640d8abdf7dbf83661b5631

          SHA1

          46abb70f20e1066688b6c404b7aff7341bc56c41

          SHA256

          05ff184a7760c15c5f40c8fe638dde30e37336fbb82def6361964aea8eca3e58

          SHA512

          7fd0cef67042ed2a4f0d18c7a1cae97817ecbd9a762f6c546c43ea1450418b6730112d607f89f0d9f7ee16dcc6d078a3a6459f8285fc1b92d22bdb656e7ee3a5

          Download Submit

        • C:\Windows\SysWOW64\dpvqxwjtmq.exe
          Filesize

          65KB

          MD5

          2226f567b5b356c8a2506bd8f385945d

          SHA1

          69802d5c8638549851cffba575cbc8d90e033cd1

          SHA256

          d569d2bb4f1f27e35a7ab326a806ac5228d5d0384ff5e2811ca9b9888317666f

          SHA512

          31a7048bb6b286fdf33ddbfbe27497186711490e9a1b0cf407e273dba184cbd3bde32400a6b80c603b42fb44a2f6479c0447a20b5e9f94739aeaff5fd5c348bc

          Download Submit

        • C:\Windows\SysWOW64\hzlkzbtcymwwpdu.exe
          Filesize

          59KB

          MD5

          4ad55389100acf338988c42cc6fbc54b

          SHA1

          7cbf60046e091866d6c14911280cd50526d96b24

          SHA256

          34bed568799138d9d942adbbe603a66b54b28396c54ea1943cce00c4ad16ead8

          SHA512

          439c0195c3da28e4734f0a3c83e7c63cf0bca001691a94358c37934d751fb334fbff89a3f9a03c71f9aa4d34b2124d712243d227dd1cf74346523d9273fab901

          Download Submit

        • C:\Windows\SysWOW64\hzlkzbtcymwwpdu.exe
          Filesize

          25KB

          MD5

          66631e86b3f75bfa839696b8a622a974

          SHA1

          850dd159b8166840231c1a4a546150671a579e8b

          SHA256

          7b22fd798a3e7feb932546f579dd51438b2858fec49f69c257e2c4bffd0a70cf

          SHA512

          9227109a9dddad3bbdf85fa768cdf1171199f1dbe6ee4c828ed142dea541de92a0095ecfe463dfb4380f60c942b5ccc0ce9c5ce90613385459777e439e369a00

          Download Submit

        • C:\Windows\SysWOW64\hzlkzbtcymwwpdu.exe
          Filesize

          45KB

          MD5

          0e0f5b7945b4890c5bfb4078311fb9f8

          SHA1

          4a827377826e3a27838cb257b52156c25e25bf30

          SHA256

          f3ced41460287c58c881e9c5b124ed9ec07add223b2504e2a9d9ba7636b723e8

          SHA512

          b4825d0c2e271d5639ad276ce8044f451f5e3aeac1f42a0cf29919d1dbc22ae8c34f439556e819beb2b6c9d385e5a545d2050755e1eb51a4d48a138fd45caa4e

          Download Submit

        • C:\Windows\SysWOW64\pgzolssw.exe
          Filesize

          42KB

          MD5

          5545a04e49cded2b765730e408147f20

          SHA1

          e512fe1a993736337fc6b3843b08d641b5cecae4

          SHA256

          c459e2bcc1826e4f0422d8e2ca5a61c859ce0de32222c7189380815cc87ef1f2

          SHA512

          5ad931bb9dd3ff5dbea3de086ae8e1c905a17c32a514aae84f37828e08caaadb5c68145a403b8d1e4df212de6f2ad387914a2ab6d981c68e84a9a7513b539f8e

          Download Submit

        • C:\Windows\SysWOW64\pgzolssw.exe
          Filesize

          21KB

          MD5

          c0c7a953c08732513cbd8278d743a9ff

          SHA1

          7b003e6244b315e6c58d4ddbdb422e6c0637165d

          SHA256

          458e83fd3bd3621706962c06e9cdd456d15d59ce0ce80f920b4c066a991ada74

          SHA512

          c59406cb07ae1d895475368770ad362f4c81f4dfef5648c48ee4333a06d1c2374b3a6e3f2b4a58afa1cfcfe8f2fc28fcc042a45b32ecfd8e93d01c10a9d1701e

          Download Submit

        • C:\Windows\SysWOW64\pgzolssw.exe
          Filesize

          40KB

          MD5

          7a249748683a2ac1d3f1df6a80bda4da

          SHA1

          4d3090801b9a4a95cbb0c26eaad722df203c3d67

          SHA256

          050a30f0eab0ec3c95a77c583c165f40125e6a2996c9e31669f3ac63fcff099d

          SHA512

          eac901ab353b20578040dfaf6e85e67d9e0a1e056bc3ae99effbef8231ee834b5ef15518d25a7db7679317789b21c69abd2d1d26bef21bb009c683bdd40fcc90

          Download Submit

        • C:\Windows\SysWOW64\zfkjfewlptgea.exe
          Filesize

          25KB

          MD5

          6c1e83c3665dfbd7fd5a42a0de9b3d11

          SHA1

          228672babe7ea36dd1e92d98fbf588a54c2ed3ee

          SHA256

          03223f8ef3bebb039b1bb8c4cb6322d724a5d047ddc39c6d4086f813ddeb668c

          SHA512

          d243912d96e6ee2629f4489c6b51d4006de8d5577d1ea51e6dceb78bd04c209e1a8f8eee7c043abce5c2479ecab5510eab9c837f1af20d504501b93c3566964b

          Download Submit

        • C:\Windows\SysWOW64\zfkjfewlptgea.exe
          Filesize

          66KB

          MD5

          e39ee30ec811ae1e3e181970e5a0fb09

          SHA1

          0fd7b697d020f733d7afe495519016c0aa4eab81

          SHA256

          470d7a8aad7db94936cf7803bd8d173f17bf61e3c9eae16bc7c1467b611216cd

          SHA512

          235eaf6eb67b8bab09c7d96714e88d3791aa23ad7267fc8b9bb4871d8fd382292b4be4c11e51c7cb491496021cfdbc759c0f8e75f0dd649fb849f0755eb4bd2f

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • \Windows\SysWOW64\dpvqxwjtmq.exe
          Filesize

          29KB

          MD5

          e46efa9c691bb7eadf6de8ba541ebed4

          SHA1

          889e02a5e6d15d4fdc3bda0398ac301206c29375

          SHA256

          ea712506c435f2c61200a937d7e1dd2bcc5bfb2fc7d3c38437980ad28b1a3991

          SHA512

          66075134473a6c0b301393d5cb3e0634ed1cdd294a92e831bb1af9e1372173e204f67805704b46b08a7be31249adf90138e56ef9dce72389a63c9c8f14c1c184

          Download Submit

        • \Windows\SysWOW64\hzlkzbtcymwwpdu.exe
          Filesize

          21KB

          MD5

          4a84430db869b1cceb60aaf291ad826c

          SHA1

          cc7188e995b2834e27741a26fd623df6a50c8c66

          SHA256

          46cea2b1b59913979837a746d1c8d375eec882428e7a4725de0f7f94020a4617

          SHA512

          9f073c0cfd762e85c08ab23e639be69af44049171fba9c7358a2521b603e861996426bae080ae89cf20a3db496cb3b02eca67594cbba2dd097027e289aca9ea4

          Download Submit

        • \Windows\SysWOW64\pgzolssw.exe
          Filesize

          37KB

          MD5

          f0e11dbd2eabf27502dc3863d48385bd

          SHA1

          bb0152ef4126e676c6834bf67d82b555efe64776

          SHA256

          50139f3f7df5c4e7c909b763b2d9fcbe95e0ce759a97b43a0088910cba40c66a

          SHA512

          e5f067020492998926f1be771a616f8fdef51185fc8bbe297f8dfb9b243a7b7760a5d19d46748d93d235e36556365d6ac132659ece032df643826ae911c1474d

          Download Submit

        • \Windows\SysWOW64\pgzolssw.exe
          Filesize

          61KB

          MD5

          1346ecfe1276ea6fdf5818f84976ede8

          SHA1

          5fd5e387b87ef6700c632dc72cf96abe8e36f900

          SHA256

          2022252a86e5ef0d7cda1f17f61605ff1952de97c5020f201c11f0212c89687a

          SHA512

          a7007da462ee59dfcb787792b54770c3ed209a8bfdb631aa0488b7cc4869d7ae25f317b959f89d2b120f289b913fbfbe5e27ff41d32f74eda1899fd06c8f8fec

          Download Submit

        • \Windows\SysWOW64\zfkjfewlptgea.exe
          Filesize

          50KB

          MD5

          8f13d30272f1b6841b19eba35ea87019

          SHA1

          d407e76997ced5360420b57abbd1ad2dffee2f83

          SHA256

          f0d70d71f41b811a3d4d7de455890f10827e2a7bf496129619e1e57ec23bb5fe

          SHA512

          aba814464c9e48939be9a8ac5c037711bb28fa65638821cd97c498904ceae52b88cbc7a0f627d1498f01e0e21a34e0f5c8fc6a225f1fbaeeaeed41a84f2d3cbc

          Download Submit

        • memory/2216-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2824-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2824-47-0x0000000070AED000-0x0000000070AF8000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2824-45-0x000000002FFC1000-0x000000002FFC2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2824-76-0x0000000070AED000-0x0000000070AF8000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2824-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download