8c3f0a9bb8fc55f0edddd22d8983fb66f712ba9e43c89126b54e1d752c5d8c3f

General

Target

1c74caeacf0bca43de75ba57e5f36032.exe
Size

512KB
MD5

1c74caeacf0bca43de75ba57e5f36032
SHA1

85deaf42a1bf39f0c5d15c0988b89a42a3d37385
SHA256

8c3f0a9bb8fc55f0edddd22d8983fb66f712ba9e43c89126b54e1d752c5d8c3f
SHA512

b8fb038beacaa27a5ebb503491fdf299f094429e8284bd9c77bf337fd70297308181a30b9810661f2b07a8756f1ed7ec44f97a7a959f6edbbb414e46a2820300
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	1c74caeacf0bca43de75ba57e5f36032.exe

Executes dropped EXE 4 IoCs

pid	Process
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
768	nmucdhfk.exe
3532	mzlmgvapfpghq.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\w:	nmucdhfk.exe
File opened (read-only)	\??\n:	nmucdhfk.exe
File opened (read-only)	\??\t:	nmucdhfk.exe
File opened (read-only)	\??\m:	nmucdhfk.exe
File opened (read-only)	\??\p:	nmucdhfk.exe
File opened (read-only)	\??\r:	nmucdhfk.exe
File opened (read-only)	\??\x:	nmucdhfk.exe
File opened (read-only)	\??\i:	nmucdhfk.exe
File opened (read-only)	\??\k:	nmucdhfk.exe
File opened (read-only)	\??\j:	nmucdhfk.exe
File opened (read-only)	\??\o:	nmucdhfk.exe
File opened (read-only)	\??\q:	nmucdhfk.exe
File opened (read-only)	\??\v:	nmucdhfk.exe
File opened (read-only)	\??\y:	nmucdhfk.exe
File opened (read-only)	\??\e:	nmucdhfk.exe
File opened (read-only)	\??\g:	nmucdhfk.exe
File opened (read-only)	\??\h:	nmucdhfk.exe
File opened (read-only)	\??\l:	nmucdhfk.exe
File opened (read-only)	\??\s:	nmucdhfk.exe
File opened (read-only)	\??\u:	nmucdhfk.exe
File opened (read-only)	\??\z:	nmucdhfk.exe
File opened (read-only)	\??\a:	nmucdhfk.exe
File opened (read-only)	\??\b:	nmucdhfk.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1936-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x00090000000231f0-5.dat	autoit_exe
behavioral2/files/0x00090000000231f0-22.dat	autoit_exe
behavioral2/files/0x00090000000231f0-24.dat	autoit_exe
behavioral2/files/0x000e00000002314f-18.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File created	C:\Windows\SysWOW64\nmucdhfk.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File opened for modification	C:\Windows\SysWOW64\nmucdhfk.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File created	C:\Windows\SysWOW64\mzlmgvapfpghq.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File opened for modification	C:\Windows\SysWOW64\mzlmgvapfpghq.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File created	C:\Windows\SysWOW64\ihrtvfeufy.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File opened for modification	C:\Windows\SysWOW64\ihrtvfeufy.exe	1c74caeacf0bca43de75ba57e5f36032.exe
File created	C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe	1c74caeacf0bca43de75ba57e5f36032.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	1c74caeacf0bca43de75ba57e5f36032.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	1c74caeacf0bca43de75ba57e5f36032.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C0B9D5282206D4376D670232DDB7DF165AB"	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFACAFE17F1E0837A3A45869C3997B089038A4315034FE2CF45E608A9"	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B15C4492399A53CABAA13293D7CD"	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC8D482C851C9146D6217D94BC94E134584767406336D6EC"	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BB8FE1B21ACD173D0A58B7F9116"	1c74caeacf0bca43de75ba57e5f36032.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC70814E4DAB6B8BE7FE6EDE434CF"	1c74caeacf0bca43de75ba57e5f36032.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
1936	1c74caeacf0bca43de75ba57e5f36032.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
768	nmucdhfk.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe
4800	ihrtvfeufy.exe
4652	sgqbjtgffqfmqvc.exe
3532	mzlmgvapfpghq.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4800	1936	1c74caeacf0bca43de75ba57e5f36032.exe	26
PID 1936 wrote to memory of 4800	1936	1c74caeacf0bca43de75ba57e5f36032.exe	26
PID 1936 wrote to memory of 4800	1936	1c74caeacf0bca43de75ba57e5f36032.exe	26
PID 1936 wrote to memory of 4652	1936	1c74caeacf0bca43de75ba57e5f36032.exe	25
PID 1936 wrote to memory of 4652	1936	1c74caeacf0bca43de75ba57e5f36032.exe	25
PID 1936 wrote to memory of 4652	1936	1c74caeacf0bca43de75ba57e5f36032.exe	25
PID 1936 wrote to memory of 768	1936	1c74caeacf0bca43de75ba57e5f36032.exe	24
PID 1936 wrote to memory of 768	1936	1c74caeacf0bca43de75ba57e5f36032.exe	24
PID 1936 wrote to memory of 768	1936	1c74caeacf0bca43de75ba57e5f36032.exe	24
PID 1936 wrote to memory of 3532	1936	1c74caeacf0bca43de75ba57e5f36032.exe	19
PID 1936 wrote to memory of 3532	1936	1c74caeacf0bca43de75ba57e5f36032.exe	19
PID 1936 wrote to memory of 3532	1936	1c74caeacf0bca43de75ba57e5f36032.exe	19
PID 1936 wrote to memory of 3472	1936	1c74caeacf0bca43de75ba57e5f36032.exe	21
PID 1936 wrote to memory of 3472	1936	1c74caeacf0bca43de75ba57e5f36032.exe	21

C:\Users\Admin\AppData\Local\Temp\1c74caeacf0bca43de75ba57e5f36032.exe
"C:\Users\Admin\AppData\Local\Temp\1c74caeacf0bca43de75ba57e5f36032.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\SysWOW64\mzlmgvapfpghq.exe
  mzlmgvapfpghq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3532
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:3472
- C:\Windows\SysWOW64\nmucdhfk.exe
  nmucdhfk.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:768
- C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe
  sgqbjtgffqfmqvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4652
- C:\Windows\SysWOW64\ihrtvfeufy.exe
  ihrtvfeufy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4800

C:\Windows\SysWOW64\nmucdhfk.exe
C:\Windows\system32\nmucdhfk.exe
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ihrtvfeufy.exe

Filesize
512KB

MD5
81abebcbcbc7bbe1ba6e38edff4eecee

SHA1
4e0aaac378006027067ce723f9d4fc16bf20155a

SHA256
41497b1c5690e51bb341b7e0d36c0e22d44b3050751362f623630e6d41d41f85

SHA512
67109414387b6cea171481920310c8d9e12cf2d12f0e89f40dd3f7ab06fc52ba59043569beb6a8a080949baa96c4b795cfe8e2ac04294cc6fb063163a4ed167b

Download Submit
C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe

Filesize
382KB

MD5
badd716c7c48a8241873d9251da496d1

SHA1
6bd2a072c8f64a1780fe75d983cb7b6584985c6d

SHA256
ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

SHA512
7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

Download Submit
C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe

Filesize
93KB

MD5
257f28bd5bdc2b725434b7ab570814e7

SHA1
972446e0f8d210c5d6f42a57a921391a236d564d

SHA256
d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688

SHA512
c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

Download Submit
C:\Windows\SysWOW64\sgqbjtgffqfmqvc.exe

Filesize
381KB

MD5
30aec9e0b33fbd99234328357879f812

SHA1
3c9d37139d4ccfe2b694afba9633170d0f510a92

SHA256
15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

SHA512
2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

Download Submit
memory/1936-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3472-48-0x00007FF82D3D0000-0x00007FF82D3E0000-memory.dmp

Filesize
64KB

Download
memory/3472-49-0x00007FF82D3D0000-0x00007FF82D3E0000-memory.dmp

Filesize
64KB

Download
memory/3472-43-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-41-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-40-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-39-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-38-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-37-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-45-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-42-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-36-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-44-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-35-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-103-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-104-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-105-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-129-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-133-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-134-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-132-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-131-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-130-0x00007FF86FB50000-0x00007FF86FD45000-memory.dmp

Filesize
2.0MB

Download
memory/3472-128-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download
memory/3472-127-0x00007FF82FBD0000-0x00007FF82FBE0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads