Analysis
- max time kernel: 0s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 08:16
Static task: static1

Behavioral task: behavioral1
- Sample: 1167cca48c541a7c546a51ef7b0efd54.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 1167cca48c541a7c546a51ef7b0efd54.exe
- Resource: win10v2004-20231215-en
General
- Target: 1167cca48c541a7c546a51ef7b0efd54.exe
- Size: 512KB
- MD5: 1167cca48c541a7c546a51ef7b0efd54
- SHA1: e4bd7e7168c108a2308c6cc400b0b7aa30622677
- SHA256: 40a434f89c653ffee0f23c3ad025dee7eed96b19b963bc56e3f4cb45e3fac426
- SHA512: 17b87a22708abfcaf2767e31f465c0727e5d1dee9949e7c18c7c98db07e9ea0041f7be8ee4d35c2168541c7942b49a19ef41edd4a71e51e167c2b30a9a11291d
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: wkwxeenrpx.exe)

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: wkwxeenrpx.exe)

Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wkwxeenrpx.exe)

Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: wkwxeenrpx.exe)
Executes dropped EXE 4 IoCs
- PID 2964: wkwxeenrpx.exe
- PID 2376: ggcodhoyjmbnrlm.exe
- PID 2780: ukrciglv.exe
- PID 2708: klgizdrpqsbje.exe

Loads dropped DLL 4 IoCs
- PID 2496: 1167cca48c541a7c546a51ef7b0efd54.exe (4 events)

Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: wkwxeenrpx.exe)

Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uvfbpxnl = "wkwxeenrpx.exe" (process: ggcodhoyjmbnrlm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xqxpnatp = "ggcodhoyjmbnrlm.exe" (process: ggcodhoyjmbnrlm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "klgizdrpqsbje.exe" (process: ggcodhoyjmbnrlm.exe)

Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: wkwxeenrpx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: wkwxeenrpx.exe)
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
- behavioral1/memory/2496-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x000a00000001224c-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000015b12-5.dat (yara rule: autoit_exe)

Drops file in System32 directory 8 IoCs
- File created C:\Windows\SysWOW64\klgizdrpqsbje.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification C:\Windows\SysWOW64\klgizdrpqsbje.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File created C:\Windows\SysWOW64\wkwxeenrpx.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification C:\Windows\SysWOW64\wkwxeenrpx.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File created C:\Windows\SysWOW64\ggcodhoyjmbnrlm.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification C:\Windows\SysWOW64\ggcodhoyjmbnrlm.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File created C:\Windows\SysWOW64\ukrciglv.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification C:\Windows\SysWOW64\ukrciglv.exe (process: 1167cca48c541a7c546a51ef7b0efd54.exe)

Drops file in Windows directory 1 IoCs
- File opened for modification C:\Windows\mydoc.rtf (process: 1167cca48c541a7c546a51ef7b0efd54.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 19 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: wkwxeenrpx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: wkwxeenrpx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: wkwxeenrpx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0A9D5582576A4276D570512DDC7C8E65A8" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FACAF911F19683743B3286ED3E98B0FC02F94311034EE2CC42EC08A7" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B3FE1D21DAD10BD1A68A0C9166" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: wkwxeenrpx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: wkwxeenrpx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B1214497399A53BEBAD53299D4B9" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF8B482785189032D7587E97BC94E633584467456334D791" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C7091493DBC2B8CA7CE5ECE537C9" (process: 1167cca48c541a7c546a51ef7b0efd54.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: wkwxeenrpx.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: wkwxeenrpx.exe)
Suspicious behavior: EnumeratesProcesses 18 IoCs
- PID 2496 1167cca48c541a7c546a51ef7b0efd54.exe (7 events)
- PID 2964 wkwxeenrpx.exe (3 events)
- PID 2496 1167cca48c541a7c546a51ef7b0efd54.exe (1 event)
- PID 2964 wkwxeenrpx.exe (2 events)
- PID 2376 ggcodhoyjmbnrlm.exe (5 events)

Suspicious use of FindShellTrayWindow 12 IoCs
- PID 2496 1167cca48c541a7c546a51ef7b0efd54.exe (3 events)
- PID 2964 wkwxeenrpx.exe (3 events)
- PID 2376 ggcodhoyjmbnrlm.exe (3 events)
- PID 2780 ukrciglv.exe (3 events)

Suspicious use of SendNotifyMessage 12 IoCs
- PID 2496 1167cca48c541a7c546a51ef7b0efd54.exe (3 events)
- PID 2964 wkwxeenrpx.exe (3 events)
- PID 2376 ggcodhoyjmbnrlm.exe (3 events)
- PID 2780 ukrciglv.exe (3 events)

Suspicious use of WriteProcessMemory 20 IoCs
(description; pid; process; procid_target)
- PID 2496 wrote to memory of 2964; 2496; 1167cca48c541a7c546a51ef7b0efd54.exe; 25 (4 events)
- PID 2496 wrote to memory of 2376; 2496; 1167cca48c541a7c546a51ef7b0efd54.exe; 24 (4 events)
- PID 2496 wrote to memory of 2780; 2496; 1167cca48c541a7c546a51ef7b0efd54.exe; 23 (4 events)
- PID 2376 wrote to memory of 2984; 2376; ggcodhoyjmbnrlm.exe; 21 (4 events)
- PID 2496 wrote to memory of 2708; 2496; 1167cca48c541a7c546a51ef7b0efd54.exe; 19 (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe (level 1, PID 2496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2, PID 1636)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - C:\Windows\splwow64.exe (level 3, PID 1524)
      Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\SysWOW64\klgizdrpqsbje.exe (level 2, PID 2708)
    Command line: klgizdrpqsbje.exe
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\ukrciglv.exe (level 2, PID 2780)
    Command line: ukrciglv.exe
    Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ggcodhoyjmbnrlm.exe (level 2, PID 2376)
    Command line: ggcodhoyjmbnrlm.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wkwxeenrpx.exe (level 2, PID 2964)
    Command line: wkwxeenrpx.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Modifies WinLogon; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\ukrciglv.exe (level 1, PID 2700)
  Command line: C:\Windows\system32\ukrciglv.exe
- C:\Windows\SysWOW64\cmd.exe (level 1, PID 2984)
  Command line: cmd.exe /c klgizdrpqsbje.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 3KB
- MD5: df2af516f75df6f168999f3c9b46ac65
- SHA1: 5b048e82d94f35a17e12159ecc92fcba075dfd69
- SHA256: 2e910def9f00b8c140881dc40b04f4733706a8cfe2c964eb40d9698257966da8
- SHA512: 7b20ad5885206a64b781f1f89e5c47ca9619333b30b0c922e144831e8375c331837ef1fd3476e60a297f74ed5a4375bb7c91ef9431e10af09f30e4bd98605738