Analysis
- max time kernel: 0s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 08:16
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1167cca48c541a7c546a51ef7b0efd54.exe
  - Resource: win7-20231215-en
- Behavioral task: behavioral2
  - Sample: 1167cca48c541a7c546a51ef7b0efd54.exe
  - Resource: win10v2004-20231215-en
General
- Target: 1167cca48c541a7c546a51ef7b0efd54.exe
- Size: 512KB
- MD5: 1167cca48c541a7c546a51ef7b0efd54
- SHA1: e4bd7e7168c108a2308c6cc400b0b7aa30622677
- SHA256: 40a434f89c653ffee0f23c3ad025dee7eed96b19b963bc56e3f4cb45e3fac426
- SHA512: 17b87a22708abfcaf2767e31f465c0727e5d1dee9949e7c18c7c98db07e9ea0041f7be8ee4d35c2168541c7942b49a19ef41edd4a71e51e167c2b30a9a11291d
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Executes dropped EXE 4 IoCs
- PID 3664: ljneadillf.exe
- PID 5076: zfzksofsueruxtx.exe
- PID 2440: guydzjuh.exe
- PID 1584: cwnphpvtxlkza.exe
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/968-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- behavioral2/files/0x000c000000023160-19.dat: autoit_exe
- behavioral2/files/0x000c000000023160-18.dat: autoit_exe
Drops file in System32 directory 8 IoCs
- File created: C:\Windows\SysWOW64\ljneadillf.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification: C:\Windows\SysWOW64\ljneadillf.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File created: C:\Windows\SysWOW64\zfzksofsueruxtx.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification: C:\Windows\SysWOW64\zfzksofsueruxtx.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File created: C:\Windows\SysWOW64\guydzjuh.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification: C:\Windows\SysWOW64\guydzjuh.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File created: C:\Windows\SysWOW64\cwnphpvtxlkza.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
- File opened for modification: C:\Windows\SysWOW64\cwnphpvtxlkza.exe (1167cca48c541a7c546a51ef7b0efd54.exe)
Drops file in Windows directory 1 IoCs
- File opened for modification: C:\Windows\mydoc.rtf (1167cca48c541a7c546a51ef7b0efd54.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 7 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAC9FE67F19284083B37869D3E92B38A02F14211023CE2BD459D09A2" (1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02F44E7399F52C4BAA733E9D7CE" (1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCFB482E826A9130D65C7E93BC90E643594B67356234D7EC" (1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC3FF6E22DBD173D0D48A7A9162" (1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70814E1DAC0B8C17CE3ED9734BC" (1167cca48c541a7c546a51ef7b0efd54.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (1167cca48c541a7c546a51ef7b0efd54.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9C2783236A4676D4702F2CAB7D8264DF" (1167cca48c541a7c546a51ef7b0efd54.exe)
Suspicious behavior: EnumeratesProcesses 16 IoCs
- PID 968: 1167cca48c541a7c546a51ef7b0efd54.exe (16 occurrences)
Suspicious use of FindShellTrayWindow 6 IoCs
- PID 968: 1167cca48c541a7c546a51ef7b0efd54.exe (3 occurrences)
- PID 3664: ljneadillf.exe (3 occurrences)
Suspicious use of SendNotifyMessage 6 IoCs
- PID 968: 1167cca48c541a7c546a51ef7b0efd54.exe (3 occurrences)
- PID 3664: ljneadillf.exe (3 occurrences)
Suspicious use of WriteProcessMemory 12 IoCs
- PID 968 wrote to memory of 3664 (1167cca48c541a7c546a51ef7b0efd54.exe, procid_target 30), 3 occurrences
- PID 968 wrote to memory of 5076 (1167cca48c541a7c546a51ef7b0efd54.exe, procid_target 29), 3 occurrences
- PID 968 wrote to memory of 2440 (1167cca48c541a7c546a51ef7b0efd54.exe, procid_target 21), 3 occurrences
- PID 968 wrote to memory of 1584 (1167cca48c541a7c546a51ef7b0efd54.exe, procid_target 27), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe"
  PID: 968
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\guydzjuh.exe
    Command line: guydzjuh.exe
    PID: 2440
    - Executes dropped EXE
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1684
  - C:\Windows\SysWOW64\cwnphpvtxlkza.exe
    Command line: cwnphpvtxlkza.exe
    PID: 1584
    - Executes dropped EXE
  - C:\Windows\SysWOW64\zfzksofsueruxtx.exe
    Command line: zfzksofsueruxtx.exe
    PID: 5076
    - Executes dropped EXE
  - C:\Windows\SysWOW64\ljneadillf.exe
    Command line: ljneadillf.exe
    PID: 3664
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\guydzjuh.exe
  Command line: C:\Windows\system32\guydzjuh.exe
  PID: 2684
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 92KB
- MD5: 59ebf1358a9b829f5709baaedeeee6fa
- SHA1: 1409fd65da1b814db0a08feae54366dfca196f1c
- SHA256: d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06
- SHA512: a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417