40a434f89c653ffee0f23c3ad025dee7eed96b19b963bc56e3f4cb45e3fac426

General

Target

1167cca48c541a7c546a51ef7b0efd54.exe
Size

512KB
MD5

1167cca48c541a7c546a51ef7b0efd54
SHA1

e4bd7e7168c108a2308c6cc400b0b7aa30622677
SHA256

40a434f89c653ffee0f23c3ad025dee7eed96b19b963bc56e3f4cb45e3fac426
SHA512

17b87a22708abfcaf2767e31f465c0727e5d1dee9949e7c18c7c98db07e9ea0041f7be8ee4d35c2168541c7942b49a19ef41edd4a71e51e167c2b30a9a11291d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3664	ljneadillf.exe
5076	zfzksofsueruxtx.exe
2440	guydzjuh.exe
1584	cwnphpvtxlkza.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/968-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000c000000023160-19.dat	autoit_exe
behavioral2/files/0x000c000000023160-18.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ljneadillf.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File opened for modification	C:\Windows\SysWOW64\ljneadillf.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File created	C:\Windows\SysWOW64\zfzksofsueruxtx.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File opened for modification	C:\Windows\SysWOW64\zfzksofsueruxtx.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File created	C:\Windows\SysWOW64\guydzjuh.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File opened for modification	C:\Windows\SysWOW64\guydzjuh.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File created	C:\Windows\SysWOW64\cwnphpvtxlkza.exe	1167cca48c541a7c546a51ef7b0efd54.exe
File opened for modification	C:\Windows\SysWOW64\cwnphpvtxlkza.exe	1167cca48c541a7c546a51ef7b0efd54.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	1167cca48c541a7c546a51ef7b0efd54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAC9FE67F19284083B37869D3E92B38A02F14211023CE2BD459D09A2"	1167cca48c541a7c546a51ef7b0efd54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02F44E7399F52C4BAA733E9D7CE"	1167cca48c541a7c546a51ef7b0efd54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCFB482E826A9130D65C7E93BC90E643594B67356234D7EC"	1167cca48c541a7c546a51ef7b0efd54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC3FF6E22DBD173D0D48A7A9162"	1167cca48c541a7c546a51ef7b0efd54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70814E1DAC0B8C17CE3ED9734BC"	1167cca48c541a7c546a51ef7b0efd54.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	1167cca48c541a7c546a51ef7b0efd54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C0D9C2783236A4676D4702F2CAB7D8264DF"	1167cca48c541a7c546a51ef7b0efd54.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
3664	ljneadillf.exe
3664	ljneadillf.exe
3664	ljneadillf.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
968	1167cca48c541a7c546a51ef7b0efd54.exe
3664	ljneadillf.exe
3664	ljneadillf.exe
3664	ljneadillf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 3664	968	1167cca48c541a7c546a51ef7b0efd54.exe	30
PID 968 wrote to memory of 3664	968	1167cca48c541a7c546a51ef7b0efd54.exe	30
PID 968 wrote to memory of 3664	968	1167cca48c541a7c546a51ef7b0efd54.exe	30
PID 968 wrote to memory of 5076	968	1167cca48c541a7c546a51ef7b0efd54.exe	29
PID 968 wrote to memory of 5076	968	1167cca48c541a7c546a51ef7b0efd54.exe	29
PID 968 wrote to memory of 5076	968	1167cca48c541a7c546a51ef7b0efd54.exe	29
PID 968 wrote to memory of 2440	968	1167cca48c541a7c546a51ef7b0efd54.exe	21
PID 968 wrote to memory of 2440	968	1167cca48c541a7c546a51ef7b0efd54.exe	21
PID 968 wrote to memory of 2440	968	1167cca48c541a7c546a51ef7b0efd54.exe	21
PID 968 wrote to memory of 1584	968	1167cca48c541a7c546a51ef7b0efd54.exe	27
PID 968 wrote to memory of 1584	968	1167cca48c541a7c546a51ef7b0efd54.exe	27
PID 968 wrote to memory of 1584	968	1167cca48c541a7c546a51ef7b0efd54.exe	27

C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe
"C:\Users\Admin\AppData\Local\Temp\1167cca48c541a7c546a51ef7b0efd54.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\guydzjuh.exe
  guydzjuh.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cwnphpvtxlkza.exe
  cwnphpvtxlkza.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\SysWOW64\zfzksofsueruxtx.exe
  zfzksofsueruxtx.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\SysWOW64\ljneadillf.exe
  ljneadillf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3664

C:\Windows\SysWOW64\guydzjuh.exe
C:\Windows\system32\guydzjuh.exe
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ljneadillf.exe

Filesize
92KB

MD5
59ebf1358a9b829f5709baaedeeee6fa

SHA1
1409fd65da1b814db0a08feae54366dfca196f1c

SHA256
d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

SHA512
a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

Download Submit
memory/968-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1684-52-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-39-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-51-0x00007FFBD48F0000-0x00007FFBD4900000-memory.dmp

Filesize
64KB

Download
memory/1684-45-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-50-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-53-0x00007FFBD48F0000-0x00007FFBD4900000-memory.dmp

Filesize
64KB

Download
memory/1684-49-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-48-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-46-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-44-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-43-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-47-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-38-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-37-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-35-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-42-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-36-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-117-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-118-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-144-0x00007FFC16A30000-0x00007FFC16C25000-memory.dmp

Filesize
2.0MB

Download
memory/1684-143-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-142-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-141-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download
memory/1684-140-0x00007FFBD6AB0000-0x00007FFBD6AC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing