Overview

overview

10

Static

static

5

10b2c82d39...a9.exe

windows7-x64

10

10b2c82d39...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10b2c82d394f3f0c970c6be5aac992a9.exe

  • Size

    512KB

  • MD5

    10b2c82d394f3f0c970c6be5aac992a9

  • SHA1

    a92a08480ba0ebfd5a2b632e9af9dbf6c7d8bbf7

  • SHA256

    3bff0a4d21fdf581545ff002eaf76b8d12ffb35f1053bb7155989767696f13a1

  • SHA512

    2b006e5265aab765621847ae8ba8d6c4709f97e4f752d4aabd49c39861ed82648591c6d0187a10ba9de44d436afa86fff64748d1f46fb2fb76684f8bf5fa092e

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 12 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10b2c82d394f3f0c970c6be5aac992a9.exe
    "C:\Users\Admin\AppData\Local\Temp\10b2c82d394f3f0c970c6be5aac992a9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1908
      • C:\Windows\SysWOW64\fwxhhzzuzwhhv.exe
        fwxhhzzuzwhhv.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:624
      • C:\Windows\SysWOW64\wpzgvfju.exe
        wpzgvfju.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:788
      • C:\Windows\SysWOW64\wvljavejskvhzxe.exe
        wvljavejskvhzxe.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:536
      • C:\Windows\SysWOW64\kqvactotuz.exe
        kqvactotuz.exe
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1972
    • C:\Windows\SysWOW64\wpzgvfju.exe
      C:\Windows\system32\wpzgvfju.exe
      1⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      ad5e5ea93b9728466eb45b03e5025407

      SHA1

      27c5f986b3865c9125cf61dda18675c2f0c52631

      SHA256

      cf4e269b0132157479bddff85e7e37f6f7bcbb07d015e24e76d1b38354262dc0

      SHA512

      244a039398023577cfaea4609509bd638a343faf21f23737439bf4226a47eea7a1efce44db0fafce760c0d6a5b624bed653ffc04b3e097c47493634594a0951e

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      bcbd32f9b25aae8fd54d15c1cbe30bb6

      SHA1

      8b443a11f45e5a08e9c3f8bc32d4efe1eca4927a

      SHA256

      6b2ced78e84e7da3e9e4a19b8f813a313b0606ecde7dc50efd3f186d442bda44

      SHA512

      558bd29dcc0d7289c2df645d522e127a433b0bb953ebbc9cfd211ca4ea55289cce5d61320964ba72a9a571f5b8432901d9dbbab51867aa14033164c067901b44

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      982185f47294d57a68940bb950fcdbf2

      SHA1

      d4ab5051849684ab715f71be58fbe43767a6022a

      SHA256

      47df9ad530a34104ab5bf0a4f0e655f028931d9e2907c20a702657063e640bda

      SHA512

      e8923dc4071e6a57061f1ffb4143a9b091b8815f0b268823c089a7560bc4c8c5530c96440ef7222fcf646f6ddb91f378051703124b8eae17594b51ed0cda9fec

      Download Submit

    • C:\Users\Admin\Downloads\UnblockMeasure.doc.exe
      Filesize

      512KB

      MD5

      a68023e702d371beb36297266a0cfc74

      SHA1

      29bbf7275bd6dbef792104f9d0f36d7290cbea98

      SHA256

      8a3141d13c0bdb21ff9e4bdf21b66d3729519655ff156f2f8b5c323a441d2a8e

      SHA512

      ebe5154cc4fd5ae74eacc6a87c236592808ab07bf922d726a68b4ac437f4e98de29803c0d1a2aebb17bb2048a58e0054987144c29349cd84d8a7babc6f876bd8

      Download Submit

    • C:\Users\Admin\Downloads\UnblockMeasure.doc.exe
      Filesize

      318KB

      MD5

      0e2ce776adbc6cebab34119956b038c2

      SHA1

      25d7bb73ede804b11153c504411162ad75497b85

      SHA256

      1d43ecf452793896d1ef599d3c4962298f6ef7fb49bd28d208ee6ee1566433cd

      SHA512

      436d5b2c519dc5a45155d25f0a073bf27a2659b38f591066538bfccea504a65a594f0408b55446cd9b1fc894d755b0ea23b30ba0b39cfa1dfcc2fae14c657ef2

      Download Submit

    • C:\Windows\SysWOW64\fwxhhzzuzwhhv.exe
      Filesize

      121KB

      MD5

      f081db4dee51e79ef9e32caccdffceef

      SHA1

      315736b5b1fee3b97fdcbdd18bb30aa44d7ca80c

      SHA256

      eadb004bc85b814fcc736d03f417fc85f2d190591e3b0b53eecbae848211868e

      SHA512

      e52312935f101cc7f22dbd59ff647b03569dcae57f743c0a0b5b5443a062f2f028a36481d5b3da0649ed214682423c2e9907a524b77b67c2d40e764160ab11ff

      Download Submit

    • C:\Windows\SysWOW64\kqvactotuz.exe
      Filesize

      413KB

      MD5

      03045c71c5eec72fc6c16e4a197effeb

      SHA1

      af1e2de4e9251d5cd9a9a60929cfa8a6981fabc0

      SHA256

      f13e3cceac688327161b3b5b9b34e32e5aa73d48a11e02809b8b169cb7e53f6b

      SHA512

      b0a4694209dcb1d7588e7baf61c501c84ec55fec500fb4fe4162fcf6acbc580e650f63c3116e8d894488f30e275d806b6033f5c3e67950cdcf6851c65b1ef4d4

      Download Submit

    • C:\Windows\SysWOW64\wpzgvfju.exe
      Filesize

      92KB

      MD5

      6662b185f19fbf697c56a25c92de7961

      SHA1

      0df0c0df0de3724258df2549c583e3c934aca726

      SHA256

      c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

      SHA512

      c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

      Download Submit

    • C:\Windows\SysWOW64\wvljavejskvhzxe.exe
      Filesize

      512KB

      MD5

      4241b72f7d7f33861f2044ee09f22071

      SHA1

      f57e30859490dc160eeba15fab25f3f20ec85582

      SHA256

      b4829ee64259b7564f45a4ed39ec2f1fa3e15ce8e43cefdb4095b2650a9832e1

      SHA512

      891836bda3e6c35166a750e85f41d0955801d93efb2e7ce50b46ab4bbb8a3bf56cb3783526b6854ef908b45a1d14c10339fc707bccdc301dabee2e791180c930

      Download Submit

    • \Windows\SysWOW64\kqvactotuz.exe
      Filesize

      512KB

      MD5

      1154ab5f77daa4ac6b8be46fec20e77e

      SHA1

      cba063196e21846159e7f9fad4c9950a313e2bcb

      SHA256

      e36ce43987770e67d96e68a7e848e953bf8948d2d7ec978011d9b96ece831c66

      SHA512

      d86f93caf484dcf3066c155c2c99b76bd902051ae9d3c53407ee7fa7101568f0a4bad56ab9b77c5bf1d5e8161243b76333d05bc79d6c005403e0e7d2ddf959e8

      Download Submit

    • \Windows\SysWOW64\wpzgvfju.exe
      Filesize

      230KB

      MD5

      8f48eb759102731cdffa1a87cfc5532f

      SHA1

      d913373c2ef441a40a0c340dd26f88a3ee494739

      SHA256

      98090410c0877e67b2770261d9695040309bd875ab351f55df7b22d9bd3529f3

      SHA512

      f8a4851eaed48f05b81d88d041241365356be4ca0460a687a9a9e72386ae438fe30996d4d255dd4f60a9c491f4bf614dd513881769f0fc2b8862d4a84c142a21

      Download Submit

    • memory/1880-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2660-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2660-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2660-45-0x000000002F051000-0x000000002F052000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2660-80-0x0000000070D4D000-0x0000000070D58000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2660-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download