Analysis
-
max time kernel
142s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 09:55
General
-
Target
157ab05ba574f362fb37dbda4271dccd.exe
-
Size
512KB
-
MD5
157ab05ba574f362fb37dbda4271dccd
-
SHA1
a939556a3b4711d75e6a875f2a1e36f99075b2bd
-
SHA256
2d2bdb61f4c674f4e3fff91954919c0ad9c6d0432cefa36a0d1fa159c68e4fcd
-
SHA512
ed574173d3da042d63aab2bf36f91320795a63164dc34d2d75976193adebd7f0fd890c03744c810ce1f9e7fa9eac8e32adbc60efd6a37a92f0751a2b90c71a90
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 19 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\157ab05ba574f362fb37dbda4271dccd.exe"C:\Users\Admin\AppData\Local\Temp\157ab05ba574f362fb37dbda4271dccd.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bnpnxojqwiopk.exebnpnxojqwiopk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\cqavvzbs.execqavvzbs.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\qahjfgdbbaldykh.exeqahjfgdbbaldykh.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\soxohnfsbq.exesoxohnfsbq.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cqavvzbs.exeC:\Windows\system32\cqavvzbs.exe1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD5d549d7c7c769392137f07e08e5ca157a
SHA1fd22b5992ee668703e26975bc677c330ae2f7955
SHA256b7f42e8a1c81931506fe29eb545f92bb64b26a8726c3e825b37311cd74c9ab7f
SHA5122c4d2efd972c96e8a4845d64f204534070ac644c071f4d2d778f86322bb9b062dd97ca49e39d33c5ec27a8cfa584f950caf99291e6c08e41afa0084bbd411cb8
-
Filesize
55KB
MD50742f007ddf1376b63b3c37b7960cd51
SHA19e19f704a995502a0ec06a2704c4a792c2e1c974
SHA256e171a4c661739f7e56929c5a03f79fb0a01dcd2b416de87fa409001d287b39b7
SHA5121109f544645ecefb82bca3c4c8d73bdb0ca766157eecd32c4d4fcd5f5fe1eb7f58e9fc2c937920288f520e16b5a5d81cd4c9e33e48694775e45591c361f0fcb0
-
Filesize
239B
MD5361ba5cdfe246f4303b0a1638e0daf43
SHA1eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA51281b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54
-
Filesize
3KB
MD5092e8b444c86db2d9f2eedeef5573b85
SHA196e52912cfed1b8879d934d627a309694b0dee02
SHA256676a9322549189e03442260a1566ec1972be8c2829115e2a2aacb4a62fd70d19
SHA5120be39cccc4f53d1ea3fa1e9e2be4db3f3fd3cbbbbcba359ab4bc4321c8cbf41f9e8aea1d24efdb6859e2126b3c065bb85320ebf322c62270514ad9cd4c3e47f1
-
Filesize
3KB
MD5254d7b81dbd67c54fa54d24d42fe2f79
SHA11574e6fa867e3f223b17af119711854f0dcc513f
SHA256ccd3d88ef80d338e08fc4268aadb23b10d829f28a0bcab3630c771b47aba6ea8
SHA5122f31909623fc61f4915ddfe7c150d2a50d2a5b836a389ea392729c17fd9d8ed3ffb696d3651efb4411de0472efe96b45f9bdaf1616590e9d96ccf9e982c29d22
-
Filesize
45KB
MD52a8b3bc74b12f792e50b13fa7aa57316
SHA18c88157add9ddb38013489a782637727cebc97ea
SHA256b7a34bc9e0757647a613854f15ef8ec8aa7c1c1b4517cf148c200f98dd0383ce
SHA512425af8d24bdcd0eae95d9130f4e31540784e7682196d4ceae926914ed29968049cba9cbede29abe2370b471307f2de95c33d2acec2bb1058816c53bc9367f777
-
Filesize
64KB
MD5d76d22b81130bc9206c7c947d7a9ea5e
SHA15956e88a6ec7949ce5a350e21703307d855f34b1
SHA256b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870
SHA512112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1
-
Filesize
74KB
MD58a3a575873da23be457ac304e049ef98
SHA1067029b4d6691081fca6fd853a30d82886c96e1c
SHA25698e27d8bb37f40c185a3a7a67bfd72358b04914b494c5aa629c730dd3f939414
SHA5120e735dbe07df67770f3ec721983ab42e0ddad4866f0f5fb0ce1bb8990c6a93e971df9ef58645c9f8cd07018d9fee16887910f9ac26ecc132dbbce473215280ee
-
Filesize
92KB
MD5f009a3219c413113a4fd23bb6a7641c6
SHA1687306a48820bf86b2df51fd2cdcfd351b54abe1
SHA2567cbf5afa247b827d9b81f7cd59d4ec13b607719b96821051441a3d6d095ed061
SHA5128bcb29da503b1d7c4ee3864682d9f168ee77075c01c1751d5993ef862b3813f321781dd9611a8c01046305aaf29368623fc3f21955cb3facfe8f14510edb9b71
-
Filesize
91KB
MD583375e238a4f77dc0a4377b174028c65
SHA1e19be6c38be7dfca2dba0512fe0958af632edd1a
SHA2562bfacccf0db861774687871a587412cd5e0716a399dfe31d8dad5e2b61f7900f
SHA512c8109ea19b8a194819f607f0144fb45977d47f9d4ae4028986f167d65b348ccfbea44eaa8e66a9abcab1d1fc7ff036a5bae5fcd36ecae9b3d1dac0c286414609
-
Filesize
103KB
MD52f56a0cf40e06cdb4bb91a847710f5e0
SHA1a901b343bece49e5c33974811ae10b48c81ca531
SHA25645ae82251b0c75c80a935a98a4770c9a469ea5b5930288df2fa4112e67d53a35
SHA512cf99ea7267a60922c2197380ab198a49ff09effb5af13ecc5900e077a5714447bc202921fff7725ae5707e7b2189c84c1b6833352c42b2c997ffe60458417ed0
-
Filesize
62KB
MD5c0d2b514329c8cff3a77ac524c28533b
SHA1cd0ebd481473c65dad150a92c7d89fabdcf09751
SHA2566f23e02827c6d17bc7f85f5c831a7ab0e9a9327473af591fea3da203d1980d47
SHA512ea55719b0014fe52585310a889bb087c64da2ba68e778177885df6dce5d767caba7ef7f024b9eb6648811b346799467b374a66d093d4ebd4796d73b87885320c
-
Filesize
76KB
MD5781a56bbe3a1055408b08addcfa66d60
SHA11daff34b98e3a9332a782d550202fb31f2ab4647
SHA2565b99962b47259fdfb4d9d17563814f9cdd1b83c1d556e34b9c89c6fcb3295e34
SHA512e81ea1998b9cecb163823cac745761c75225389c05a3679e28d8a568dfb436a96d9a944979f0bbc11e6a313fe1515cf45a24bae574504fb2a5f2a99af5a1a257
-
Filesize
149KB
MD55a1366d811460096a3c3f9960094826e
SHA173404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a
SHA2564e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92
SHA51295d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1
-
Filesize
134KB
MD5ae2b5950d808513b612c07a2ae347746
SHA1e80bc2b43e08de2500139341a1b08f68583d2c3a
SHA2569227af69e3873500d892ef5b6eb8f157243e2afe36f173a8e6495b5d0df43c8b
SHA51209ec689226bbc817d911dc317e72655cf053f785c1746fec4daf60deca5b15ec23508c1c18817e9c0e19eb64de9ac062b6a556a16e9a472badeb679c4f781675
-
Filesize
134KB
MD5b770725057d15d48b271966fc539a50a
SHA10c98ce6518ced8f4785ac9ab22c913428997e962
SHA2563893a7fe80ad61700ff3bd14dceae2ddd58240bcc85f7a0f9210c574f82fe940
SHA51270da14b1f47ab59f850eea8ba223a41f9f76157ea9ad78b250547a9ae3d778fbe64546b341abc62057240685fa59a5368247ed727f28aeecd1f64ac8ebe8eed4
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
73KB
MD52b439d90f97610dae2e2e658c7e199bc
SHA12bef490c2fd9dcf4fc0958f8060c429f8f0f90d1
SHA256deae83dc5f5682a8ae038b8f91c3b5f18584be7c509e2a541b836463cd405249
SHA51296a8e709da1fa248567d5d84bbda9f89b47b12f46c18f87eec407bdd6984798a722f2ac85ea258f80c94de89b4b74c2309b0d1c443d3003a433a31aa39481d26
-
Filesize
71KB
MD50783b790e1d4d9c2b9a16103b9f2faa7
SHA1a2e8ae2fd283c4cac37d5761ba129241212b427c
SHA256b3e1d3e404065f24cad9ae1d950984f2648f1d9bdc0113cc32ef03cb26133a34
SHA51209d97084708a6ab304ea0ee55b24304f18d27bc8da13b48bfd5dc2b577191e86874edbd56bb5410f5522164a95776134550bf001f26354e314b0a2d5c2fc2a72
-
Filesize
30KB
MD5dd5a517511dff3b0e5fb721ab38da376
SHA1323c350beab884edef35d3b15392e34317f56b43
SHA2564a0996065ce2754ebd5b9fc19f50d09b23c3e53fd61da055520a805d3b01eae6
SHA512538d116164ef7372970f578e12faeaca7081687492e846ad2bee5575d2892ad07f993c21b871c4e43bdab5adf26e6468fa6829d1db28432978286c85bcf0bd2f
-
Filesize
42KB
MD535385d020ba01cac0bbe78a4e9ce3e56
SHA1cd1a1a9c3a86953b58c30a457c3b010363a73a78
SHA256a121d3877545b2878bc78c244fa04607ca8a5583a6ae64a04b9110788c79397d
SHA51212293bab191b491d8cf9f105c3a55b779f8f588540de8c013c36c88ab480c935cfcf6816efd57ce48360d56e91a82e453ebb76b4432b3e6fb58c8ed6cf465c90
-
Filesize
600KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB