Analysis

  • max time kernel
    214s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 11:07

General

  • Target

    19955cd73613e751555da60dc245ebfc.exe

  • Size

    512KB

  • MD5

    19955cd73613e751555da60dc245ebfc

  • SHA1

    859f559cd270011e56a350b84427fddb62cf8b6a

  • SHA256

    6903753ff33ae8e45b87c5457558bb573194d1aadd26d1963e99e768f50a42c2

  • SHA512

    c72a909c57dbdce715fc287bce1c694c7760435fb43802bde29ebaee892e39c3a5e470e3f8085de10cba214ce32e37d37bb5ece188103b8be45b625ca8a1557a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\19955cd73613e751555da60dc245ebfc.exe
    "C:\Users\Admin\AppData\Local\Temp\19955cd73613e751555da60dc245ebfc.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\vpylulmfme.exe
      vpylulmfme.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\htjlwtcn.exe
        C:\Windows\system32\htjlwtcn.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1644
    • C:\Windows\SysWOW64\htjlwtcn.exe
      htjlwtcn.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2936
    • C:\Windows\SysWOW64\cnynawuzamwkyub.exe
      cnynawuzamwkyub.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c coqaftoffatxl.exe
        3⤵
          PID:2644
      • C:\Windows\SysWOW64\coqaftoffatxl.exe
        coqaftoffatxl.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:600
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1776
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:680
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x594
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:724
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2976

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

        Filesize

        512KB

        MD5

        2b990aa5b5ef0d165a33b55301dd865b

        SHA1

        d836c18c059deafd0a25fd3999b028ce632b4436

        SHA256

        6d94e2d7898b64eb8539e874e06555236799b3a394bb5d884b10d1d621cfe96e

        SHA512

        ee5539f4e7d3a2488070e978071431c26aee57de266ca5f26a88d42d0d4200faa18996bad010d4b6530b14642285b9469ded51115ac5566abba9d9e46a91141b

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        512KB

        MD5

        f8b054e06e73e8a00758e9eaef84068d

        SHA1

        f12313e060bfeb01a42c70a47eac24857406b344

        SHA256

        59d39b3bccb1c419c92de092c58dc2bdc018681803639d4f81cd951011877717

        SHA512

        15718424b1fd74f7f96d658e3b06c98159dbaacdeca83dfee63c70255e33c4ed49a1544cab6300769caad431cfe792dc9c8aaa37569568ff11c0f72869c40fc5

      • C:\Windows\SysWOW64\cnynawuzamwkyub.exe

        Filesize

        512KB

        MD5

        16435c9a0cb56302d008505e4a217f2e

        SHA1

        c70e0d9c6e4a89aa6a99ca543331455d49b2310f

        SHA256

        13494dfa3cfffc32a6ba7f8d5cd7f63973c5434f94884d06f6636b0d89d16c21

        SHA512

        2d50ecb2b91a200f110dbe72d68aeb2274a5c777bd4fe89d1c4ff7aee56b959de0235f99d5be5e0fe7096fad084d53678d022cbac85cb3ac15abda1d9cb7faf8

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \Windows\SysWOW64\coqaftoffatxl.exe

        Filesize

        512KB

        MD5

        153af562febb1bb90c9b0ad479d84af9

        SHA1

        01215dd6c8654fac4569fe3144f135c7fa317e1a

        SHA256

        c9844c51b42551039013af0d579a3619a46a1f5513f99ee0d1089db67b2e8f36

        SHA512

        5a89252a3d99e5546e56df38d278492abcfbf3a1a350fb99513761fe4188686d7aebe86181d3726d1c876ba6493e7b1cb7e871c4eb5dc5379e0b38821294ab34

      • \Windows\SysWOW64\htjlwtcn.exe

        Filesize

        512KB

        MD5

        7f772dbab15486820b38af260db58820

        SHA1

        f0cce83bb65e2f7de7d7d36e160ed3c16cbfcc1b

        SHA256

        4f216b3cd64492b522e6d00280cb08ad24ab7d0eb808d5b98c3c150dd259af07

        SHA512

        bcee81ffb4b11b99b3bc14910011179a94bc4f43a3aa563c1d0e11c13a90cc1b369fd4ec81f716e740d838a7fbbc49ad193a9b3836e09e813cb9d7504d88eb41

      • \Windows\SysWOW64\vpylulmfme.exe

        Filesize

        512KB

        MD5

        e5e7f8ccb9471440e7c7d87359ba550c

        SHA1

        bbfb2a2c429723c89aeafce6f0a0cae4a5e4565e

        SHA256

        202b4f79df737ddd02625b35b58947091feffe46f37e0a0bd915f773766a47ba

        SHA512

        4c122e1d9a5689e4fdaaed76bbfd1864c4dbef434616a177b3c87bb53f05d12f758ad9a7fe492a0b597a06957e429f1579b66606265bdbaa2e3107e56f0c9e56

      • memory/680-42-0x0000000004270000-0x0000000004271000-memory.dmp

        Filesize

        4KB

      • memory/724-62-0x0000000003F50000-0x0000000003F51000-memory.dmp

        Filesize

        4KB

      • memory/1144-48-0x000000007164D000-0x0000000071658000-memory.dmp

        Filesize

        44KB

      • memory/1144-65-0x000000007164D000-0x0000000071658000-memory.dmp

        Filesize

        44KB

      • memory/1144-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/1144-46-0x000000002F691000-0x000000002F692000-memory.dmp

        Filesize

        4KB

      • memory/2588-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2976-63-0x0000000003A80000-0x0000000003A81000-memory.dmp

        Filesize

        4KB

      • memory/2976-70-0x0000000003A80000-0x0000000003A81000-memory.dmp

        Filesize

        4KB