Overview

overview

10

Static

static

5

1ad801b4d7...04.exe

windows7-x64

10

1ad801b4d7...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    239s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ad801b4d7b2a6859ff4280df6c87804.exe

  • Size

    512KB

  • MD5

    1ad801b4d7b2a6859ff4280df6c87804

  • SHA1

    5e0f2497d3b67dbb692adaade0a0e551d88d2c23

  • SHA256

    799657ac1abcb7aeaf780cafbf07aef9d78faf415033941a5df2da27254c77bc

  • SHA512

    b52cc01dd6ac437f592d1c467329a3c7494261ef01b8fb2e23a25b1ee48e7bf70acd6375cfa7a3468656123f9df4fee56bee6008bb860639e7eddae49903bd77

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ad801b4d7b2a6859ff4280df6c87804.exe
    "C:\Users\Admin\AppData\Local\Temp\1ad801b4d7b2a6859ff4280df6c87804.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\SysWOW64\rlxbyguymt.exe
      rlxbyguymt.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\yqewwdyp.exe
        C:\Windows\system32\yqewwdyp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2508
    • C:\Windows\SysWOW64\yqewwdyp.exe
      yqewwdyp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1936
    • C:\Windows\SysWOW64\exhcbrawhgookqk.exe
      exhcbrawhgookqk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1648
    • C:\Windows\SysWOW64\smioeoufdsbvz.exe
      smioeoufdsbvz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2536
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2112

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      512KB

      MD5

      a59b3dcfd1d42acf540b2cc5776c6498

      SHA1

      bb66a3bccf4709ad21ec05bc6ca964da56021e2e

      SHA256

      56c3841f38987c371c271ef2b7fc38ed8a05500b22036d1ef1d03723b1a49b5d

      SHA512

      3a490b1b74c981f2379606e1565aa7937cd903c7751c53a1dbb42b0b270d3c1406d46b091fc1efcc991d661be959c3bdac8f489bf3c26cf789e50c24dcac4372

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      5ef4f3d2a856c607f06d7ff8398d1c2d

      SHA1

      558c87f9e45594c39244033efb5a33ef0a5eddbc

      SHA256

      dc49fd22ec8f2045d0fee39f74f8c516393727b2216d35732e5a1c1fcc1dcc34

      SHA512

      e30d994aa8751d5a060b7ed977b60af3595496e99998dedd5fdc3b30927b858979161d03ac56a1b07fca80a20fb09bae4275832f90696f30d6bfdf65c4386ebe

      Download Submit

    • C:\Windows\SysWOW64\exhcbrawhgookqk.exe
      Filesize

      481KB

      MD5

      b37cab498a02dd865ba6c37d5479446e

      SHA1

      f07604d60f88049c09f2bb131607cec03fffaf20

      SHA256

      25edbc87d35f56a1f08dd60312aac7990c99a99f5b88c4134eb6b690d57a029a

      SHA512

      198a0c379d3332a4db6e85c40fd0a6c91f2351a8c153da447cd1007fbc702d95d4a32c5912e65d60ab40c438211cc78a7e4636a5ff92a2afadff059ba0f10882

      Download Submit

    • C:\Windows\SysWOW64\exhcbrawhgookqk.exe
      Filesize

      328KB

      MD5

      65a7d1696958ebd0704a9ff27c8526f4

      SHA1

      7dc930d77a22e002c34be2aba7bc53a8ea0dcacc

      SHA256

      8c5e500962632f04273d3220845205971043fe4508bbd51a4349044a1168e8de

      SHA512

      7a829dcb81feff163fe9759110e97615471727e4296da4e4437e4dbadc3aab372341b0370e12f59a13d5f51166a857d0573111d4c6566c14b6bd565bfa1047a6

      Download Submit

    • C:\Windows\SysWOW64\exhcbrawhgookqk.exe
      Filesize

      512KB

      MD5

      9ed892ed4550d9b3bf8e91da8e9a4a62

      SHA1

      ac482517662e3b6bb25559c8da4b4a42d3b3370e

      SHA256

      09314afdbff2e7572db9e9e058b452725ca1c1a8f05af3e9155b19e0766a9151

      SHA512

      5c6e3400870e6706c7f5c6ed204e03314badc0e3f74d2a0f2e5d54eae43e77b3b3002d9f80fbefac1cee27d052a025feb7496bff77c7222b239a53737238afda

      Download Submit

    • C:\Windows\SysWOW64\rlxbyguymt.exe
      Filesize

      512KB

      MD5

      ee38d05de676993ca52b5416a4512fdd

      SHA1

      9917c50f0c322a0ece675ab688eec72c82134ee3

      SHA256

      01cb146f2433483204ef97afca2e2ae1a99a1fe268d4c839b8b28d4156b71d06

      SHA512

      01666dc75419b69248925d1e0e043e5d3b445eb4142101e46db7a4999d5fca22596c7edfca644fed6b2be0059004fea861d42070c3477fc915a9fd8aa53c93ae

      Download Submit

    • C:\Windows\SysWOW64\rlxbyguymt.exe
      Filesize

      339KB

      MD5

      59fa91bdcbbe06b2b1039357095c3cd2

      SHA1

      e1ee0a03c7c76d7bef2a9998dbab3a2d9ff2365d

      SHA256

      2ba2d1bd7e6ccc89ee060f2e044086db98846e92ca54902fac14555cb1300671

      SHA512

      19b0dc08270edb7b454b8f65ea19ebfad32278b5a7319b689a58d2a974651dea566e367de6519e1f7b5739ad7f1b69b9e4be7f07e1c3e150a59c22237eca6fac

      Download Submit

    • C:\Windows\SysWOW64\smioeoufdsbvz.exe
      Filesize

      361KB

      MD5

      1e958abd1c71c147241f7485338f24a1

      SHA1

      b88cc67fb408ebc6dbf3ddbc4d24531f25276d2e

      SHA256

      abeb3cf34d9be8cd61baff0fd91b3ce3564d3ba03272fcb557ac5f2735dcb03a

      SHA512

      54abeaf9ac4fa277c03aa25c86942a8da62670ec67a0979ca1705966dfa90842bc5d8534d561d86fecf7dd2fb2ad88ca7707074fa656206b7966c4e8de40054f

      Download Submit

    • C:\Windows\SysWOW64\smioeoufdsbvz.exe
      Filesize

      253KB

      MD5

      017160b03af0b81cdc30677bde89f50a

      SHA1

      7b4b6c73f663aab4d19c041abb0762b20ce8c4a2

      SHA256

      c08e79a279afd533f4e6a4a5fc316b2e839510cca20bfe418cf34a0e2c7dde53

      SHA512

      17d29a03d4ae550650d997272b261af0dc08541c9cd3d04ec8af03d201dcd9b6e50cae43d8408a9ca1eaa4a45b1f51ce8c61d3e38fcda85ed815a5e3e0a4673e

      Download Submit

    • C:\Windows\SysWOW64\yqewwdyp.exe
      Filesize

      337KB

      MD5

      4a056abae8c43b0c9a031d5297c27245

      SHA1

      7900c0e92208e37db2bd9178d9f43ffd74d5bd7a

      SHA256

      c16005d22682e1b86ec740a19df15609263fc8e06703c1feb2dde5e59c9ffc79

      SHA512

      a8dfaceb0540bfbf34c0b27c723639947e396bae0158d1607871b2a376a2df57daa0455f306d29ffdded5c44448a2717f76ce81620946b264de1360333800a15

      Download Submit

    • C:\Windows\SysWOW64\yqewwdyp.exe
      Filesize

      256KB

      MD5

      fb98549a70a153849f270956682db592

      SHA1

      cd886327ce56d0f3ffa2e1b9407c85c38c570704

      SHA256

      0db13b4ab00c434bdb397f90c83264ce31161272e0d842cb6feeb22b457e0d81

      SHA512

      a74b5ee4a18e782ec2b509720ececd6c9e50e769fe739f418ccf25c82b9ce4ec4e6f032fce57ed98786e284e41f64f401c4b54fad1d5d758392c20ce1d0d51f5

      Download Submit

    • C:\Windows\SysWOW64\yqewwdyp.exe
      Filesize

      357KB

      MD5

      593de7cb68db1efc52ca74ff9dc0ae12

      SHA1

      7b6bd2c66eefe8facfcb92311ff9fd4a84833b7f

      SHA256

      6c844d79f49916421ab2ae948fd17a5b6744d03a1598fe595bf1746f12dc7a10

      SHA512

      ced07edaeca9a4a0ac3ffdcfd89ec7a22918d5ab4bee4f750f3ad27e93dbd6f1364418ed6e37ca4ce9a35efa191b98176126113d98d81fb7eaefced44fdc5985

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      ea6998ec077327f303207b72bf7ae92d

      SHA1

      39ff3d5cfdef0034c394e009ea0e500949debf86

      SHA256

      f7b8f29193ec2a1d5581f1072c2fe94fa224fa848a33b6356433d706fed3332e

      SHA512

      c65b489a5d038a57bf18b34d5c4df70acceb93cb8e313c699630a1d302d63914c9268b0cfb6dd6806a4843da897661c6eaf083aeeef4aa5f5c60902d3fe00594

      Download Submit

    • \Windows\SysWOW64\rlxbyguymt.exe
      Filesize

      25KB

      MD5

      653386ff863cf8117a3a0b96a162bff2

      SHA1

      6fba087e2e0996370a2de9b8c0b189a4969937ec

      SHA256

      3c27576824f0b8c367c62b79d36595e644dbf1a8dcd41866d41df4ce07e84c1e

      SHA512

      3ad69964cac87ba22a45c9f55fb464d4777c6689484a1313037e5b7238af380909dc92a3b1ea605144f092c96d3019fade6453749b26d46d062f346e3a9bc28f

      Download Submit

    • \Windows\SysWOW64\smioeoufdsbvz.exe
      Filesize

      268KB

      MD5

      f1116fcad746690a1cfc6b392f1d35c2

      SHA1

      460034186f55ba959286a8419c12e0bab2f3e91c

      SHA256

      70a3e932c20ceed6d83f81f3f2a675edfcab9a003ab02fe0f84cded831464903

      SHA512

      0935969add789d18abf7cfd50677d4b7e270f7ef627c7417786c8ff19c7b9d3eb841aeb86500bbc3f47b18fa3f0d92cb0d7c2e9bcc28b2a76584d83f4a0f2d31

      Download Submit

    • \Windows\SysWOW64\yqewwdyp.exe
      Filesize

      512KB

      MD5

      15b62427bc31f09fe893afd0198249c3

      SHA1

      de08ab0400c3192e5dcab12230cb25937d33407a

      SHA256

      8b2e260504510a022b7c2de00a4386d659a510118633d5bc452912a8e1c6f1c1

      SHA512

      1f9eb5c2a940967aae86068dbe3912adc66918ae5c591943a56c90377d89a0fb84e172b04a65c0be57146150144a569ee07c9ac138bddc15554b479f269fe363

      Download Submit

    • \Windows\SysWOW64\yqewwdyp.exe
      Filesize

      255KB

      MD5

      20ef7338f59802452313b1391173479e

      SHA1

      e0b32e38834c97aa74b829d2cea50e8ea364963b

      SHA256

      314fbb48a29cf90358c6b85f15d9d90ccad2956750da165ae22dfba8c58f1d9f

      SHA512

      29bbc76e4d9066b95da765d90edf3563a7de0cfa03db8dfc9c85e503bf8b1d14a69e9b95b9ba70b61e51cbc7f4c366b16c928bd4537f1b136f11d3deee8814a9

      Download Submit

    • memory/1480-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-62-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1480-47-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1480-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1480-88-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1480-45-0x000000002F381000-0x000000002F382000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2768-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download