Overview

overview

10

Static

static

5

1df76fffd8...7b.exe

windows7-x64

10

1df76fffd8...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1df76fffd85fdcb914424f68c21ec57b.exe

  • Size

    512KB

  • MD5

    1df76fffd85fdcb914424f68c21ec57b

  • SHA1

    87553925233cf61720a67788d904fb1767d5b9e9

  • SHA256

    cd40e055e2f92afa14102e1a13ef3b8be2f96e84786f914c3ce8e8a8322139ec

  • SHA512

    d707f53247cd99bf5547e96592f8e3bf2e20fef913beb27f15dd4e4b98acff6c09bde74f8b846f1dfcf7d1b9b92cd0f79aa27314881c1416f5f75c58e251d487

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 21 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1df76fffd85fdcb914424f68c21ec57b.exe
    "C:\Users\Admin\AppData\Local\Temp\1df76fffd85fdcb914424f68c21ec57b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\fgscsplmqn.exe
      fgscsplmqn.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\oivvzeez.exe
        C:\Windows\system32\oivvzeez.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2696
    • C:\Windows\SysWOW64\femxpmzfsnvcvkr.exe
      femxpmzfsnvcvkr.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2732
    • C:\Windows\SysWOW64\elfchzwfyvxrj.exe
      elfchzwfyvxrj.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2968
    • C:\Windows\SysWOW64\oivvzeez.exe
      oivvzeez.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2648
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2936

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      352KB

      MD5

      2b6f3e2b69c7fa9ebbebf31846bf2ff0

      SHA1

      63a987196733314abd2330ad81e0bbf145ec77b5

      SHA256

      9d861bff24fb7dec1586d7c555bcfbe2b6b68e596a284ee57b86bc514e1116a4

      SHA512

      7cfe3db660813fa499f2b21bdd5dbfe6afa52e9e198858a790cc77131789a1fe69130447424abae90bcdffea8893957605430498ef233d6df8a378b5a87d77ca

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      257KB

      MD5

      b0d01235bc73a093602eff00195098d3

      SHA1

      ed1ed6463006ca96ce6a696776d535f24f1a4537

      SHA256

      1ab4ec56df02bf23e6106deba26c0782a6cd214f776d5d265733c5669159cbbc

      SHA512

      70ec3346aafc8ce6bc3063776752387a5d8453f4252c73a231cbeb6b37a6c85939ce6c11a2625717d2dbddfbccaa0904e3791254ce5d34b42effa57f10841f6a

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      383KB

      MD5

      2d6a77962cbbc48396ea104fceffa68f

      SHA1

      a82955732798a857dcacece48087331e1a23e4fd

      SHA256

      93463db2063dabcf4419edbb7fb2bd55688ed4b7a3442e06d971a2b471672243

      SHA512

      3454c787f237ae5291a3a0735225e6d2dc703d87f4ea317e0ce43d9e7ab9be120ac50ad5c2d7b2c41a723cf7357d09e777ab183ea2e08855bb4cc6527235c960

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MergeLock.doc.exe
      Filesize

      512KB

      MD5

      55a0e51cb8598c0430fc283e17e818fb

      SHA1

      5a3a062fcce8cf3bafc56308e9f9f287adf050e8

      SHA256

      31758649ffa0d9fe7a4b214cc29680dbe51ae33f96fcad00b6048944c65f8066

      SHA512

      65fcc2219ab029251778560e4d051849d075a0988b8f95fa198d055aeeccdda69d44cdc7c91e9a4d7dafb299af9e2a1430922c89531fc0ed6e6bb01fb06c9ecf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      bba4d84b452b8f9838269bb171e292e0

      SHA1

      648d429d66c8d4d4c1ce47e831f882946f6ff03f

      SHA256

      f7926f1fc54f83c1041aa6cf0f24dfc140040e14284d5767967d873f4c82554d

      SHA512

      fe1dcc151b7bea85e5cf02e9ed174ebac079f47a4cb7727873e139be6839fe85e8560c73ee7c819f55b3c8f224f843e189a7e30f8b80fe7ff85a8237feee4272

      Download Submit

    • C:\Users\Admin\Documents\FormatSet.doc.exe
      Filesize

      512KB

      MD5

      7fe5e693953b63c4bd8987bdd21c22bf

      SHA1

      1d76fbeab3498bc5935362856b7058b5a31787b2

      SHA256

      f59c7c7909baa76929b242aee0088e03a038da6ceae8c650f7317c38552557af

      SHA512

      d0e2a14b6fda23178b1c0b62386701a5bad9bd35373474d671ab1dec354e1760753d4d6059ff6d6927c1782677c0316b2d126a9a8cd9878d133cd7a412bce0b7

      Download Submit

    • C:\Windows\SysWOW64\elfchzwfyvxrj.exe
      Filesize

      126KB

      MD5

      35b31added9b50ee8dac8edbb88f3200

      SHA1

      3a360a9b4d6843fb4a1cec8a73a8540b3f0d1555

      SHA256

      6df18dfb1f1cb6a0af3e7e54058435e86ffc41ce6041ff0761932c469f380279

      SHA512

      dde2ffb0f20fe82b81548fb22aff06c16f2b99e3120da10835a6d34f45f8f0d06222517ec8a2b9d40668dccbb4a26f75b7f70649965744c0f5410997b5c44dc5

      Download Submit

    • C:\Windows\SysWOW64\elfchzwfyvxrj.exe
      Filesize

      124KB

      MD5

      657539f5624fb4a225986907b2de9a03

      SHA1

      b2c34697aaeb9075060015d66de8e893605ddce3

      SHA256

      3c6211a8c0cfba039d4fde3df09d3cdf86cc76d2ffb56434cb928159aa67f24e

      SHA512

      6087a5bcdfbc54cbaf3745d02289f76f5b18df1746981d341a284ce4948fe297618ed165349189241b142f78cae14c7cbe003bac05cc2736239d3ee68b1ff6fe

      Download Submit

    • C:\Windows\SysWOW64\femxpmzfsnvcvkr.exe
      Filesize

      223KB

      MD5

      8fc354eb0a4e72f42bc89e2588c7ea65

      SHA1

      b0670e696c723ff8aced95f22408f137847264ca

      SHA256

      700b79437aa46f2396bb07929bb5c79867307bd76311a2b949313bfaeb5c5522

      SHA512

      5e3e567bdf43ee167386e40eb432e16cc78ee0efd73454b0343ce1dcf3262c6065e5c9a5b46c28972bccfa675d8ca02e5a5775cb4137389bb3d1e8c0e8984e1f

      Download Submit

    • C:\Windows\SysWOW64\femxpmzfsnvcvkr.exe
      Filesize

      138KB

      MD5

      324240ba0a7f497ef3889c7ea350568d

      SHA1

      74b3b1f8e22c3279bae72dc6ed790263a59c11e6

      SHA256

      60038c5a0cbeeae6b2b4dd9c38f29c1a1ce8773795bda91d39fe298f18960af5

      SHA512

      e50b5487e05e43f39a211a3be2b3fde73fcbd5cb634dd6d2e4522a622a069c85b0636592b664fd534bcbad4e1b2a5c713ef95d1c8e3f98f7008e8fe52ee70924

      Download Submit

    • C:\Windows\SysWOW64\fgscsplmqn.exe
      Filesize

      310KB

      MD5

      e36c8218b483250c45965d5e32656bf9

      SHA1

      b656db25adc701a8ebf38576e4391cf4abc6d502

      SHA256

      7eed2b8e6344e276765a5841787f45fa8dc5d05596f1c2730f72359ba174284b

      SHA512

      f3768d3377ab05f9e9f8c953ddb9e7f6f70ff17529395cad834e4a0ddcd0967a0ff545701b09b8c818133529c7f2d5d83fcee59fe6b7972fdffca348938a7ea6

      Download Submit

    • C:\Windows\SysWOW64\fgscsplmqn.exe
      Filesize

      63KB

      MD5

      80a2853427f1b4177d31b87a9b80323c

      SHA1

      f0fe55b0a8d8a67de5da4f7e94ea8b1c96324892

      SHA256

      3fe9410d5c07963487d28bd0f2f10a8a4f835748b95bc8805a420bcc60671898

      SHA512

      32197864c3d97118b6576b092e9df0623b4d7be8b56cc5db9d2d69626db5e2567fe994b5e34bd3da8987e8cee53a2a1dd5fdcb9a830df323e8da1127a32d6395

      Download Submit

    • C:\Windows\SysWOW64\oivvzeez.exe
      Filesize

      91KB

      MD5

      d92040455a1eb24d358dfe856dd9e6c6

      SHA1

      29f39c54c2edc3f5282eebb01243f12caab19aee

      SHA256

      5430a89c0fd7eee41b1ab06eda5853d608cdc6892dc107d42a6ebd6a2634ed19

      SHA512

      7d6ffe69b8549e7f036af7796d4d12f4e1ee4479821bb383cf4e28ae3fd12ec20deda26774107368e3da5e6337a841cf6657a8e52193f7cf64fcbd16ba9db143

      Download Submit

    • C:\Windows\SysWOW64\oivvzeez.exe
      Filesize

      62KB

      MD5

      c276525ed52873b280090c7abc7d1e6a

      SHA1

      e98bbb358b24bfe52a6f0dee840d0e5fd5d7c97e

      SHA256

      295036ef0c46cae4c1a0217dd648b9a4e594ad2c7c2f708f891301b9faf7c11e

      SHA512

      7c3f5d2cc039d8ba6e321b4db4f8faf6d3fd8c1985c0697ea1dfa3d952709b245fd1b1e016106f836b40e4614b10751a3b8cf8a9e9b346a59f762344daf09059

      Download Submit

    • C:\Windows\SysWOW64\oivvzeez.exe
      Filesize

      52KB

      MD5

      1f53731c1b44fabd21cbce723e050b38

      SHA1

      08c9422cdf687ece7fa01e4b12de8db4ee113708

      SHA256

      5f66fa3de0809854101bfce515f8016e2da9461b69729e4dce0e3a035d9c0940

      SHA512

      85f1becfdf13b815faf29559c64932490e4d417b1e9ed5662430d5dfd9df38fd5c74f3d53a29f84affdb945fe1a0e77fec589ec4188ebf6272ed90b6fc0ace94

      Download Submit

    • C:\Windows\SysWOW64\oivvzeez.exe
      Filesize

      512KB

      MD5

      a3e2ce2c27b93947c65aa341c3104d0a

      SHA1

      57a66a3d73e842e6e5be38ef4936e8b7aff83ed6

      SHA256

      ba329826f07a8b464be6065841edbde257871caf58a66ec62ad68f1d4c5e2065

      SHA512

      124f6a765e61ed127307836dabd19027f7283704e74f74ed53202132b38c682e6f789c5f21cca3e9dd735ffa0c8169a09e8a66d4d322b37a02e6cedc4b5532b6

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\elfchzwfyvxrj.exe
      Filesize

      88KB

      MD5

      cdd385a346b83a0e9d6342950521995b

      SHA1

      ebc6d27c127c8165926e55db37bc9f7693d66994

      SHA256

      a7e5ca20bf881e06886f1ae50c17e587af661f244f8463dfdd55e5a2f552c0d7

      SHA512

      0fe77107765d4992157d850cfb5a4571bbd203efb9d37ce55c057b80bc567f68203eb08fe1de0d54b46c10eb59c66c95b5c759bdf027518c1ef6a5872c8b1170

      Download Submit

    • \Windows\SysWOW64\femxpmzfsnvcvkr.exe
      Filesize

      208KB

      MD5

      f32d60442b0fe0372df847f2a1ad5f38

      SHA1

      4f70898332ab62f1f5bb4a50d855247d8e8722bf

      SHA256

      e1b2dbb6c010996003191ff5fa1430f86d3733961656d98cb79174901d7a9f69

      SHA512

      5bd0c19db7d6770ebb8f555866fde14e4f8041d805236fbbe2acc1a798f1f9eeed78366c1d16131715527574cb8aea3dac67e25c331cb87adf7a570b3c46bd7e

      Download Submit

    • \Windows\SysWOW64\fgscsplmqn.exe
      Filesize

      388KB

      MD5

      21ac2f4862e8fec7c7499cca9240bf00

      SHA1

      1dc387dc173eb9134337afad3c389588bea829cf

      SHA256

      c0bd54fd32a22c08bf24d4fed2fb42a01aed30cd19f54f7887f7b5a2c8a2b41d

      SHA512

      a2506278dc98c6920fc7085825dbd625f1a92de61cd55f77f699ef291ac3155b2c848d82df093ca2447f9a569f96c81bb16acae61a25c41996fbe7b66324f1c7

      Download Submit

    • \Windows\SysWOW64\oivvzeez.exe
      Filesize

      120KB

      MD5

      f7594e8d0cebcb7a405a32ce50662bbd

      SHA1

      ae6fbf867a690033d991974c46413f0aa9376a0b

      SHA256

      c86140b76b30a07f3e5096e2b33224f11324e7a26e3c84a9a30db8d219abb969

      SHA512

      1e9198ad325bf1d76f23b467ed86c32989cc85fe8aa5cccc0fcefc6fb507432c08acbd9760cffe7037b066dd5ec626278fcd6c7eceffe917e685f934915629d1

      Download Submit

    • \Windows\SysWOW64\oivvzeez.exe
      Filesize

      80KB

      MD5

      37a0a2dacf7281e62ef667a6ac02989e

      SHA1

      2249a6a9ec28e604ed4f93905869e6a9d5cf223b

      SHA256

      dc5de236740642eea82d09f1061646fe0e1e2bec9ff5caaebecc77d8706a6a65

      SHA512

      66678483220de9a753c48187d69c9664cf07d5a80642b583837ba31b916c8696b569b2fc27f966d836de56479fc8747cf1e696d58b26356c4e2744657db763af

      Download Submit

    • memory/1916-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2536-47-0x0000000070E1D000-0x0000000070E28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2536-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2536-87-0x0000000070E1D000-0x0000000070E28000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2536-45-0x000000002FAA1000-0x000000002FAA2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2536-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download