Overview

overview

10

Static

static

5

21683aef18...e9.exe

windows7-x64

10

21683aef18...e9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 13:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21683aef181b87eb95f9bd10a7c129e9.exe

  • Size

    512KB

  • MD5

    21683aef181b87eb95f9bd10a7c129e9

  • SHA1

    f62e26da896e841e6c96615add344170e3dc67ca

  • SHA256

    1ba03c3750f8cddea31a0bb897cf00eec2c5102a676dc70fc4e93464425dc547

  • SHA512

    1d7dcd0b77c962611a51a29483e0d72c7ad57df087b8f959ad04b9d992ebbdae080cfee3118aeb045e04976d1c2273f8ca92708595519a8290bb915efe85ddf5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 18 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21683aef181b87eb95f9bd10a7c129e9.exe
    "C:\Users\Admin\AppData\Local\Temp\21683aef181b87eb95f9bd10a7c129e9.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\SysWOW64\ipyfjguvvc.exe
      ipyfjguvvc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\duhwrzkg.exe
        C:\Windows\system32\duhwrzkg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2572
    • C:\Windows\SysWOW64\hnfjbcjymcjeewi.exe
      hnfjbcjymcjeewi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ynnbgbcidxfdy.exe
        3⤵
          PID:2036
      • C:\Windows\SysWOW64\duhwrzkg.exe
        duhwrzkg.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2584
      • C:\Windows\SysWOW64\ynnbgbcidxfdy.exe
        ynnbgbcidxfdy.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2952
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1808

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
        Filesize

        512KB

        MD5

        a7e32def91a6b91139ac8a58fe920bac

        SHA1

        f42210d17c17ef13c03df7a2aad2735a0813ab8a

        SHA256

        629a935ab044098f107b317c5dd540bd1115d3cac64d18ad35b50ef1614b83d3

        SHA512

        069f536b0ec7e082e0505f84d79934fcd5aab63e5f70e4f02a94ec69145c8936eac7e12c87a7777864dd1ee3e0bfa01578cb0c3858dead0eae85d758bb135c80

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        bba2b2ba99c84816c21e7e0da0d4ae81

        SHA1

        36e0d29b81ca468d06835288a6999965dee66c46

        SHA256

        711adab2e4c2e3a51bf739a068293785e932068718d490d5320f53c299caf2d1

        SHA512

        eb8c7d51ffff88e842cc66c6b659b0f790fbc8b6ab86dfa46f28d0160c716faa76047eaef49c076f5ea00b96468ae4b16a5c4d418bb3d75d42d7c27ca435a9ba

        Download Submit

      • C:\Users\Admin\Downloads\LimitAssert.doc.exe
        Filesize

        512KB

        MD5

        35cb53840bdd94ad1958c3c1e9d00177

        SHA1

        e1a6e227e4e247d2a604508a32cd3397cb3501a4

        SHA256

        c21f0180dce055366723cb277789455f9ef4efd7d08827cd3bc4ec6a095f4414

        SHA512

        bba4cfe3b19ff5d55400216b02ecb69a4e3f5ab872d09e1f7f9ce257fae14522a205fe0f5c3a77db0acc441ee821d51cfab0d0763e29b5dba0daa9c069cc5af1

        Download Submit

      • C:\Windows\SysWOW64\duhwrzkg.exe
        Filesize

        302KB

        MD5

        8a0b4f997b90b6f1ee675c6825074958

        SHA1

        099d906aab1e6e01b242f0ddcc4af2ea3254277e

        SHA256

        c9a74d7f78d5e7016da526407021c5c9dfc8853269bf42d388c52432be12c01d

        SHA512

        b5de29dc9401df2913e167d935b2632e689fd050d020ff873b607986a5f2c991435f10ddd8c2eca4c5c2684a6f2e819f0ae82e2a358636c62c87ce98c6f4b76d

        Download Submit

      • C:\Windows\SysWOW64\duhwrzkg.exe
        Filesize

        387KB

        MD5

        3e5aa6b390c912452008d5077c95523e

        SHA1

        e0485a6014f22652aefcb738a313693d2a6a7d34

        SHA256

        deb989858935fee23b0642d8efc74a4c33e17d2298353a6f5ac71b8fbbdd2bd1

        SHA512

        a374ae0d79553605aedf609eb10e87674628dd3edefe0bb52a1cc10c104c1e4812410ecb5989a34aca4eda8a249f008b02cbc710a9d45993c6b62c6685e3a684

        Download Submit

      • C:\Windows\SysWOW64\duhwrzkg.exe
        Filesize

        173KB

        MD5

        0bb4c4a32bdd05c9a881de15eec1c9be

        SHA1

        c1422161a96da8bfa3480b462c89a1b9e338a69e

        SHA256

        28e7c49395f61051de2513b7451eb44f94db74b325de848aa77dbed1a4883d0d

        SHA512

        4cf336bdbc1458afa0a0446d4b8e0fad46187fd838cb1403acaf5f2770e28c4c7a55426675664445b2673862168fb19cd1236d33cdbe6599d0a7f22462192ccc

        Download Submit

      • C:\Windows\SysWOW64\hnfjbcjymcjeewi.exe
        Filesize

        403KB

        MD5

        b4b3f2f201d13f83f34b7fbb27b1e899

        SHA1

        181da33dc262cb8732122e5c3f2e589ee814e048

        SHA256

        20d46314c9b23200b2fc098d56bf4b567cf4a15f4c832f4a8ab7b09ec523c134

        SHA512

        2e525cce92a6ba89a29057f60446bae9c44b68a2ae38f4e94362c645af9203fef261f89a97aea087da048a438ae165f88e717cd3d44cfe49a6960ae9793956fa

        Download Submit

      • C:\Windows\SysWOW64\hnfjbcjymcjeewi.exe
        Filesize

        292KB

        MD5

        5cc477822518cc70883533c739e78cc2

        SHA1

        ea0979c2e0c8fbea3d8a97ed9cf7b3a14bd55d11

        SHA256

        ec15b4e34ed252b66ef24914b1da4568e0d7c1ba3299d4d96abc48525e7cc7c8

        SHA512

        29ea90d842c62a4b6237a501c56b4662a87caaf976bdc9d6f52267af4d15c79faf3fe76640b0ef925021237d2aa9b82a529324a4c998f21e9bd91a417e526ad9

        Download Submit

      • C:\Windows\SysWOW64\hnfjbcjymcjeewi.exe
        Filesize

        288KB

        MD5

        8343c5f665a60efdf222d45258ba136f

        SHA1

        d6c94fe91a8987b510b11fdf85153ed0d2611db4

        SHA256

        6b2aff2ed21ae54311ef3d4758da4c25d2530276e9a293d571fb81d08ea508f3

        SHA512

        9e1757be5c3545ec9455b087066e41a2f896952eaaeb79f4fc36633a9c9e1234cc90375c9894490c57be453e8f1167b972ed4d3f1b5e0a8b7a34582543e88376

        Download Submit

      • C:\Windows\SysWOW64\ipyfjguvvc.exe
        Filesize

        302KB

        MD5

        cb4c4ca1bc2881f6f865a965bfa3059e

        SHA1

        170d4a43e70516ed176c66e11333ba9556685a15

        SHA256

        de856dd7530ac967d68ce3587a5430908d503212e0361f7964ee98412aaf117d

        SHA512

        feb3fa9cb76b13cc79531c2c16bd7917bae927eed19a303394810673262e54b85b6a5231b62bbbf963779b4b5f9d2f0df08d950b8d1b632aece3d872889cf63d

        Download Submit

      • C:\Windows\SysWOW64\ipyfjguvvc.exe
        Filesize

        287KB

        MD5

        3cfbf4fb56d2cd36749433fe2c83b69c

        SHA1

        9ca3eebd589b5327167eccdb6387ae09b409e532

        SHA256

        12d0206ac6e36a177adffdbb8ef0eb3e2ccc4bbc48c079229f36acd5c6a1ff41

        SHA512

        1242dd2a9ba2ad965b4f4abfa7d3dfe270d6888788d7dc6fc380a84b5b20421a50f26d6b679a8215c787528264fc7a430712e3084c39fa56b58d8e5b4ef74866

        Download Submit

      • C:\Windows\SysWOW64\ynnbgbcidxfdy.exe
        Filesize

        227KB

        MD5

        f9f4de7f46b63d0b639b21fd6a987d93

        SHA1

        300a7ee30a65f5af9e59ce518587287b19088594

        SHA256

        1167bd6a246bc34781adf7e9cdaef85df4ccb7f743874cf39a46c5057e412560

        SHA512

        11e4ae55897bb94fc0006203587ffd79bb2cc1a1d207eef85d6938a72b5c233eff400cb845ec4ecc8305efbfb68e5d6fde7ffcaa29fe998bb43d0446f14215ee

        Download Submit

      • C:\Windows\SysWOW64\ynnbgbcidxfdy.exe
        Filesize

        82KB

        MD5

        55b6798327346bca45a341e1da9f71d9

        SHA1

        9b568dccefa44d6068d4760de36fbfbc111d4429

        SHA256

        7b846f6dc460f6543637026005c37d4ad5f728e94447ef472d6304bb7b1ced90

        SHA512

        dfb97f89bdf09f557a1b1011ce4ddf9f49ac82152f3290e0f69ce4f6a15ef864d00c82eb0690cf60232dc1d2097372cb3e6aced7b31eb4e95fba7afdd0c362aa

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\duhwrzkg.exe
        Filesize

        297KB

        MD5

        cfa7060ce00af2f61d07e6af3d9cae0f

        SHA1

        feb18f7a9fa8c5e76e3a18b9c5c00f1cb5a74120

        SHA256

        ff8c017de19c4d9d40fe46bc600e9ebe6366d46ab80e3a95bcdde0dbf3a07802

        SHA512

        32613bf51ed2215eafe528bc697f97b55cc21dbf9a8bf6c048133349f6b243da1900e37a87fa24afdba1c582d555a351557423ed42c0347c07b056e0c4223b10

        Download Submit

      • \Windows\SysWOW64\duhwrzkg.exe
        Filesize

        114KB

        MD5

        ae74ba6cb0a3f4fa2edcd2590efd6107

        SHA1

        ae27beddc82e6f7906790efedf2267d420de01af

        SHA256

        cb37c7aad746470de3f362f27770615b4df63f7f4114509fb08e18811bd6d3af

        SHA512

        6c8f7c6db4fc52a4b9f352681ea094444961c62f074335cfe387bae518a09c74863b0b3c71386cab05f79ecb897ebb1f74775f463e0645a81ef87ba1a7a4751f

        Download Submit

      • \Windows\SysWOW64\hnfjbcjymcjeewi.exe
        Filesize

        343KB

        MD5

        633781d15d03c566602be598cf79da32

        SHA1

        b6db66af8f222791a27a7f607904d60b30452c68

        SHA256

        875eddde307abff699e54f5108f568843c30bac9b3713f0fdc1418d4c0e83e29

        SHA512

        7908e6666b277a7d2cb6786f40626eb9afc2c923e66bf1a831b5ea71861b9e92ab2b366a1ca6a048e6c5c94ded8d0e6b8ae9cf38973f822c978cbdfbd09631d2

        Download Submit

      • \Windows\SysWOW64\ipyfjguvvc.exe
        Filesize

        324KB

        MD5

        3f46cdb44ce4e7b7f9c7d5cb6005d34d

        SHA1

        653280896631245cfe9537ce9a8ca9b0db10a880

        SHA256

        bde461b4c97c2dd9f2fd62f611a5ae29196118801bffd0489b1d413525ed095d

        SHA512

        9248964d8841a0a8ba9ebd19db42ab85448ad68f7307f54559692a83770f4f1db90cb9d045f05e74e04fbff6280429446ddedb09d6c55e28b9d1db60e8e49803

        Download Submit

      • \Windows\SysWOW64\ynnbgbcidxfdy.exe
        Filesize

        262KB

        MD5

        a0f3337f55e7976e451213a18b44c597

        SHA1

        44357c8434b8793bf1cda0c657c155ad15870734

        SHA256

        a7145c31feb0ce16a0f6612a2cb788da1d7b3764c588f753c87d931b74962027

        SHA512

        5640aa0707c9fddc36729cdb9a12c1b67c81d9ac2ad52d07eabdd590ef51cd6025d9cf16c8806e3d09dae6da618acf9296c6da31f5ecacdfacd9fba18a32e38d

        Download Submit

      • memory/2108-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2656-47-0x000000007130D000-0x0000000071318000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2656-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2656-44-0x000000002F931000-0x000000002F932000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2656-90-0x000000007130D000-0x0000000071318000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2656-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download