5a8ec0678de15b15c7487c50e88c674fc04536a761d2bf68983719c42b23659a

General

Target

219ebc93e9b1737f3aee4ac1812eaeaf.exe
Size

512KB
MD5

219ebc93e9b1737f3aee4ac1812eaeaf
SHA1

6874c77d5bca0f146f570fb6e6028d9b9fcee86a
SHA256

5a8ec0678de15b15c7487c50e88c674fc04536a761d2bf68983719c42b23659a
SHA512

2d45322ee17b8cc8366e70d009a72dd2754140cb3c804165421423ac7c1f81f1f91b0197f1696ab4c9c4a3c16a63a1cbbf45eef1ab56e0f969122d53f2f41681
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm59

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3936	mivgbcvxxv.exe
1176	bgilnvlseijqgro.exe
3588	imjiwzpn.exe
4760	pojkxreijoxer.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4944-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0007000000023201-23.dat	autoit_exe
behavioral2/files/0x0007000000023201-22.dat	autoit_exe
behavioral2/files/0x00070000000231fe-19.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mivgbcvxxv.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File opened for modification	C:\Windows\SysWOW64\mivgbcvxxv.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File created	C:\Windows\SysWOW64\bgilnvlseijqgro.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File opened for modification	C:\Windows\SysWOW64\bgilnvlseijqgro.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File created	C:\Windows\SysWOW64\imjiwzpn.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File opened for modification	C:\Windows\SysWOW64\imjiwzpn.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File created	C:\Windows\SysWOW64\pojkxreijoxer.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe
File opened for modification	C:\Windows\SysWOW64\pojkxreijoxer.exe	219ebc93e9b1737f3aee4ac1812eaeaf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	219ebc93e9b1737f3aee4ac1812eaeaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF88482A851A9030D65A7D90BDE4E1415931664F6344D6ED"	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BC6FF6721D0D27FD1A68A0E9117"	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC67B1490DAB7B8BE7FE1ECE537CD"	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C089D5683586A3E76D377202DD67C8665DF"	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACAF964F195837E3A4786973E92B08A02FD43620238E1C9459B08A5"	219ebc93e9b1737f3aee4ac1812eaeaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15C47E439EB52C9B9A733EED7C8"	219ebc93e9b1737f3aee4ac1812eaeaf.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
4760	pojkxreijoxer.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
3588	imjiwzpn.exe
4760	pojkxreijoxer.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
3588	imjiwzpn.exe
4760	pojkxreijoxer.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
4760	pojkxreijoxer.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
3588	imjiwzpn.exe
4760	pojkxreijoxer.exe
1176	bgilnvlseijqgro.exe
3936	mivgbcvxxv.exe
3588	imjiwzpn.exe
4760	pojkxreijoxer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3936	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	18
PID 4944 wrote to memory of 3936	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	18
PID 4944 wrote to memory of 3936	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	18
PID 4944 wrote to memory of 1176	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	28
PID 4944 wrote to memory of 1176	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	28
PID 4944 wrote to memory of 1176	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	28
PID 4944 wrote to memory of 3588	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	27
PID 4944 wrote to memory of 3588	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	27
PID 4944 wrote to memory of 3588	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	27
PID 4944 wrote to memory of 4760	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	19
PID 4944 wrote to memory of 4760	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	19
PID 4944 wrote to memory of 4760	4944	219ebc93e9b1737f3aee4ac1812eaeaf.exe	19

C:\Users\Admin\AppData\Local\Temp\219ebc93e9b1737f3aee4ac1812eaeaf.exe
"C:\Users\Admin\AppData\Local\Temp\219ebc93e9b1737f3aee4ac1812eaeaf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\mivgbcvxxv.exe
  mivgbcvxxv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3936
- - C:\Windows\SysWOW64\imjiwzpn.exe
    C:\Windows\system32\imjiwzpn.exe
    3⤵
    PID:3700
- C:\Windows\SysWOW64\pojkxreijoxer.exe
  pojkxreijoxer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4760
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:3976
- C:\Windows\SysWOW64\imjiwzpn.exe
  imjiwzpn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3588
- C:\Windows\SysWOW64\bgilnvlseijqgro.exe
  bgilnvlseijqgro.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bgilnvlseijqgro.exe

Filesize
512KB

MD5
176d0f13f196efefd6f00f27a319a3ad

SHA1
0c0bb611479534cadd1b09a5c20c10b5077f1254

SHA256
c6aff62c3c875e98ae2b4bd453567d77127fc659258fa3fab675a044b35fcb6d

SHA512
d9b7958eb6e275a1a877f878fb626af9aa8a9a57f2f35d73e890ec239714631657e2f55eb4da61a372e87f1d6747f4f2bda3494a0104316f6190c608986a97d3

Download Submit
C:\Windows\SysWOW64\bgilnvlseijqgro.exe

Filesize
93KB

MD5
257f28bd5bdc2b725434b7ab570814e7

SHA1
972446e0f8d210c5d6f42a57a921391a236d564d

SHA256
d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688

SHA512
c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

Download Submit
C:\Windows\SysWOW64\mivgbcvxxv.exe

Filesize
512KB

MD5
42a4d60a5a5eed641fa3099cb8fccf6d

SHA1
a7753d9f4d1702618f0715aeaf4510e9cd78a5fd

SHA256
0a1831dc2783f6dd83a106797701b50da9b64f06e0e0d1014ed06c8aff581508

SHA512
1a5f2efe81d54e2d3463aa8e0dfcb6533c128e14fdcf341cbffecff5bd8d61d4964b0ab08198a1d59e264248602cf172b3c5c8b6e18bca7a01b6ff57f6b525f9

Download Submit
memory/3976-56-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-141-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-47-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-50-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-52-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-45-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-41-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-57-0x00007FFA5E030000-0x00007FFA5E040000-memory.dmp

Filesize
64KB

Download
memory/3976-54-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-53-0x00007FFA5E030000-0x00007FFA5E040000-memory.dmp

Filesize
64KB

Download
memory/3976-51-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-49-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-48-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-46-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-139-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-43-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-55-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-40-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-37-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-44-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-39-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-38-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-115-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-116-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-117-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-143-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-144-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-145-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-142-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/3976-42-0x00007FFAA0910000-0x00007FFAA0B05000-memory.dmp

Filesize
2.0MB

Download
memory/3976-140-0x00007FFA60990000-0x00007FFA609A0000-memory.dmp

Filesize
64KB

Download
memory/4944-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing