Analysis
-
max time kernel
157s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-12-2023 16:55
General
-
Target
2ed929b937101a7abd4c9d27b4f2e9b7.exe
-
Size
512KB
-
MD5
2ed929b937101a7abd4c9d27b4f2e9b7
-
SHA1
ff8b4df81c7ef99435e195466628568f9e986200
-
SHA256
63ff3392c3f0d9ad1c367e22a7d8144d35ce7879b96dc6bb3b581f7500322b58
-
SHA512
856f8f4da3b9c98ee277ff0d7c090dc8684fc143cebd1cec12fce72b7c8d36b32aeb6078fbe4b1b26fd8d3589df49b72d25eb84bbe1fd8221b0ac39f74878821
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ed929b937101a7abd4c9d27b4f2e9b7.exe"C:\Users\Admin\AppData\Local\Temp\2ed929b937101a7abd4c9d27b4f2e9b7.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\luyjgkxndo.exeluyjgkxndo.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fedshkqr.exeC:\Windows\system32\fedshkqr.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\hicikjjxlmhhhko.exehicikjjxlmhhhko.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\hbikwuobhlnhu.exehbikwuobhlnhu.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\fedshkqr.exefedshkqr.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
433KB
MD5e3c7e40d24a79ffb16597a5748156d92
SHA1d049778a8a2e527b9dcaa2176282255b912be116
SHA256e32b8968430238fb901d241fe003f5173b277fd47450d1c6e55f7f925556553e
SHA512d4630891adc3652f93c3ad8839e882c0db254bef1361becb06dce6f4b99257053cbf8c51e24a39caffe52a4f371ad06ab118f9b4013719252f68fd2deebb5f22
-
Filesize
243KB
MD5b37e8a27634b50c6dbcaa1fcb9e805ab
SHA1f690df5ca58177e3ea6bdb8b6b8b859796620686
SHA256516dec2f97941aa18d4c5e5064502309e988d971dfdc244a0e25b3008d90ce29
SHA5127afd2c5dee7472e2b1e381d43e0861a81601f74ad614eb11acc389d65ee5f46838d769e3716e2b52004d5b6887038b500581d7a7cf1cf4302c639deb0af244a8
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD54a03ec6e1887d1ce0dde8065e2783f12
SHA198c8ecd79d4e5bb9cf42dbc0cc2a88ebe2525e09
SHA2569c138ec96df17a3ab0b6b0b420522bcd48e7356ad79993394fe60683294afc7d
SHA5123c81b429904b8313b347f4a6e22fefcf20a7815e30a4c38806b77a362853043311a7a7319717e084da1a40144770002adcd40ba80e1d3262bfe2e9895f0fda73
-
Filesize
3KB
MD5fb5808f5c7eb5a28036afbe618d3a04c
SHA1c086add7822f7df7eca6652813d40feafebd2c1a
SHA256dddb1437a3d37b4b2e8bd3389f43aa73a8626bb0523400ffa36acb0f706a609a
SHA5126ee6e588267040c3e0632cb1bb64e5d0e8649ebe266995fedb56f1142e7c617fbc3152cdab240498918b9bb6ae1795d104c32bde7a7266a2cd0d8f069906a696
-
Filesize
512KB
MD500d1579f66f9188e53bd74bffbdfd3f4
SHA19fd3e53ecb6458e78395ce6983a35b0216de0de4
SHA25664cacd907acb324b1aea8cda4776d422430121b0c27f076de72520c262522296
SHA5128d7c5ae22efbc9df35acee194471fba1786ffbf7771f4eff02cb12728d88ecdcfbc3424708aa9cde9ea3e09b5805397b514a3fc7ffffd56b691389848ba507cf
-
Filesize
399KB
MD5613ebdfe79f9997f7be9a8f24e2cd535
SHA1bdfd8da09f8c7d47a3b2a62aac4afbba09868a0e
SHA2565c72487bbca5fd1c10e333688a04e4b5d0cd43da409dfb85cfd33f4ec99bbda2
SHA51207aa22e8cacca89092ceed2c7fd799220db11e4d3b786ccde11c978f2a67535496eec46f32aacdf2d8acbfd100ae1d5c70b60a3d4ad6bd32bc8ca23aedfa1a6a
-
Filesize
433KB
MD5bf24b6440b7f8ed00551501151ba94a5
SHA1be79c9b74f1a10b87dde14078867ea6d2bc9625a
SHA256d750873f9500bac598e6209c0c1c1fdd350883ca033d3818db78ec0b94e47a56
SHA5129db9c9cfa5fe8aef7a3ec100478e7e9c5e2ad4d9f24c5e9a9a6e06d248a3d706498d40b172f31702b4aa2cf7ae2f562bcf8f67e90788e230b7b9cdf5922abfa9
-
Filesize
237KB
MD55668c44375d0100e7eadd8c701188155
SHA129b1af4604e15e8d30b69c320636cafb8e302c57
SHA2562ffb38d10f752892e8760ccb0b049c8fad645a25682ce580411d3ddb8b71d793
SHA512936b22801c6797cd61e7eb2407bde51403b77477b15cd7cb29de010453c7049a25ce8f6a1e073a7768487f01abb7c2fd24db20a6184432aafbdaf0f9663822bf
-
Filesize
366KB
MD58f4369278851ed06e80b67044850776f
SHA1caa29169d0384f18540305898c7e3ce073bbd959
SHA256a8642583e261b6bb92c9ffbab7a7abc3741d2d3391e2eef5172e3b495f69948f
SHA512d00d3f6538298be7f3930ee7569b5d0dc6abf7a533099ef69df0d8dd1f17866b9cf5633451b12bec91e911b374e9392fcd3e741d897b647cd5db3379674fffa5
-
Filesize
512KB
MD5b0c615c7c86a6d1aa7dad473dc96074c
SHA18608c31f0b6da93eff4a09f9227a5ee796e2ca80
SHA2569f7956fe14dcbf65c3b6413b51972ebfffe13d4415c643e46056545c9f6c8d0d
SHA51255a7a8ff090926b978fd416f58f2246c2793edda7137010448adacd5169ae1e0c615e8e93609181205b8eafa8704e896df61fed4f5cd753e1f4c28a6e6acbc5d
-
Filesize
512KB
MD50c7b2242e0364aa4ce79639a75e00ad2
SHA171bc798406433d039a0b4549a0c0fc066fc6ba7a
SHA256f42b4b24274e8b629ad4e226fd0ce0829529b9e7aeedf9e2f5fa11cdceea7409
SHA512b57664c65cd350a59805f9de85931290eeaf88a2fdf9aee49586f17d630be53813b4a98cc11caa7279db3b50b3fb8ffde4022abb382c1429412f5c058aef6332
-
Filesize
176KB
MD5f6e85937e4fbd402c2c6b3795867f866
SHA102595ed34625e9c8e457d8ba530b085eee130933
SHA2560c639ab0e7cf991c4d5e8bf50cb5a3ae85d3d71e1ae3544b8938593dcefd447e
SHA5123447020c7a51178a680e8c9b4fdc39c789ff7813bafde533a74acf84e214ca3e6ea7cc5cd8f288766c5351ab01e670b518845f6ff775befb5ff9846581cc3d9c
-
Filesize
80KB
MD510e03a076308c78af30b85ebf4a89ff4
SHA13680bdcd141147fbcfc63a1df048b7de5b389631
SHA256ab28d3ef8a0aab518ccd6f58bb5d40f950c5a0ee18fdc23fafb43244aa33dffd
SHA5123c586d4f337bd3b3df5a625b7c7b0fecc7c47d36b932f399d2a81bb813dbe2e041c3110b90976cd45feea25fa5d4a1ff70ea45f37e574ac7758b8df381d4a8d8
-
Filesize
65KB
MD56b2d87c29e03c1669c86b13f0e329f27
SHA1fc01a8091ad1488013e09ecabcbb34ebb2729a38
SHA2566cb9102f5b672aa60bab941d44dfac6baa33354a6dbff3a6cf1b7e16f4e1c61c
SHA51262a6d356d9d1393f780e7ebef155962a8261e76e5c6df375d5d35484702607996e9334a0a3788cde9ee44d7d6cbfbd284c2163ff4e9837884a0ae5712b1e0272
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD55af397def3b2ec04ba0879dc2ca42e74
SHA135317209b83c7d5dd57eff64b9eb743c20be2cf7
SHA256185b8529fcee2f7b48abdb56494868af6cfc5016a8ede734dd9f5ef8e98d9d9b
SHA512ad6c4f8382f24ce5dbe71fe2007061c33187ff033403291a8c79cde2f2e5b01143902e614b59820e50206e9a2125d8169265ad2fcafa5d151be3f7739786ccfc
-
Filesize
512KB
MD531007ab401b6235c6f496afcbd055a44
SHA1cc8405d09cd65c94a968f9b5e9303af3c6b2b16c
SHA256bae61031d076359e53f118cda049b7f2645ed64d2cce60c458b96d7f55bc2973
SHA512af9d1b0f2bd88c08a81311415d7bc39e41151fa1a752dd8166bed7a3147796ee53c35c930f46d38ba6d5510ab5998fa2fa5be9d797dfbc906b570fc27871e1bc
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
600KB