91d944830b919cac3fcfa702ae2ed53fd57c729297ca91cad28d1f2718119875

General

Target

3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Size

512KB
MD5

3422a45d905c4a8f257ed8d0a4cd9f7e
SHA1

c474f88ad31a15b5e0d5c75d97c1e5e30673e6ef
SHA256

91d944830b919cac3fcfa702ae2ed53fd57c729297ca91cad28d1f2718119875
SHA512

dde3645a1d905e9b9cd557291a085cb33dc3c6dad192bae775c28d9896d75b7252728d692aec83eeeb3b8fcfd7c5e54e81b02dfe13422efee00236da9e5c5268
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6S:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4648	cyjmfngvks.exe
1868	fmozkpgbwcmggpr.exe
4132	caplerop.exe
4696	oejnmhktkfndz.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2924-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\caplerop.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File created	C:\Windows\SysWOW64\oejnmhktkfndz.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File opened for modification	C:\Windows\SysWOW64\oejnmhktkfndz.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File created	C:\Windows\SysWOW64\cyjmfngvks.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File opened for modification	C:\Windows\SysWOW64\cyjmfngvks.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File created	C:\Windows\SysWOW64\fmozkpgbwcmggpr.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File opened for modification	C:\Windows\SysWOW64\fmozkpgbwcmggpr.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
File created	C:\Windows\SysWOW64\caplerop.exe	3422a45d905c4a8f257ed8d0a4cd9f7e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	3422a45d905c4a8f257ed8d0a4cd9f7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF82482A851F9135D72F7DE5BC90E146594167326343D69E"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC5FE1821ACD273D0A88A0C9062"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC67A15EDDAB3B9BC7FE2ED9034CC"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D089C2383526A4376A570212DD87D8565DA"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFAB9F962F293837B3A41869C3993B388028C4365033EE1C9459909A8"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12B44EE39EE53CBB9D0329AD4BF"	3422a45d905c4a8f257ed8d0a4cd9f7e.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
4648	cyjmfngvks.exe
4648	cyjmfngvks.exe
4648	cyjmfngvks.exe
4132	caplerop.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe
4648	cyjmfngvks.exe
4648	cyjmfngvks.exe
4648	cyjmfngvks.exe
4132	caplerop.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4648	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	37
PID 2924 wrote to memory of 4648	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	37
PID 2924 wrote to memory of 4648	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	37
PID 2924 wrote to memory of 1868	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	36
PID 2924 wrote to memory of 1868	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	36
PID 2924 wrote to memory of 1868	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	36
PID 2924 wrote to memory of 4132	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	35
PID 2924 wrote to memory of 4132	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	35
PID 2924 wrote to memory of 4132	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	35
PID 2924 wrote to memory of 4696	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	28
PID 2924 wrote to memory of 4696	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	28
PID 2924 wrote to memory of 4696	2924	3422a45d905c4a8f257ed8d0a4cd9f7e.exe	28

C:\Users\Admin\AppData\Local\Temp\3422a45d905c4a8f257ed8d0a4cd9f7e.exe
"C:\Users\Admin\AppData\Local\Temp\3422a45d905c4a8f257ed8d0a4cd9f7e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\oejnmhktkfndz.exe
  oejnmhktkfndz.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4352
- C:\Windows\SysWOW64\caplerop.exe
  caplerop.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4132
- C:\Windows\SysWOW64\fmozkpgbwcmggpr.exe
  fmozkpgbwcmggpr.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\SysWOW64\cyjmfngvks.exe
  cyjmfngvks.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4648

C:\Windows\SysWOW64\caplerop.exe
C:\Windows\system32\caplerop.exe
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2924-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4352-39-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-44-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-47-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-48-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-50-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-54-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-56-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-55-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-59-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-58-0x00007FFE9E330000-0x00007FFE9E340000-memory.dmp

Filesize
64KB

Download
memory/4352-57-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-53-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-52-0x00007FFE9E330000-0x00007FFE9E340000-memory.dmp

Filesize
64KB

Download
memory/4352-51-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-49-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-45-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-46-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-43-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-42-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-41-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-40-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-38-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-35-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-123-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-124-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-125-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-148-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-150-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-152-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-154-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-153-0x00007FFEE04B0000-0x00007FFEE06A5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-151-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-149-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download
memory/4352-147-0x00007FFEA0530000-0x00007FFEA0540000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing