Overview

overview

10

Static

static

5

376040e325...05.exe

windows7-x64

10

376040e325...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 19:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    376040e32502b8cde9c9efca7ad92005.exe

  • Size

    512KB

  • MD5

    376040e32502b8cde9c9efca7ad92005

  • SHA1

    89659087bf3821fa9acc1c4975a952e09246ff56

  • SHA256

    def465ab9cfba97805c83c0d9c9050bcde4e659c1c6919910701bf55f2b06002

  • SHA512

    e1698f051feb2e612c4c0c352ca1f976b941ca648550ce084c0d93bb1fdade43db423c7fd8c2173510e00c66266c120488522552905983a6bdc3f72ffe4dd260

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\376040e32502b8cde9c9efca7ad92005.exe
    "C:\Users\Admin\AppData\Local\Temp\376040e32502b8cde9c9efca7ad92005.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\glzwvvgqap.exe
      glzwvvgqap.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\wrhnnzua.exe
        C:\Windows\system32\wrhnnzua.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2612
    • C:\Windows\SysWOW64\lhxifmhiazwkivf.exe
      lhxifmhiazwkivf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sybbrkwlqjnzj.exe
        3⤵
          PID:2764
      • C:\Windows\SysWOW64\wrhnnzua.exe
        wrhnnzua.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2600
      • C:\Windows\SysWOW64\sybbrkwlqjnzj.exe
        sybbrkwlqjnzj.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:904
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1944

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        512KB

        MD5

        553573fe595bee4d07c5f41240a2eaef

        SHA1

        0a093cdaf09dc97a64b43afe2717416ff22bbf61

        SHA256

        cd9c9890661c4644d70714697e4e274e5a5a3d1eea53b2acd6eb55b7369090e7

        SHA512

        9d1ce291f542018f10385ea5929926c8553bed9c74d1513bddc5bdc2f481ac7d29aca69fe1ce0dfbf3aec1c03d35bb3f305c86f10970d5ab56f82fd10c13b945

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        68fc66422f907eb0ade3c63ffc61b722

        SHA1

        893d9d1ebeb69dcba99c670ac292c18e8b5bba3c

        SHA256

        967f2d41b457dd5aee71939a97891fe9701803852c0148534e4664a08797fe15

        SHA512

        6c720b4bd9c568fae962282707b10856ca90e049dea6c02da121ebaa541fe275ce9145fecd5da7be01e727d986537a2a9213702ab881fc3def201905bac2eb75

        Download Submit

      • C:\Windows\SysWOW64\glzwvvgqap.exe
        Filesize

        348KB

        MD5

        5c62887b401908b257080e3b20393044

        SHA1

        0b4025f1cbedb56eb7301f06c5772cde2d3a3208

        SHA256

        17e7b77b9ab17e745d7267535a441d924a1561258b7e9bc9e01f2ce64ee722cb

        SHA512

        505242afbb32feb05ee5ef8150d0abed80322dbc3b6a30ff2a5aa2478dc9acf69384e988d59887b4d85a1780adec5fc34ed73ebb5b7a1586491f7205908ab48f

        Download Submit

      • C:\Windows\SysWOW64\glzwvvgqap.exe
        Filesize

        192KB

        MD5

        142de3b77d0d50247bf418a222540a73

        SHA1

        b6a291a807a3d8621e2c2261a5f17c35aea9dee7

        SHA256

        99e93680359b6e1fd0ebefdcda12a6824393cb6484ffbcf18200dda99326e572

        SHA512

        f0ef9b62895a3d665da4ab7d74194dd5cab7bfe12dd2fe4309494cdf9afbd26a2267839f48a317ab64eefe7e751b5e5ff79fdb82db481361ea9a4360a3fc6ab5

        Download Submit

      • C:\Windows\SysWOW64\lhxifmhiazwkivf.exe
        Filesize

        221KB

        MD5

        077f322068f67fcd77989c215a91fa22

        SHA1

        445040d08403cce57defce2c8a18055628cfb6a2

        SHA256

        e64514ecd954b8ed3bc5f26abc7a594b454093917262de76c3d9b75f69511309

        SHA512

        66fbce5308f53dc18ea3dce103c05c5f1a0bb7011b97df3a35d5a96527715b3f218d8506088e4caeda46b497862fb72120b5f6f2047f28f89bba069c6eb35557

        Download Submit

      • C:\Windows\SysWOW64\lhxifmhiazwkivf.exe
        Filesize

        164KB

        MD5

        47c29cc7c22f3a92669620a684de3e7c

        SHA1

        fb946cfa394ca50c98447b0169bc800a8de66cbb

        SHA256

        4729979e0c17ff9b1a4b013e61ca087dccf07a0d93c386b7877fe6affe9469db

        SHA512

        0f60d2d30778cf56fdaff459f09e40e4e3bc474ac90d1490a09472f1162694c0ef44659d3b843c87e2c48b2e9fa8115660c94a8cb11229943baa0cb1da828711

        Download Submit

      • C:\Windows\SysWOW64\lhxifmhiazwkivf.exe
        Filesize

        512KB

        MD5

        a160ce2ad5d7c21686088d0be8bdc79f

        SHA1

        17e3c2388c1f6e9592fe7f33015c5031061c9d76

        SHA256

        60ed7ba24e57d77461517dab346c21356f0af44b2d22dd57fe5833fb612a6043

        SHA512

        5bb32700bd8538af1a4b302ebef4f1b73d45ceae4b70c466d96977e1be86446e9eb0f2122dd169fc8ddf5741fdbd6ed38e7e82352970b3974e29e67101ca52c7

        Download Submit

      • C:\Windows\SysWOW64\sybbrkwlqjnzj.exe
        Filesize

        115KB

        MD5

        67450669d39d1f53a06349c3f20c8057

        SHA1

        b17a8b32506afc2e499718da2608c5f84514551f

        SHA256

        74789a7083330e683a05a678358a64b2076a3982d4c11d1cbbd21abee0dc2ba8

        SHA512

        fac6ff0d70fdcfc3c63336fe6f52bab6e8eafc0c098604916a042d1139f59545a2354d9c4331889646fdf9842cfd39b68d10c376795592153c58e04df6477bc2

        Download Submit

      • C:\Windows\SysWOW64\sybbrkwlqjnzj.exe
        Filesize

        166KB

        MD5

        7e0075aa6322afe28cca6ad899a0704c

        SHA1

        7a82d92237cd614f134b96da954112ac47b2493d

        SHA256

        0c7ea9b35bfc3fef71720ad9815c79e7bc54865a6c6c7bd938e32e5c2d7f5521

        SHA512

        c6449146b4680a15e799932bff2d2925fea77cdf5e913fcc606624b54ff3f3c8418a5d244218c42dc090454af2ebd105baf7efa7fe39087fa650f36104ca45ae

        Download Submit

      • C:\Windows\SysWOW64\wrhnnzua.exe
        Filesize

        202KB

        MD5

        ae4cd0c1a6771c56d209bb182e546c25

        SHA1

        464be34165cc7be61538ee1b254fc363afb6a050

        SHA256

        f1307f2a7c2586213ea357617a98ccce8172c3bb0ef8b9977437bc8224c240dc

        SHA512

        095fdd4bf1e486388f05c1016659ff91bea9cc6ae3142fc505a5ebe2566e84a60e2df552798cef4f516a111c31da43c4d4cac04ad1161f557edd0687e034269b

        Download Submit

      • C:\Windows\SysWOW64\wrhnnzua.exe
        Filesize

        125KB

        MD5

        f52f4ea3c138fa4faa04dbb6a9aec0c4

        SHA1

        d443c388a6374b1ffcdd130ae1f4aaeef2dc367e

        SHA256

        e2e86c2c36634dcb3843ff21b33fad4a38b0a9f93a6c1f7f65c850c1a5dc8580

        SHA512

        617d9af9fdf29dae259318e5689f846cbb398a36281a667e21fc5911792eb4204a0cc44fd326a99e3dd27603b3313dc2c205e0d0a5f48d55b6ca2a063d46a91a

        Download Submit

      • C:\Windows\SysWOW64\wrhnnzua.exe
        Filesize

        74KB

        MD5

        020eb0fb92d750cdb1af0c5f642e73b0

        SHA1

        0456f0cbbfed7c9d03a697ec764cf64e304aa5c7

        SHA256

        386fb957b2e908702f855240d8ffb2382565c5ecac91815c65b5bd24afbe99ec

        SHA512

        b2099cb93f74ca3e9545b2f11cf379caa3d95e0b4748eb41a1d47e28737718ff91fa1c4e9b12c450dac4bccc3ae3ad8520b8a55b3e4ae7e7ef4fc63cd67e4068

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\glzwvvgqap.exe
        Filesize

        49KB

        MD5

        4416f86b0dcace328554f96468d8ac38

        SHA1

        7826f9f41f463009ca2c29d45d7671627cf9f8ea

        SHA256

        7b96b0dfce5ccd165126a5bcd9de124f9392272d7ab412aad26442ee79be0025

        SHA512

        74b6d84c7784be5ddc6f4cc76578d732e9b01c10ef90e87328d136fed351c3e9c298e15b943a67d98424544807ada2156b65cb66ef0d7b5d88e94da4b27f5a13

        Download Submit

      • \Windows\SysWOW64\lhxifmhiazwkivf.exe
        Filesize

        170KB

        MD5

        dc8fb3979de516466953e7c8ecfcb7d0

        SHA1

        b222cb1ddf856b9f19eef947925b1ae3952bdfd4

        SHA256

        39704ed4c0f8ce1066ff4550a53fca40a8e145e250a5ca57bd67c5eec7c25052

        SHA512

        2dce43de9b9f8af273836e39535c9a689c42323592abc0c237483866888050018bf443661acd5ab2937d94690eed8331643e1909ac13d92ab269850332a86873

        Download Submit

      • \Windows\SysWOW64\sybbrkwlqjnzj.exe
        Filesize

        209KB

        MD5

        827339cdeb3ee5e0fb027468f4466490

        SHA1

        55b7a24c76a6c1e2621a6fab8ea942d99e649275

        SHA256

        3b1694c1ba4824fae6129c3bc9048bee00b7a89c380558cf65b3a013814251b1

        SHA512

        f4bc4f50d22a00597256641de1192da2d6abf75b9711128d80789c7e058c30f37a7a8dbd0406b86fcc83a9aed125c7fa5da5efea2a1ee156c012f12162de6ed6

        Download Submit

      • \Windows\SysWOW64\wrhnnzua.exe
        Filesize

        187KB

        MD5

        2a89e194e851731a0b989a1b8348c4cb

        SHA1

        2eb29938b63b4ce21a242ff3110754f43c90f56c

        SHA256

        256eea8ac999e23460eea6d80af6be8f4e56c0ab6a2a5ee1ee1240e7a3ce3f29

        SHA512

        0eae32ef710df500113e141f8e472ec798ed2c8cedc265942e167ab53fa6aebd6fd16b85c73ce600e633977ab33e86928615a899175b44afe5005d5a22ee8de0

        Download Submit

      • \Windows\SysWOW64\wrhnnzua.exe
        Filesize

        108KB

        MD5

        678c470cc8c2e02c89e0bfb04612ac6c

        SHA1

        30b3412137d5e942c001419878d5953a77270133

        SHA256

        827a4cee13927df31b8976f119f2a3b355f0250d369fe7eba3856d333e56b96e

        SHA512

        dd6f158e4a0faaff7d4e0b6b6d10066bf4e0c75407857ae18c155102040c8a4505c3cddd4422c9b70d11d96feb415d1fe43cd35e6f20bd67c60f5aed9acccc94

        Download Submit

      • memory/2044-65-0x00000000717ED000-0x00000000717F8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2044-47-0x00000000717ED000-0x00000000717F8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2044-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2044-45-0x000000002F801000-0x000000002F802000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2044-98-0x00000000717ED000-0x00000000717F8000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2512-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download