Analysis
-
max time kernel
161s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 19:19
General
-
Target
376040e32502b8cde9c9efca7ad92005.exe
-
Size
512KB
-
MD5
376040e32502b8cde9c9efca7ad92005
-
SHA1
89659087bf3821fa9acc1c4975a952e09246ff56
-
SHA256
def465ab9cfba97805c83c0d9c9050bcde4e659c1c6919910701bf55f2b06002
-
SHA512
e1698f051feb2e612c4c0c352ca1f976b941ca648550ce084c0d93bb1fdade43db423c7fd8c2173510e00c66266c120488522552905983a6bdc3f72ffe4dd260
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 15 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\376040e32502b8cde9c9efca7ad92005.exe"C:\Users\Admin\AppData\Local\Temp\376040e32502b8cde9c9efca7ad92005.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dmdwozwsgs.exedmdwozwsgs.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\btxqkrhp.exeC:\Windows\system32\btxqkrhp.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\btxqkrhp.exebtxqkrhp.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\chuemyqechegdvn.exechuemyqechegdvn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\ghifzmhhyitne.exeghifzmhhyitne.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD58ded4569f18d8636a4f54f5c2dfe55fd
SHA14bd796f0800032af75d2f73544b4145b3929e3b3
SHA2563e5bcf62e52a70993d7d61a281c10340109135dcb76ec1e51d9aa217718dcdb1
SHA512a4e5c03bbf535f6db8f02ac60dbec5ca712e68f6f8e438267d9be952e169030ccc429d2953468d88a1e477c3086e251c435f6c76e65b2be99e38a256389c7b8f
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD5dae491be3f7d21b99cc6f10483416974
SHA1a89889f6f26719bba3090e36081fb01cee0b9b80
SHA25634ddbe30f903dc5871cdd958ee387771cb3f45d935fe171b7a5a00378d6216b8
SHA51218c39944501cb0dfd61a3b4b90ba6a20e7b95efaaeb9b412f1c21406dc2e370827f15e3f51d7d814132102e8e0a075e96810cc0d7c627a5d327b8ac0f36db289
-
Filesize
3KB
MD5035a9cfdc1175619394c1848fa4eaacd
SHA1ce58aeda393cf89bd8862acf2d68ca8bbe542f54
SHA256ba721272f9c5b5df008df8086aaa1ecd50829dbd4268f8ecb375a5631e05fdda
SHA5123b3c0f0e6aefc3921f8d4220b72e751a92b7dea3850f5f1ce8a16aec926b07d6756d5e2c7a6918306c5e31c89665037e840964210cc46570069c4663e65184ea
-
Filesize
69KB
MD534d74cec8a38ed3909766a907d6ccbd3
SHA1d2aa5bd691ebe4c069aa5f45847d889a2746a5e1
SHA2562b48555d246255ec55e9ce2bcb3241a037f978645ba0cb0aa739d0ca083fe591
SHA5124283a9219c69f6890fbbd06cdca32a3acb263dd7a96b99d4d6362dd54627ee3e015d59271c2f557dd301aaffcbba1b5df91945403b78b407b3f985d6cfd17aed
-
Filesize
25KB
MD5166e0b5145eff0e3104b14a974d83fe2
SHA1eadadbfb4dfd1b0f47a4cbf5e91f4c5d96872c58
SHA2560cda4be464b77c7c2fc20758186d4c9b6df5c755e67df3e573f82ec525c79c14
SHA51266f9015b214d243e27e257bf4f6de8966a3258b2483b9712645acff5d55c022452411f6e7fa02d793548e1e6a4989e875e192b97220a90618a11e5871aede8fc
-
Filesize
207KB
MD554ac885edfcabebfa47952e577771f67
SHA1bebc3c6c6556e697571d18ad632bbdc549d0a1bb
SHA256d205286d0fe7b4e893a87489a408e985d2e24d726bca9bda5fed1277f6b448e6
SHA512521f4acc2d4c6268ea2bc838b26872bc68aedfd9fcdbf3ae6cfa01c7c5abd7cac0f03c5d86133a598e5b12856ac8bc0764f606fd23301193677b6cc4418810aa
-
Filesize
38KB
MD580d0bf5d45079c7342b35b4b9d20f5f9
SHA130a690211f2a16a262a051b3dae4ba75a43f0889
SHA25651ce9c70e2b0b31fc54904a5e06063a7ee60f56f74f15010b82be4f29c49bba4
SHA5122f298f353479e5bc8b45fd35e446e7bc5eb3d7fdc69fed4108df643da9395d4c27ba27d7747480a6b3bf40e27b5aa4d511e20cbeb212095912433f9e1aab32f5
-
Filesize
9KB
MD561d8cb30c81ad3b845266aed54dfd637
SHA19d9457972829c6440059af13650d8b6491f90181
SHA256835a272a1b7ad17a7f5a6c8f5fb101cfe46eebb21b07098b5bbbd552362461e2
SHA51238d8b0c96e5f0c33a17ef9c6ad47edb2c4d17d3ecabd59242896068cf89473c5874a647316dca287e19e3004dc65385d5572e977c8ba050aa97c915d324047c7
-
Filesize
512KB
MD5ca8e98775f0b555dc984494313090221
SHA1f7154848f1a8f2b3605d0d6c3166c0145d708e99
SHA256edc6427fbb602e2c995cee52f975cdac592685e5616c4b5e95cfbf8094275c58
SHA512943870d276eee76eef1ba19aaa8ebd8211ba40d0706729b253da119943e5980ffc42f2e38f408706f552efec23e623ca4a0bb5618464ab126c029b09cdb12b49
-
Filesize
379KB
MD579fdd796935dad592b5dcf524014ab68
SHA1ebc85a32afe71fec89bdade019fa7c4749573cb3
SHA2561cba5148dc43c16d412c9ef5cb0b0a6863754b3fd8f5bdab0f27c0247f5fa11b
SHA5129838acec641be4f608ac48cb14fcb6560c40b11460a469d8a8fbe932320d3dab934d9356f76b3a75b69bc3c6d5ba6d82ba9bfee900b65468797918871ef05c7b
-
Filesize
384KB
MD587014ac0a0ede0be1863fb97a2642d1e
SHA191d237d300821c183f4af439616f10f11fe49cce
SHA2566ebf8e4bf71b4dfaa15e0c6dd46358f25ba8fc52ce55410ee91a32d220d638f5
SHA512cbb848fd878f36d207874fa90d95fead7a4c05a33de65bab079f87ba9b97df0b14b643f0f23b6ee7a6087e6b468057d33737b27523c68483a1131ecb8fae100e
-
Filesize
29KB
MD592eadd7e2dea6626a5ef17926ec62528
SHA1c8ac71f8c7e942647f858671ede99278acd5a4f4
SHA2560dbf4bac4f962275234afbe77d22a1376885627609870451e9cef14c331a0449
SHA512cf5bf2267e051c8a242fb602ada895f6abdebc284b12e34c0b21580148c919bfe9db68ea374af038e40b6a328009d51b1ac1ca22e60e5f7407720598533e8dd4
-
Filesize
8KB
MD50a1e2815ee32f2caf36518e3d6a84bf2
SHA18e58315f5642f1ad7280bab803b1699a3aed181c
SHA25647e6d6b16feb91ab181f17d686b57fe193c71c78c32ec72dccdbbded06a64b63
SHA512c68701e06a67f23f8f316ccd2a47d66dd3b02901ee7b5b0eec167162085a0a72e0fcc8c9bd9df2dbaa02c1a5f352321538071df301b613f99cc4d4db62c9056f
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5c4f6941ac163cd9ed0ad1828cbf90f5d
SHA1b0f1dfe1b0d323f5745726d0e61027a5373a9b41
SHA256337d042847d21a771b3b2a21ab0708d7c2064ebcfc7481d37f0746f3999de896
SHA512f3cccb9e09c02454fee82dd2ded38703cce82f52949dde0eaa4c011a45d2c24898562982a2d918fa64c72189dc1a367224ed86bd1b4443fc925041073a0dcd1c
-
Filesize
483KB
MD5a541cfe3364903644a0e8817bb00a59d
SHA1a75d9238ca00a2960c8c3d0675f87ec0d8889ed8
SHA25641a1ac49037fa66cb7f87f2746b020b3cef212bf6d3b954449570d823b551814
SHA5120cc20ba3a58d3d93a0dd0888984baf5cad57a45acd5dc17477a9e27eb2878faa096be54479df8c616af2fa272313c125b5f2a325bef091897b55fb445066622a
-
Filesize
72KB
MD51eb10424029ca267d2fe23fee2e76eb1
SHA19f230f34eb58577b79f29b84f68c1dcd984f35c9
SHA256db718b3cfcd5dddbdc78e365c388fc6ea1017b96be044ba9fe4dd5c147e48542
SHA512eae396afeb11ffad9f5add8f9b88e4a8c14b5b8695884d2ff748c53f5c252c42c8dfcfd7bb42a6c4951bc686afa8d98f16b179bfcca1a4e56a2bc3aa16f28d89
-
Filesize
71KB
MD546bcad6260d13c671ff3c36b07537b16
SHA14151fd9c6433a90e63d064acef40f5e9c24a475d
SHA256a7c7855923c61d9e7ef727bdaad151d6c391185f89e469b330be1d15af7af4aa
SHA5126b106b80f96bc7d527a9cb7ac77eff917be4ce4e29b4ca9e09110afdd850fbfc5e82dbd60fed3cfc56b6462b5d971746311c92a6ef65b38ab7d795777264ad33
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
600KB