4a0bb892a90ddf84a5e55abbef3e0d84ae2dfd8c819109e12166a5829ba838b6

General

Target

36d010669e21feb684a6e2da9988fcf0.exe
Size

512KB
MD5

36d010669e21feb684a6e2da9988fcf0
SHA1

d95b5c77b4121b2d87a9a1025079451bcabb7687
SHA256

4a0bb892a90ddf84a5e55abbef3e0d84ae2dfd8c819109e12166a5829ba838b6
SHA512

b955a7bb671b7a94b9989fb04496666220cdd40657c669b4a2ef29a73afbe4ca98b6ddfec9dc36ee80c3517c4ff9a1fe9c22d358b0e7a17338cda30c87fe345b
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4500	vxjdclueuy.exe
4268	exjapequblfmnzm.exe
2356	epaxxzmz.exe
4432	aftdvhkascocl.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2352-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0008000000023211-22.dat	autoit_exe
behavioral2/files/0x0007000000023039-20.dat	autoit_exe
behavioral2/files/0x0007000000023039-18.dat	autoit_exe
behavioral2/files/0x0008000000023211-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\epaxxzmz.exe	36d010669e21feb684a6e2da9988fcf0.exe
File created	C:\Windows\SysWOW64\aftdvhkascocl.exe	36d010669e21feb684a6e2da9988fcf0.exe
File opened for modification	C:\Windows\SysWOW64\aftdvhkascocl.exe	36d010669e21feb684a6e2da9988fcf0.exe
File created	C:\Windows\SysWOW64\vxjdclueuy.exe	36d010669e21feb684a6e2da9988fcf0.exe
File opened for modification	C:\Windows\SysWOW64\vxjdclueuy.exe	36d010669e21feb684a6e2da9988fcf0.exe
File created	C:\Windows\SysWOW64\exjapequblfmnzm.exe	36d010669e21feb684a6e2da9988fcf0.exe
File opened for modification	C:\Windows\SysWOW64\exjapequblfmnzm.exe	36d010669e21feb684a6e2da9988fcf0.exe
File created	C:\Windows\SysWOW64\epaxxzmz.exe	36d010669e21feb684a6e2da9988fcf0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	36d010669e21feb684a6e2da9988fcf0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D0B9C2383206A3F76DC77232CDB7CF465AB"	36d010669e21feb684a6e2da9988fcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9BCF967F19884093B44819A3E94B08D02F84315034FE1BF45EA08A7"	36d010669e21feb684a6e2da9988fcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02A47EF38EA52BDB9A73298D4CC"	36d010669e21feb684a6e2da9988fcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FFF84F5F856E9045D72F7DE5BD97E631594467316346D798"	36d010669e21feb684a6e2da9988fcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BC6FF6C22DCD27BD1D58A089110"	36d010669e21feb684a6e2da9988fcf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67B1591DAB6B8BE7CE5EDE437CA"	36d010669e21feb684a6e2da9988fcf0.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	36d010669e21feb684a6e2da9988fcf0.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
4268	exjapequblfmnzm.exe
4268	exjapequblfmnzm.exe
4268	exjapequblfmnzm.exe
2356	epaxxzmz.exe
2356	epaxxzmz.exe
2356	epaxxzmz.exe
4500	vxjdclueuy.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
2352	36d010669e21feb684a6e2da9988fcf0.exe
4268	exjapequblfmnzm.exe
4268	exjapequblfmnzm.exe
4268	exjapequblfmnzm.exe
2356	epaxxzmz.exe
2356	epaxxzmz.exe
2356	epaxxzmz.exe
4500	vxjdclueuy.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4500	2352	36d010669e21feb684a6e2da9988fcf0.exe	26
PID 2352 wrote to memory of 4500	2352	36d010669e21feb684a6e2da9988fcf0.exe	26
PID 2352 wrote to memory of 4500	2352	36d010669e21feb684a6e2da9988fcf0.exe	26
PID 2352 wrote to memory of 4268	2352	36d010669e21feb684a6e2da9988fcf0.exe	25
PID 2352 wrote to memory of 4268	2352	36d010669e21feb684a6e2da9988fcf0.exe	25
PID 2352 wrote to memory of 4268	2352	36d010669e21feb684a6e2da9988fcf0.exe	25
PID 2352 wrote to memory of 2356	2352	36d010669e21feb684a6e2da9988fcf0.exe	24
PID 2352 wrote to memory of 2356	2352	36d010669e21feb684a6e2da9988fcf0.exe	24
PID 2352 wrote to memory of 2356	2352	36d010669e21feb684a6e2da9988fcf0.exe	24
PID 2352 wrote to memory of 4432	2352	36d010669e21feb684a6e2da9988fcf0.exe	19
PID 2352 wrote to memory of 4432	2352	36d010669e21feb684a6e2da9988fcf0.exe	19
PID 2352 wrote to memory of 4432	2352	36d010669e21feb684a6e2da9988fcf0.exe	19

C:\Users\Admin\AppData\Local\Temp\36d010669e21feb684a6e2da9988fcf0.exe
"C:\Users\Admin\AppData\Local\Temp\36d010669e21feb684a6e2da9988fcf0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\aftdvhkascocl.exe
  aftdvhkascocl.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:3616
- C:\Windows\SysWOW64\epaxxzmz.exe
  epaxxzmz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2356
- C:\Windows\SysWOW64\exjapequblfmnzm.exe
  exjapequblfmnzm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4268
- C:\Windows\SysWOW64\vxjdclueuy.exe
  vxjdclueuy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4500

C:\Windows\SysWOW64\epaxxzmz.exe
C:\Windows\system32\epaxxzmz.exe
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\exjapequblfmnzm.exe

Filesize
512KB

MD5
c0ca5d6916bdc068842412cc3fd1fd2a

SHA1
945d720d8c1f5bef8187e1b67408b6d3a0d0e807

SHA256
fdf5e833903fcbe2056c9be7caaa548ed8417fd559f3806f6abbfbf3e66b649a

SHA512
178d0de50ab563a941e0b6771e9cf6c7e459958f07f68e0a88c2f01dee8630ef3e61824b496b020562b072e2cf69bb3fc5323d7b90144e23b4497acb557530e0

Download Submit
C:\Windows\SysWOW64\vxjdclueuy.exe

Filesize
381KB

MD5
30aec9e0b33fbd99234328357879f812

SHA1
3c9d37139d4ccfe2b694afba9633170d0f510a92

SHA256
15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

SHA512
2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

Download Submit
C:\Windows\SysWOW64\vxjdclueuy.exe

Filesize
92KB

MD5
6662b185f19fbf697c56a25c92de7961

SHA1
0df0c0df0de3724258df2549c583e3c934aca726

SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Download Submit
memory/2352-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3616-58-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-38-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-56-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-59-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-52-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-57-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-54-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/3616-53-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-50-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-49-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-47-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-44-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-42-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-41-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-39-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-55-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-37-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-36-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-35-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-51-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-48-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/3616-45-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-40-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-112-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-113-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-114-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-140-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3616-139-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-138-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-137-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3616-136-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing