Overview

overview

10

Static

static

5

3cefe1ab8b...0f.exe

windows7-x64

10

3cefe1ab8b...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 21:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cefe1ab8bbea67d4aa326445931b90f.exe

  • Size

    512KB

  • MD5

    3cefe1ab8bbea67d4aa326445931b90f

  • SHA1

    56f7a596f0dd98d48bbf9d2764bd55d420461dd2

  • SHA256

    2cf5c8f3e4255e2f2cb52277fec1759f16c97811ccdcb348afec208fcc124ea9

  • SHA512

    fb23ca25321a1e22d1ff9e564f28eab2d58dd66698614bac1d50da6cc690784d5f5870f14efcbcdedca890228d641ece9b5334cdfd1fe878b4f241f9932baf58

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cefe1ab8bbea67d4aa326445931b90f.exe
    "C:\Users\Admin\AppData\Local\Temp\3cefe1ab8bbea67d4aa326445931b90f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\qipybxpmhk.exe
      qipybxpmhk.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\SysWOW64\fxoiafaj.exe
        C:\Windows\system32\fxoiafaj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2632
    • C:\Windows\SysWOW64\zrweyeajkhbfxhq.exe
      zrweyeajkhbfxhq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2836
    • C:\Windows\SysWOW64\fxoiafaj.exe
      fxoiafaj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2980
    • C:\Windows\SysWOW64\jyfvstkjyludw.exe
      jyfvstkjyludw.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2720
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      512KB

      MD5

      0f893c102c111ef5c0fcec1617cba18d

      SHA1

      ae430c6d1a3ab05874cd5b228fe82e909d42fbc0

      SHA256

      c022be85131cdc885d0387f7dc4774e2f48a345670778d7e26601ac4b63caab6

      SHA512

      19d125b7c6fafd1df0c1bb08728aace9f9437da164af689e913c4ac6d6f388626ba80d6ca3665842091745f959657a3839223e9befdba43c98b9e672695add6c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      f5973b7ff47c84d99ca3174c8e82a066

      SHA1

      03e6eda43c5cac32ed3188df7382fcaebc8ad5f3

      SHA256

      7e5c73b1b2b36dcf13262a00fc33789435ca5d98aa77667d78abe2af73dce2f5

      SHA512

      43a4a09d126b79dc86ab30de21f00370cc54bd426b193b432dccec2be4994479edc7ee457cbadd007235182e5f4333fbdd28cae95b4a9b67f4c0785955abcc8a

      Download Submit

    • C:\Windows\SysWOW64\fxoiafaj.exe
      Filesize

      92KB

      MD5

      6662b185f19fbf697c56a25c92de7961

      SHA1

      0df0c0df0de3724258df2549c583e3c934aca726

      SHA256

      c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

      SHA512

      c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

      Download Submit

    • C:\Windows\SysWOW64\fxoiafaj.exe
      Filesize

      41KB

      MD5

      b98657ad7f5c0f39dedc2779b2dc6096

      SHA1

      1bbe2ed69d906782f35cf5ca21a702ab30c05231

      SHA256

      628d9b3423f667bf4138411125843ae9cf152c347b081a125109890d9957997f

      SHA512

      b4e5d087b85ddc74ff61c5e53b92b068ea4e2114c5a4b5f600cd9bbfbacdcfb44628318f196b1e2e192ee0153007c19e1e253ebef882cfc43f8994474cb574d6

      Download Submit

    • C:\Windows\SysWOW64\fxoiafaj.exe
      Filesize

      53KB

      MD5

      e254ba020a34b53624bc33bc4f530d5d

      SHA1

      38708de318ca93112ae3a3e7e7e49bb763c55e5c

      SHA256

      14250a1662f8f3c5ce7893417841a1dacc44dd6681756f56e789d64dc48bdcf1

      SHA512

      383ab2deef47de0fc73c74d27d121378b961473de42c6186b1717daaf1ba637cdc82f8b93e6898d2c23948b95593a706bf700ed9d9b66d871ded9101254c326e

      Download Submit

    • C:\Windows\SysWOW64\jyfvstkjyludw.exe
      Filesize

      34KB

      MD5

      718afd5fe5bc9c087d4bd0ed52d26e9f

      SHA1

      853f83df2c4cd13615241515b62135a516dcde58

      SHA256

      3770b9c99080067640ae0eed1f02349783e274d250f385211b2ce2a40e3bb386

      SHA512

      97dcbad4e583deb073a0c3b57b8e8ebdc16c1b2e6314f27336bab4de9929fe2513bc51ccccea8d8d9286e5aabf3a18b371d3aa8344ac02b29b7831c12eb1480f

      Download Submit

    • C:\Windows\SysWOW64\jyfvstkjyludw.exe
      Filesize

      42KB

      MD5

      0d07bbad1aa3a69602cd2f5bd29c2555

      SHA1

      c6d8b66e4408906a640af701008b4c7a30852059

      SHA256

      9d32b385e62d249a6a2d613a4792ba15b74cd3b970fc8d8f35c4e95911d3b8e6

      SHA512

      df2f5bae46d04e61980506ab9d497b82af9bdbe632e10204a4b5b14b13dcd20eca211b267adce479aff028d52e82639970317bc4cde87c6d0c40775442dae2b0

      Download Submit

    • C:\Windows\SysWOW64\qipybxpmhk.exe
      Filesize

      89KB

      MD5

      cf95dc86824bc97671db8d10a0a54ab6

      SHA1

      c060011fa1145fe73a6a46479cb2952403f8e213

      SHA256

      afb523b92a870388a46baa9ffebf7b3ab18bb32c7de2683d6e734596273941f9

      SHA512

      91647914edf65c8c0277bf466f3c60cfd38f445f148652efd51a3a2b86772f99ac577a625c8b1d01e3806db3f2ce7cb7db42e38cfb42419f2bac904b777fa271

      Download Submit

    • C:\Windows\SysWOW64\qipybxpmhk.exe
      Filesize

      82KB

      MD5

      dca8ea10219c247082e83ada83135863

      SHA1

      943b5c971aafdb6298844859c841a7c4056c910c

      SHA256

      1e0a2bc82033669b52563291d3e2a51301aeef8a8089887af47ce84516eb3c9a

      SHA512

      e6181b261e5f09b655f5428739436918c8adbcfcbedb72d1ab70951a58212bd498d1f66670e2270ca74823a9c8dc92b5d4b776fe3f766c893ae8c3c4f9a8b436

      Download Submit

    • C:\Windows\SysWOW64\zrweyeajkhbfxhq.exe
      Filesize

      48KB

      MD5

      9d5f9f36cfc2ced7063d7153193ea8d2

      SHA1

      922c7baca31378ab28d68fb93c4b872d9fdb05da

      SHA256

      fafc48398f96ba60d4c32eec3442a1016173b4d4c43b525f61478b316184185a

      SHA512

      41062efda2d80ab81e2330d15cc26ff29189a59a0027ea5a1eb53a5c2e65d8a00571b859ab120d335617fb85e7aa57ced748f207e0080563231ce7818990e020

      Download Submit

    • C:\Windows\SysWOW64\zrweyeajkhbfxhq.exe
      Filesize

      165KB

      MD5

      28fb72ef488bae739e721ec50baa697e

      SHA1

      51e43d3d7bd302f9276c37d82e7328f1eb43605a

      SHA256

      2350f04c4a6fef80d0d7e72d8132ec1fe6b96335e81656cf14611f9319a88aeb

      SHA512

      676d6bfc4e0e83f3fb84a57b5d5b498f482ac1e697ceb45fe22728bdf28c321ab5c4a2372a6b298ebf0e1367aacff1715f97c63c4d43689f0781a520a5bc091e

      Download Submit

    • C:\Windows\SysWOW64\zrweyeajkhbfxhq.exe
      Filesize

      54KB

      MD5

      9a2bca4f6fec45ca376d5e5d0a9a245a

      SHA1

      9f09247bbb7f7fedcc88e8ba308022010b4ad5e8

      SHA256

      d9542b795559bf77fbec23ffd3fa438493cf4f7886a5fb984f48d0953ca869e0

      SHA512

      bdeb74db20436ffe7be2a5dd61db98e0310bc3e15fda584eb5e5f34381fc4e8bc22396684637778d4648a07f150164761fe6a5954974084b2743a3f4de60a8db

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\fxoiafaj.exe
      Filesize

      53KB

      MD5

      e1a709af1b747eb628999dd2a392684d

      SHA1

      23961cbb8ddc03364eae754a3bd32e8a58a51bcf

      SHA256

      5a3b262a6c0fc1fc0ab702884016820b4db1ed87f2197c569cf2db14729746ea

      SHA512

      9048e22766c7185b9fe29004aa97036a42693105b08780e2bd68a7424d57de43552af01aed42bde3050149505039b88daea5565032e6248ee5bcb48e9b501ce6

      Download Submit

    • \Windows\SysWOW64\fxoiafaj.exe
      Filesize

      51KB

      MD5

      c6d0268bb9efc49737e63f24991dc602

      SHA1

      72ce8f4a2b15b04b808ec20f1f889fec95ea4e65

      SHA256

      36904b2b53d66bf1dadd48cb86fcc03c0d283a3395d658a5621633f6a9fc502c

      SHA512

      e89b8a8ca74da99fb4ccc811a6a0935382414a268eff7782db5c5b31ad3544fa791543578c514092b5668517d6a194d3e46cfd6e7ab93c214262f9b3468b3252

      Download Submit

    • \Windows\SysWOW64\jyfvstkjyludw.exe
      Filesize

      41KB

      MD5

      b37e7b9645f81ccd360eaaacd4da40d2

      SHA1

      ad7ae7f86f4147ae1a69574e7fa12e800208d3d5

      SHA256

      44d7368957c97c3cb82c80e7c7ff382bb3313cd600a298ce2fa546d45ff6eac7

      SHA512

      0abbcc10c329722f7632d864bfdac593e2889ff7c71f05e951194d6a3c90c1d1761930b2a9330fd3e7bf8837af409827f46c8451314f1a2480cc192fd4abb5ea

      Download Submit

    • \Windows\SysWOW64\qipybxpmhk.exe
      Filesize

      50KB

      MD5

      3b09c9c487e753a152409d0760fef99f

      SHA1

      92bd1208d10a4293267c342b78a3e5e57585ed6a

      SHA256

      6712431906d4597b67dd5bf47dd60e8cf443425c3cf581f22228cc5eaeee07e6

      SHA512

      fabc13fd3e1e7464874599f7ef2d14b6feaf50ac55844b4ff3df5ca77f3b550e9f6668ced2941086d0d4c22d5d48895f7511f05d1ea882474403fdbe27e65445

      Download Submit

    • \Windows\SysWOW64\zrweyeajkhbfxhq.exe
      Filesize

      147KB

      MD5

      e5d9780b7e31ea34e444b65189c0e752

      SHA1

      3b73718c87d3719c5c749fce8eeac88b76667182

      SHA256

      1188ddd657be803c062911b500e1267cbde9b1659eebd2e8913e888a21f192bd

      SHA512

      deee9faca5341fbef60f7f69620b664cf5dd3668de09b0b97bf4354d8eac0b6c2f7ae45ca9aee389b68fe20266af5f2ccd9ac9878755e5b6d80db7bd4f8cceb3

      Download Submit

    • memory/2420-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-47-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2420-45-0x000000002F7E1000-0x000000002F7E2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2420-76-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2420-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2420-98-0x000000007182D000-0x0000000071838000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3032-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download