Overview

overview

10

Static

static

5

3d0a8983d1...6b.exe

windows7-x64

10

3d0a8983d1...6b.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    0s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 21:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d0a8983d1c76b9ac2c80e058138b16b.exe

  • Size

    512KB

  • MD5

    3d0a8983d1c76b9ac2c80e058138b16b

  • SHA1

    a4a38c96475bd49cb078c041011ccec3296915f6

  • SHA256

    e6bd8ad2ab36739fd045c556548d7af136e419669c8a2a9872a6c286ed30ac82

  • SHA512

    63330948e15c5c33c3761551515eb291aa709939b777fd531bfd6ff530832c2402d1270ab509b8a45a20878ef7646db55ed0fdc28a4bdba6d8d911d7987df65f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b.exe
    "C:\Users\Admin\AppData\Local\Temp\3d0a8983d1c76b9ac2c80e058138b16b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SysWOW64\qejqlwkpvjkzz.exe
      qejqlwkpvjkzz.exe
      2⤵
      • Executes dropped EXE
      PID:2664
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
        PID:2624
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:772
        • C:\Windows\SysWOW64\prlcmkcd.exe
          prlcmkcd.exe
          2⤵
          • Executes dropped EXE
          PID:2556
        • C:\Windows\SysWOW64\plsmyxdrkkgyesi.exe
          plsmyxdrkkgyesi.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3012
        • C:\Windows\SysWOW64\msrzpgpqrz.exe
          msrzpgpqrz.exe
          2⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Modifies WinLogon
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2744
      • C:\Windows\SysWOW64\prlcmkcd.exe
        C:\Windows\system32\prlcmkcd.exe
        1⤵
          PID:1732

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
          Filesize

          20KB

          MD5

          705c96a275729247440027b8f8d683c4

          SHA1

          320f9756c8001b46033dcab6be9963149fb83aa6

          SHA256

          61693e9c773ec73f36e6a1998d319ebfb7283f6bda1cb7bcfacc9b186833e27d

          SHA512

          0f9778febcaf70a9c066d5a4a78d7759c25cdaf17beb7dee2fbb1cad7ec089499231015481278d76511cf90d97f91273909d436c0fb74582f816bdcd1001a688

          Download Submit

        • C:\Windows\SysWOW64\msrzpgpqrz.exe
          Filesize

          145KB

          MD5

          624f1b8f576d9d9a9e21a73dd57fa3ab

          SHA1

          2a0c3dced757347bcd7ed6d4d073cafa9cb7e593

          SHA256

          2702a8c58a46b83c3431f6d4911ef1d914d2764e2fcd9d1b9faaea57b61d7446

          SHA512

          8b3a51f8349f4e994ddea29dced7fe7713c1460fcf163fb18ee825557d79bf778630abe5ddc4c1aa26f76cc4fcb2d97324927e457135a8e0c08c9a5b64ec6fbf

          Download Submit

        • C:\Windows\SysWOW64\plsmyxdrkkgyesi.exe
          Filesize

          40KB

          MD5

          819b66b5778e028e7e63baa0e10b5c0f

          SHA1

          ca38bd13168e1b266fd7c38ba67bd13006bbd3ac

          SHA256

          c3f746854dff143d819923fd3479555a8d9ad42bbd6f6615a1d6e04e5e8e8162

          SHA512

          5b64ce7b061d9462cf910877c68542d3c25160a6228202d0f2426a533163b0366f6d7a64bded92f7d5af96fbda5a8dbb89ca23622837875fb02e796e2bd55838

          Download Submit

        • C:\Windows\SysWOW64\plsmyxdrkkgyesi.exe
          Filesize

          145KB

          MD5

          3cc65bc0af0b7be5a35b82ba28fee418

          SHA1

          0763ae55c8dab025e20f26c38acac09f64010934

          SHA256

          2b8754755b0fe7be3c1edbb568c93118320dcd5eea4645c4c71ecf97f0746019

          SHA512

          67ccaa14f486b72b574ee81fbd31f2b0e85933fbf01af878ffbe8f05051a53d83b912e3a61afa1629241a8867bf6bbc067ec9b9bc9ba3f126b3af9c21d5a5904

          Download Submit

        • C:\Windows\SysWOW64\plsmyxdrkkgyesi.exe
          Filesize

          36KB

          MD5

          3d71287d9f4f920664f0770be782406a

          SHA1

          79a0b2b9815fc1a9386e3a1bc6a980d2196a46ee

          SHA256

          81c7e4d5b3be21a801f3eb6b9caa1125550116e197c487061466eaff21e3d1ef

          SHA512

          8a2133be972fdd0d6b7a8d4a48ccf703bb150c49f12b215e52ef9b1b95f1f0d2eea04c13ae314709c838a093839bb5f2008b3951643a1ae2a0913a5cd675de92

          Download Submit

        • C:\Windows\SysWOW64\prlcmkcd.exe
          Filesize

          106KB

          MD5

          d826bad332bc62e22290a6b71edd118a

          SHA1

          d8062056870edd78165fd1584a1b71dc57f66aea

          SHA256

          f473b8ca6f4d526c38f3ad1e05846c442239112b4dfae733c6735f928c427800

          SHA512

          e6fe6d799093428bac04478ec53b6910507de5e9dea2ce1fcd09000d10286531fc59d79aaebc19116c14d855754e42cc35e5fef0ec7e86db1b83084f7205414d

          Download Submit

        • C:\Windows\SysWOW64\prlcmkcd.exe
          Filesize

          27KB

          MD5

          f05f397b897e268fe09d2df0d2bf7ecb

          SHA1

          54a7c0b496fea4dad93977f3bcab746c804401d0

          SHA256

          52ae9a58fa94f55fe0c926f0b8b92bea878521a3dff882e241524f10c913f621

          SHA512

          209b462a36a5b305833cfa23a22f195fb8d395b2e22ce5a7d63c92c46eb454010fc70e7c418b2e0aa7acfea02c19cb1a4ad9f3e89e8d296bc27e93f96a5ac148

          Download Submit

        • C:\Windows\SysWOW64\prlcmkcd.exe
          Filesize

          7KB

          MD5

          3ca90c6b6e0593af7db348c8eaef061d

          SHA1

          6d9c212bcd9f06c04b4aa9456125ff1e734387ed

          SHA256

          4b3a88a1150d535de6aa6c50425a150f6c223f5b2a8a900954a3fd9071b6a98f

          SHA512

          4997daea6e0c8c363e9a4a3fa100605919dce3d8970d296817d18569f79742e610066aeeecf1a933b873336fc90a15c959f647dd5c52375c136589988253a5ce

          Download Submit

        • C:\Windows\SysWOW64\qejqlwkpvjkzz.exe
          Filesize

          1KB

          MD5

          ec89629d437c17787acc7061c89e753c

          SHA1

          c65089b32eba1cf75d3546335718073460c971f9

          SHA256

          87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

          SHA512

          65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

          Download Submit

        • C:\Windows\mydoc.rtf
          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          Download Submit

        • \Windows\SysWOW64\msrzpgpqrz.exe
          Filesize

          96KB

          MD5

          cc727bf87e75e50d52a07aae13046485

          SHA1

          1e3f482c3e5ce033458667b8600f90037a39f88c

          SHA256

          a030d652d6e7aa73d0ee0f3cdc1c4c4de60b34c67e8ad81e9dccaf28e833871b

          SHA512

          a724410143e813afcfba5b3033840a919bc1205f8a9cfbcfc8191d241051f10fa3d11bbaa5beabadb9b4456c717ec541013d42e125216620f2988a0f6acee44e

          Download Submit

        • \Windows\SysWOW64\plsmyxdrkkgyesi.exe
          Filesize

          121KB

          MD5

          c643a7192808eea173bf1e13cc6b8042

          SHA1

          b3245d9c8b3e725f44f54d19a9600203725300e2

          SHA256

          c1d9b441dc4d70ba754584ae1ee18caba8cca770d5dcfda02d482aa745d8f634

          SHA512

          37b456480d876d8f6d6543d794c16e9c63f0119fd6a92c2fb36a29303184065f1bc392bf2fb5b349f6cacf12e19504b2480ee8375ed7518efa41739f0ef24157

          Download Submit

        • \Windows\SysWOW64\prlcmkcd.exe
          Filesize

          62KB

          MD5

          a4056e466653f23c5399733b8a928cae

          SHA1

          849f7defb6dc463558cec1a37a397c4793542437

          SHA256

          939a87f2a0ebde59786aa1b6d6fd1ef3ceb819018f5b40d6ef49830dead6c5cf

          SHA512

          241b1657294d8b9fc016fd0c4d61eeed37d5342552b5715ad8fbda0e2c665248a92c1a8de8ba06ec4438f0b55ba3dc17d6df886476192a9fc7e51bf9b5b1a956

          Download Submit

        • \Windows\SysWOW64\prlcmkcd.exe
          Filesize

          82KB

          MD5

          88699c7e246f79abb684ad9af4874a04

          SHA1

          01804fa9a14ec860b70908155e14ff9ec385e560

          SHA256

          9e72455314c33700a9ba7e5367a8c050a2279a0571ff7a45b0017760d029eb29

          SHA512

          0d2540507abeb49d8c146d8a72a801b66c5102b9da61002cb0aa87842cf4aad326376a91510a60eb67c181de58dfb43bec00483c058b551aaff134993e53a75d

          Download Submit

        • \Windows\SysWOW64\qejqlwkpvjkzz.exe
          Filesize

          108KB

          MD5

          1fd3602b6767a80c59fba7cb2bee9e5d

          SHA1

          374d507e77fcd9c88ff7b0a70ad199c0c8660092

          SHA256

          5950f7753998902e304b322e6dff21de4e873a243d0b42d6e298b22c640ce8cb

          SHA512

          30418fe1331007edf763fa4feb97e96c9669ec6d3b168cbe4bad0b0bcf864e48a06b03a15b270c496a6a786129b88cc86f2f204b35db7ee7cb06b03ae50f3386

          Download Submit

        • memory/1476-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2624-46-0x000000007147D000-0x0000000071488000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2624-44-0x000000002FD41000-0x000000002FD42000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2624-74-0x000000007147D000-0x0000000071488000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2624-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2624-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download