Analysis
-
max time kernel
185s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26/12/2023, 00:21
General
-
Target
46013bfe74e462633b0e54804e2f12ae.exe
-
Size
512KB
-
MD5
46013bfe74e462633b0e54804e2f12ae
-
SHA1
bfaf9597ecc87ff0ac60fa9216c9f0ce81c0267d
-
SHA256
4ba1f2816660bf4865a204b1f40f60375c24e1ede57a53c50b77061f577bea10
-
SHA512
82635ce0b2fa47c92f380e9971d2ea568099c4d17eec3349d583cc113d2673d8b92a93f499712dbc556d088528a02fd987c024489e2bbbfcb108c59b4a5c2e2e
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\46013bfe74e462633b0e54804e2f12ae.exe"C:\Users\Admin\AppData\Local\Temp\46013bfe74e462633b0e54804e2f12ae.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\jcmgvtwlkb.exejcmgvtwlkb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\lbgjxepe.exeC:\Windows\system32\lbgjxepe.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\nmfkqsddbapzpop.exenmfkqsddbapzpop.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\lbgjxepe.exelbgjxepe.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\tfdgmhzoatrlw.exetfdgmhzoatrlw.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD53788a56ed90f370640daeb8a73b34318
SHA1ed6dcfaf4ffd23d3f73fe756ea6ab87b8595fd6f
SHA256923f9a32ce0d273133c5c3fbf3497c2a25ac34507324a0ef2eb1c3fd4e9e4c0c
SHA512c30e5387dcb592df3bfa29e2619ff116f2f83d5a20c5d6ae5b4871e9c1491dd9d42004a9454a419e3b0dccaa1d5c4dcf0e38c110d71c21720be087aa7d52ca33
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD5bbe09dc1e5a062ccca3035010b4e012c
SHA1b9896ea350585ffb9cfab703fc30e8f1666bc6c7
SHA256c030af506ea22cf6113c2ec9a54dce1228ede01a02c6e0b06a334ce0fbc165a8
SHA51221f247285d9c0048fbd3456ea612168237b4963aece76494e3c1062b1b16cb539294e4690635b2c62e3ba815939a9936e905e54fc992054547d6a3e61e6ceb23
-
Filesize
3KB
MD55dbed80637745b8956f2034517b047b5
SHA155c7132dbf304b93a39166427b069f9375367b6a
SHA256bc7a0dcf2298dee2c994a884d9593f106e01a19b177f871a884d65da24126c5c
SHA512dd7b62c705a5cd43c2232e488cb3150977d20f3ea23c42bae937019d39e58cc28496e18c7dea14a4c98e112cf5d18aa322a8276e25656a7cb962e72bc40e6dbf
-
Filesize
75KB
MD5787169f8b4a1c40d75fc1574225837cc
SHA16422e5c9e540c49d1909e68551de157a74345428
SHA2561450ca15728ade51583144c15a2e2e15e051f8313c6dccd9861dd6425f0d005c
SHA51228ee4f42acd601201d57e8f3a7417e39c7f4532fe7cd9e255c09b168743802219aef0ca81517ada58c3ad8bb9cd406b2e0be20f7addd81ca3f33158bb5422c80
-
Filesize
78KB
MD5834c3712a0aec011ae14cfe237fd9207
SHA1c96b3e095271efbf17c3cb96583c84539c1d44f7
SHA256f4cf469c71f9811176d3a93d55f9069382f8624333ca6ac81cbcdf7c76943a5f
SHA5123346443132fd67589cf611568c8f2d43198eda342190b2f197ae1c8a4978dda2ff1a36eca724ab1fe25951e445efd31c10ea923ee2c492946d145513450b34ba
-
Filesize
29KB
MD5124e94ff2ccea905fe779675dd0e8f97
SHA1ed49a5822b249a5471d16783189d08e7a7ed21bd
SHA256417b3dec9079ce25bd15cebdbf0dbc3a1e56c33a89c6b7f4aa23e6029b28471b
SHA512cbd2beba655b1f3abbc8906ebf92fd3940f0931f96ac12e716512d3bac51cc1d0bb293a3824608fa95938c47992c1bf5a198da7ffe7fa88b7cfe7c7cc1c53b8e
-
Filesize
58KB
MD58ba6e3e395dc265e40fd99b98d414958
SHA1d8e5bd83b8d366b6a879af7e3ce0fe50eb4af710
SHA256fe3250443012ec75ad7170ce17362ba49e29474d0f8702ece60c9b7b1260bfcf
SHA512acbba146a97f210627ff57d964c0b9788e08b75beead6c6e96e3963fab8ccc5ddd6039e30085b53d1964f75cafbcf085e42e87e861e818b84b18123eab1ffd0b
-
Filesize
23KB
MD5ef697411936e74e66bbe548e0ac8c396
SHA1f0518d0ea4f9ec558da920ac1148cd0f3de8ab55
SHA2566dda11762c4a80615dc5a768f4b2f85ce974a8a72238547501a546ffefc49c2a
SHA5120b8535b88bba72d2e6d0aca4a9b497f23cf521595c88b850f5bbcee6c1de340ccdb40145a9daea6abd955dc821eb35c1d2add99e58859da63799a2d5f0f53a77
-
Filesize
33KB
MD5c805d18886f3309100139cfc95158d2b
SHA1e199dec7e07e3706e1c9ec25bc30e33c91ae42bd
SHA2568a21472932af91514787f3f93d846063a2a3bc78abca1666377a515796b804d7
SHA512113d9cfca0eda4e2334f2ad4b76701c9081a1f7a31ea5f5967abd2dcccf3768f912140a3fb52307d6abc493290f8c87c755da6200eaf7181d9bdb364df629d1f
-
Filesize
5KB
MD58b75f548f625f5bcdefd8a002b413126
SHA1cb30cad9b1eaab56528f063957982cd90c824589
SHA256c8aedcde02051e1e93dda61a7e73daafdaf8ea9ff0458bc7ba8674a8bea7058b
SHA51220212c80e77f458f4593d3b550a5b9a63dd0a34c6cb10dd0d450c0499da530baaee1839f5ae328313fc416ccf0b51d11205a90e576f43794f18af895b08be1b8
-
Filesize
17KB
MD5b759829eeacc9c79f61a1c860e211ca4
SHA145d2297c8c033206157f1057f949e210666464ff
SHA256e1a797e3d46463b129897dc9405c04ee1d1a78940fb58a1b6740072bfc7057fe
SHA512ed7d8560f3badf62965a154ca891632f1deb3bdac4c0cffc47a6ee28681b2b3f2410f83dba29df7d9fd7d3574d405967d583f4529109a58d6234cb773c67c1c5
-
Filesize
23KB
MD5036e92a88a4cfe01bfa014360b062990
SHA12c9f202d9cda9616d356d406ac297de4cbbaf932
SHA2565dcc247d95beba4f80a8f5a0143498e8a35f6d3b9120bfbd10193a4655f0404a
SHA51205603b50173b3c925ca292006eb1d723029cf8587018ebe071c326a83058b3bbcee8c35cb8822202ec6c36ecc7c0a2e5a3445eefdbcd193359eadfb59e5cb6ff
-
Filesize
22KB
MD5b45f8434d9f2caa128f837fe0a0516b2
SHA1da8c7ace986d9a1915e336e3aac8603d207c022e
SHA2564cea35dd3c8320aea3e8d7f116080e83bc1a16c3a4194f8efbf61bcf233536f8
SHA512e2f832549cf309942d2bb50524553c1ff95e21819f07e447b3788011d02d1b06f1d43755a3458fa1cf79f95328652fdef2eb274e300bcd23d32c15a031b66ed2
-
Filesize
17KB
MD5ff77f7c586b09374ae3909b6c22f53fb
SHA193cee2bb616ecece397742f78758a1f689ab6523
SHA2569cbf5adeb13e227138d5e8f0191bbaf5144992e6134685f9b65da95d204d3107
SHA51226a0d37bab9cc9880561e6f421c6f9aca9a5134d85fc515ed6f2b57320801ed390c6001306873611313b0267c52d736875a7ce7b139caa8a06f23ec9057d14a7
-
Filesize
28KB
MD5bb767caf7827b113394ca011a6d98bda
SHA19250c206400eaf81279382ed5daaacfb0bd897f7
SHA25645a0750a5a9a99e88ad8fff0c056ef10052277f1a16f679fe3d61e59e88aebec
SHA51228f05aa60b8969792e2e8220c17643ae06d470b69745fdc1df9bc65aab40f8f76c96acfa4de892d9cd2970d1f96a2cce18eb1c2b21ec05c90dcc8ab54755250e
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
122KB
MD566f72ed677095c09bf5cb3c2eaa97b6e
SHA1f1cfffa22cea2581769d2f3dd39ad4a49d7b87a1
SHA256d956488d5f87ca05f66025f7633b14648b2e8d02d114c662001463be6562f919
SHA512dde4f19a7c41e2d77ac49a7aa516f4ddfb13e81ccaafc6ef717421771ec9b0424bf2825bdafe0eab2b50ce84367aa83c7a923dc3e3c957359b197b61f4f8d690
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
600KB