Analysis

  • max time kernel
    155s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2023 01:58

General

  • Target

    4afd279e943b47d193850cd1a8115574.exe

  • Size

    512KB

  • MD5

    4afd279e943b47d193850cd1a8115574

  • SHA1

    cf5176219e8cb85e0f519ba41a0dc1d8446dad85

  • SHA256

    4d0875997de174ca7c7bbfae1102c1c91bc5114dd4af168bb3cf3b219ddc3e28

  • SHA512

    a2fb77e0c14482dc005f9698db9944a124a8dca574e91c95d19e0bf51fe476f3d8ed7fc119a2d9de2e1a6c9d61bb57a45a6a03b83a4c1d8b6d2a3facd151232e

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5K

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 13 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4afd279e943b47d193850cd1a8115574.exe
    "C:\Users\Admin\AppData\Local\Temp\4afd279e943b47d193850cd1a8115574.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\SysWOW64\itpwyixpxq.exe
      itpwyixpxq.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\SysWOW64\jcnobbym.exe
        C:\Windows\system32\jcnobbym.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1532
    • C:\Windows\SysWOW64\lcdsfswweemyrli.exe
      lcdsfswweemyrli.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3724
    • C:\Windows\SysWOW64\jcnobbym.exe
      jcnobbym.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1076
    • C:\Windows\SysWOW64\ntypmcrhuiqxl.exe
      ntypmcrhuiqxl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2868
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    4dece2aba786ecbcd41184f9a1ebdce5

    SHA1

    7bb64bf1ad2c2f2c93d45ca4decf64be9d7dd8f5

    SHA256

    a753bd26ba51c2df0264be5134841d940207026af5c8f4b5be1315b82e125dd4

    SHA512

    9777135c5c776788b8ee6ccd8263a5c8739ab84a45989abf33afc0de98f40f5991b62b9822c5c12952d78b2a897113081db685674e9188451a299b8a4aaa0f45

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    52613989380128acff3539ca002fb455

    SHA1

    8e5e05aacea92e3a866c232d835469fb3f52718c

    SHA256

    2a9e7613d598bcccf65bdbf00174ac9356a6873608a5ed6ca7003c02ff406e14

    SHA512

    ad71daf1edbf36562a09ba318b71737327d32aee0872cbbed78b1f14bc1e20ce1c50c2df605a247ebb05284a428614e0f12ad7ff163ec5cb85451ea3fc1d630e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    32715eeb7a8d7977411aae9b4cced464

    SHA1

    0223413a8b7e10cff6a185d3954d7c567bd99717

    SHA256

    a226933dea7d8581c0ec698cab5a97fc0f409d748b1c9829647f6f02500109cf

    SHA512

    8b5467bd450cc0285145a91761b067c14f8a6b3c057049e02e8f4bc47d79b7fd24e59b2ecf1fe734b1caf8308c1ec2cf185f238e30d997299bf6f116203966fc

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    92ed00534c3dc97a6fa597bb436593b5

    SHA1

    1c60a91a1c8e348be8956a7c9fb98014af64af99

    SHA256

    2ead323098f8d64dc42d09f2a897f7d272784ecb973d3aec41f941a53c7452c7

    SHA512

    fe25e5f1921e4f104f359d58af89bde137a4f274cf0cb2d7945c758f37c97b7265f0b84e10ba13ef17809754bfa89447f63f6fe45b169ef211dc917229b68f12

  • C:\Users\Admin\Documents\EnableDisconnect.doc.exe

    Filesize

    512KB

    MD5

    d4bf45bac27aa4e63f60b03d45941e28

    SHA1

    28cc1c54ded7928706f843581dea380716272f4d

    SHA256

    82c1f880f5e3ea35d884a3960e9a443705dcf01a4c429294deb596d95ed18992

    SHA512

    b89a0a21c7040164a0d3b8b3fb5b3ead3d6128b69fc4672f8f8e93bea9d8b0e00039222ddfd8e88c582b9db8f7959b064a39e60f36102d21f05a71db10acdfab

  • C:\Windows\SysWOW64\itpwyixpxq.exe

    Filesize

    512KB

    MD5

    18b98d10d6d846326681bef1366cfdda

    SHA1

    a5e7f0d18199c2faa9c4940b62f2aadbd100b119

    SHA256

    c77c37b229ecf4964e11aaf9eaf797c7851abf318d0cd60f0d2b5592c12209ed

    SHA512

    0c74546340c79263ef61c91fdd889647420cf392f0edf3a8e638bf84613d100409d4371c6b0b39d1f3fdd23337c2c0bc1a148d7b8de86aabb2ee5452251c297d

  • C:\Windows\SysWOW64\jcnobbym.exe

    Filesize

    432KB

    MD5

    79399f7ee2bd4c34c72891f2742abc80

    SHA1

    16ba443f9a05260570111be3d6ea24e350ee62ad

    SHA256

    12fff2473162ebefdde51662008147dfbdd367b7aea68a1b77fba6fd3dbf5702

    SHA512

    a6083441d9d87a4772d0513c143fe2612e27f3bd1dae53cdacefa4462eb9d8ad1f264ad008adc6a28ca8787ff39ce85c6d64e4df4bd521633f534a056289f527

  • C:\Windows\SysWOW64\jcnobbym.exe

    Filesize

    281KB

    MD5

    e5e93dc26db4dee6eafad0fdd6ba577f

    SHA1

    b5740414ecdff9e28e14f31e2cbf73d16b1ab310

    SHA256

    51fc38b3fa73ec6f44348110d7e82a2199cd06de628f96a0255e770f9b456fa4

    SHA512

    17c50f8383c686d3eafe1360fdea3e2a75cfc853393ee5009af9a00ac31bd16fb20cebb286f15ea5b2651f1c1adda920afa3a897519ad62e6aafecff67569902

  • C:\Windows\SysWOW64\jcnobbym.exe

    Filesize

    85KB

    MD5

    6ffe19dd388090496961cb1f22e51cea

    SHA1

    ce4d927bc772ce3e0e647a749163ea903ca14801

    SHA256

    b927ae8ccfb87df61dc3c0db0d02c388384fe64edca03718c7fff89a7b2c8f36

    SHA512

    7ffe013ea67bc20f05bdbf14bf8bd0dc8f81ada42a597e735b10e0d5a792f5d8711c626c0ada5dc1945a1deadf05570a86022d949e2c38fa3769e51018ac00f2

  • C:\Windows\SysWOW64\lcdsfswweemyrli.exe

    Filesize

    455KB

    MD5

    dcca4039f7e3bf14f799bcfba40c951a

    SHA1

    d635da0ba685e234cbcb9feab42f70e97c6326dd

    SHA256

    d0bd5e4d1ad3c7ffda27137ff5c2688616d9efd8088c361ad3bd0ad820ae20b1

    SHA512

    f294194207f9a47e772bb965aeb64b75f9bc8a90f244084d9388e45536807cf6ff5a7d531f1538d69e7fc946d33dcaea418f32fed54dc8c0fcdfca7da4f7c4e2

  • C:\Windows\SysWOW64\lcdsfswweemyrli.exe

    Filesize

    403KB

    MD5

    13bb2acfa83bc93e6e4b55b6cdcb9f44

    SHA1

    ec6bd2ca6e9b5f36db1595d17442b7f2d78cf1b3

    SHA256

    6bc2125bb8977b789de4f44fd533b792f19ded2de848b2191fde1f0ff94ec7fe

    SHA512

    d710dbba8690647795e3dd30adce53058d7fd237405e93309c52e51b709915e1656d2708fa6c672ae1b62f81bdeacd09140d9926c657d3d8a52be2bacf29febf

  • C:\Windows\SysWOW64\lcdsfswweemyrli.exe

    Filesize

    512KB

    MD5

    47e791100fbc6273e755e491856e9d5c

    SHA1

    dab40f663ce93716562173abf7a0bacc42505ad0

    SHA256

    c76f2df32b05b2fb0238783cd1204b8d24b2b967cf6705d39213881fb37ad52d

    SHA512

    a03ad7949a2d8e6f4e6addaad178b010313267173b54d8070463670f019e6f4fc0aff09a68a99aa92bed53264159d2cfd8be7937efecf2b419d1532f1fad7a18

  • C:\Windows\SysWOW64\ntypmcrhuiqxl.exe

    Filesize

    381KB

    MD5

    b3ab192f2911d0e63296a3a91c857abb

    SHA1

    99b3b21b2bcba90bc030a99eff0cfab26d5003c2

    SHA256

    ad272e73fc023f78279e563b0bf37d853bf3e5c9f4c91b2de04dad9effdbfdb6

    SHA512

    105ebccd31607c2816f99291715e716705245b140b8a90bc1fa37b0214dcdffc8c4d4af9697440a24079aa239202593a6e5c1a2e3e4691752370b46206d711d0

  • C:\Windows\SysWOW64\ntypmcrhuiqxl.exe

    Filesize

    181KB

    MD5

    5698e10b9f2ebe5738bba13af728e35c

    SHA1

    56f08e5a6521e51769f3f19bf805afbe4143ae88

    SHA256

    40a8be9ebf4e5e1aee0ac6b5eca528adf681a0e1a925b3728fe11bf5d9b49a6a

    SHA512

    dc2d0a4bf6d5caa8d03774170bf9f905735f6c3b91dc965e38f8358bc030784d69b1d88f628796014135cad7566bfda0812c4a62e05d491228fc05787c5cd5ca

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • memory/3364-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3756-40-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-37-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-46-0x00007FFB12DD0000-0x00007FFB12DE0000-memory.dmp

    Filesize

    64KB

  • memory/3756-47-0x00007FFB12DD0000-0x00007FFB12DE0000-memory.dmp

    Filesize

    64KB

  • memory/3756-38-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-41-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-43-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-44-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-69-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-45-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-42-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-39-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-115-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-116-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-118-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-119-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-120-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-117-0x00007FFB15730000-0x00007FFB15740000-memory.dmp

    Filesize

    64KB

  • memory/3756-121-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-122-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB

  • memory/3756-123-0x00007FFB556B0000-0x00007FFB558A5000-memory.dmp

    Filesize

    2.0MB