Analysis

  • max time kernel
    251s
  • max time network
    277s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 03:42

General

  • Target

    514d4ec35b688cd54467278e5c5d41a2.exe

  • Size

    512KB

  • MD5

    514d4ec35b688cd54467278e5c5d41a2

  • SHA1

    2a116bc638fd3367872f8dac3760cba5b581d7e4

  • SHA256

    c438c375ddbd6a62753a5cdd333f225626dc5ce3fb39e0f96a72ae7d09dc130f

  • SHA512

    3ff4f28b4cac41efd744d188ca8f72f54aa5ef05de1f6807d2cca5597dbd4eed522cca077cfde117ad90b5301ea319bdc4bd42785aa724891c6c74e5c0d605a7

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\514d4ec35b688cd54467278e5c5d41a2.exe
    "C:\Users\Admin\AppData\Local\Temp\514d4ec35b688cd54467278e5c5d41a2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\thwepacoym.exe
      thwepacoym.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\tddbmjmp.exe
        C:\Windows\system32\tddbmjmp.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1244
    • C:\Windows\SysWOW64\qcyicbvsadafm.exe
      qcyicbvsadafm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1164
    • C:\Windows\SysWOW64\tddbmjmp.exe
      tddbmjmp.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2188
    • C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe
      yvjxpbtqotsrtvb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1272
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2800
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1064
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x518
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2300

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      c44c176945767acdaae39fd86e54a726

      SHA1

      695a06751fd9946f2a88a2b28201a4d3f4c7557a

      SHA256

      a28c190a7e15d301285b8a50fb4964282ac0a47ea4996bc345a2ecdd22dbf4ae

      SHA512

      4574fb87385cc864e11bb70aa286d38fc09b190aa40f789f8211b733ca867b1121862ca21029a9742332d09c02730cff1bcb83296fbd1d313b6abb79f03cc205

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      6197102822b0c19d20a786b4b21f1d31

      SHA1

      44a0b6953fbcd92eb39ac7da49bb780e03009279

      SHA256

      915f20dd50abf26855a9e396f516aae6d2e8c0a77461c19646d5244f6b8b7574

      SHA512

      2bf5368846e4f6a9acfddf6dee3322c69493dcff33f5fe400a5920a376caed1ff14479b973536336915b9d80294d65b9562a3f3d78e71d6adb6049bead35c0f5

    • C:\Users\Admin\Documents\UnregisterEnter.doc.exe

      Filesize

      512KB

      MD5

      02eed8a3405c1ccaaa4971aa5419eb81

      SHA1

      2228e41559938d4009a56df8c8053fe8e8d01083

      SHA256

      a2996ccf8dcfe2b981742dddd18666852857319dcab79d859dd00cd7281fa9f3

      SHA512

      ae8367d27a4f6d891a5e8f98b830e459438d01311727dde3b77bc28d427450e5cdaa956cb9a7319486ffc95d341b869ba9ce5931d61b85701960f862cc068b1d

    • C:\Windows\SysWOW64\qcyicbvsadafm.exe

      Filesize

      375KB

      MD5

      0ff1bd2acf1477af7b3bb02963b0a039

      SHA1

      75171dab260e5b0a9f7177c2afc8c01a9af77907

      SHA256

      3b81ab762fdc77d3c915f204f1699279a2e44a35526ca4d64fedf2dce1074f08

      SHA512

      db8a494433543e915cea8f4dd09ea71a2a0b8ae463a2c3d903c28f14d468c02e07850c3b9040e514096f61d16e530e57449020141a065e03a16ae1de3a157452

    • C:\Windows\SysWOW64\qcyicbvsadafm.exe

      Filesize

      85KB

      MD5

      27623bf17711551baa843bbab18a4b07

      SHA1

      2d6d50bab42c5defdd9bdf3f14fb826853558392

      SHA256

      6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

      SHA512

      53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

    • C:\Windows\SysWOW64\tddbmjmp.exe

      Filesize

      396KB

      MD5

      fb799a6e0b41bb2634213d6216733613

      SHA1

      7753dcaa5e7302edde3b5163e3861fc2345c5944

      SHA256

      8d7bc1c78c48b4f420d976ff85487201ab077106bca7b2b4eacb8a2d8bc4b75c

      SHA512

      4da825f761986a01a5c5b7933ca2ee52f161a00f6ea9b2ae94d3a37845ade83dc10d28a84e903649d10b2e8fab82598b48c077469db5c8b45a754ec8b88c7430

    • C:\Windows\SysWOW64\tddbmjmp.exe

      Filesize

      13KB

      MD5

      93b60a88e7843a99ec04168b8d93750a

      SHA1

      687f563ea0695b0af22e5b18bd7758a6a986bc66

      SHA256

      114298a30a908f2084f327bcd252fb420560148edaf8ca96051eb47c3b65eb9a

      SHA512

      f1fc5c1306169f0bf937e16a1046f81ac6f68797a57894273fd140f827a66deebd9271af52955fe59e4a8e309f36722740f5c35dd9e994bf1026663cc74ddbd8

    • C:\Windows\SysWOW64\tddbmjmp.exe

      Filesize

      512KB

      MD5

      3aed660d8e799608bb97362104914eb9

      SHA1

      ef0d8f36e234c46bb8b215176217666c8bee810f

      SHA256

      8a5c6ef55933065c0795b729c79c65159b618e45228c7d11726f55e706579349

      SHA512

      77ca102c24d364a0c1ee086dacdc11710fe296d4ae9762747f6341aa3a3205017d9931e1f0662a58f05e1d668974de51ad2589b52e32409678e1a8ab25e5b200

    • C:\Windows\SysWOW64\thwepacoym.exe

      Filesize

      356KB

      MD5

      7e32204c7be91c53b7f7aa0dde2a281f

      SHA1

      80fcad69a52741c426eebf14983948804b02c45f

      SHA256

      fa488fc752a975c4883e3fbaac48ff4562831a19f1dc1bb3f49e62af3cc251da

      SHA512

      63420fcaade6cc2ea3873c87b4b73beca4af578b4e7da1c0844e98f3d2d8f8abb8db0d050208a94b1dce9881269910c4409400519c85cefad0192a3c91dad915

    • C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe

      Filesize

      4KB

      MD5

      9a39eab4787614a330232f9f85c7af4c

      SHA1

      c79a07e88a091f9ca67498ecd3451f1e67e0c472

      SHA256

      e71fdc77a001fbf0ccb31a1ba522ceb5444f1f1bf76657f6743346e8366ef5f4

      SHA512

      19afc5c83e0bc815dad7a43598aadf7f76393ef90491246c39f250f1cf202d408560e97be32505abf0a429421c0948a1bbe8230cec4ee3e7a9023ff193de93b6

    • C:\Windows\SysWOW64\yvjxpbtqotsrtvb.exe

      Filesize

      512KB

      MD5

      c9a5589741bb940912b0c84a84b583f2

      SHA1

      47a205c26ce9e7caf1a7a67bb58f1d63a607bc4e

      SHA256

      0eac1d5cabafad894c388208bae104452fb3c1e58c1368c9c9e33a2cac81ad7b

      SHA512

      7fc2332f959b151617450d9e2159613b7ca8cc8d50fbc093587f747ed1352cb774d2c988233d84a4b841eb1decd3f79048dd49ef4b8f6b0363f962655d277514

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\qcyicbvsadafm.exe

      Filesize

      410KB

      MD5

      8e62a97f98717700d3e36c35e0661c84

      SHA1

      03aab201834daca81ffa89d0d0bf5c11ad3122da

      SHA256

      33a6a56166b2bf473055462e9e0ca130f3c126d1837d379cbf34d43ebf66ca72

      SHA512

      088e01aff5d5b12c05c74be8d9387f6f9523cecaa217471832766824ed443e4bdcc1ddc9b7f4cc10c506f01909e672bc5b4c01ab0f6f0e77f2640c158c13bdb5

    • \Windows\SysWOW64\tddbmjmp.exe

      Filesize

      381KB

      MD5

      30aec9e0b33fbd99234328357879f812

      SHA1

      3c9d37139d4ccfe2b694afba9633170d0f510a92

      SHA256

      15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

      SHA512

      2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

    • \Windows\SysWOW64\tddbmjmp.exe

      Filesize

      344KB

      MD5

      1d4f16c098a1369204d84f81b7920b5e

      SHA1

      27bb2e82d7e54cc6bacfee84c0b25830306f9ada

      SHA256

      edc5320048192807fbb6fd03f7cde14eafd8e0321de75df1d52a27bf062af261

      SHA512

      3ce617cedf7862abad1bccb180c1cf5e8d68b2471a9ab73334f2ede4ceaeacc5f9f720690af3b346134193f38b41086801691c48f34d6e8a7819c6cb8ea6285b

    • \Windows\SysWOW64\thwepacoym.exe

      Filesize

      512KB

      MD5

      bb6144c6c2deec4d9da2556fa0c006c2

      SHA1

      17f61798b8ce702021e6ef2b7edd2c79a8318cb0

      SHA256

      03b66766a5aa73b748f19a4fca9a7bddb9c292efd34c1b4070af254775b3bf41

      SHA512

      f5c32dad3b2f8197d06f34a0c5c58b9e3863426aeb042742e3ebb74a6bc4f03188280a73255feebe2528518e92d674848be580eda7fbea4acb2d2b95657a0e1c

    • \Windows\SysWOW64\yvjxpbtqotsrtvb.exe

      Filesize

      101KB

      MD5

      ae8598f4c728c11dbfa0293180fc8af2

      SHA1

      51cce6eba90d17f4e091ac0535558e0f3b808073

      SHA256

      3ab006fc6ba6f62248806db47b6484fa0fac6e5672b4034895478b832e9fec91

      SHA512

      2ff3c65c7e0cd5503844ea5808bb81118945e884878946d918a8182ee5ffee4f444c5985f9eff09676132fb457deb8e44e3a416208dba898633115efb99477fc

    • memory/240-45-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

      Filesize

      4KB

    • memory/240-47-0x0000000070EDD000-0x0000000070EE8000-memory.dmp

      Filesize

      44KB

    • memory/240-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/240-67-0x0000000070EDD000-0x0000000070EE8000-memory.dmp

      Filesize

      44KB

    • memory/1064-68-0x0000000004310000-0x0000000004311000-memory.dmp

      Filesize

      4KB

    • memory/1064-61-0x0000000004310000-0x0000000004311000-memory.dmp

      Filesize

      4KB

    • memory/2876-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB