f5c1e2b62ffa6bb8137f29183d4003b5053ad1234d90e372b5d2019bc29fae73

General

Target

54f3c113280b05d6b04095c2a62aa0a3.exe
Size

512KB
MD5

54f3c113280b05d6b04095c2a62aa0a3
SHA1

1fbb8bba89a5d57c50361a25669d103909cf5c6a
SHA256

f5c1e2b62ffa6bb8137f29183d4003b5053ad1234d90e372b5d2019bc29fae73
SHA512

64c5b63e222a509dce98179b885bc44cddfd20af0413a557c745d1b9bed6cd70d1151601e9cdc4f315140b81b30b7d20e00b2df11dd49341a04e36ff4d5a1428
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2488	ewnbronnuc.exe
2832	fqbhpihtahsudkc.exe
2248	zqlfzxyd.exe
2548	ygghbyxrrlbir.exe

Loads dropped DLL 4 IoCs

pid	Process
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1068-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b0000000139e0-17.dat	autoit_exe
behavioral1/files/0x000b000000015d0f-21.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fqbhpihtahsudkc.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\zqlfzxyd.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\zqlfzxyd.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\ygghbyxrrlbir.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\ygghbyxrrlbir.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\ewnbronnuc.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\ewnbronnuc.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\fqbhpihtahsudkc.exe	54f3c113280b05d6b04095c2a62aa0a3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	54f3c113280b05d6b04095c2a62aa0a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68C4FE1C22DFD27CD0A78A0B9011"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70815E5DAC4B8BD7F97ED9034CB"	54f3c113280b05d6b04095c2a62aa0a3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7F9C2783226D3E76A670512CA97CF464DA"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CCF916F19184093B3186EC3E95B08E02FC4212023CE1CA42EB08A9"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02B47E2399D52C4B9A1339CD7BB"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFFB482785199141D62E7E9DBCEFE630594B67456337D6ED"	54f3c113280b05d6b04095c2a62aa0a3.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
2488	ewnbronnuc.exe
2488	ewnbronnuc.exe
2488	ewnbronnuc.exe
2832	fqbhpihtahsudkc.exe
2832	fqbhpihtahsudkc.exe
2832	fqbhpihtahsudkc.exe
2248	zqlfzxyd.exe
2248	zqlfzxyd.exe
2248	zqlfzxyd.exe
2548	ygghbyxrrlbir.exe
2548	ygghbyxrrlbir.exe
2548	ygghbyxrrlbir.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
1068	54f3c113280b05d6b04095c2a62aa0a3.exe
2488	ewnbronnuc.exe
2488	ewnbronnuc.exe
2488	ewnbronnuc.exe
2832	fqbhpihtahsudkc.exe
2832	fqbhpihtahsudkc.exe
2832	fqbhpihtahsudkc.exe
2248	zqlfzxyd.exe
2248	zqlfzxyd.exe
2248	zqlfzxyd.exe
2548	ygghbyxrrlbir.exe
2548	ygghbyxrrlbir.exe
2548	ygghbyxrrlbir.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2488	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	21
PID 1068 wrote to memory of 2488	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	21
PID 1068 wrote to memory of 2488	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	21
PID 1068 wrote to memory of 2488	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	21
PID 1068 wrote to memory of 2832	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	20
PID 1068 wrote to memory of 2832	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	20
PID 1068 wrote to memory of 2832	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	20
PID 1068 wrote to memory of 2832	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	20
PID 1068 wrote to memory of 2248	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 1068 wrote to memory of 2248	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 1068 wrote to memory of 2248	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 1068 wrote to memory of 2248	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 1068 wrote to memory of 2548	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	18
PID 1068 wrote to memory of 2548	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	18
PID 1068 wrote to memory of 2548	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	18
PID 1068 wrote to memory of 2548	1068	54f3c113280b05d6b04095c2a62aa0a3.exe	18

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
1⤵
PID:2712
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1664

C:\Windows\SysWOW64\zqlfzxyd.exe
C:\Windows\system32\zqlfzxyd.exe
1⤵
PID:2352

C:\Windows\SysWOW64\ygghbyxrrlbir.exe
ygghbyxrrlbir.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2548

C:\Windows\SysWOW64\zqlfzxyd.exe
zqlfzxyd.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2248

C:\Windows\SysWOW64\fqbhpihtahsudkc.exe
fqbhpihtahsudkc.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832

C:\Windows\SysWOW64\ewnbronnuc.exe
ewnbronnuc.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488

C:\Users\Admin\AppData\Local\Temp\54f3c113280b05d6b04095c2a62aa0a3.exe
"C:\Users\Admin\AppData\Local\Temp\54f3c113280b05d6b04095c2a62aa0a3.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ewnbronnuc.exe

Filesize
92KB

MD5
59ebf1358a9b829f5709baaedeeee6fa

SHA1
1409fd65da1b814db0a08feae54366dfca196f1c

SHA256
d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

SHA512
a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

Download Submit
memory/1068-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2712-45-0x000000002F8B1000-0x000000002F8B2000-memory.dmp

Filesize
4KB

Download
memory/2712-47-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2712-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-75-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2712-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing