f5c1e2b62ffa6bb8137f29183d4003b5053ad1234d90e372b5d2019bc29fae73

General

Target

54f3c113280b05d6b04095c2a62aa0a3.exe
Size

512KB
MD5

54f3c113280b05d6b04095c2a62aa0a3
SHA1

1fbb8bba89a5d57c50361a25669d103909cf5c6a
SHA256

f5c1e2b62ffa6bb8137f29183d4003b5053ad1234d90e372b5d2019bc29fae73
SHA512

64c5b63e222a509dce98179b885bc44cddfd20af0413a557c745d1b9bed6cd70d1151601e9cdc4f315140b81b30b7d20e00b2df11dd49341a04e36ff4d5a1428
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe
2052	lbgeroaz.exe
3544	jxeiigklgiplt.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4148-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000700000002321e-23.dat	autoit_exe
behavioral2/files/0x000700000002321b-19.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lbgeroaz.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\lbgeroaz.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\jxeiigklgiplt.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\jxeiigklgiplt.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\lygcawavzo.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\lygcawavzo.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File created	C:\Windows\SysWOW64\cvmymfabxnvjhnw.exe	54f3c113280b05d6b04095c2a62aa0a3.exe
File opened for modification	C:\Windows\SysWOW64\cvmymfabxnvjhnw.exe	54f3c113280b05d6b04095c2a62aa0a3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	54f3c113280b05d6b04095c2a62aa0a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B1284790399852CCBADD32EDD4CC"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC8F485C85189131D7207DE5BDE1E135593766476332D690"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268C3FE6B21D9D208D0A78A7D9111"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67C14E3DABFB9CE7C94ED9634C7"	54f3c113280b05d6b04095c2a62aa0a3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D089C5583256A4677D770272DD87C8464D6"	54f3c113280b05d6b04095c2a62aa0a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9C9F960F290837D3B47869A3993B3FE02FA42150333E1BD42EE09D4"	54f3c113280b05d6b04095c2a62aa0a3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
4148	54f3c113280b05d6b04095c2a62aa0a3.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe
208	lygcawavzo.exe
4356	cvmymfabxnvjhnw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 208	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	30
PID 4148 wrote to memory of 208	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	30
PID 4148 wrote to memory of 208	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	30
PID 4148 wrote to memory of 4356	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	29
PID 4148 wrote to memory of 4356	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	29
PID 4148 wrote to memory of 4356	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	29
PID 4148 wrote to memory of 2052	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 4148 wrote to memory of 2052	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 4148 wrote to memory of 2052	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	19
PID 4148 wrote to memory of 3544	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	26
PID 4148 wrote to memory of 3544	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	26
PID 4148 wrote to memory of 3544	4148	54f3c113280b05d6b04095c2a62aa0a3.exe	26

C:\Users\Admin\AppData\Local\Temp\54f3c113280b05d6b04095c2a62aa0a3.exe
"C:\Users\Admin\AppData\Local\Temp\54f3c113280b05d6b04095c2a62aa0a3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\lbgeroaz.exe
  lbgeroaz.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4028
- C:\Windows\SysWOW64\jxeiigklgiplt.exe
  jxeiigklgiplt.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\SysWOW64\cvmymfabxnvjhnw.exe
  cvmymfabxnvjhnw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4356
- C:\Windows\SysWOW64\lygcawavzo.exe
  lygcawavzo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:208

C:\Windows\SysWOW64\lbgeroaz.exe
C:\Windows\system32\lbgeroaz.exe
1⤵
PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\cvmymfabxnvjhnw.exe

Filesize
512KB

MD5
309af2a1e58ce4973d391cbeb9fb1bc8

SHA1
fa6b0e3291e6f9654d0eff82740f7bd12c48225b

SHA256
e78fef48a77023f2004c7587f53fea313aa4b0f4082ad15e520310c7939e59cf

SHA512
d4d684cfd370a98956541a95032dd265842900b5fa60beac72c04e1b9bea3edd2afac459cd12f202f458c0e1a7b9d64844fe298bdfda8480ddde5f6ec5ea6c30

Download Submit
C:\Windows\SysWOW64\lygcawavzo.exe

Filesize
512KB

MD5
ed66e8a9e5c595c8e924dd51c5b0a06d

SHA1
7238a8d4dc8157dac9d8215fb66e9dc790071ec0

SHA256
58b65904145ed4750282410df5931b4c7e52a09b15e7435a73d160641fbfbc31

SHA512
c58157f8b775478659bfe4d073b2957fcd74b591f88f3dd78fda3862d0f9bc7dae42883d5f4d51b5c0b0531938f9c33e3340ef67b17c931b9f90e08bc4a207c7

Download Submit
memory/4028-55-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-42-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-48-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-50-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-51-0x00007FFDBBF00000-0x00007FFDBBF10000-memory.dmp

Filesize
64KB

Download
memory/4028-54-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-133-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-57-0x00007FFDBBF00000-0x00007FFDBBF10000-memory.dmp

Filesize
64KB

Download
memory/4028-43-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-56-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-53-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-52-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-49-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-47-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-44-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-46-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-58-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-45-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-41-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-40-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-38-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-39-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-37-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-109-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-110-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-111-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-138-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-137-0x00007FFDFE350000-0x00007FFDFE545000-memory.dmp

Filesize
2.0MB

Download
memory/4028-136-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-135-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4028-134-0x00007FFDBE3D0000-0x00007FFDBE3E0000-memory.dmp

Filesize
64KB

Download
memory/4148-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing