Analysis

  • max time kernel
    151s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 06:46

General

  • Target
    5a9a3c0573ad6bbf8ab99941801dbeec.exe
  • Size
    512KB
  • MD5
    5a9a3c0573ad6bbf8ab99941801dbeec
  • SHA1
    7445faccb3896c4e18e0140b5a208ad5f7773e88
  • SHA256
    9586d4cb6b50068c7a98f5c8c05b3717712a7724754a491b0851f2de8ce122e6
  • SHA512
    d5c141078fad9bddcb34e8d3fa1e8a01028c7e3c107a8806a625f02d19cf17dae5349b564d613e0f0431095f6de359eab1cf4134972f32f36662ae5c4a7d0556
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a9a3c0573ad6bbf8ab99941801dbeec.exe
    "C:\Users\Admin\AppData\Local\Temp\5a9a3c0573ad6bbf8ab99941801dbeec.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\mfbapdydit.exe
      mfbapdydit.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\dswyoarg.exe
        C:\Windows\system32\dswyoarg.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2280
    • C:\Windows\SysWOW64\kkqlenytwntzhyb.exe
      kkqlenytwntzhyb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2888
    • C:\Windows\SysWOW64\dswyoarg.exe
      dswyoarg.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2740
    • C:\Windows\SysWOW64\bqiqdyjdgrlya.exe
      bqiqdyjdgrlya.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2820
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2208
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1044
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1604
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2432

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize
      512KB
      MD5
      6c533e8e59f65f3dd144541c08a83463
      SHA1
      a4a429d22da7402241da0c50038fe02db442c176
      SHA256
      63ae1300aaa3b150624f050958b5611b7d981897679e8443389f5aa5d895e9d7
      SHA512
      9d40a0e1570a9328de229b2dffc037a144e0613e55417afdb0dc469565d3f5d7f875a0357ad6b2dfe3882d8fdb729bf9e925ad9cfe08c66a967173ea8dcf2e39

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize
      512KB
      MD5
      451e45131df900ca3c5b85d5174ed629
      SHA1
      1cd887b6b52984bc25b031984b115d353a6c83ad
      SHA256
      f6c2534eaff57ed2a4ee44b1179773ffdac5a5a3cd20d494dc5541e98a5c59e6
      SHA512
      550e7028dff3d708d10835324315d158bae27c1e18ed28d154f818ed8b49bf179a95d44f59574735421dd84ae582bc15f52ccce049582f2a92ab279522c8b4db

    • C:\Windows\SysWOW64\dswyoarg.exe
      Filesize
      85KB
      MD5
      27623bf17711551baa843bbab18a4b07
      SHA1
      2d6d50bab42c5defdd9bdf3f14fb826853558392
      SHA256
      6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368
      SHA512
      53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

    • C:\Windows\SysWOW64\dswyoarg.exe
      Filesize
      512KB
      MD5
      07a699b0b8c986dbe7d9c335241ffdb2
      SHA1
      7605a644bdff3f1234c81251ba0b0ddd8f365c17
      SHA256
      300df951eed1d12ac1440e76ce550d30a3063fc511f719214a6daeb58f6e2572
      SHA512
      d8be95845e77029fcee62d0a238cb1f800f89551fdd58c4f2f50c5834dcae8c9f0bc9a07dd8bfe94673830f5ae8d83a99b10a92c50dbb0b3eda0070c7ffb84f4

    • C:\Windows\SysWOW64\kkqlenytwntzhyb.exe
      Filesize
      512KB
      MD5
      36d22b9f899bdb5265c12eafc00fe91d
      SHA1
      a376506b7ee312189e9f699b8a9446827bc9e74d
      SHA256
      35946a7d18774a9dedfdd4b411795833412b8c3b3974468f1012b2b58b86a445
      SHA512
      1fb31e45116bf5239e6a3e5e989a99d68e7587c9f59884d0cbfd3560514ac3606e474d8198f2ee55e2a9239f2a798c8109f3649852c7136d564344c49dd11cb3

    • C:\Windows\mydoc.rtf
      Filesize
      223B
      MD5
      06604e5941c126e2e7be02c5cd9f62ec
      SHA1
      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
      SHA256
      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
      SHA512
      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\bqiqdyjdgrlya.exe
      Filesize
      512KB
      MD5
      423d1a1883be00d0a013d5828953e711
      SHA1
      6a08f492a2884a9e93fec72ff496a9bdcf704374
      SHA256
      b57c11709479950c20d16bd699c495432af25428bc414671c86fcdf843cd230b
      SHA512
      7b195d47f44bb0ebf8a263f080ee89dde6e8a784c45cbed54ac47023ddd460a01a9ca7e3566381702ee5cf896b2b53009c4ed8fe212c9394431593f385f90b0e

    • \Windows\SysWOW64\mfbapdydit.exe
      Filesize
      512KB
      MD5
      fb63d6120fc8f8859f8df994d779e9f4
      SHA1
      d6e758751e10c2ad819a65d9c6b7dffc3f675d8b
      SHA256
      b3da1bd12b9a2d522a44281c211ce62717673c9265281e01dbf68e963e92d08f
      SHA512
      6e1c05ba150ece83ca05ad84dd5e1969eff112b6d88dfc1dfe1c18ba8efd083e9fcc6f695670646c4883d10225a5079181c3695d16385f328a23debc3b0ad113

    • memory/836-0-0x0000000000400000-0x0000000000496000-memory.dmp
      Filesize
      600KB

    • memory/1044-65-0x0000000003C60000-0x0000000003C61000-memory.dmp
      Filesize
      4KB

    • memory/1604-66-0x0000000003E20000-0x0000000003E21000-memory.dmp
      Filesize
      4KB

    • memory/2420-47-0x0000000070C1D000-0x0000000070C28000-memory.dmp
      Filesize
      44KB

    • memory/2420-67-0x0000000070C1D000-0x0000000070C28000-memory.dmp
      Filesize
      44KB

    • memory/2420-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize
      64KB

    • memory/2420-45-0x000000002FDE1000-0x000000002FDE2000-memory.dmp
      Filesize
      4KB

    • memory/2432-68-0x0000000003E90000-0x0000000003E91000-memory.dmp
      Filesize
      4KB

    • memory/2432-76-0x0000000003E90000-0x0000000003E91000-memory.dmp
      Filesize
      4KB

    • memory/2432-82-0x0000000002680000-0x0000000002690000-memory.dmp
      Filesize
      64KB