Analysis
- max time kernel: 0s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 08:57
Static task: static1
Behavioral task: behavioral1
- Sample: 61af06651ac02a7846d63c57cd2c4aee.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 61af06651ac02a7846d63c57cd2c4aee.exe
- Resource: win10v2004-20231215-en
General
- Target: 61af06651ac02a7846d63c57cd2c4aee.exe
- Size: 512KB
- MD5: 61af06651ac02a7846d63c57cd2c4aee
- SHA1: b39cea0a6f536749d720f00a4cb133d2aaf55bf2
- SHA256: eabb9db1d4ac0369a4e3794908b0d639ab0e38de1d032e95ba80d8dbcde992aa
- SHA512: 2a20fb679b68fd64d2ff2d8b16a2c32e42f1bcc148b0c4c56651352181f712ff056f051e68fa4ec86b5ad9dbcbb1de2688342db25f2c246212b4389a415b6c6e
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | eyivkoctyu.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | eyivkoctyu.exe |

Windows security bypass (5 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | eyivkoctyu.exe |
Disables RegEdit via registry modification (1 IoC)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eyivkoctyu.exe |
Executes dropped EXE (4 IoCs)

| PID | Process |
|---|---|
| 2040 | eyivkoctyu.exe |
| 2296 | bvfuwgvtrkzilde.exe |
| 2824 | znvzixhz.exe |
| 2272 | dllzhcmoghjse.exe |
Loads dropped DLL (5 IoCs)

| PID | Process | Entries |
|---|---|---|
| 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 4 |
| 2764 | cmd.exe | 1 |

Windows security modification (6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | eyivkoctyu.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csuvctlv = "eyivkoctyu.exe" | bvfuwgvtrkzilde.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbuedbuu = "bvfuwgvtrkzilde.exe" | bvfuwgvtrkzilde.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dllzhcmoghjse.exe" | bvfuwgvtrkzilde.exe |
Modifies WinLogon (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | eyivkoctyu.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | eyivkoctyu.exe |
AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.

| Resource | YARA rule |
|---|---|
| behavioral1/memory/2532-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe |
Drops file in System32 directory (8 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\bvfuwgvtrkzilde.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File created | C:\Windows\SysWOW64\znvzixhz.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File opened for modification | C:\Windows\SysWOW64\znvzixhz.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File created | C:\Windows\SysWOW64\dllzhcmoghjse.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File opened for modification | C:\Windows\SysWOW64\dllzhcmoghjse.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File created | C:\Windows\SysWOW64\eyivkoctyu.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File opened for modification | C:\Windows\SysWOW64\eyivkoctyu.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
| File created | C:\Windows\SysWOW64\bvfuwgvtrkzilde.exe | 61af06651ac02a7846d63c57cd2c4aee.exe |
Drops file in Windows directory (1 IoC)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Windows\mydoc.rtf | 61af06651ac02a7846d63c57cd2c4aee.exe |
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (19 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8B482C821B9130D75D7DE7BDE2E135593067366246D791" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | eyivkoctyu.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D089C2082596A3776A670252DDA7C8765DC" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60814E7DABEB8C07CE6ECE237CC" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | eyivkoctyu.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | eyivkoctyu.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B15D449338E853BEB9A1329DD4CC" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B6FF1822DED273D1D18A759017" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | eyivkoctyu.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9C9F96BF2E5840C3B46819D3E95B38D02FF4262034BE1B9429D08D6" | 61af06651ac02a7846d63c57cd2c4aee.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | eyivkoctyu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | eyivkoctyu.exe |
Suspicious behavior: EnumeratesProcesses (18 IoCs)

| PID | Process | Entries |
|---|---|---|
| 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 8 |
| 2296 | bvfuwgvtrkzilde.exe | 5 |
| 2040 | eyivkoctyu.exe | 5 |
Suspicious use of FindShellTrayWindow (12 IoCs)

| PID | Process | Entries |
|---|---|---|
| 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 3 |
| 2040 | eyivkoctyu.exe | 3 |
| 2296 | bvfuwgvtrkzilde.exe | 3 |
| 2824 | znvzixhz.exe | 3 |
Suspicious use of SendNotifyMessage (12 IoCs)

| PID | Process | Entries |
|---|---|---|
| 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 3 |
| 2040 | eyivkoctyu.exe | 3 |
| 2296 | bvfuwgvtrkzilde.exe | 3 |
| 2824 | znvzixhz.exe | 3 |
Suspicious use of WriteProcessMemory (20 IoCs)

| Description | PID | Process | procid_target | Entries |
|---|---|---|---|---|
| PID 2532 wrote to memory of 2040 | 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 26 | 4 |
| PID 2532 wrote to memory of 2296 | 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 25 | 4 |
| PID 2532 wrote to memory of 2824 | 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 24 | 4 |
| PID 2296 wrote to memory of 2764 | 2296 | bvfuwgvtrkzilde.exe | 23 | 4 |
| PID 2532 wrote to memory of 2272 | 2532 | 61af06651ac02a7846d63c57cd2c4aee.exe | 22 | 4 |
Processes
- C:\Users\Admin\AppData\Local\Temp\61af06651ac02a7846d63c57cd2c4aee.exe (PID 2532)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\61af06651ac02a7846d63c57cd2c4aee.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2692)
    - Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - C:\Windows\splwow64.exe (PID 2684)
      - Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\SysWOW64\dllzhcmoghjse.exe (PID 2272)
    - Command line: dllzhcmoghjse.exe
    - Executes dropped EXE
  - C:\Windows\SysWOW64\znvzixhz.exe (PID 2824)
    - Command line: znvzixhz.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bvfuwgvtrkzilde.exe (PID 2296)
    - Command line: bvfuwgvtrkzilde.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\eyivkoctyu.exe (PID 2040)
    - Command line: eyivkoctyu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\znvzixhz.exe (PID 2672)
  - Command line: C:\Windows\system32\znvzixhz.exe
- C:\Windows\SysWOW64\dllzhcmoghjse.exe (PID 2944)
  - Command line: dllzhcmoghjse.exe
- C:\Windows\SysWOW64\cmd.exe (PID 2764)
  - Command line: cmd.exe /c dllzhcmoghjse.exe
  - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)