Analysis
-
max time kernel
151s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26/12/2023, 11:08
General
-
Target
69a9d80778f373878f980f579b105db7.exe
-
Size
512KB
-
MD5
69a9d80778f373878f980f579b105db7
-
SHA1
bf1b57bb97b6828b8d9d577a6404204d4d1a7bbb
-
SHA256
8059c6d2e245ff6d6192b62b09042c2c2dd14f64621c3482c3308e9a8cc1f65d
-
SHA512
92268a39f84159bec8de152f0fcc427bb6ba9064e98fe9fdccd8ab39caccf3227d3a5d97b99b1aaafb60673ae8fcd09ff757f197a698a58a95d770463f81bdb4
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5I
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 17 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\69a9d80778f373878f980f579b105db7.exe"C:\Users\Admin\AppData\Local\Temp\69a9d80778f373878f980f579b105db7.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\febckmcrnu.exefebckmcrnu.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nwfxmpiw.exeC:\Windows\system32\nwfxmpiw.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\pkzlwyagtjsrlss.exepkzlwyagtjsrlss.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\nwfxmpiw.exenwfxmpiw.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\declatpgvmymo.exedeclatpgvmymo.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
447KB
MD52eb5daf465c8c2c5dc18b47e34402e33
SHA1097ffd674d20853e7cf89c40b37b9582b1aa3e7c
SHA256bbd06fd2576425473295c101d770bce483a355e01d993ec0c1010e9daae4e6e9
SHA51223f809f26007f3e7571f3229495f8ce37f8f7448cce5b9987a76ee0a369b81241ea2261a02ca91bd5b925a7f8f828ceaa60af58674b965b8e44d976e51271049
-
Filesize
131KB
MD5c702d36d1bab46efc37c2fb78e9a0601
SHA18ceb2f7480dd4d96af03b6774d6b1f8361bafe4c
SHA256d1cd16afe0fe2e898616ba2b6b92d2a5c632922f5e8b050f030d9ff5a3c01dc9
SHA512fa3d8d06875f8b9b75e8fdb1fc91ed84764e9e7b8d509673063d4e573857950930c4104303a1fc89dda432141b35b0f061e91691540a0f5fe89ab7cec1f3ab66
-
Filesize
512KB
MD5ba7fbacca8f8ff4c88f38224e0eee5aa
SHA19925f24cd7b1a813afd11c7b389173e07a29f47c
SHA2565a504d53d45afdb9f434e45da7a2a786859c900a69b00235577f73a5f8425f17
SHA5123e9e625a306a0df4d53eca864bced18ae94e90d2dfa922222ef236daf0023c7c8c357798d25f96661ca938ac6a41cdba0042caaab189f5a4c20107bc7d06a902
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
Filesize
3KB
MD58746e5cc0b99680939964165f5fdd879
SHA14b3c987a6c9642cf786ff13a740c29bc3bc79e14
SHA256b58150bb1c3e02a929a4e3aa72c634059d17309a17bed800212b2344c21609af
SHA51233815980eb10d628e2d7a7e6e19bf03583bb6124ce0dac266a41f9421d15a44aff1d12f803c98885c51a50eec28225f872ba0dfae2b1eb49d3d1a1983d6f9b7c
-
Filesize
3KB
MD57e45a1ef7699c38290ce1400cdd13847
SHA14eb52e9029eb73f7af513da176b4f1e7f9d402d9
SHA256c0b13507701a9832c3cc4e07e2033e7942795a5b637778e3eac8564c67f52e38
SHA512a6a3f5912efa1d59beeb5053c243a12fb97352ae6504bbffd090a396ae16ad754c1b7b21ec99dfc6a3b3944e3ce6833299e2bba9960d4c7ce44eccaaab6816e2
-
Filesize
124KB
MD5bd7783f528a6e3f6b9719128a5bb4018
SHA1e2a5f09d405e98811290eea2ad6f836a959657b3
SHA2564fd660ddb7af04fd61cd636d465c1e63ca6de03ca8ab5e23df18684cf4fe7c1e
SHA5126dd0bed5af92fb577e20567afbcb3bc922e413c17e900304c177c7002c1945992f5e9cd7594e17e93829dfcbd0e8a582f6c0f193857b39fb618c9ae72673aa64
-
Filesize
74KB
MD50685f981b00f5745fefd5fbca5dc16f4
SHA1ff435de85428c29f661a2551b788140bcfa2a9f0
SHA2567ebefeee38de290ab5a3016da5ac21a571e8e75c55a01e09036db4a857c854f3
SHA5127e2d420a135f7a07e8270cb7d2300ad2b4c63f7c6c291aee40a57319fb0db08b7cef344d0159d892f93a4bad517dd2e674984524f4987b8dbfa275ca421442a3
-
Filesize
377KB
MD5d1df7ad4a53cd9d45bd95d9be3157ec9
SHA139632cf442e3797372f2f0bf36dafc944b405237
SHA25634ae4d3dd16500b14079fd06b454924dd28fe8b63b1cf738cd10cdfd4e72ed3b
SHA512aab4a14b92dea0e9e1f0b31dca09f8f78c39e46c0ebce6b2e3bc4ebf21205e74a420cc49ac072ca8524fd056f75d73c39a559293738d39658704e40a5b5d82a9
-
Filesize
351KB
MD584b07ddc98a70306da9eb2223df42b30
SHA12bd66614c6ec93da6291184460846ddc7156dc3a
SHA25656936e1ee7a4802ce43e0bdf7adc012af8dac5c7bc6a2ace3d47edaad3e6c188
SHA51242c258f6c82b142d2d1c9c2ec2ac52a240a96f2e7e850202d0c9b303d455f6576e3690a76096ac840f4a183219b6b97a75c44e62f6c68678c112f20ec62bcb26
-
Filesize
61KB
MD5ee02fce5c1b8481cbe2539703054f994
SHA1803cb4e0349ab80f0b07cfd01d38f0739eab22ee
SHA2562429425c5258acf4341053ca29639124fd8832a240c415ba84d6d26978004f37
SHA51258c306762423b6df2be21ca37feec2336b84379a3b4e1bf2356bc41c39e61fb30a8ecca49bdb91dfbf5996c8d458874e83ebc6c695dc29e4ecae2dd169b04637
-
Filesize
33KB
MD5c09509eb392bcb4b9c86b9c82f62d7c9
SHA11b8aa57080c9ea47f813667c499dabc7d451a934
SHA2567bfdfb228e626e6c0464108be78dc2343062b00fd2b8cf6ee8959fc9b81ee78f
SHA51287fd9dbb493e32d27bbac0006c58a9c825a7e026730ba66cab3e66127ee7ee6c5d843d0e74e0253cbb7923360489a3ece6a835164bdaf5d3207a42728fcb55b8
-
Filesize
32KB
MD5455b8d63955ffae5bae23735172529f0
SHA1ae9a535d5d6be983ee6e84cd6ef035025b297e99
SHA25606ed95382492189be4a48293a280159607031a88caf6e8535ba65a458aa73599
SHA5124705ff67b67cba31791ce3eb21ca3595d6b574aacf8559e21cc52acc73b56b5887e5dce1e6a87ecddab66a9ca662a8de3993b872b228a5dfb6c156119920111b
-
Filesize
86KB
MD568e8f5878756c602ae4d390f9f17762f
SHA1d5911841f54f67f82c1591c64ffe155015098778
SHA256f290558e9915e51985d1f4cdbeb8c72b59a6465ee9dd151c3216ea430dba7826
SHA512c29806f43c2229be77c8284d8427e5124105488ad69d801dcaa8ec84088779c74ea874842a08f7afbc5387f6232e431e7d84c881cd8c16b551f02f41b7570ee4
-
Filesize
82KB
MD5b24b5497b0b0e5223a3b94201cd93109
SHA142c240c281303d1d775f3d3c2eca830535c9ce99
SHA256a22452a7e82cc351b793b03ded14ac16c32471ae30cad1d08c5c55f20c5f45df
SHA512d860378d5b50afb24a20bf3e8fea4bcd39fa5e1471d8d0f612d637b592a5cfc26e54f28ac67508af4356f59f940ffbf577525692590eceb5d8de05e39f50970a
-
Filesize
95KB
MD51853d084f25839953a87167fb8ac829f
SHA1991942e87452351f5d01d435133ae3432ceaea0c
SHA2568b0fcdaaaa00bdbc684c00df15472b5070f82028a87fe2047f0838fc70e9d28b
SHA5129d682065fba2ca46c56b324e2fed7d31abf82c52aa5dd263936f6fbec4e5714a3c45d49e60cc26bd9cd409012f4c9da6a957ace9af08fd482e7e83d121e8b1af
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
191KB
MD5fc051a3133bd2f0324354a0d9d60aee2
SHA1f51ff760b30062f0d1a9fe26e175a0ef58ae8516
SHA2569c550276c8523a30021b787b62ef27d7b03f3d0da05f0ec16f0e9340a58749f9
SHA512b2258d19e26b5d173e36bf841a9a4b5c104b4dd8a4b3fcd17a86c1ff90af9b4f37ad37954e30f941a44da993b02a2f33822bb61535c0ba660426d63a975bbf32
-
Filesize
512KB
MD535f6c9dc653eca7174c18f0c6a54b5f1
SHA1c2f2503ca66257ac90e488c5f7e022f1725ef650
SHA2569edc6fd365f17771b7007cb5dbf0acac9d3757c704f7a8ca7495c9dd214204fa
SHA512eed28d82ce4cfbbb950ec9df62e48303a4c707883280d4f5ad66d8776b2d1ef16e5435725c192f830a980e31288e8ee68de6b2e1b99205e444b2c7d80c7a7b82
-
Filesize
512KB
MD51e9ba280b54a95bfe0b9438f03c44122
SHA16139fb90581e9c334ad1c65bc4e87ad9e3ddcd91
SHA256e72af2151863f0819a4b44e1c193fe8fc8930a2eb3b71d0cfb4513908911473c
SHA512f1c13a44f2e887fa6b950fdf49dbc1b98aa863c961321461ae4c051f2405ecaa4f9d6d54c45eaa3fbb672f72575613f4fce8dee61336db6826e4579bbcfc16fd
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
600KB