Analysis
max time kernel: 0s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 13:59
Static task: static1
Behavioral task: behavioral1 (sample 73ee3c7ed6db7afbdb94244cea0035c5.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 73ee3c7ed6db7afbdb94244cea0035c5.exe, resource win10v2004-20231222-en)
The signatures, process tree and downloads on this page come from behavioral1 (the Windows 7 x64 image; the YARA hits below are all under behavioral1/). The behavioral2 (Windows 10) run is not included here.
General
Target: 73ee3c7ed6db7afbdb94244cea0035c5.exe
Size: 512KB
MD5: 73ee3c7ed6db7afbdb94244cea0035c5
SHA1: 47bad3fc287993e91db2d11b4010ef54bba0b2bb
SHA256: f449681525b460eac798a4a6c844f0a7e3f7272edebcaeae65b0911aec009a25
SHA512: c593ba94719dd7e6b57ddafbef03891e46683489380bd976523b4739bd1731dc380f086eaece3a9b71ac8e66dd77caa04e1edde46d754ad10f86ae31ef9aff12
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B
Malware Config
Signatures
(IoC rows below keep the export's column order: description, ioc, process. PID rows: pid, process.)

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" zsbsurxkil.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zsbsurxkil.exe

Windows security bypass (5 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zsbsurxkil.exe
  (All five land under Wow6432Node: the writer is a 32-bit process from SysWOW64 on a 64-bit image, so its HKLM\SOFTWARE writes go through WOW64 registry redirection. A host check that only reads the native HKLM\SOFTWARE\Microsoft\Security Center key would not see them.)

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zsbsurxkil.exe
Executes dropped EXE (4 IoCs)
  2328 zsbsurxkil.exe
  2076 whsecmyvqqcyqcr.exe
  2824 ovbfkxyx.exe
  2736 kuoiqgefrwftl.exe

Loads dropped DLL (4 IoCs)
  1644 73ee3c7ed6db7afbdb94244cea0035c5.exe (4 loads)

Windows security modification (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" zsbsurxkil.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by ovbfkxyx.exe: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  (23 letters: every letter a-z except c, d and f.)
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" zsbsurxkil.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zsbsurxkil.exe
  (4294967197 is the unsigned rendering of 0xFFFFFF9D, the value used to switch off the pre-Vista Windows File Protection. Windows 7 protects system files through Windows Resource Protection, which does not read these Winlogon values, and the write is redirected to Wow6432Node anyway.)
AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
(rows: resource, yara_rule)
  behavioral1/memory/1644-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
  behavioral1/files/0x000d00000001232d-22.dat autoit_exe
  behavioral1/files/0x000d00000001224d-20.dat autoit_exe
  behavioral1/files/0x000d00000001224d-17.dat autoit_exe
  behavioral1/files/0x000d00000001232d-5.dat autoit_exe
Drops file in System32 directory (8 IoCs)
  File opened for modification C:\Windows\SysWOW64\whsecmyvqqcyqcr.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File created C:\Windows\SysWOW64\ovbfkxyx.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File opened for modification C:\Windows\SysWOW64\ovbfkxyx.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File created C:\Windows\SysWOW64\kuoiqgefrwftl.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File opened for modification C:\Windows\SysWOW64\kuoiqgefrwftl.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File created C:\Windows\SysWOW64\zsbsurxkil.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File opened for modification C:\Windows\SysWOW64\zsbsurxkil.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe
  File created C:\Windows\SysWOW64\whsecmyvqqcyqcr.exe 73ee3c7ed6db7afbdb94244cea0035c5.exe

Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\mydoc.rtf 73ee3c7ed6db7afbdb94244cea0035c5.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (19 IoCs)
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7B9C5282256D4277D2772E2CAE7D8764AC" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FABCFE11F1E583083B3581EB3E97B38E038A4312024BE2CF429C09A8" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B02C4797399D53C5B9A1339CD4CE" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFC82482F85189040D7207D90BD92E630584067416243D798" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B4FE6A21ACD173D1D38A7A9013" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67D15E3DAB2B8CC7CE3EC9E34CA" 73ee3c7ed6db7afbdb94244cea0035c5.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zsbsurxkil.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zsbsurxkil.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zsbsurxkil.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" zsbsurxkil.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" zsbsurxkil.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh zsbsurxkil.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" zsbsurxkil.exe
  (The first group, written by the sample itself, stores opaque hex strings under a sample-specific CLV.Classes key; the report does not decode them. The second group, written by zsbsurxkil.exe, sets the default value (ProgID) of six script extensions to txtfile, so a .bat/.reg/.vbs/.wsf/.wsc/.wsh file launched from Explorer opens in Notepad instead of running. Reverting these ProgIDs is part of cleanup.)
Suspicious behavior: EnumeratesProcesses (17 IoCs)
  1644 73ee3c7ed6db7afbdb94244cea0035c5.exe (8 events)
  2328 zsbsurxkil.exe (5 events)
  2824 ovbfkxyx.exe (4 events)

Suspicious use of FindShellTrayWindow (15 IoCs)
  1644 73ee3c7ed6db7afbdb94244cea0035c5.exe, 2328 zsbsurxkil.exe, 2076 whsecmyvqqcyqcr.exe, 2824 ovbfkxyx.exe, 2736 kuoiqgefrwftl.exe (3 events each)

Suspicious use of SendNotifyMessage (15 IoCs)
  1644 73ee3c7ed6db7afbdb94244cea0035c5.exe, 2328 zsbsurxkil.exe, 2076 whsecmyvqqcyqcr.exe, 2824 ovbfkxyx.exe, 2736 kuoiqgefrwftl.exe (3 events each)

Suspicious use of WriteProcessMemory (16 IoCs)
(rows: description, pid, process, procid_target)
  PID 1644 wrote to memory of 2328 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 22 (4 events)
  PID 1644 wrote to memory of 2076 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 21 (4 events)
  PID 1644 wrote to memory of 2824 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 20 (4 events)
  PID 1644 wrote to memory of 2736 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 17 (4 events)
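The registry and WriteProcessMemory rows in this report are flat strings with no delimiters, which is what an analyst usually has to work with when pulling sandbox output into a triage script. The Python below is an added example, not part of the sandbox report and not code from the sample: it parses rows in exactly that flattened form, classifies each registry write against a small rule set whose names mirror this report's signature headings (the two Explorer visibility signatures are folded into one rule), reinterprets the SFCDisable DWORD as a signed value, and rebuilds the parent/child PID map from the WriteProcessMemory rows. REGISTRY_ROWS and WRITE_ROWS are constructed by copying rows from this page plus one "Key created" row; the RegWrite and Triage types, the rule names and the helper functions are this example's own and not a sandbox API.

```python
# Added example, not part of the report or the sample. REGISTRY_ROWS and WRITE_ROWS
# are constructed by copying rows from the report above; rule names and types are
# this example's own, not a sandbox API.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# "Set value" rows copied from the report, plus one "Key created" row to show that
# rows the parser does not recognise are kept rather than silently dropped.
REGISTRY_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" zsbsurxkil.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zsbsurxkil.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zsbsurxkil.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" zsbsurxkil.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" zsbsurxkil.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zsbsurxkil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zsbsurxkil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" zsbsurxkil.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7B9C5282256D4277D2772E2CAE7D8764AC" 73ee3c7ed6db7afbdb94244cea0035c5.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat zsbsurxkil.exe
"""
WRITE_ROWS = (  # the WriteProcessMemory rows, run together on one line as in the report
    "PID 1644 wrote to memory of 2328 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 22 "
    "PID 1644 wrote to memory of 2076 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 21 "
    "PID 1644 wrote to memory of 2824 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 20 "
    "PID 1644 wrote to memory of 2736 1644 73ee3c7ed6db7afbdb94244cea0035c5.exe 17"
)

# Lazy path match: the first ' = "' ends the path, so key names containing spaces
# (Security Center, Windows NT) and trailing-backslash default values both parse.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
WRITE_RE = re.compile(r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+)")
SECURITY_CENTER_VALUES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                          "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}
SCRIPT_EXTENSIONS = {".bat", ".reg", ".vbs", ".wsf", ".wsc", ".wsh"}


@dataclass(frozen=True)
class RegWrite:
    vtype: str
    key: str
    name: str  # "" is the key's default value (the ProgID for a Classes\.ext key)
    value: str
    process: str


@dataclass
class Triage:
    hits: dict[str, list[RegWrite]] = field(default_factory=lambda: defaultdict(list))
    unclassified: list[RegWrite] = field(default_factory=list)  # parsed, no rule matched
    unparsed: list[str] = field(default_factory=list)           # not a "Set value" row


def parse_set_value(line: str) -> RegWrite | None:
    m = SET_VALUE_RE.match(line)
    if m is None:
        return None
    key, _, name = m["path"].rpartition("\\")
    return RegWrite(m["type"], key, name, m["value"], m["proc"])


def classify(w: RegWrite) -> list[str]:
    """Rules named after this report's signature headings; case-insensitive."""
    key, name, value = w.key.lower(), w.name.lower(), w.value.lower()
    hits = []
    if key.endswith(r"\security center") and name in SECURITY_CENTER_VALUES and value == "1":
        hits.append("Windows security bypass")
    if key.endswith(r"\explorer\advanced") and (name, value) in {("hidefileext", "1"), ("showsuperhidden", "0")}:
        hits.append("Modifies Explorer visibility of extensions/hidden files")
    if key.endswith(r"\policies\system") and name == "disableregistrytools" and value == "1":
        hits.append("Disables RegEdit via registry modification")
    if key.endswith(r"\currentversion\winlogon") and name in {"sfcscan", "sfcdisable"}:
        hits.append("Modifies WinLogon")
    if key.rpartition("\\")[2] in SCRIPT_EXTENSIONS and name == "" and value == "txtfile":
        hits.append("Script extension remapped to txtfile")
    return hits


def triage(rows: str) -> Triage:
    t = Triage()
    for line in filter(None, map(str.strip, rows.splitlines())):
        w = parse_set_value(line)
        if w is None:
            t.unparsed.append(line)
            continue
        sigs = classify(w)
        for s in sigs:
            t.hits[s].append(w)
        if not sigs:
            t.unclassified.append(w)
    return t


def signed32(value: str) -> int:
    """Reinterpret a REG_DWORD shown as unsigned decimal (4294967197) as signed (-99)."""
    n = int(value) & 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def parent_map(text: str) -> dict[int, set[int]]:
    """Parent PID -> child PIDs, rebuilt from the WriteProcessMemory rows."""
    tree: dict[int, set[int]] = defaultdict(set)
    for m in WRITE_RE.finditer(text):
        tree[int(m["parent"])].add(int(m["child"]))
    return dict(tree)
```

Run against the embedded rows, triage() returns eight classified writes (all by zsbsurxkil.exe), leaves the CLV.Classes\Com1 write in unclassified and the "Key created" row in unparsed, so nothing a rule missed disappears from review; signed32("4294967197") gives -99 (0xFFFFFF9D), and parent_map(WRITE_ROWS) gives {1644: {2328, 2076, 2824, 2736}}, which matches the process tree below without reading it.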
Processes
(indentation shows parent/child depth; each entry gives image path, PID, command line and the signatures attributed to that process)

C:\Users\Admin\AppData\Local\Temp\73ee3c7ed6db7afbdb94244cea0035c5.exe (PID 1644)
  command line: "C:\Users\Admin\AppData\Local\Temp\73ee3c7ed6db7afbdb94244cea0035c5.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2652)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    (opens the C:\Windows\mydoc.rtf written by the sample)

    C:\Windows\splwow64.exe (PID 2576)
      command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\kuoiqgefrwftl.exe (PID 2736)
    command line: kuoiqgefrwftl.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ovbfkxyx.exe (PID 2824)
    command line: ovbfkxyx.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\whsecmyvqqcyqcr.exe (PID 2076)
    command line: whsecmyvqqcyqcr.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zsbsurxkil.exe (PID 2328)
    command line: zsbsurxkil.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\SysWOW64\ovbfkxyx.exe (PID 1660)
  command line: C:\Windows\system32\ovbfkxyx.exe
  (a second, top-level instance of the dropped ovbfkxyx.exe; its parent is not in the recorded tree)
Network
MITRE ATT&CK Enterprise v15
Downloads
(the export gives no file names for these entries)

Filesize: 94KB
MD5: adf240d1843e40ab9617e9dc12bc9b5b
SHA1: 70923ac6636077728d2721b22d312002f735deea
SHA256: f53d3e249050f489475559b9c39548a2afb7157dbd9e87551ef5349fa76ccb62
SHA512: e2aec62114f1f6b5e94e0888efc2758e284835e0099abbfd3dd80cf3500a1e0d628c3ecb66b6b48fe051327746af38f2e953e1f816819c6b18126212621e7ccd

Filesize: 92KB
MD5: 59ebf1358a9b829f5709baaedeeee6fa
SHA1: 1409fd65da1b814db0a08feae54366dfca196f1c
SHA256: d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06
SHA512: a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

Filesize: 512KB
MD5: ce8452d88198fb461b91edfc667d404c
SHA1: 2b82b1838f4f35563e726350d5bbf95b2e85e4e4
SHA256: 812b9258d1fdea7e9d1b9bd950317df690c8cf1955156d07532d9cd980db1775
SHA512: 07e25057c1d1f4835937d80712fc8aadfe7058abff4baa7efb45a2d4ce9c844166c3feaf13824d5d245e3284e3a1265892a7f2fffd447205e5ab5bb53f279e76