737828d9fdc5af55885f98359a0efec2f280ad56827f2fde58ce58dd644e967e

General

Target

200cfbfe7393b4e215c5ed5958b55db7.exe
Size

512KB
MD5

200cfbfe7393b4e215c5ed5958b55db7
SHA1

7d2d37cebd0474cbd3492aae409d792faed03630
SHA256

737828d9fdc5af55885f98359a0efec2f280ad56827f2fde58ce58dd644e967e
SHA512

1867da476ed98532bdb91459c83bcec7f7ac053b6897458e68ebcb47300fde5c53a34c94852c97a3125a9c0019ee397cc97fd64c2a4f266db9d19c824a24a8fe
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1384	afqbyyzhfs.exe
4168	ljageebzuralgtp.exe
4232	hieapoks.exe
3540	zesshfthodlvv.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zesshfthodlvv.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File created	C:\Windows\SysWOW64\afqbyyzhfs.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File opened for modification	C:\Windows\SysWOW64\afqbyyzhfs.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File created	C:\Windows\SysWOW64\ljageebzuralgtp.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File opened for modification	C:\Windows\SysWOW64\ljageebzuralgtp.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File created	C:\Windows\SysWOW64\hieapoks.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File opened for modification	C:\Windows\SysWOW64\hieapoks.exe	200cfbfe7393b4e215c5ed5958b55db7.exe
File created	C:\Windows\SysWOW64\zesshfthodlvv.exe	200cfbfe7393b4e215c5ed5958b55db7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	200cfbfe7393b4e215c5ed5958b55db7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7E9D5783226D3577A077552CD67DF165DA"	200cfbfe7393b4e215c5ed5958b55db7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FABEF917F1E783753B4486993EE2B38A038F4369034CE1C9459D09D1"	200cfbfe7393b4e215c5ed5958b55db7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B158479239E352CEBADD329ED4C5"	200cfbfe7393b4e215c5ed5958b55db7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF824F5A82129130D7217E91BDE5E13D594367346241D6E9"	200cfbfe7393b4e215c5ed5958b55db7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468C3FE1821DCD108D0D48B099111"	200cfbfe7393b4e215c5ed5958b55db7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C77414E7DBC5B8BC7CE3ECE534CE"	200cfbfe7393b4e215c5ed5958b55db7.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	200cfbfe7393b4e215c5ed5958b55db7.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
1384	afqbyyzhfs.exe
1384	afqbyyzhfs.exe
1384	afqbyyzhfs.exe
4168	ljageebzuralgtp.exe
4168	ljageebzuralgtp.exe
4168	ljageebzuralgtp.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
4072	200cfbfe7393b4e215c5ed5958b55db7.exe
1384	afqbyyzhfs.exe
1384	afqbyyzhfs.exe
1384	afqbyyzhfs.exe
4168	ljageebzuralgtp.exe
4168	ljageebzuralgtp.exe
4168	ljageebzuralgtp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 1384	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	19
PID 4072 wrote to memory of 1384	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	19
PID 4072 wrote to memory of 1384	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	19
PID 4072 wrote to memory of 4168	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	30
PID 4072 wrote to memory of 4168	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	30
PID 4072 wrote to memory of 4168	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	30
PID 4072 wrote to memory of 4232	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	29
PID 4072 wrote to memory of 4232	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	29
PID 4072 wrote to memory of 4232	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	29
PID 4072 wrote to memory of 3540	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	27
PID 4072 wrote to memory of 3540	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	27
PID 4072 wrote to memory of 3540	4072	200cfbfe7393b4e215c5ed5958b55db7.exe	27

C:\Users\Admin\AppData\Local\Temp\200cfbfe7393b4e215c5ed5958b55db7.exe
"C:\Users\Admin\AppData\Local\Temp\200cfbfe7393b4e215c5ed5958b55db7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\afqbyyzhfs.exe
  afqbyyzhfs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1384
- - C:\Windows\SysWOW64\hieapoks.exe
    C:\Windows\system32\hieapoks.exe
    3⤵
    PID:2220
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:2960
- C:\Windows\SysWOW64\zesshfthodlvv.exe
  zesshfthodlvv.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\SysWOW64\hieapoks.exe
  hieapoks.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\SysWOW64\ljageebzuralgtp.exe
  ljageebzuralgtp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2960-48-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-46-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-39-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-45-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-47-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-50-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-53-0x00007FF8A1510000-0x00007FF8A1520000-memory.dmp

Filesize
64KB

Download
memory/2960-55-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-56-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-57-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-58-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-59-0x00007FF8A1510000-0x00007FF8A1520000-memory.dmp

Filesize
64KB

Download
memory/2960-54-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-52-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-51-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-49-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-38-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-138-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-44-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-43-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-42-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-40-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-41-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-37-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-114-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-115-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-116-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-139-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-145-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-144-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-143-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-142-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/2960-141-0x00007FF8E3BF0000-0x00007FF8E3DE5000-memory.dmp

Filesize
2.0MB

Download
memory/2960-140-0x00007FF8A3C70000-0x00007FF8A3C80000-memory.dmp

Filesize
64KB

Download
memory/4072-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing