Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-12-2023 04:52

General

  • Target
    0f204124cb067932ab90bb44f2fdb666.exe
  • Size
    512KB
  • MD5
    0f204124cb067932ab90bb44f2fdb666
  • SHA1
    b944d80fef69756ef58631ca18a9f0ffb14a900f
  • SHA256
    fc5b5a8e273e96cc708a8df86e3a3e4ae0ae79ffae82877a0b3991c919c29e30
  • SHA512
    e7771c49e264ec08d942dd29cbbb150b83969f1bfef9c50bc5c3452652cc20c364b005cb194d9336b66436e1a738c9af34ea3bee8af1ae55d9cd0b3eafa4f9c7
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (7 IoCs)
    AutoIT scripts compiled to PE executables.
  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0f204124cb067932ab90bb44f2fdb666.exe
    "C:\Users\Admin\AppData\Local\Temp\0f204124cb067932ab90bb44f2fdb666.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\SysWOW64\zioemiyhms.exe
      zioemiyhms.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\tjsgwpgy.exe
        C:\Windows\system32\tjsgwpgy.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2632
    • C:\Windows\SysWOW64\llzhdlzfzfnqnds.exe
      llzhdlzfzfnqnds.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c frpzkizrtkusv.exe
        3⤵
        PID:2780
    • C:\Windows\SysWOW64\tjsgwpgy.exe
      tjsgwpgy.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2792
    • C:\Windows\SysWOW64\frpzkizrtkusv.exe
      frpzkizrtkusv.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2740
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize
    512KB
    MD5
    e8afd7bbcfc1d399f38498b5da3a195b
    SHA1
    a3c401a5418a16bb4fef8e556b270e51e137febc
    SHA256
    14467e6cfce8948371b738c79382a5f44187b8eab6136f13a1b9cdd88fdb7ff8
    SHA512
    784829c1b306a15c3eb174df495779b98b6375745f78486b64751d586592dba52199ea8e84d9e971fe8f955aa432b51a7e117c3e93873724cd27599b7b370c10

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    Filesize
    512KB
    MD5
    2db80082111eb3f29ff013a1533f1917
    SHA1
    5e0d3c9c9a12cb5896a07d99c44cd072c7aa4ddc
    SHA256
    c2b0cfb60b0cd1771d9b3bb5f38f08a72f042660bbcdcdd1c676fbff78203ce5
    SHA512
    be87903f4d0ea9c3ec54d97ee005433f78bcf3c877bca0aaf1dbd4ac585a5ecda5cd2ec436b49fec324b9c0a742992abccf6846a711d452a5b2a167f397ce783

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize
    20KB
    MD5
    4003f62018533a1dd736de3a08e52475
    SHA1
    0b0b2b7e1ebdb3c7874caee781bcd3e4b7ab3ede
    SHA256
    779ddadfc0b2e6d2787718b6aee7e802f2bc312981a638b46facc118b8f0da7c
    SHA512
    4dee473d47c0866cc5db455e079d59aa73ed621a87218600a6223582483ef6667e4cdd6a878ca7af0fad819f72b9eb240b31999303160fd1ca0803996c3c5cbd

  • C:\Windows\SysWOW64\llzhdlzfzfnqnds.exe
    Filesize
    512KB
    MD5
    1a7ad3512c744a70a9cd4fe79e8b2dd4
    SHA1
    3e3db10b0080d20aec5ca725edd44d559226023d
    SHA256
    013f7662427b1b2379117a7b869de857d317bf99904e662a83132ec571aaeeb5
    SHA512
    186a48d64dc8783110723e5f71874d945ee02250201050f119505070a5a38090dc29ca76cdae6d2a0a37f5acaa503fb313bfad0a188300ab6ac02834d245995d

  • C:\Windows\SysWOW64\tjsgwpgy.exe
    Filesize
    512KB
    MD5
    488a25f18a27cdbc73431395da6080d7
    SHA1
    18e3c988a5e90d0a61a26bbe3ffe623cad12b340
    SHA256
    bf565a447d9fa50f96a67477018b5a00c520ab5ce3b2adbcb28d60b98c147ae5
    SHA512
    010a7478574fe5d4b605be965206b7010a4a652359ea74a439f8d2f80b43cf1448c9e0705b5f5e9abf72d20e4fd7b897ba8f9d2bbd62d44f2f4c66f2923650fd

  • C:\Windows\mydoc.rtf
    Filesize
    223B
    MD5
    06604e5941c126e2e7be02c5cd9f62ec
    SHA1
    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256
    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512
    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\frpzkizrtkusv.exe
    Filesize
    512KB
    MD5
    200e216829ce25b293c76e36b766c308
    SHA1
    358ff8c3bdf99a860c0d7dc8e437bcf14f2926e0
    SHA256
    5fcdaa68bf79f78ea783e26c754b7b860bc87e5348611b69bbb31c2df6f20705
    SHA512
    175ec94373c2ed6a0adc214c51b663805f7f65ac99204b22e2b534b11d52f19b603fff9653325f460923624cb1fdf9bfbfaafc914cecea4f5a95cf888d2d1f4f

  • \Windows\SysWOW64\zioemiyhms.exe
    Filesize
    512KB
    MD5
    d70727060157dbf5d72dd34d4abe26ee
    SHA1
    f78772dc39e34d3f258a677126a91ac873edb050
    SHA256
    aefcc0161ba8a42e2813639fef697e0c5fc0e44a8e2161d4157fdc6841faf60c
    SHA512
    f57c8b8a3aad08ade3231e812f34956b3cf807aa699b7951bb09e579bc3fda598963e68a2d5c3e496e88ecd70d8163731a59503cd30d1ce66390636b668b16bd

  • memory/1516-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize
    600KB

  • memory/2560-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB

  • memory/2560-66-0x000000007170D000-0x0000000071718000-memory.dmp
    Filesize
    44KB

  • memory/2560-47-0x000000007170D000-0x0000000071718000-memory.dmp
    Filesize
    44KB

  • memory/2560-45-0x000000002FCD1000-0x000000002FCD2000-memory.dmp
    Filesize
    4KB

  • memory/2560-109-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB