Analysis

  • max time kernel: 150s
  • max time network: 125s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 30/12/2023, 08:01

General

  • Target: 12e22d7ddba3199c80f284b55a67c778.exe
  • Size: 512KB
  • MD5: 12e22d7ddba3199c80f284b55a67c778
  • SHA1: 4f91a165006d8a0a2b4a27fc0a50f059e4f39b2e
  • SHA256: a9894fb73d6b45cd1f47e13a0d28e38082a9d81efdc3b725d45dc6c9f3973d55
  • SHA512: 2399d9649f2a1d2db0b2a8d97f1c7fb5335182303e169b2a6d56ab8839d8c90f926352371564701c29b52cb4153e3ec3c9fefec07e83a10a7a5d19db58246caa
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6i:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (5 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (8 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (15 IoCs)
  • Suspicious use of SendNotifyMessage (15 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\12e22d7ddba3199c80f284b55a67c778.exe
    "C:\Users\Admin\AppData\Local\Temp\12e22d7ddba3199c80f284b55a67c778.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\SysWOW64\tvgtwvchdf.exe
      tvgtwvchdf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\kfgaldtu.exe
        C:\Windows\system32\kfgaldtu.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2632
    • C:\Windows\SysWOW64\etdvnjbwbbibxdo.exe
      etdvnjbwbbibxdo.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728
    • C:\Windows\SysWOW64\fhkxnrlvjlurm.exe
      fhkxnrlvjlurm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2692
    • C:\Windows\SysWOW64\kfgaldtu.exe
      kfgaldtu.exe
      2⤵
      • Executes dropped EXE
      PID:2584
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 8ef7b4ee7886b64c1b1d25c9a12effe7
    SHA1: 6e22d241da68b375f911088d30dfe9ef7d0ab00d
    SHA256: c95752df9f57e25096e80599500b1dda707645fbd9946390484b8cecdb5ddb6e
    SHA512: eec8ece5af4fe6f19a326effe9c4e48e91549d7b1cceb92e020ae600e67de311f01632e1fa4c5cd48f032c0242c1a9d68d6adfc168f696b7d8dfa7c8c8ca80e7

  • C:\Windows\SysWOW64\etdvnjbwbbibxdo.exe
    Filesize: 512KB
    MD5: 886e038aacc9a6a8bf21a22410488b6b
    SHA1: 50cfe65250bfcc6d5489b272ca743647cb80ca52
    SHA256: 05e2caffc6db8a306253c1ee7ef17a319405833f76b9eb99a0222194907fece4
    SHA512: ce2a9a00bbca14496ab1693df71f5dd4a0f02df4e8c77a5276939a55d1ad49f32ecb6242cc3e70bee2be236d9fb0c27091bc001cf8b7a0ea1c4517fbe4a3ae68

  • C:\Windows\SysWOW64\kfgaldtu.exe
    Filesize: 512KB
    MD5: 7d0d1f7e93bd813293f5ba6370cfac0c
    SHA1: 0941562f3e1921a1498f01dd6c2cf50f9d6801f0
    SHA256: 88d3dcdb471950587ce21aedca4a8da9264fbe909773d85fc86c7b81410ec351
    SHA512: ce112b70f1b5ad84573b1f1078fff8fb47644245d7640cfc2582f3ce1b4823284288fc529a402a94d5699d1e6949b3af3aab0145ff0cfde9fe1e3107f7766623

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\fhkxnrlvjlurm.exe
    Filesize: 512KB
    MD5: b6177febd399214bba82dbb718cbe7f2
    SHA1: 9d47d2da6681be120f0e22af2a7cc47a84828d40
    SHA256: e33afdf2247a3d2733ec01d861c108a1ce406076b540dcf3fa16c9d0067c3fd1
    SHA512: c18f1b208a4178e2c5063ab55559f4a544d77d62cde3648cdd74a00fe072ec04bbc8e87612a672a7a496bb5c916df405a1bcd8462d639da41eabc05b74059985

  • \Windows\SysWOW64\tvgtwvchdf.exe
    Filesize: 512KB
    MD5: 566d134aeb4337d6f16a4a8e6b7ad5ac
    SHA1: 07a9a83412300f8d609d80dbfa7c95f86885d2ce
    SHA256: 180c275e46f22fae5a6acb4711659e0c9d5d24b176bcd4c5c2b64d87963d61eb
    SHA512: fa581b0a57e4c46ac8050e15b5d717217b4c7c3901a9ae39f2a8aa74f6dd9e1feb590d3c0ba92fbbfaab86d3ebde7e0bbf32c99ed7740b62935fabc098cb6201

  • memory/2092-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB

  • memory/2596-45-0x000000002F5E1000-0x000000002F5E2000-memory.dmp
    Filesize: 4KB

  • memory/2596-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2596-47-0x000000007160D000-0x0000000071618000-memory.dmp
    Filesize: 44KB

  • memory/2596-82-0x000000007160D000-0x0000000071618000-memory.dmp
    Filesize: 44KB

  • memory/2596-103-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB