Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 13:16

General

  • Target

    19b27abb987d5162d029710981820847.exe

  • Size

    512KB

  • MD5

    19b27abb987d5162d029710981820847

  • SHA1

    b585c7dd57a7e9f10f87bcbd492f3c12446fd113

  • SHA256

    eef38e74b284a86c40ecb68777c0cd6b77398b9ce4bc7046694e77673e5bca61

  • SHA512

    6986e785e9257a5a731fbb3a7d9eb718b21a4b3a9200d000d63701c56eda217debcc0331a7d0b6706abfb5ab13407d572aa3c6f8d5057fc7927da36063711347

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 8 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Windows\SysWOW64\zaujmigy.exe
    C:\Windows\system32\zaujmigy.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2620
  • C:\Windows\SysWOW64\phguottjatbzf.exe
    phguottjatbzf.exe
    1⤵
    • Executes dropped EXE
    PID:2780
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1652
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c phguottjatbzf.exe
      1⤵
        PID:2948
      • C:\Windows\SysWOW64\zaujmigy.exe
        zaujmigy.exe
        1⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2036
      • C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe
        qzjilkdtyujwfgy.exe
        1⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1164
      • C:\Windows\SysWOW64\tjrnwkqymg.exe
        tjrnwkqymg.exe
        1⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3048
      • C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe
        "C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe"
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2212

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

        Filesize

        512KB

        MD5

        261687b0761a15fbd28aae1129cd2631

        SHA1

        03ab142ee9140b4583f7c9db78e69c6a014c1fb2

        SHA256

        0e75adc5c4417c468279fd8edf15a362cd6fdac3645ee79cb0080a544ddbc522

        SHA512

        6acf46b21ae54aff4cc9d3c1dd34b6d80150670564b2c030a1b0cb3ada26939b45d39ad764547269431f69dd71c14d95dcb36556c25a0e191b8862ac79bccce6

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        28fbee4372ff48a1ecacb4fe28544ab5

        SHA1

        b746442283b61b18f5e7caca20ffd0643a6ef167

        SHA256

        f0c6473ce5e30808dc4c3285b950aa82b153f6c4bc04c14c5fc609d4117c7f05

        SHA512

        2aa9b7959b2386071c5d4e6b7bd77cbfa40d2cab642493a272137a451a4ac30144226afe4321d809c2e7d7f8380937686ce66cdac651a44325b5edfcb86bbc48

      • C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe

        Filesize

        512KB

        MD5

        3b537f259fabde6deab632555b6e7abc

        SHA1

        5fe721cf4afb8918c62e353ba9bee02ba6157972

        SHA256

        419bf986c9ebcd470f78c4a6e9b8cbb82d42abfced80f5040c0b381ad6a1aa63

        SHA512

        d5f7f78683f8c5b412c19a3bc03ba2dded46b5c31fa3e33f39d50653f32d5290610e75fcc63de97212024d7bee0a7cbcf751b9612100b0f4bfc3ed1616397415

      • C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe

        Filesize

        92KB

        MD5

        6662b185f19fbf697c56a25c92de7961

        SHA1

        0df0c0df0de3724258df2549c583e3c934aca726

        SHA256

        c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

        SHA512

        c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

      • C:\Windows\SysWOW64\tjrnwkqymg.exe

        Filesize

        512KB

        MD5

        38cb525416ed7bd83b1ceb2e572e8b1a

        SHA1

        1c41ebc439f16fff314670c7b3aa61a38ba290dd

        SHA256

        92f7bc521151b43caabaf1ef931b143e94ab9720973ef5552e9c618f7624c446

        SHA512

        40e6ff2b9ab7d8c7df0b58907fab75d0cbd546a62b95bf0e1ed8d856444b6e86bcbba4ee9dedc77ba9dddb409558f73aeb5154afa59bda64321baf367e2d3b77

      • C:\Windows\SysWOW64\zaujmigy.exe

        Filesize

        99KB

        MD5

        7fc6cf931da79ecd4267f22c6a1aefa8

        SHA1

        913682b9a75a4089cc18ec25b28e082916a6b314

        SHA256

        2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487

        SHA512

        272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

      • \Windows\SysWOW64\zaujmigy.exe

        Filesize

        512KB

        MD5

        f88de94839cba3b1532352e5094c1496

        SHA1

        28dba79189f38b401e54207eb444995e554167c6

        SHA256

        c79ff3c4325e97785953c4960f61798551814130f904be7dfa67ab2f1e473dfc

        SHA512

        d877569722a47f1e4c3a9a1116563fde0ea83b99a794fef25d248aeb0d516e1421ab8a5f3261fd5f8a6d60d7a7aadbf6e1fe34fe1466dafbdd87dc49d453c933

      • memory/2212-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2828-46-0x00000000716ED000-0x00000000716F8000-memory.dmp

        Filesize

        44KB

      • memory/2828-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2828-83-0x00000000716ED000-0x00000000716F8000-memory.dmp

        Filesize

        44KB

      • memory/2828-44-0x000000002F131000-0x000000002F132000-memory.dmp

        Filesize

        4KB

      • memory/2828-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB