798423dd6228fb7c22bbc38d16329a258ef50d18c05f3294c29cbe26750055f4

General

Target

236d14c7db45ba294eb4a48b157d0f8f.exe
Size

512KB
MD5

236d14c7db45ba294eb4a48b157d0f8f
SHA1

24ec910ebf3f7a6795c20a1ff0fb49fd3556189a
SHA256

798423dd6228fb7c22bbc38d16329a258ef50d18c05f3294c29cbe26750055f4
SHA512

8ed9583e1ffa0c9824ac009e72547adf1b713c86409e550ec098294546aeb5136d95229f951e8fb75924e98c993edfb1a81083f55e6e91ef80d6b79117120891
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4644	whqtdlhobh.exe
2144	maxykkcviiqlpup.exe
1232	rpojfhki.exe
3480	nnckqrpnqnsmy.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4484-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nnckqrpnqnsmy.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File opened for modification	C:\Windows\SysWOW64\nnckqrpnqnsmy.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File created	C:\Windows\SysWOW64\whqtdlhobh.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File opened for modification	C:\Windows\SysWOW64\whqtdlhobh.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File created	C:\Windows\SysWOW64\maxykkcviiqlpup.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File opened for modification	C:\Windows\SysWOW64\maxykkcviiqlpup.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File created	C:\Windows\SysWOW64\rpojfhki.exe	236d14c7db45ba294eb4a48b157d0f8f.exe
File opened for modification	C:\Windows\SysWOW64\rpojfhki.exe	236d14c7db45ba294eb4a48b157d0f8f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	236d14c7db45ba294eb4a48b157d0f8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02A47E139E853C8BAA1329ED7CF"	236d14c7db45ba294eb4a48b157d0f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF89485A851A9040D65A7E95BDE3E633593266446333D69D"	236d14c7db45ba294eb4a48b157d0f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB3FE6A22DBD279D1D18B099164"	236d14c7db45ba294eb4a48b157d0f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C60F15EDDBB3B8C87CE6ECE437BA"	236d14c7db45ba294eb4a48b157d0f8f.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	236d14c7db45ba294eb4a48b157d0f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C0B9D5782206A4176DC702E2CAA7DF564A8"	236d14c7db45ba294eb4a48b157d0f8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FACCFE65F290837B3B4A86983E97B0FD02FD4269034CE2CE459E09D1"	236d14c7db45ba294eb4a48b157d0f8f.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4644	whqtdlhobh.exe
4644	whqtdlhobh.exe
4644	whqtdlhobh.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4484	236d14c7db45ba294eb4a48b157d0f8f.exe
4644	whqtdlhobh.exe
4644	whqtdlhobh.exe
4644	whqtdlhobh.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4644	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	35
PID 4484 wrote to memory of 4644	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	35
PID 4484 wrote to memory of 4644	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	35
PID 4484 wrote to memory of 2144	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	34
PID 4484 wrote to memory of 2144	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	34
PID 4484 wrote to memory of 2144	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	34
PID 4484 wrote to memory of 1232	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	26
PID 4484 wrote to memory of 1232	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	26
PID 4484 wrote to memory of 1232	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	26
PID 4484 wrote to memory of 3480	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	33
PID 4484 wrote to memory of 3480	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	33
PID 4484 wrote to memory of 3480	4484	236d14c7db45ba294eb4a48b157d0f8f.exe	33

C:\Users\Admin\AppData\Local\Temp\236d14c7db45ba294eb4a48b157d0f8f.exe
"C:\Users\Admin\AppData\Local\Temp\236d14c7db45ba294eb4a48b157d0f8f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\SysWOW64\rpojfhki.exe
  rpojfhki.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:5084
- C:\Windows\SysWOW64\nnckqrpnqnsmy.exe
  nnckqrpnqnsmy.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\SysWOW64\maxykkcviiqlpup.exe
  maxykkcviiqlpup.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\SysWOW64\whqtdlhobh.exe
  whqtdlhobh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4644

C:\Windows\SysWOW64\rpojfhki.exe
C:\Windows\system32\rpojfhki.exe
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/5084-37-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-42-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-45-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-47-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-49-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-52-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-54-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-56-0x00007FFF707B0000-0x00007FFF707C0000-memory.dmp

Filesize
64KB

Download
memory/5084-57-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-59-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-58-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-55-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-53-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-51-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-50-0x00007FFF707B0000-0x00007FFF707C0000-memory.dmp

Filesize
64KB

Download
memory/5084-48-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-46-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-44-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-43-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-41-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-40-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-39-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-38-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-132-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-133-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-134-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-159-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-162-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-161-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-160-0x00007FFFB2B10000-0x00007FFFB2D05000-memory.dmp

Filesize
2.0MB

Download
memory/5084-158-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-157-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download
memory/5084-156-0x00007FFF72B90000-0x00007FFF72BA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing