75e99541f4cfb89a7db488698a28163587f1fef79c819e8d48a58a8f444db216

General

Target

24143324f13d371cdbb045347c0ec35b.exe
Size

512KB
MD5

24143324f13d371cdbb045347c0ec35b
SHA1

e44cf8d152970fcb9e7d8388ab7d0f18cf4ce88b
SHA256

75e99541f4cfb89a7db488698a28163587f1fef79c819e8d48a58a8f444db216
SHA512

05432fff512f927d5bab5f3891dd499f64669513b39754e99815de64fedc8478965f941885d62d1c32db4dac391b037d77b27ddc1b5f0349cfbc8f9554f8cd03
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2956	kkletrheil.exe
1600	ttpsorlqtmfjsre.exe
2648	zwcbwaag.exe
3340	savyufffqkike.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2808-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000f000000023164-19.dat	autoit_exe
behavioral2/files/0x000f000000023164-18.dat	autoit_exe
behavioral2/files/0x000800000002320f-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\savyufffqkike.exe	24143324f13d371cdbb045347c0ec35b.exe
File opened for modification	C:\Windows\SysWOW64\savyufffqkike.exe	24143324f13d371cdbb045347c0ec35b.exe
File created	C:\Windows\SysWOW64\kkletrheil.exe	24143324f13d371cdbb045347c0ec35b.exe
File opened for modification	C:\Windows\SysWOW64\kkletrheil.exe	24143324f13d371cdbb045347c0ec35b.exe
File created	C:\Windows\SysWOW64\ttpsorlqtmfjsre.exe	24143324f13d371cdbb045347c0ec35b.exe
File opened for modification	C:\Windows\SysWOW64\ttpsorlqtmfjsre.exe	24143324f13d371cdbb045347c0ec35b.exe
File created	C:\Windows\SysWOW64\zwcbwaag.exe	24143324f13d371cdbb045347c0ec35b.exe
File opened for modification	C:\Windows\SysWOW64\zwcbwaag.exe	24143324f13d371cdbb045347c0ec35b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	24143324f13d371cdbb045347c0ec35b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0A9C2583236D4177D2702E2CDB7D8764AC"	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9B0FE14F2E3837F3A4386973E90B38B02F943150333E2CD459B08D6"	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02D4794399952C9BAD332EDD7BE"	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFF94F268218903DD7217D93BD92E6335935674E6335D791"	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BB1FF1D22DED20ED1D58A7E9014"	24143324f13d371cdbb045347c0ec35b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC6741594DBC0B8BE7CE8EDE737BC"	24143324f13d371cdbb045347c0ec35b.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2648	zwcbwaag.exe
2956	kkletrheil.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2808	24143324f13d371cdbb045347c0ec35b.exe
2648	zwcbwaag.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2956	2808	24143324f13d371cdbb045347c0ec35b.exe	32
PID 2808 wrote to memory of 2956	2808	24143324f13d371cdbb045347c0ec35b.exe	32
PID 2808 wrote to memory of 2956	2808	24143324f13d371cdbb045347c0ec35b.exe	32
PID 2808 wrote to memory of 1600	2808	24143324f13d371cdbb045347c0ec35b.exe	31
PID 2808 wrote to memory of 1600	2808	24143324f13d371cdbb045347c0ec35b.exe	31
PID 2808 wrote to memory of 1600	2808	24143324f13d371cdbb045347c0ec35b.exe	31
PID 2808 wrote to memory of 2648	2808	24143324f13d371cdbb045347c0ec35b.exe	30
PID 2808 wrote to memory of 2648	2808	24143324f13d371cdbb045347c0ec35b.exe	30
PID 2808 wrote to memory of 2648	2808	24143324f13d371cdbb045347c0ec35b.exe	30
PID 2808 wrote to memory of 3340	2808	24143324f13d371cdbb045347c0ec35b.exe	21
PID 2808 wrote to memory of 3340	2808	24143324f13d371cdbb045347c0ec35b.exe	21
PID 2808 wrote to memory of 3340	2808	24143324f13d371cdbb045347c0ec35b.exe	21

C:\Users\Admin\AppData\Local\Temp\24143324f13d371cdbb045347c0ec35b.exe
"C:\Users\Admin\AppData\Local\Temp\24143324f13d371cdbb045347c0ec35b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\savyufffqkike.exe
  savyufffqkike.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:2192
- C:\Windows\SysWOW64\zwcbwaag.exe
  zwcbwaag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2648
- C:\Windows\SysWOW64\ttpsorlqtmfjsre.exe
  ttpsorlqtmfjsre.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\SysWOW64\kkletrheil.exe
  kkletrheil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2956

C:\Windows\SysWOW64\zwcbwaag.exe
C:\Windows\system32\zwcbwaag.exe
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\kkletrheil.exe

Filesize
512KB

MD5
79a4df97d19d27fdc8de94ff67e029fd

SHA1
fc27e0c7e8211d6c15951705b404c9f8113042f6

SHA256
0b5a57ac6fef6e5d46bbbb9cd8497292cf1d77124f54c8b2f97ccdddf79958b2

SHA512
4f98573f0c97ae91ff012b613409458245378c1bc217f80be48e641173c45b41b89eae3dadcf19be77b22e3ec9e5c179326b2af743f3a6175982b32be1db0540

Download Submit
C:\Windows\SysWOW64\kkletrheil.exe

Filesize
381KB

MD5
30aec9e0b33fbd99234328357879f812

SHA1
3c9d37139d4ccfe2b694afba9633170d0f510a92

SHA256
15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

SHA512
2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

Download Submit
C:\Windows\SysWOW64\ttpsorlqtmfjsre.exe

Filesize
512KB

MD5
1c49fa399d4b66ecef45de9867094aeb

SHA1
8204e92eb8dbc14a52fcf8606d282a78369a620f

SHA256
5c0722adb6e375836618993cd5b6c2d24145d2794bc3cd82393d327cad187383

SHA512
6addd59441ec5c74948ee6beab0512fe6e9c0c34cc670ad13c9dca67e472dfb6a382da698aaf9e9f0834cb4226ebdc48b8584e5d693e01f1b391a785335b4a43

Download Submit
memory/2192-51-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-45-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-50-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-49-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-52-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-55-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-56-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-60-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-59-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-58-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-57-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-54-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-53-0x00007FFD34B60000-0x00007FFD34B70000-memory.dmp

Filesize
64KB

Download
memory/2192-152-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-47-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-48-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-38-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-42-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-46-0x00007FFD34B60000-0x00007FFD34B70000-memory.dmp

Filesize
64KB

Download
memory/2192-37-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-36-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-35-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-44-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-43-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-40-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-130-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-156-0x00007FFD76F70000-0x00007FFD77165000-memory.dmp

Filesize
2.0MB

Download
memory/2192-155-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-154-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2192-153-0x00007FFD36FF0000-0x00007FFD37000000-memory.dmp

Filesize
64KB

Download
memory/2808-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing