Analysis

  • max time kernel
    136s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/12/2023, 04:45

General

  • Target

    28b84dca448ab58fa3a35940a125f7d4.exe

  • Size

    512KB

  • MD5

    28b84dca448ab58fa3a35940a125f7d4

  • SHA1

    9ce6b74321a985ee2ca0888147eab15796a6c013

  • SHA256

    6e8742ca1f6c692bfa9933281637d47aaf08b77909a51629fcfa60d87a1b4e1b

  • SHA512

    d019b108fab6c3b87a8cfae2f78e29288a14f0842686ec0bc4388109d8cafc0444c5763858c72208848846e5338e5780f0254160793b10245df4066922dadeda

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28b84dca448ab58fa3a35940a125f7d4.exe
    "C:\Users\Admin\AppData\Local\Temp\28b84dca448ab58fa3a35940a125f7d4.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:428
    • C:\Windows\SysWOW64\ybcpadacbtblawa.exe
      ybcpadacbtblawa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4948
    • C:\Windows\SysWOW64\lmphrnaarexoz.exe
      lmphrnaarexoz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3420
    • C:\Windows\SysWOW64\gmvrcxpl.exe
      gmvrcxpl.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4572
    • C:\Windows\SysWOW64\tdlvgbtsdm.exe
      tdlvgbtsdm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5068
      • C:\Windows\SysWOW64\gmvrcxpl.exe
        C:\Windows\system32\gmvrcxpl.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2756
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1228

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\tdlvgbtsdm.exe

    Filesize

    382KB

    MD5

    badd716c7c48a8241873d9251da496d1

    SHA1

    6bd2a072c8f64a1780fe75d983cb7b6584985c6d

    SHA256

    ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

    SHA512

    7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

  • C:\Windows\SysWOW64\ybcpadacbtblawa.exe

    Filesize

    512KB

    MD5

    d403c76f8ac2c16d30aa6fec5ad5c550

    SHA1

    1637d0c8c53997cfc3102c7820bf8dc7f8c0d2c9

    SHA256

    2dfbc2fb7064cebfa45aee661a9cdfd61e2334cb025591ab0d3e4f1474da6647

    SHA512

    a97fb23b50d3f090f98d0a19338c5fb848bbc269b0d778731e7c6c6dd2058ffd592e7cc975cb9131fb3c51973a7e8e2be088faab6e61df5b82a824e740e89640

  • C:\Windows\SysWOW64\ybcpadacbtblawa.exe

    Filesize

    92KB

    MD5

    59ebf1358a9b829f5709baaedeeee6fa

    SHA1

    1409fd65da1b814db0a08feae54366dfca196f1c

    SHA256

    d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

    SHA512

    a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

  • C:\Windows\SysWOW64\ybcpadacbtblawa.exe

    Filesize

    384KB

    MD5

    0e151ec3919b72f9a6c7fe60d10f4ea0

    SHA1

    91fb01badc6db9808233ff95abf39c37982a8c85

    SHA256

    f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c

    SHA512

    41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

  • memory/428-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/1228-60-0x00007FFD4FCF0000-0x00007FFD4FD00000-memory.dmp

    Filesize

    64KB

  • memory/1228-48-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-44-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-45-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-47-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-49-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-52-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-54-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-55-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-56-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-57-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-59-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-38-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-58-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-53-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-51-0x00007FFD4FCF0000-0x00007FFD4FD00000-memory.dmp

    Filesize

    64KB

  • memory/1228-50-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-43-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-46-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-42-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-41-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-39-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-40-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-37-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-101-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-102-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-103-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-145-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-147-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-148-0x00007FFD91CD0000-0x00007FFD91EC5000-memory.dmp

    Filesize

    2.0MB

  • memory/1228-146-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-144-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB

  • memory/1228-143-0x00007FFD51D50000-0x00007FFD51D60000-memory.dmp

    Filesize

    64KB