0572d41a8dc23620498817103720cfa127caf675e51bf657480dde319ce941e0

Analysis

max time kernel
0s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28cd351bcc0e06f40d02fd93bf66ce9f.exe
Size

512KB
MD5

28cd351bcc0e06f40d02fd93bf66ce9f
SHA1

a8b69c9293c0e10bab6d75c1a88355d97f94e835
SHA256

0572d41a8dc23620498817103720cfa127caf675e51bf657480dde319ce941e0
SHA512

7206a08e3bb549d6d18c75a6a7a32984dd63b3aefffa571d2f6eebf1397db46d88f381e5f3e6591714fb00370b1badf5ddd7e5ee6a5c4d725a15aeb63866a4a4
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
408	dwzwnqmojl.exe
444	mybirihrumwhkzx.exe
232	rdmpbrjy.exe
4800	vjygjmabeewed.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1532-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0008000000023211-6.dat	autoit_exe
behavioral2/files/0x0006000000023216-27.dat	autoit_exe
behavioral2/files/0x0008000000023211-24.dat	autoit_exe
behavioral2/files/0x0006000000023217-32.dat	autoit_exe
behavioral2/files/0x0006000000023217-31.dat	autoit_exe
behavioral2/files/0x0006000000023216-44.dat	autoit_exe
behavioral2/files/0x0006000000023216-29.dat	autoit_exe
behavioral2/files/0x0008000000023211-23.dat	autoit_exe
behavioral2/files/0x0007000000023039-19.dat	autoit_exe
behavioral2/files/0x0007000000023039-18.dat	autoit_exe
behavioral2/files/0x0003000000022713-88.dat	autoit_exe
behavioral2/files/0x0008000000023223-95.dat	autoit_exe
behavioral2/files/0x0008000000023223-117.dat	autoit_exe
behavioral2/files/0x0008000000023223-115.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mybirihrumwhkzx.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File created	C:\Windows\SysWOW64\rdmpbrjy.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File opened for modification	C:\Windows\SysWOW64\rdmpbrjy.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File created	C:\Windows\SysWOW64\vjygjmabeewed.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File opened for modification	C:\Windows\SysWOW64\vjygjmabeewed.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File created	C:\Windows\SysWOW64\dwzwnqmojl.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File opened for modification	C:\Windows\SysWOW64\dwzwnqmojl.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe
File created	C:\Windows\SysWOW64\mybirihrumwhkzx.exe	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7F9D2382586A3277D170542CAA7D8464AC"	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9BDF916F190840B3B3186EC3E93B38A02F942160348E1C545EA09A2"	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12E47E338E253CCB9D0329FD4CF"	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8D4F29856F9132D72A7D94BDEFE137594266406344D790"	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB0FE6C21ACD179D1D58A7F916B"	28cd351bcc0e06f40d02fd93bf66ce9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC67E14E5DBB3B8C17FE2ECE037CC"	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe
1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 408	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	30
PID 1532 wrote to memory of 408	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	30
PID 1532 wrote to memory of 408	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	30
PID 1532 wrote to memory of 444	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	29
PID 1532 wrote to memory of 444	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	29
PID 1532 wrote to memory of 444	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	29
PID 1532 wrote to memory of 232	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	28
PID 1532 wrote to memory of 232	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	28
PID 1532 wrote to memory of 232	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	28
PID 1532 wrote to memory of 4800	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	20
PID 1532 wrote to memory of 4800	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	20
PID 1532 wrote to memory of 4800	1532	28cd351bcc0e06f40d02fd93bf66ce9f.exe	20

C:\Users\Admin\AppData\Local\Temp\28cd351bcc0e06f40d02fd93bf66ce9f.exe
"C:\Users\Admin\AppData\Local\Temp\28cd351bcc0e06f40d02fd93bf66ce9f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\vjygjmabeewed.exe
  vjygjmabeewed.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4876
- C:\Windows\SysWOW64\rdmpbrjy.exe
  rdmpbrjy.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\SysWOW64\mybirihrumwhkzx.exe
  mybirihrumwhkzx.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\SysWOW64\dwzwnqmojl.exe
  dwzwnqmojl.exe
  2⤵
  - Executes dropped EXE
  PID:408

C:\Windows\SysWOW64\rdmpbrjy.exe
C:\Windows\system32\rdmpbrjy.exe
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
fe7edee43442334948ed68fa3d31a6e9

SHA1
7637a8d1325fb925e2a7636ea2ca9a4b7058ec08

SHA256
5bd7071ba9fb3ef00afe517e0859f2224f62bb910c011faeded199bfb2f91b67

SHA512
12b4feb0c72d0c60f55993ebe531988b9e15a8060a96570ebe15a932428b035d06c535e6e427d048989fc6d352f746b3a525b1d0a3fdd046f72d6322772fdf45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
f39cfc7e41af56340f986667a96768ed

SHA1
87f0b87e230f0e215c03da4b006c3afcdb9c676d

SHA256
87bb1ae48020ebba2f5d4af1cd847389732dfb02aae59d9b9fac2455a12987dd

SHA512
8e171e53c59f2b03d00b53f51bfa3d23934e433bba7199bfcb6c279715b8ce281641ee298e4a91e80894ef9c3a99e8d57171d99e390edfd6dbbc75abd3ec2289

Download Submit
C:\Windows\SysWOW64\dwzwnqmojl.exe

Filesize
39KB

MD5
377db43c86a602f3ce6b8ad668c7f034

SHA1
9cb0a80b45c988fd4d6812c7b9d7c682af8261d7

SHA256
f0c07f92702be4e20831d7b5a1cf5fc231cad1811c837ede242fb2c0162523e2

SHA512
489e7073040ace9fbf904bc06c12ec27331b2b264a97d534cba6bec37a103b5bb1aa67970d0381487ab12a9fdfbed0a80b934344dc0a55d962c1c59522209332

Download Submit
C:\Windows\SysWOW64\dwzwnqmojl.exe

Filesize
66KB

MD5
c83ced337b3352dd3960b0ce9347fe7d

SHA1
f0ddd834c4620918fb9e3bb3f61ab1b28c83add1

SHA256
0a42c8a6bbf8130eb44356bf0c5748f2b473b76880c84e070acd1f570b2fab42

SHA512
cbd7dcce356ca906e8c66606a66a670378dbc34b97f7b1394c3fbfab8a870d31bc7f89c4bfc9d9bef62b5d3a58681f93832fd9f98341255f2ecb3ce9f28aea90

Download Submit
C:\Windows\SysWOW64\mybirihrumwhkzx.exe

Filesize
8KB

MD5
c463f8137283e64ca4407f6319123bc6

SHA1
4c0b40a51a5475e862a848554636e83309557fc4

SHA256
9818685556764ef08c13f9ff5ae59a17b089fe565e372058f6a2f68a069d7b27

SHA512
81b39ff9440e4af68a40a1a345e782f8abbcd19dd2e1d26f64dd8ef57879ea1b722fd339f3d17835c32c1bc30f268669a2c90a39d036c35cc0f0bf3bd9ec4767

Download Submit
C:\Windows\SysWOW64\mybirihrumwhkzx.exe

Filesize
4KB

MD5
139ae3287066668ad1108762b3228bc7

SHA1
668c7621832bf31cfba4d51ccd9b65eca79f0ec7

SHA256
5cd7b6f1de81139379ea8f102e8efe5434216cab2c4c6a96099d501ca561e0ba

SHA512
b7e4c884ac5dd4e356b105fd80328fe8d45934ef38be0c34c93c9cb31e677de3eedcbfe48fa448974f5ecd4da6ef3803d4fcf512b6d844ed2b0de5e1ed7fbd2a

Download Submit
C:\Windows\SysWOW64\mybirihrumwhkzx.exe

Filesize
12KB

MD5
c5069d67dbc788cc6221ae2642ce4944

SHA1
3ce79f390a31e97c4e3797732949844a1748f450

SHA256
88585bdeb224abf279d13e22cfd6341a441e16049f83bb6e6dca11bed70e1730

SHA512
2399d9e6cb3a9cb759fb4000ffb5a43759e58a1108e510692cf9aede2a3bb622df8cd605e336a03293618b7b2c0be87f562a5cc22043afe36b6d42904a66757a

Download Submit
C:\Windows\SysWOW64\rdmpbrjy.exe

Filesize
1KB

MD5
daac8859fdbda973565a2d444782b043

SHA1
02eaeba6abee5cdba3e0f162fabfba7641fa23d4

SHA256
8f1252d5bfd6ae63308d4e03603d5f0b53b0a33e64841e42044159fdb01638fd

SHA512
d16d88e870cffe05379920e5e7d2277b3c1b1ed33bb725cdb87fd678cc2ac0a13772b6dab94ad0362c406d324fefb42f7bef23ae8f6f4cab9e865875b98ab156

Download Submit
C:\Windows\SysWOW64\rdmpbrjy.exe

Filesize
14KB

MD5
d2221a4e7a0e6dfe64898561b1336ea6

SHA1
984e811fbb3e3dcae6a6e2856dfe70b3b27f9c0a

SHA256
1ccf0458e4740dba8d75fd2c45588195f7b7f79c64ec8ec696d0acebd7411900

SHA512
2b6e9619ef0fa6cc8a5f6e5bd76836d858d0ed11242ab1d0112c610ee29e91a850225811235888d63528899a71dcbbfb9875aa9690bf40884093a9a15a6bb96f

Download Submit
C:\Windows\SysWOW64\rdmpbrjy.exe

Filesize
8KB

MD5
b3423b2633e10d5dbb603b6be8caab53

SHA1
9fd5bf9bd1c608c87a5d0d1425817199e87cffdc

SHA256
d2d5ba044f307672eac1265e6541ed74eb92fdd1e53834a2c311d64b97a752c8

SHA512
7abb29f9efc19056881ea3506fd95f76165ac3e57c5649228784b6762f5640257200f06e7bcbac81667c820b4044c220072a65b74dd6842e5421dc441835b158

Download Submit
C:\Windows\SysWOW64\vjygjmabeewed.exe

Filesize
38KB

MD5
72bf75f9923330a1339fc31e1fe9618a

SHA1
3adc691f0deb9b10d4b2fb856c9f06bba4dd83fa

SHA256
b84adfedb754099c0eb446f355e2c91482116d5809c8f95bf9531311d0b87a0d

SHA512
e91f650603c4dd8561c719c909b9734d1bc6af5f71b7816fe8c222ff7aad6310f924143c5c5e1b8fe29056e92399aa83dec956a945917b067cff8a4b60ba3beb

Download Submit
\??\c:\Users\Admin\Documents\AddUse.doc.exe

Filesize
4KB

MD5
ed1c60e9a7a92edcab339f7ee087e387

SHA1
88f8f6c911931da7e87f20ba56d19ccf2c015417

SHA256
ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3

SHA512
2ecc0b336db1f9d6b3d4d6880980f27a8a4e9ce7eb25a12b095beb28075d793fc7667f06d7bc4512548393d0374885e8739514b96173aaefa44d7baf434f24a2

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
57KB

MD5
6acc6d7df530b0e5f4e0d36f11813456

SHA1
680d3a95a444541e6fa37bc2d8d1e6eff8ee6d45

SHA256
57a71092acc7e43ce9511c5cae9b750323b7013a177bf4f3e55a9adae10e57ef

SHA512
50bcc91bcf121125fc4e8b2160043ece2b11445476b07c4566e49a195e11b4dd77430a2eee386fb1117dcd38a7d4d45d1767325cba1016140e092940310752db

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
32KB

MD5
7fa50bb81d67a65da2868478abb2ec2c

SHA1
8588f938cc91ccd856a433673a1d333f2e0ac26b

SHA256
05fae4c4f4c1882af100d63c4f35395ae5ade0d9ae2f47ee708a1878ee138315

SHA512
fec08d672287f43e437a0a2cc031d91f04b809cff9c5f9c49c352873173d0594dce0575922f24e2603b5e892adc0ce4e6c1283b86dbd1db4ac81131e5c34271e

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
11KB

MD5
fc1f9f6c4fe2105ec2a4061f2fb397d1

SHA1
0b0c1fa57adbeafb86b25a433becebc4a10d0f29

SHA256
5c7dd2bce4a9903d57c4c018c257fba824a7c3357f87e081f398e25a256182e3

SHA512
9b5d2197b4e004932d6c7f86052fb1680b2f2f2c49947443e71903bb877b5c14911cd190176c57bbc2576929cd95a04e0862a2e24a4fc411e2b7e87f68ed4625

Download Submit
memory/1532-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4876-52-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-60-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-55-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-54-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/4876-51-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-48-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-47-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-43-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-41-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-40-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-39-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-38-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-37-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-35-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-59-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-57-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-58-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-56-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-53-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-50-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-49-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/4876-45-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-42-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-36-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-119-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-144-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-146-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-147-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-145-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/4876-143-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-142-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/4876-141-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download