28e06945ee657354892c1e3870be243a00537f6d97e8264fee47ef1168a44b7a

General

Target

2cee48071443a912de476a0a087391ae.exe
Size

512KB
MD5

2cee48071443a912de476a0a087391ae
SHA1

cd9096469690843bc02636668528ebebd27b7e63
SHA256

28e06945ee657354892c1e3870be243a00537f6d97e8264fee47ef1168a44b7a
SHA512

e6e0321edbcfa62d95d5b852351fe0d742843a4ff41f1617c3db94b6bd5483a1e2a93bcef8747cf7185d8799d91f43d7b2b9c58a02fe26c55483641180c08e19
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2028	fxxlsgqnyw.exe
2880	aulvcvdvninzhnq.exe
4592	myspcjgu.exe
1228	rlgzmaaewbxmy.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3188-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x00080000000231ea-19.dat	autoit_exe
behavioral2/files/0x00080000000231ea-18.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fxxlsgqnyw.exe	Process not Found
File created	C:\Windows\SysWOW64\aulvcvdvninzhnq.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\aulvcvdvninzhnq.exe	Process not Found
File created	C:\Windows\SysWOW64\myspcjgu.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\myspcjgu.exe	Process not Found
File created	C:\Windows\SysWOW64\rlgzmaaewbxmy.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\rlgzmaaewbxmy.exe	Process not Found
File created	C:\Windows\SysWOW64\fxxlsgqnyw.exe	Process not Found

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	Process not Found

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C67514E3DBC0B8C17FE1EC9E37CE"	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D0B9D2183536D3F76D777272CA97C8765DE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9B1F961F2E483083A47869F3E97B08102FD43660233E1BD42EE09D2"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B058449438E253CDBAA73292D4B8"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FF8B4827821B9135D75F7D94BD93E6355945664F6333D69D"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B1FE6921ABD10ED0D38A0B9165"	Process not Found

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3188	Process not Found
3188	Process not Found
3188	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 2028	3188	Process not Found	28
PID 3188 wrote to memory of 2028	3188	Process not Found	28
PID 3188 wrote to memory of 2028	3188	Process not Found	28
PID 3188 wrote to memory of 2880	3188	Process not Found	27
PID 3188 wrote to memory of 2880	3188	Process not Found	27
PID 3188 wrote to memory of 2880	3188	Process not Found	27
PID 3188 wrote to memory of 4592	3188	Process not Found	26
PID 3188 wrote to memory of 4592	3188	Process not Found	26
PID 3188 wrote to memory of 4592	3188	Process not Found	26
PID 3188 wrote to memory of 1228	3188	Process not Found	18
PID 3188 wrote to memory of 1228	3188	Process not Found	18
PID 3188 wrote to memory of 1228	3188	Process not Found	18

C:\Users\Admin\AppData\Local\Temp\2cee48071443a912de476a0a087391ae.exe
"C:\Users\Admin\AppData\Local\Temp\2cee48071443a912de476a0a087391ae.exe"
1⤵
PID:3188
- C:\Windows\SysWOW64\rlgzmaaewbxmy.exe
  rlgzmaaewbxmy.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:4596
- C:\Windows\SysWOW64\myspcjgu.exe
  myspcjgu.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\SysWOW64\aulvcvdvninzhnq.exe
  aulvcvdvninzhnq.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\SysWOW64\fxxlsgqnyw.exe
  fxxlsgqnyw.exe
  2⤵
  - Executes dropped EXE
  PID:2028

C:\Windows\SysWOW64\myspcjgu.exe
C:\Windows\system32\myspcjgu.exe
1⤵
PID:676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fxxlsgqnyw.exe

Filesize
92KB

MD5
59ebf1358a9b829f5709baaedeeee6fa

SHA1
1409fd65da1b814db0a08feae54366dfca196f1c

SHA256
d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

SHA512
a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

Download Submit
memory/3188-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/4596-57-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-35-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-51-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-53-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-55-0x00007FFEA8890000-0x00007FFEA88A0000-memory.dmp

Filesize
64KB

Download
memory/4596-45-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-58-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-56-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-54-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-52-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-48-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-50-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-49-0x00007FFEA8890000-0x00007FFEA88A0000-memory.dmp

Filesize
64KB

Download
memory/4596-46-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-47-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-39-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-42-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-37-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-36-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-40-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-41-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-38-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-115-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-142-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-141-0x00007FFEEA8D0000-0x00007FFEEAAC5000-memory.dmp

Filesize
2.0MB

Download
memory/4596-140-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-139-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-138-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download
memory/4596-137-0x00007FFEAA950000-0x00007FFEAA960000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing