eeaa2181be19dfdfc7ce17d5eb82a8c64693c536d012bcea9b3fce67a8e4c73b

General

Target

379c2b93eabee044047c1261e9aaa2ee.exe
Size

512KB
MD5

379c2b93eabee044047c1261e9aaa2ee
SHA1

0ce2abba7e5a3f5586b7d863ec91d0369640240f
SHA256

eeaa2181be19dfdfc7ce17d5eb82a8c64693c536d012bcea9b3fce67a8e4c73b
SHA512

59ac957c6440918a631578c3ca52594b01d520d56a82965cf3da54131f64e3adec98d8e72fcf4f42870fdb7f094847c9af0414b46a0441d9c71cdad804f48b41
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3400	pdyezakajr.exe
2376	ijlevbkgxvgxdqy.exe
2832	rtibwkbg.exe
3024	jsnksfrelbtxa.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4908-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0007000000023213-22.dat	autoit_exe
behavioral2/files/0x0007000000023210-18.dat	autoit_exe
behavioral2/files/0x0007000000023213-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rtibwkbg.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File opened for modification	C:\Windows\SysWOW64\rtibwkbg.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File created	C:\Windows\SysWOW64\jsnksfrelbtxa.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File opened for modification	C:\Windows\SysWOW64\jsnksfrelbtxa.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File created	C:\Windows\SysWOW64\pdyezakajr.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File opened for modification	C:\Windows\SysWOW64\pdyezakajr.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File created	C:\Windows\SysWOW64\ijlevbkgxvgxdqy.exe	379c2b93eabee044047c1261e9aaa2ee.exe
File opened for modification	C:\Windows\SysWOW64\ijlevbkgxvgxdqy.exe	379c2b93eabee044047c1261e9aaa2ee.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	379c2b93eabee044047c1261e9aaa2ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7C9D2083236D3676D170562CDF7D8465DB"	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFABEF961F1E5840F3B4386E93996B3FE038B43160248E1CA459A09A3"	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02E47E7399952C9BAA032E8D7BE"	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFCFF482E851A9042D7217E97BD93E147594566436236D7EC"	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB4FF6C21A9D208D1D68B7D9166"	379c2b93eabee044047c1261e9aaa2ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C77B1590DAC4B9BE7CE0ED9534BB"	379c2b93eabee044047c1261e9aaa2ee.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
3400	pdyezakajr.exe
3400	pdyezakajr.exe
3400	pdyezakajr.exe
2832	rtibwkbg.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
4908	379c2b93eabee044047c1261e9aaa2ee.exe
3400	pdyezakajr.exe
3400	pdyezakajr.exe
3400	pdyezakajr.exe
2832	rtibwkbg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3400	4908	379c2b93eabee044047c1261e9aaa2ee.exe	21
PID 4908 wrote to memory of 3400	4908	379c2b93eabee044047c1261e9aaa2ee.exe	21
PID 4908 wrote to memory of 3400	4908	379c2b93eabee044047c1261e9aaa2ee.exe	21
PID 4908 wrote to memory of 2376	4908	379c2b93eabee044047c1261e9aaa2ee.exe	30
PID 4908 wrote to memory of 2376	4908	379c2b93eabee044047c1261e9aaa2ee.exe	30
PID 4908 wrote to memory of 2376	4908	379c2b93eabee044047c1261e9aaa2ee.exe	30
PID 4908 wrote to memory of 2832	4908	379c2b93eabee044047c1261e9aaa2ee.exe	28
PID 4908 wrote to memory of 2832	4908	379c2b93eabee044047c1261e9aaa2ee.exe	28
PID 4908 wrote to memory of 2832	4908	379c2b93eabee044047c1261e9aaa2ee.exe	28
PID 4908 wrote to memory of 3024	4908	379c2b93eabee044047c1261e9aaa2ee.exe	27
PID 4908 wrote to memory of 3024	4908	379c2b93eabee044047c1261e9aaa2ee.exe	27
PID 4908 wrote to memory of 3024	4908	379c2b93eabee044047c1261e9aaa2ee.exe	27

C:\Users\Admin\AppData\Local\Temp\379c2b93eabee044047c1261e9aaa2ee.exe
"C:\Users\Admin\AppData\Local\Temp\379c2b93eabee044047c1261e9aaa2ee.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\SysWOW64\pdyezakajr.exe
  pdyezakajr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3400
- - C:\Windows\SysWOW64\rtibwkbg.exe
    C:\Windows\system32\rtibwkbg.exe
    3⤵
    PID:4840
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:3572
- C:\Windows\SysWOW64\jsnksfrelbtxa.exe
  jsnksfrelbtxa.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\SysWOW64\rtibwkbg.exe
  rtibwkbg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2832
- C:\Windows\SysWOW64\ijlevbkgxvgxdqy.exe
  ijlevbkgxvgxdqy.exe
  2⤵
  - Executes dropped EXE
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ijlevbkgxvgxdqy.exe

Filesize
92KB

MD5
6662b185f19fbf697c56a25c92de7961

SHA1
0df0c0df0de3724258df2549c583e3c934aca726

SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Download Submit
C:\Windows\SysWOW64\ijlevbkgxvgxdqy.exe

Filesize
109KB

MD5
0cfbc90dc8b06c8ac2973903ff26c131

SHA1
9fd26122e35167e6bbc549f0a23284cd22830f1e

SHA256
ae825b1d51d84d547ee7f3d3e45c8fa185a9038804c439c227e8387bf16d990e

SHA512
04823693460c545a9402e40ec88cfc6fa420ae0810637280c23f728a17777f90bf957db8a6d51204d953c5c7553f71493ceae3f54a6e796be42441e15b6a762f

Download Submit
C:\Windows\SysWOW64\pdyezakajr.exe

Filesize
46KB

MD5
65932464ef2e4b9f238185a152e96621

SHA1
7c4c87f355675a2183fe7b3a82668ccfbdea44f5

SHA256
6c0c18e34aec2349111015e285e4308e6cbe2b1e0791ec97ed3b975bd1ef8b75

SHA512
fc477076143309c0c8ef6be134e9b295a95709032d9e1755a44f8706cb3a09e3ab0ab9adedbd7fd7b6dccf8716cf50a0235b1ad95f67a5645cc90e16fb18f8b2

Download Submit
memory/3572-54-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-41-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-47-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-50-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-141-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-53-0x00007FFD8EFF0000-0x00007FFD8F000000-memory.dmp

Filesize
64KB

Download
memory/3572-52-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-51-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-55-0x00007FFD8EFF0000-0x00007FFD8F000000-memory.dmp

Filesize
64KB

Download
memory/3572-49-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-48-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-46-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-45-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-43-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-39-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-38-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-37-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-40-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-36-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-35-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-117-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-118-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-119-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-145-0x00007FFDD10D0000-0x00007FFDD12C5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-144-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-143-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/3572-142-0x00007FFD91150000-0x00007FFD91160000-memory.dmp

Filesize
64KB

Download
memory/4908-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing