029dd7eb6b008bb295a8056f2a88b8f3f3ee6ea0f631692417307734a0ce3483

Analysis

max time kernel
0s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c77f7a60ef57684afae3dcf19110dfba.exe
Size

512KB
MD5

c77f7a60ef57684afae3dcf19110dfba
SHA1

95db3302117728fd83b040d8794543a42491f7b1
SHA256

029dd7eb6b008bb295a8056f2a88b8f3f3ee6ea0f631692417307734a0ce3483
SHA512

79af59a90602202482479988975207b5631d84bf8b4b446bec2517bdfe7672006926ccfc33b53d7460ba84d0459fafc22b117b25aeb0752116055ccf58f6fd94
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5P

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1056	lgfjdjgmow.exe
2956	dwefixygehnybig.exe
5056	gxebumot.exe
3464	dkrnsnjowpaom.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3076-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x000700000002304b-19.dat	autoit_exe
behavioral2/files/0x000600000002320e-32.dat	autoit_exe
behavioral2/files/0x0008000000023207-23.dat	autoit_exe
behavioral2/files/0x000600000002320d-28.dat	autoit_exe
behavioral2/files/0x000600000002320d-27.dat	autoit_exe
behavioral2/files/0x0008000000023207-25.dat	autoit_exe
behavioral2/files/0x000600000002320d-35.dat	autoit_exe
behavioral2/files/0x000600000002320e-31.dat	autoit_exe
behavioral2/files/0x000700000002304b-18.dat	autoit_exe
behavioral2/files/0x0008000000023207-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lgfjdjgmow.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File opened for modification	C:\Windows\SysWOW64\lgfjdjgmow.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File created	C:\Windows\SysWOW64\dwefixygehnybig.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File opened for modification	C:\Windows\SysWOW64\dwefixygehnybig.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File created	C:\Windows\SysWOW64\gxebumot.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File opened for modification	C:\Windows\SysWOW64\gxebumot.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File created	C:\Windows\SysWOW64\dkrnsnjowpaom.exe	c77f7a60ef57684afae3dcf19110dfba.exe
File opened for modification	C:\Windows\SysWOW64\dkrnsnjowpaom.exe	c77f7a60ef57684afae3dcf19110dfba.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	c77f7a60ef57684afae3dcf19110dfba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C7F9C5683556A4176A170212CAC7D8165DE"	c77f7a60ef57684afae3dcf19110dfba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9CAF913F1E483793A3281EB3996B08A02FC4366024BE1CC42E908D4"	c77f7a60ef57684afae3dcf19110dfba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B05B4792399952CBBAA6329AD4BB"	c77f7a60ef57684afae3dcf19110dfba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8C4F5D851F9042D7297DE6BDE2E635584767466331D799"	c77f7a60ef57684afae3dcf19110dfba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB4FF6E21DED173D0D28B099113"	c77f7a60ef57684afae3dcf19110dfba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70B1593DBBEB9CD7C95ECE737CD"	c77f7a60ef57684afae3dcf19110dfba.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	c77f7a60ef57684afae3dcf19110dfba.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
1056	lgfjdjgmow.exe
1056	lgfjdjgmow.exe
1056	lgfjdjgmow.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
3076	c77f7a60ef57684afae3dcf19110dfba.exe
1056	lgfjdjgmow.exe
1056	lgfjdjgmow.exe
1056	lgfjdjgmow.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 1056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	20
PID 3076 wrote to memory of 1056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	20
PID 3076 wrote to memory of 1056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	20
PID 3076 wrote to memory of 2956	3076	c77f7a60ef57684afae3dcf19110dfba.exe	29
PID 3076 wrote to memory of 2956	3076	c77f7a60ef57684afae3dcf19110dfba.exe	29
PID 3076 wrote to memory of 2956	3076	c77f7a60ef57684afae3dcf19110dfba.exe	29
PID 3076 wrote to memory of 5056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	28
PID 3076 wrote to memory of 5056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	28
PID 3076 wrote to memory of 5056	3076	c77f7a60ef57684afae3dcf19110dfba.exe	28
PID 3076 wrote to memory of 3464	3076	c77f7a60ef57684afae3dcf19110dfba.exe	27
PID 3076 wrote to memory of 3464	3076	c77f7a60ef57684afae3dcf19110dfba.exe	27
PID 3076 wrote to memory of 3464	3076	c77f7a60ef57684afae3dcf19110dfba.exe	27

C:\Users\Admin\AppData\Local\Temp\c77f7a60ef57684afae3dcf19110dfba.exe
"C:\Users\Admin\AppData\Local\Temp\c77f7a60ef57684afae3dcf19110dfba.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\SysWOW64\lgfjdjgmow.exe
  lgfjdjgmow.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1056
- - C:\Windows\SysWOW64\gxebumot.exe
    C:\Windows\system32\gxebumot.exe
    3⤵
    PID:944
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:5000
- C:\Windows\SysWOW64\dkrnsnjowpaom.exe
  dkrnsnjowpaom.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\SysWOW64\gxebumot.exe
  gxebumot.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\SysWOW64\dwefixygehnybig.exe
  dwefixygehnybig.exe
  2⤵
  - Executes dropped EXE
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
239B

MD5
557e218b0e20780b3cd82e427f86aa29

SHA1
63f5b2cb9bf3348d1553bec38764a8fb6a78b9aa

SHA256
3fc1be08067e63dd4be396fedda4558fa1b73824b18ab71fee42fece19c402df

SHA512
baa81f48536d3f518652d81615825b086a0d78f6aa2af4b08f1537fe75929c2cd275a14efd4f3f74786c29eca9b94000cdac8cef23389f6c670d3908455fc79c

Download Submit
C:\Windows\SysWOW64\dkrnsnjowpaom.exe

Filesize
10KB

MD5
b072cafe5ef9e2b489af11e02e2f0fce

SHA1
2fa1e3df9cbce3e80abb56c0ddb3da0a1f3b8cf4

SHA256
654c5d66f0fd2bbdd935a019df34793343dc87d7c7efb821050df480339c8967

SHA512
ef8ef1b06d43fe1deac17f294ddce2a198f29deb41e9968d28fcb335d8d6eca20dd75887a368c78c5a76221e3c42a9db708f6916a8932ceb64fc1fafc2565119

Download Submit
C:\Windows\SysWOW64\dkrnsnjowpaom.exe

Filesize
22KB

MD5
e6110e8247ee6587273a7b5ab40a6946

SHA1
101407f8067dd7b7d872999841f2940a4a478e61

SHA256
e1770d55486cede149ff09b86f7681fe6b8c21788e093b1496fefbdac73ec480

SHA512
6357fb9df1212bb10d8b7c2901115ffe247fde21e0e64cd7c5f780dcf7f32eb9540ae5c5948ae271c489a67cbb990e02d171d306f328711db0b533f2e8b7e8fa

Download Submit
C:\Windows\SysWOW64\dwefixygehnybig.exe

Filesize
1KB

MD5
ec89629d437c17787acc7061c89e753c

SHA1
c65089b32eba1cf75d3546335718073460c971f9

SHA256
87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

SHA512
65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Download Submit
C:\Windows\SysWOW64\dwefixygehnybig.exe

Filesize
56KB

MD5
898fec3854ee44f9ab0e4d205b9d0b55

SHA1
ab2e882afed3d1a2126dbb1a57b11a160a6c3a05

SHA256
498c20c9eda6c048769e22fde4f78216679703188904df7619e53c5398bf1af9

SHA512
8b27ee3fb599d5a12ef389e18f04bee1f752fe93956182c7af5a93e355f53cf965ab687341a7a9c945dc78828fe7161dbe11830e3bd3efc50246aa60ade4c510

Download Submit
C:\Windows\SysWOW64\dwefixygehnybig.exe

Filesize
28KB

MD5
64b43f64e763ce9e9371150ee45ee065

SHA1
d3c3cf0cfbc83ee5bc6e5362a5101248e0fd4f0e

SHA256
2c8e61ea10e095d88fc388cba6e3db601e19f1cccd397df4d145f20f37470b6e

SHA512
caaed9efa4853b190c03eb28d17bb91a2b604adb23bc60544a28c6ca3f1fcc640adf76801f5f3753cdd0eff46692952361797670967bbfdf217d0977db74c3b0

Download Submit
C:\Windows\SysWOW64\gxebumot.exe

Filesize
27KB

MD5
d270be3fed73fb44bf632196deadb7af

SHA1
110a51da87ae3befb4d76fc9b8f66a8f6cea5d92

SHA256
d36639ae44f41afe1201d23094da26ef3e2a550b89cb29b0e9ba7ed6445bf71d

SHA512
16a0a446d15ea987a093405669d93064a8927ac4d9ae76250ca99ff582441f189556b49891a64ac1c52533d42a317024da84b3cfb6e99761b364ba8c69a3d147

Download Submit
C:\Windows\SysWOW64\gxebumot.exe

Filesize
31KB

MD5
301a2319eb795327b74d845076c20b44

SHA1
39fbe6f24bfc9c09eb2e6894168b8f1faafaee02

SHA256
6e8630c67761208fff403c80ffa9e7fe17159b6530fddfb2206359c7c221e57c

SHA512
e466047de73175d8ec7aee931851ed532eca9ea1f417a5b20be5a2bbe01b7a93da8e207b7469dabd9fbec1e47b851f0369a41eb323172b91b383874f3085ad42

Download Submit
C:\Windows\SysWOW64\gxebumot.exe

Filesize
50KB

MD5
a4061f886ebf55064a2d87ca2ef12c24

SHA1
1b8d42531c8692e08a4f9ca7b421ce56951dbbf8

SHA256
baea35ab1fd7dac957a1a7364f1a28d317ed066eb1d7456b5cdfaaf3a6802cbb

SHA512
02a6109316538894001eb762cf1cda537ed3346f43fc54dc6d38db33c9222e0d20f8865960afd7dd6c112bcddfbabb03d42fa89be40f7c1b5eee860191000034

Download Submit
C:\Windows\SysWOW64\lgfjdjgmow.exe

Filesize
27KB

MD5
0cc58caddb41cfe8970c054d308a5c30

SHA1
a31b77fe7e1efaeab8c937373405712afa6bd5d7

SHA256
97f55243430da31b5867fde7a39e99a1762a60de7e794ecc04f6e5ae5a51298d

SHA512
1e0dd60e469a23acc7876f63393443640622bacaeb680aefbc063a9aa0dfa3948d703fb8a5f30ae07ff59311dc5b2aec521dc41a32cd3f5e46d4e240905c052b

Download Submit
C:\Windows\SysWOW64\lgfjdjgmow.exe

Filesize
47KB

MD5
146628dbd8f7a95dad1616f1762ffd46

SHA1
71c858ec2c111879eaa0501462fa16f1d8d3a95c

SHA256
2fd68c331fb0e6a9abb3eed26cf383b5b98047f6f3ce05e37be0cd8d5ecbb61a

SHA512
dad08e7d2df93f01a1a6e0d2d811e617453972633b628f623dd1f390a4c7749cf455200f1426efb207d56a96a0ac75ebe241bd9afa9762051cbec6e5861eafb4

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
memory/3076-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/5000-49-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-41-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-57-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-58-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-56-0x00007FFE358C0000-0x00007FFE358D0000-memory.dmp

Filesize
64KB

Download
memory/5000-52-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-51-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-50-0x00007FFE358C0000-0x00007FFE358D0000-memory.dmp

Filesize
64KB

Download
memory/5000-54-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-48-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-46-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-44-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-53-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-43-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-42-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-55-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-39-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-38-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-37-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-47-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-45-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-40-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-106-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-107-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-108-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-109-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-134-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-136-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-135-0x00007FFE77E90000-0x00007FFE78085000-memory.dmp

Filesize
2.0MB

Download
memory/5000-133-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-132-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download
memory/5000-131-0x00007FFE37F10000-0x00007FFE37F20000-memory.dmp

Filesize
64KB

Download