4ce62b2c6fcd833b8dc4000f79116657a4411f497af73d81fb73ae90bc6d2bb3

General

Target

41b81c35a7e3845b2e8c00662fd54e24.exe
Size

512KB
MD5

41b81c35a7e3845b2e8c00662fd54e24
SHA1

2b89bb74fac9427cb8aaddff3b923518418888a8
SHA256

4ce62b2c6fcd833b8dc4000f79116657a4411f497af73d81fb73ae90bc6d2bb3
SHA512

23ed88ee3e9bc3fdbe4b7e72fbe436e6c91e8d4d41930dee88889db92a8b24bdb929e424343e92d62799ace7731d697adf8d186cff4f8eb659461b4af75389d3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6U:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
5016	gvnneqzqnc.exe
1540	afhfsbovtcffatq.exe
2988	dcrhetbv.exe
3400	ndcwwwwhkrzne.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1748-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0006000000023224-108.dat	autoit_exe
behavioral2/files/0x0006000000023224-114.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gvnneqzqnc.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File created	C:\Windows\SysWOW64\afhfsbovtcffatq.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification	C:\Windows\SysWOW64\afhfsbovtcffatq.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File created	C:\Windows\SysWOW64\dcrhetbv.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification	C:\Windows\SysWOW64\dcrhetbv.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File created	C:\Windows\SysWOW64\ndcwwwwhkrzne.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File opened for modification	C:\Windows\SysWOW64\ndcwwwwhkrzne.exe	41b81c35a7e3845b2e8c00662fd54e24.exe
File created	C:\Windows\SysWOW64\gvnneqzqnc.exe	41b81c35a7e3845b2e8c00662fd54e24.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	41b81c35a7e3845b2e8c00662fd54e24.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D7E9C2783516A4277D177552DDF7D8064DA"	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FAC9F965F1E484083B4386ED3E97B38B028C4315033FE1CF459D09D2"	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B129449739EA53CBB9D632E8D4B9"	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF83485A826F9046D6207E92BDE5E146584566366330D791"	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB8FF1B21ACD272D0A98A7F9161"	41b81c35a7e3845b2e8c00662fd54e24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC77B15ECDAC5B9C17CE3ED9537CD"	41b81c35a7e3845b2e8c00662fd54e24.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
5016	gvnneqzqnc.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
1748	41b81c35a7e3845b2e8c00662fd54e24.exe
5016	gvnneqzqnc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 5016	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	20
PID 1748 wrote to memory of 5016	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	20
PID 1748 wrote to memory of 5016	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	20
PID 1748 wrote to memory of 1540	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	29
PID 1748 wrote to memory of 1540	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	29
PID 1748 wrote to memory of 1540	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	29
PID 1748 wrote to memory of 2988	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	27
PID 1748 wrote to memory of 2988	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	27
PID 1748 wrote to memory of 2988	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	27
PID 1748 wrote to memory of 3400	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	21
PID 1748 wrote to memory of 3400	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	21
PID 1748 wrote to memory of 3400	1748	41b81c35a7e3845b2e8c00662fd54e24.exe	21

C:\Users\Admin\AppData\Local\Temp\41b81c35a7e3845b2e8c00662fd54e24.exe
"C:\Users\Admin\AppData\Local\Temp\41b81c35a7e3845b2e8c00662fd54e24.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\gvnneqzqnc.exe
  gvnneqzqnc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5016
- - C:\Windows\SysWOW64\dcrhetbv.exe
    C:\Windows\system32\dcrhetbv.exe
    3⤵
    PID:2044
- C:\Windows\SysWOW64\ndcwwwwhkrzne.exe
  ndcwwwwhkrzne.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:3600
- C:\Windows\SysWOW64\dcrhetbv.exe
  dcrhetbv.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\SysWOW64\afhfsbovtcffatq.exe
  afhfsbovtcffatq.exe
  2⤵
  - Executes dropped EXE
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
55d68c8bb95b388088231ac0769e2152

SHA1
48a64fc72772608feef6cb39431609d701caeb9a

SHA256
889d076e07a76559d2abd93b61ef4c1f61c079ef9ca0293082de6f319ec56a82

SHA512
b3a029c9d272c106e20968711cc7f5650c35f1e0c7d4ff4d35193b941c1e44928bf2b4ab4256043e96b58790271425f95be861aef4256e2c5169ce972421a548

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
54527731a92cbcd44c360900aaed0e93

SHA1
94b96dbcd68222a3583b91f217c89dfa15387cad

SHA256
b397ec200df2fdb2d672b5bfb9b911a4be1ee4a84404e26f93ff7a517bf137b2

SHA512
dbb9cb54eaf12d3b605dee2b8ac77bb0723dbe3065f7e64d222e202b95d0f717b0b941e9b35678ee9e47a88806868a760ba3464a55774ab00b25c49c15c98d45

Download Submit
memory/1748-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3600-37-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-117-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-47-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-49-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-52-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-53-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-51-0x00007FF9B6DD0000-0x00007FF9B6DE0000-memory.dmp

Filesize
64KB

Download
memory/3600-50-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-54-0x00007FF9B6DD0000-0x00007FF9B6DE0000-memory.dmp

Filesize
64KB

Download
memory/3600-48-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-45-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-42-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-39-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-44-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-46-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-43-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-36-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-38-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-116-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-35-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-118-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-143-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-147-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-146-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-145-0x00007FF9F8DB0000-0x00007FF9F8FA5000-memory.dmp

Filesize
2.0MB

Download
memory/3600-144-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-142-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-141-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download
memory/3600-140-0x00007FF9B8E30000-0x00007FF9B8E40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing