de3d5d114f4875ac3874a6a5b0656a3c8732507974ca1bcbc4bd49193b2194f8

Analysis

max time kernel
0s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fc7d574eda0aa78c7374d97cff91de3.exe
Size

512KB
MD5

3fc7d574eda0aa78c7374d97cff91de3
SHA1

c8f5c8bc56b913d33822268c6ad88dee0d3bea93
SHA256

de3d5d114f4875ac3874a6a5b0656a3c8732507974ca1bcbc4bd49193b2194f8
SHA512

50f5a971e60746ac7faf1c72eb8768d581eaa18eb323a7392d025f3dcc2be5a082211790844a710ca505748818119ccbe0bd1813b961dc033ac571ff2bb098a3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3764	kkvdhpbvub.exe
1208	nrrrmsphxstkams.exe
492	yunudnlg.exe
4160	vrykjavqxurfn.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2524-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x00090000000231e3-6.dat	autoit_exe
behavioral2/files/0x00070000000231ea-31.dat	autoit_exe
behavioral2/files/0x00070000000231e9-28.dat	autoit_exe
behavioral2/files/0x000e000000023145-19.dat	autoit_exe
behavioral2/files/0x0006000000023211-75.dat	autoit_exe
behavioral2/files/0x0006000000023210-72.dat	autoit_exe
behavioral2/files/0x000c000000023125-99.dat	autoit_exe
behavioral2/files/0x000c000000023125-103.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vrykjavqxurfn.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File opened for modification	C:\Windows\SysWOW64\vrykjavqxurfn.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File created	C:\Windows\SysWOW64\kkvdhpbvub.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File opened for modification	C:\Windows\SysWOW64\kkvdhpbvub.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File created	C:\Windows\SysWOW64\nrrrmsphxstkams.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File opened for modification	C:\Windows\SysWOW64\nrrrmsphxstkams.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File created	C:\Windows\SysWOW64\yunudnlg.exe	3fc7d574eda0aa78c7374d97cff91de3.exe
File opened for modification	C:\Windows\SysWOW64\yunudnlg.exe	3fc7d574eda0aa78c7374d97cff91de3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	3fc7d574eda0aa78c7374d97cff91de3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C0A9D5683206A3477D070242DD87CF464DB"	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9CDFE16F2E0837D3A42819B3999B3FE038C42130332E1CF42ED09A9"	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B02F47E0389853CABADC3299D7BE"	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFC4F29851A9132D75F7E93BC97E643584266456341D79A"	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468C4FF1821D9D179D1A98A749011"	3fc7d574eda0aa78c7374d97cff91de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60C15E0DAB4B9CD7FE5EC9434C7"	3fc7d574eda0aa78c7374d97cff91de3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
3764	kkvdhpbvub.exe
3764	kkvdhpbvub.exe
3764	kkvdhpbvub.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
2524	3fc7d574eda0aa78c7374d97cff91de3.exe
3764	kkvdhpbvub.exe
3764	kkvdhpbvub.exe
3764	kkvdhpbvub.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3764	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	30
PID 2524 wrote to memory of 3764	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	30
PID 2524 wrote to memory of 3764	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	30
PID 2524 wrote to memory of 1208	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	29
PID 2524 wrote to memory of 1208	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	29
PID 2524 wrote to memory of 1208	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	29
PID 2524 wrote to memory of 492	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	28
PID 2524 wrote to memory of 492	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	28
PID 2524 wrote to memory of 492	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	28
PID 2524 wrote to memory of 4160	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	22
PID 2524 wrote to memory of 4160	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	22
PID 2524 wrote to memory of 4160	2524	3fc7d574eda0aa78c7374d97cff91de3.exe	22

C:\Users\Admin\AppData\Local\Temp\3fc7d574eda0aa78c7374d97cff91de3.exe
"C:\Users\Admin\AppData\Local\Temp\3fc7d574eda0aa78c7374d97cff91de3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\vrykjavqxurfn.exe
  vrykjavqxurfn.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  PID:640
- C:\Windows\SysWOW64\yunudnlg.exe
  yunudnlg.exe
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\SysWOW64\nrrrmsphxstkams.exe
  nrrrmsphxstkams.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\SysWOW64\kkvdhpbvub.exe
  kkvdhpbvub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3764

C:\Windows\SysWOW64\yunudnlg.exe
C:\Windows\system32\yunudnlg.exe
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
9012673b2ceab019be0e0fe5544099d8

SHA1
cc257056492f8880efe0dafe60d2db30cbf7924e

SHA256
b4321aed39c855d6ee04737e341cc33dfc0769784ff49f037320ae1e9135e391

SHA512
ab71ab788a2aeba88fe159f6ecb7802f3ead9f204224c0ac790d9a74691e3b861e6bea35123b1cfa303a2701630fa8fc285cc9b60dfbb58c958be23e083d7c73

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
440fd89427ff70e2ad00dc1dfbded087

SHA1
f178cdbf3ad69f81dde14169da92313a0610000c

SHA256
f991765afda13005e2c36d14516d59112cae5c31044ddef94c9604f77367f136

SHA512
f7afcea053dc85fefbfcf04d960da74b085d5a59a0aa230f86d4988891910f0a7dfc3220dd332c1b72bd321d85b97c84aa6ea1eb2b1b2a57ec4538fa8be9cae5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
239B

MD5
1459a67e7603529e2bd4067a2a106783

SHA1
50364cbc787a8be7195e9f7847e1087a8426f3d7

SHA256
c989778e2fd3711e7ec2d1578a84da327ba9ef65015084c9f4fcf3e4c9e1a9cc

SHA512
b21324f7d9bbb59a64f178c735dd70496629ad0a08b2b5a6eee2346664104b03c13805102347cf5263f8b2e797f08fadaec01e231bc2db1f7716e1f7b257c373

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
2192fd39a211f71de7747336a400dd77

SHA1
498d37d888de9f9bce2df0dcd732fdf3b1a72683

SHA256
b784990a40ac0f726da20bdb830f52d7f96330f123b6e7f77c837c3ea8748469

SHA512
4173898a131c1bb5126073767492517980fabbc9e301b9ba8184f112706882bab6fea20291df090a7655d40d2c5744210efb3d84988f72795766a537f3eec41b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
fecde45cd9fedcc6136a3e29953562f4

SHA1
8f7c2ffe43fcfc4b87ca70ddb683794b49602318

SHA256
1793f6c88a98ab559ce68ed9b841b94b117ffb4802db23326eed2ac1ac24a2f3

SHA512
d2a8a60ed55e4e5d5271d1475ef773d547bffcebf6963f9d61dcfa2da2c5ac0be6053de4557ad05614b5f00323a7b7024cc5804bb6a9766bdd9723e574c4470f

Download Submit
C:\Windows\SysWOW64\kkvdhpbvub.exe

Filesize
512KB

MD5
0056df92fe303e174ef68a7ad997c5ad

SHA1
2933a5865620c167522d505c99018b245c049bfc

SHA256
ee9033ceb292a35cc53a61239416ebbc20e19db1562179f2efad581c3dc3eaab

SHA512
6de8cdf918405b491fb18c4cd1e9095b103df78625082c97948f2dccb366d0252c72196a6e60fc93ebf0aad3d69299f2589c68a87b28d2d7a3f41cde34720874

Download Submit
C:\Windows\SysWOW64\nrrrmsphxstkams.exe

Filesize
512KB

MD5
dd742abb66b42e4b86d598a7cf3dbbd5

SHA1
6059e8af6b9edfca9244ab75bc6aa66eb50fd43c

SHA256
422efed56513b5d04d131a61f08a2b6a7daae7412f7240c87424ac1fefee8463

SHA512
0cd6f7411a7f29fb8a36e9fcb1aa6eed33c8fcc9fb524eea8bb0c6784b3324b75f5c7d23273cb05d5bc2c93d29909536aa4b948fac24042c821fceab12245dc9

Download Submit
C:\Windows\SysWOW64\vrykjavqxurfn.exe

Filesize
512KB

MD5
0483b2e895fe5d25fdfd29ca21764578

SHA1
9cf094d7d9dbbab2ede77224abef2c3a31d3f3ba

SHA256
7d8aaa7200ccf69c4e290248f63a6ee150e2b61e92ea69d1acfe30502da6b00f

SHA512
09316a6ed60a4c880104c59fc659de29baf448d3fa0b7de7438ae3cc610b9c7a3d83609fb18ee64ec50e70167d86e019d7954ced6e4abbde2ea173f19c50f9b3

Download Submit
C:\Windows\SysWOW64\yunudnlg.exe

Filesize
512KB

MD5
b18ce6221bdae62eb753d46f7d5917c9

SHA1
f10e6788521493afdb86a367e0f0375c915d8a30

SHA256
945de4a9c9c5ba61db3dfdbedc0973e98dcdb383f1a7db06a0e281e2a79b05cb

SHA512
ba1ff6267cd97a310e2f5533a0f59b04db5df2f73fb30f3fa44120be9a82d81797344ef6fd452dfb2967e9807dbf23ef891ec543a2cdecd95bfbbfa705230a67

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
fbb435c4e2420bddedcdb6e201885563

SHA1
54225a658fbb107136935ea6daa721368e1aeb54

SHA256
da29239c4aade84ec6c64d3b56eb6cfca44b5712cb73e7a06baaf1340795ba36

SHA512
f57217ed534dac957b54354d6c8d4ee751165d14378f8ff2d6e1e28b75414f877eebc997d5e2cd4ba4505d6235e2bcb1f1c115d604d19258c29906be966d04a7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
512KB

MD5
3c968ecc89c6cb0e607761b1c493037f

SHA1
1523094808ef749b097ceb41b2645df0517114f4

SHA256
161bd8662271dcc8cef2618a9e8d8b508b1c306c7d4450a9f78fddec05c748b8

SHA512
5dbe59798275a31196f0755a95d37e2d00c586b949df40af1d76429baf0e60c8a3448c0f2f7f89b706714ee468e7a62cfde4d87ece98999b27d36378eead614a

Download Submit
memory/640-54-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-56-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-57-0x00007FFDA6560000-0x00007FFDA6570000-memory.dmp

Filesize
64KB

Download
memory/640-52-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-51-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-49-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-48-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-46-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-44-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-42-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-41-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-40-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-55-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-38-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-37-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-58-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-125-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-53-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-50-0x00007FFDA6560000-0x00007FFDA6570000-memory.dmp

Filesize
64KB

Download
memory/640-47-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-45-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-43-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-39-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-105-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-129-0x00007FFDE8CB0000-0x00007FFDE8EA5000-memory.dmp

Filesize
2.0MB

Download
memory/640-128-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-127-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/640-126-0x00007FFDA8D30000-0x00007FFDA8D40000-memory.dmp

Filesize
64KB

Download
memory/2524-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download