Overview

overview

10

Static

static

5

43b1e4d14f...29.exe

windows7-x64

10

43b1e4d14f...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43b1e4d14fbf528e5d467fab8c087b29.exe

  • Size

    512KB

  • MD5

    43b1e4d14fbf528e5d467fab8c087b29

  • SHA1

    1cb1894a9bdac78f3016e3fcfb587836a7335053

  • SHA256

    a82b27816e216a1989d545384074bf2e6cdbaf8a5d13268c697ef4134715242b

  • SHA512

    d15cc6df8ce240e874d7f7ff6afba0217746c5b2394f419b723f6ff67b982f1d387714f99540e0dbb96958eac5a18dd2260dc0a8a4ef14d9ef83f922a1303863

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 20 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43b1e4d14fbf528e5d467fab8c087b29.exe
    "C:\Users\Admin\AppData\Local\Temp\43b1e4d14fbf528e5d467fab8c087b29.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\jctencthpr.exe
      jctencthpr.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\dlwqpbqr.exe
        C:\Windows\system32\dlwqpbqr.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2828
    • C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe
      qmygkhyvbsmlcuz.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2800
    • C:\Windows\SysWOW64\kcmhmowznqyem.exe
      kcmhmowznqyem.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2764
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2576
      • C:\Windows\SysWOW64\dlwqpbqr.exe
        dlwqpbqr.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3012

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
      Filesize

      62KB

      MD5

      be3e38fa62bc50f30ad23331f9ed8250

      SHA1

      d5263066f41f70095f18b4af87a082eecba0cf6f

      SHA256

      b14c91af2ebeb83b42a1af3465ee3344246717d5f5599baff07a97349305ba7c

      SHA512

      6f453142676544cab086b0291de9b5e5e7ad8f467d72e5ac7f36f40c397b640fe81c280d7f679f3ecd8ec79535d9916013569a07dda077e9be4cfa97a4fe8dd6

      Download Submit

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
      Filesize

      79KB

      MD5

      4f744cb2767e93f37eb847dc522a340f

      SHA1

      b9ff9fc463475560848a98beb27744e309574348

      SHA256

      91d31976a3bcfc14a59575fa6481d89f7d83e2f5445edc1dab6a51515d8c2c41

      SHA512

      b58cfb0cf76a66a79df4645839cfddb689eb636190a405af8b5995cd239d6235b0eb587bd3261ad1d68a66bcefc32848ef5031b55f09bf266159465ee91c2bdd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      d594102a91ea5a5bc1ac5ef460371477

      SHA1

      0ed9ce89521e30a4066c99ea6d26444a5bab8e2b

      SHA256

      58a2ca33d093369e4f338cac0d715e1c5d3c2eb92acc9a946b3b1949533fb77b

      SHA512

      5f6bb1d7afc0307c49b17d3683e724dec8f5220f624994420cbf99eed3348b482cc505aebc22829ea7b3f14c1221053f091ba0804668f4d2c332c16fef75fdb8

      Download Submit

    • C:\Users\Admin\Desktop\SetConvert.doc.exe
      Filesize

      405KB

      MD5

      538ddc8a7b5a2a287c99f2f2dac124b4

      SHA1

      0944b63ddcd3496303ba81f767e3f605b77b8a11

      SHA256

      0fbbd7c959975381ccc9d92ef87c6137848541b47325cf508baace8215185120

      SHA512

      26d82a40c928e367455076db7d0d2d5b884d01a446eb212d8aac242843f16f3daadfdf3b3db73ae22b1c9e8745180ad1e866004cfecdbf5448591c4233ef21ac

      Download Submit

    • C:\Users\Admin\Desktop\SetConvert.doc.exe
      Filesize

      415KB

      MD5

      7d3eb4363b539b4c419fdfa48ae17258

      SHA1

      8c1b0ccdf62a2588424e1541355f4748b7074480

      SHA256

      d72a3769b551f37574847d99ea33bff802b1fb5eec3b2390caa5106c90c59959

      SHA512

      38ceb25db74c897180da04ecae91d4d24f11e1abc5a93f7f6cda377898847991ed652f852a47eca4953c486d8df3e82808687e73b88cd94a1bf838c716608f7b

      Download Submit

    • C:\Windows\SysWOW64\dlwqpbqr.exe
      Filesize

      318KB

      MD5

      13c6f90720231a8c1c1822bab4bae602

      SHA1

      c3d2b38d32f2b92c87a0f40f6aac9423446f9741

      SHA256

      8eed536dd3a4bc26f6a4ee6ac68185a59f90162e0045e037bfa8719e5e9422a1

      SHA512

      7cd43dc2a15cd8bd39ec09f9ee2a2e9207f39a2c1ea799bc97e2d4cce266ea59a4c05e1596d49f237f008aa83ce1599acee83ace7158193e80f614872a74491d

      Download Submit

    • C:\Windows\SysWOW64\dlwqpbqr.exe
      Filesize

      294KB

      MD5

      e95e653d79337d5e371ea091cf2e1bd0

      SHA1

      37e04d1352bd68b2b4293cb276fbdbdc19dfbc84

      SHA256

      4372f8f2aa79f4f598bfe828b11387cc0d58002549f4aa8ca6a8f9b0fbc91cad

      SHA512

      a380073c0baa3ec3b5ea765dc991d5403fed99e0bf75282bfee286eb2df34643b73cce0641bd3c6a6474406cb024b2d54a394947bb6f7b5c36369ff11698dc92

      Download Submit

    • C:\Windows\SysWOW64\dlwqpbqr.exe
      Filesize

      246KB

      MD5

      03c28b72a9efc41bab4656deca13c882

      SHA1

      66b131471d015d35d4fd4923fb571f9eb0f8cdd9

      SHA256

      954fbf318b75c87fb24df76a5730e1e68bf9fcf100363b058f598bbcc082c2ae

      SHA512

      6b35dfc4bc4024003c78049a69e2e25a7e4b2f874d7553d9039cb653631a91252e06320e3fbaf4fe651aee553a40c548af4bd582b1d28739b74eee46e622fe49

      Download Submit

    • C:\Windows\SysWOW64\jctencthpr.exe
      Filesize

      338KB

      MD5

      1b30a8fe959665cfe9abe96863df8dbb

      SHA1

      17e6d5af2e793462f95ca6f5223f3597f23cfd1b

      SHA256

      c51ce3a2d6b1e1afc4f36f183479cc721d3b1b4c523265f106e60ba941f5f6ea

      SHA512

      8e28b8610e291648d2cd906bbe4f13c112bf6ed16b4a9ef79b06afbb00cb40877e355d8a9b300d476bf8aea385d9db1fc55d01cbe9811890f79e14e7f11fb703

      Download Submit

    • C:\Windows\SysWOW64\jctencthpr.exe
      Filesize

      309KB

      MD5

      0bb13602bf7d551a3caf9ddf3616b8e0

      SHA1

      62f324247218b5db0e096784234b4e69c27cfda2

      SHA256

      7fb50a3474ad85e9201ced39cce3a482efc0ee29c3a6aac2fdfd77fea0a899dc

      SHA512

      9c91658a54fa19b8aa64518eb44d50faafc54c17cff8532a8afa32008ab33b4526f23cad995bb3729725301dd1170a477cb5a23add9626e87065b0cc4cebae69

      Download Submit

    • C:\Windows\SysWOW64\kcmhmowznqyem.exe
      Filesize

      324KB

      MD5

      56b65a97d28314933e3c5189d591ddf0

      SHA1

      ef6df08380110a914232d7828bbdf6ec29172bb4

      SHA256

      760c17e4b61ec1706ce5071597953f9e8b8743e43af4fb7d46ee77c78dfab9d0

      SHA512

      d93c94fd88278b001f0550b17bbef93e065dea0a862eb715b74af1ee41c4ec43927a35f630514a8c93c84d587f23529060da0a05cb4d4adfcece3cbb1703239a

      Download Submit

    • C:\Windows\SysWOW64\kcmhmowznqyem.exe
      Filesize

      241KB

      MD5

      d8fef572ee6fef44169288eceb712f70

      SHA1

      e960a0e0b39e9ed44a85b5d72f7ed5aa1910b619

      SHA256

      62192da1894d1a2bb4e27162cb5e31763236fee9d9335ade2f3dcd80c8f4e03b

      SHA512

      ad771be4001a2c915f109f09133ebbbd7f55baa291a37298d535fddec5c5de02d2124c4b25cd34768872ca88db3cbb7c6f6ea4272a07fa5631ffc1a7be412e3f

      Download Submit

    • C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe
      Filesize

      302KB

      MD5

      d3c529fc4888a26b4766c9b88bf4d4d7

      SHA1

      56fb646474648f9f276597885c1a1f0aa9c5df62

      SHA256

      c7b6ec87930bf2a881dd5f22e296babaa0e991edb0ac1fa11e85d3f6ebf24a0e

      SHA512

      c15a059e055a578af012c9baba61d5ad92c8f5d60daf890adb554afe21b15e3403b6a9fa3c63199db7b091a80b765eb2f27655af7dec71369f77c048c7b298d7

      Download Submit

    • C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe
      Filesize

      272KB

      MD5

      190c42d663fc1eb1d257d32cd27f44c0

      SHA1

      a24af9f88e75eecbc7e55a9740239a64d5b3e30e

      SHA256

      d996656e929baaed010fb8ba65af9f4c676ac8c43bc81c01eec0054667d79d7f

      SHA512

      14dbb7bb11a98677b5daf8311b5cac724812c81c9f0695ee1e620bc7037e00e0a528da971b3befcf50c46e9d605c3590b2fa25122d0e993354e429b2dcb81511

      Download Submit

    • C:\Windows\SysWOW64\qmygkhyvbsmlcuz.exe
      Filesize

      512KB

      MD5

      b44fd41c6a9e6c1b7b83f8305b0c0a69

      SHA1

      da906ce530b5319676731eff34fb51071055ee80

      SHA256

      7647a14901595076e1ba61dd4f57630ae352f1b4dfd346ecd345d5c4621c191a

      SHA512

      7e2d517d36a54a165bccac4339da458c69cb267a974fe7520c99e7e55a29faeb7964c51d4823d1afec5572664532196feba02f9ca8ea611cfc828172dd85e4a7

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\dlwqpbqr.exe
      Filesize

      322KB

      MD5

      576ff3cda2b3ac4688241b36dd050294

      SHA1

      33ab5c3f40292b63a880d464d8045c8575d4b981

      SHA256

      c82347933c83875b70b2f530d20fea3d02e987d2cf53dda65bba3149e93aebd4

      SHA512

      65eb5f6f400aeacc5e15bd753dd6ac471cc7ca84e4a6fdd984269ec3d037788015cb180cb478dae90fc3564b7b201f8080dc50df59cf471807eecf29a085b19e

      Download Submit

    • \Windows\SysWOW64\dlwqpbqr.exe
      Filesize

      309KB

      MD5

      85663848a0161eb9b236f2dd251e48b5

      SHA1

      53682e0db61b34c29cf969b67f2f6c6e4e3bcbf2

      SHA256

      8162d6dc3a1c5885eca08777f699dc9787e2f2c05d7b734f8c19f6e07c1c4084

      SHA512

      cdbdb83e68200ecfe88537835c7515912c57076d2dd49edbf84a519be0d0ed84de009664eb315213ec2174c70e2f6fb32e6879356a9d877a435b16c9935b1ea1

      Download Submit

    • \Windows\SysWOW64\jctencthpr.exe
      Filesize

      99KB

      MD5

      7fc6cf931da79ecd4267f22c6a1aefa8

      SHA1

      913682b9a75a4089cc18ec25b28e082916a6b314

      SHA256

      2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487

      SHA512

      272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

      Download Submit

    • \Windows\SysWOW64\kcmhmowznqyem.exe
      Filesize

      231KB

      MD5

      27aca2544b12d86edf4a95ee5ee8af32

      SHA1

      2c21cd0bfdf541be91777523a3e88092b9ae5ae5

      SHA256

      912a600fb70891642ba13bd233b117b328f4dd52cf200763eea0cbe15e5b26f1

      SHA512

      b8b2e9473a1ba4da4e8400e2ee7a904c953ab38d8b3aa294e6e70e11919125eef9b4af73752865fbd06377114d2724056f7078ec91a51dd91baabae666535260

      Download Submit

    • \Windows\SysWOW64\qmygkhyvbsmlcuz.exe
      Filesize

      346KB

      MD5

      172812aa2fa714828b337cd237eaec4c

      SHA1

      a0a21aad217cde03fb4ccd3cc05ab8a8b2f610ca

      SHA256

      eefebbdbdda4918cd390d61e4c55399325d9bcd8cea6e493964af81072336771

      SHA512

      e9d2b966b16455e112e7207533cb483514ee91e267e8b3cdd2364367291c40ec256adf9722bcfb42c18f984002c6839bd7af82d9d5a868f5d5561632bfc1e272

      Download Submit

    • memory/2232-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2600-45-0x000000002F461000-0x000000002F462000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2600-47-0x0000000071A6D000-0x0000000071A78000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2600-80-0x0000000071A6D000-0x0000000071A78000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2600-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2600-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download