Overview

overview

10

Static

static

5

460065e200...b6.exe

windows7-x64

10

460065e200...b6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2024, 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    460065e20051bbf96161a9b3a59ce1b6.exe

  • Size

    512KB

  • MD5

    460065e20051bbf96161a9b3a59ce1b6

  • SHA1

    d2d6b8bdfe855b87f816d6c77783552228370ad6

  • SHA256

    e3f047c98e3d6f7d29e4da35c4a814b999b423243a50da515c832b16273a8c78

  • SHA512

    6865777d53b923b4a4922eb79872253fd691517f427b9eac9ae0e5fc772456800dcc3e8b3146b4d423693acee6ed0e0bc10581c16ab9bfd6facbb7517032fd08

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6u:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\460065e20051bbf96161a9b3a59ce1b6.exe
    "C:\Users\Admin\AppData\Local\Temp\460065e20051bbf96161a9b3a59ce1b6.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
        PID:2612
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1700
        • C:\Windows\SysWOW64\fzdvvdqbhcmhi.exe
          fzdvvdqbhcmhi.exe
          2⤵
          • Executes dropped EXE
          PID:2020
        • C:\Windows\SysWOW64\uaipqtpo.exe
          uaipqtpo.exe
          2⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2796
        • C:\Windows\SysWOW64\xamzeokkthkybfq.exe
          xamzeokkthkybfq.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2800
        • C:\Windows\SysWOW64\tqnerdtxhm.exe
          tqnerdtxhm.exe
          2⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Modifies WinLogon
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2712
      • C:\Windows\SysWOW64\uaipqtpo.exe
        C:\Windows\system32\uaipqtpo.exe
        1⤵
          PID:2876

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\xamzeokkthkybfq.exe
          Filesize

          382KB

          MD5

          badd716c7c48a8241873d9251da496d1

          SHA1

          6bd2a072c8f64a1780fe75d983cb7b6584985c6d

          SHA256

          ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

          SHA512

          7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

          Download Submit

        • \Windows\SysWOW64\tqnerdtxhm.exe
          Filesize

          512KB

          MD5

          529b23fdb54ba9b252cc7cdd775b4efa

          SHA1

          57a9569ab898cba3a04d9100790cfd29dcda30bc

          SHA256

          543335d72c0b7b77b7370be8563e171202e9799840551d0a47feb0dfeea2fde3

          SHA512

          fe134f58f91181751699e2b315d830357d15257b5533d1675081e543f639a515330b61bd11ce7cffef18ea89942eb94e42bad34719d689b65230a25a436cc3ad

          Download Submit

        • \Windows\SysWOW64\xamzeokkthkybfq.exe
          Filesize

          92KB

          MD5

          59ebf1358a9b829f5709baaedeeee6fa

          SHA1

          1409fd65da1b814db0a08feae54366dfca196f1c

          SHA256

          d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

          SHA512

          a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

          Download Submit

        • memory/1960-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

          Download

        • memory/2612-45-0x000000002F6C1000-0x000000002F6C2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2612-47-0x0000000071A6D000-0x0000000071A78000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2612-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2612-77-0x0000000071A6D000-0x0000000071A78000-memory.dmp

          Filesize

          44KB

          Download

        • memory/2612-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download