Overview

overview

10

Static

static

5

5c0f6d72b4...57.exe

windows7-x64

10

5c0f6d72b4...57.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    0s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2024, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c0f6d72b434499429a0d8c642d6ad57.exe

  • Size

    512KB

  • MD5

    5c0f6d72b434499429a0d8c642d6ad57

  • SHA1

    c8356d85394613fc2890f1208d0002ea1a680ba9

  • SHA256

    3c8b2411d5efcb418d713105aefc2e17f93d374268e194d7a700619141ae9e45

  • SHA512

    aa6533d6380302afa7ba6772ec02b8f8b738c2b0e35d445a4e005fda144164d3fc8d455b19f51d45785b4558ff58dff8ba9534728bd8661b05bbfd260ad6b469

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6O:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5c0f6d72b434499429a0d8c642d6ad57.exe
    "C:\Users\Admin\AppData\Local\Temp\5c0f6d72b434499429a0d8c642d6ad57.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\SysWOW64\lxikvpohgnsiapu.exe
      lxikvpohgnsiapu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3032
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
        PID:2768
      • C:\Windows\SysWOW64\ialubugsvwtja.exe
        ialubugsvwtja.exe
        2⤵
        • Executes dropped EXE
        PID:2876
      • C:\Windows\SysWOW64\tkdtndjn.exe
        tkdtndjn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2608
      • C:\Windows\SysWOW64\uyjrmaxiqv.exe
        uyjrmaxiqv.exe
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Windows security modification
        • Modifies WinLogon
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2412
    • C:\Windows\SysWOW64\tkdtndjn.exe
      C:\Windows\system32\tkdtndjn.exe
      1⤵
        PID:2760
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
          PID:2700
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:1824
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:576

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
              Filesize

              512KB

              MD5

              7767d1cce46c5a88bd83156bee28b707

              SHA1

              8d356c6717bab522993d6006e616079ed8119edb

              SHA256

              25cccef1cffdf65bd96ae2cbd5e94f127ab2cc3bf3d846b4b55f1697ebf4750b

              SHA512

              2b2698c298bab9fead5bfc924376feb3db8fe063e0b6bbdf45c5fc2d620945c54cd64453531726f60cf66bb15aafcfdcffee0a9dfc0159dfc292dbc173fc39b5

              Download Submit

            • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
              Filesize

              512KB

              MD5

              afc3e5bfe5189b059de89b65186adc75

              SHA1

              cbe67eaa7e513bfa64bed3c536f22eda271ea24a

              SHA256

              d2e16bc58b783d458da39b937ecc778876ebdf0c02a5cf0837643336875c2c3f

              SHA512

              c7c4dc07bb71cbb5af41933a51766f83f17124d75bd649b3283cde988dc3504c3927452ca74b51f6704b38bc39f98cd3f84fe2132356c5a549b6b67ac1e569b3

              Download Submit

            • C:\Windows\SysWOW64\lxikvpohgnsiapu.exe
              Filesize

              512KB

              MD5

              20badd0b3517bb3fa89a7ebe418657d1

              SHA1

              c8eac8ec70e3b909b5f3cb1efc3cdc2e971023ed

              SHA256

              6ba26349c6c7ebb09cf2b9dd991fee3e1acc6380209e5e22861ccac172522318

              SHA512

              f47b12334a6715bf71939e186ce623b491e86cfd9c38ebd65f4e8ab748e339c30af00b4c666cc3d1ede1105a8aab614c8f61481746b69b7d224b63bc5b644fe7

              Download Submit

            • C:\Windows\SysWOW64\tkdtndjn.exe
              Filesize

              512KB

              MD5

              28eb58f8a2248c05b388b72e4e5d4dc3

              SHA1

              404fbe8302428276014a2d82878a90a200fe56e0

              SHA256

              395fce9fa6f95bd4a489e39b04b48571fd875e3081f5cc3490f50bc88f703d97

              SHA512

              c0c31f9bb8c2e2a1bab860ae6d5c4f6f17e09d921e59862acc0ee807f06b504a07947dbf585d8a52fbf0efa85df61d9b24c2242b4498935f8d440efcb05618cd

              Download Submit

            • C:\Windows\SysWOW64\uyjrmaxiqv.exe
              Filesize

              512KB

              MD5

              e51a09a2560846fd0b99cfc41d795f69

              SHA1

              56aff39a298917d8e18cd1584bf66dad7263f214

              SHA256

              1438e57ad9b2b6b77616ffa41b921bbd31bc7110581a24fa7d8aaf85e710347d

              SHA512

              0340b7a4c9ee6cae99e426e3712c9e19754d38e6d041499bfd868769f8446fcb8e5444e330ddef4d7c9618c1a3353ecbc0f79665099b55f5d5df38cf7ef8b380

              Download Submit

            • C:\Windows\mydoc.rtf
              Filesize

              223B

              MD5

              06604e5941c126e2e7be02c5cd9f62ec

              SHA1

              4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

              SHA256

              85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

              SHA512

              803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

              Download Submit

            • \Windows\SysWOW64\ialubugsvwtja.exe
              Filesize

              512KB

              MD5

              a7668cb8822a4eda63d0c3ec465d1f27

              SHA1

              f76b414f4ddf51fe9f3b5d88a07db9aaac9b5ca3

              SHA256

              be21528d5393b831c5f3f70cb423d09321099920b7ca5ab52bcb52e8863bce72

              SHA512

              ea1e4c44a72ee95ab5a06f842d84fc63c07c29165c4a4dce1d313664eb1f2e3234140a9574e93e259899fbff938859f5dd55fb314ec5763084161daf03422adb

              Download Submit

            • memory/576-82-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/576-80-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1824-78-0x0000000004220000-0x0000000004221000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2700-77-0x0000000004260000-0x0000000004261000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2768-47-0x00000000717FD000-0x0000000071808000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2768-79-0x00000000717FD000-0x0000000071808000-memory.dmp

              Filesize

              44KB

              Download

            • memory/2768-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2768-45-0x000000002F411000-0x000000002F412000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2912-0-0x0000000000400000-0x0000000000496000-memory.dmp

              Filesize

              600KB

              Download