Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:22

General

  • Target

    abed8efcd70338477e181f1d423f4165.exe

  • Size

    512KB

  • MD5

    abed8efcd70338477e181f1d423f4165

  • SHA1

    ebde2447df6b5aa2c45300f15ada806b7e7ea3f6

  • SHA256

    3dd43dbae635f5dc7294c39c7cc92e0240542a1124383d1f02eb113c52bd1a6c

  • SHA512

    61ac8d7fab0a420d4280242f371fc3081357efee7e960ab574db905e067285c29daaa8466274803402e93431eec346a32567b3455ae440d64936a80d8db782b0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandbox environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe
    "C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\SysWOW64\sjyjrfvegd.exe
      sjyjrfvegd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\SysWOW64\qxmnfwku.exe
        C:\Windows\system32\qxmnfwku.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4152
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4484
    • C:\Windows\SysWOW64\iofblvqmjpavl.exe
      iofblvqmjpavl.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4840
    • C:\Windows\SysWOW64\qxmnfwku.exe
      qxmnfwku.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2256
    • C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe
      vliuuhlhvhtstcb.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3056

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          f55690a824e662067757e692a36c1478

          SHA1

          6eefb0e80348bfa82ca33a2f5f7c9aff46ba732e

          SHA256

          050228ebe05e825ec37fe373c888a9777bade38e7fbb24d069bd2400294678dc

          SHA512

          00ba2f411aa68d7302c0baf5bc4834fce38c9d102192c841d0bd9af274221e61a049fa742f1943157916b5e0aa4fada6430f1b3697c887d08b827324e7e61773

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          5944decdd218442a9b87a85fdf9371fb

          SHA1

          9983847b0b26da971037bd04429054333db961fb

          SHA256

          dfb4ccf134a2bb284896945e8fe47f36598efd4fc902806869cdaa92152fc0df

          SHA512

          7af91f0ebb289a0fa7dd3eb6bceb93100fd77106c3ec9b59d6ec3905791e5e3f6c894cd0730b172437c4c4b183f4b9779df9bf91238dc006d93ba5f11642af8c

        • C:\Windows\SysWOW64\qxmnfwku.exe

          Filesize

          93KB

          MD5

          257f28bd5bdc2b725434b7ab570814e7

          SHA1

          972446e0f8d210c5d6f42a57a921391a236d564d

          SHA256

          d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688

          SHA512

          c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

        • C:\Windows\SysWOW64\qxmnfwku.exe

          Filesize

          512KB

          MD5

          9bdcff2e89100c7047e9afb3783d0d13

          SHA1

          6fdcfe7c510cd24bd8df65fb9221ae414a801229

          SHA256

          2f475f0025aa0b9968bd6710c7a45bb7b2be7a3232eee8ce0c7e605a865930b7

          SHA512

          8dfed1cafaf75ff7a67c18967e9d1490ac8ecf598fb14da1fa2c86ad2f6c08e6e0f3ddfbfb6e6fe54d28fbbf3870623a5506ca33b4ce8b133d0b64467406abc3

        • C:\Windows\SysWOW64\sjyjrfvegd.exe

          Filesize

          512KB

          MD5

          8ecda247a9199dfbc22fd9a673b06fcb

          SHA1

          140404cd246399b5c1d3e57b4e2f64262cdb4c88

          SHA256

          8bf6a69fda95656fa3079d7a95107c60cfe9b269ed9ed0ad9a498314f72d9be1

          SHA512

          1273fc3ebb8285dc92ba693deba4ef81a83ab84aa46a75fafe83247ca5ccc00e0e51ab2c372419996e7b20403fd0703d219cc8a41796918dec292bf36ac2704e

        • C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe

          Filesize

          92KB

          MD5

          6662b185f19fbf697c56a25c92de7961

          SHA1

          0df0c0df0de3724258df2549c583e3c934aca726

          SHA256

          c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

          SHA512

          c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

        • C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe

          Filesize

          512KB

          MD5

          eee206a448cce0d0be8c919376d34ece

          SHA1

          c5f12d343c1d3b180008643aa0d2d86c4dbc3a03

          SHA256

          0820346d025a39a72cc55f22371eb528a2939b778ae2af0a063194122c0b5371

          SHA512

          ed3b4b16f07a3339d341e0f169feebf6a788133f9089c4ccb90676f7b672b13793db8a410ff7fcb0aade02188f4ded2adb01b50d9c87b1131371b57330ab3bad

        • memory/2544-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB

        • memory/4484-42-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-38-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-51-0x00007FFF9ACB0000-0x00007FFF9ACC0000-memory.dmp

          Filesize

          64KB

        • memory/4484-47-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-46-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-45-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-43-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-49-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-37-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-36-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-35-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-48-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-44-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-50-0x00007FFF9ACB0000-0x00007FFF9ACC0000-memory.dmp

          Filesize

          64KB

        • memory/4484-39-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-111-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-112-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-135-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-137-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-141-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-140-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-138-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-139-0x00007FFFDD350000-0x00007FFFDD545000-memory.dmp

          Filesize

          2.0MB

        • memory/4484-136-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB

        • memory/4484-134-0x00007FFF9D3D0000-0x00007FFF9D3E0000-memory.dmp

          Filesize

          64KB
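The following host-triage script is an added example, not part of the sandbox report and not code from the sample's author. It turns the Signatures, Processes and Downloads sections above into checks a responder would run on a suspect Windows host: the Explorer visibility values, the DisableRegistryTools policy, the Winlogon Shell/Userinit values, Run entries that reference the dropped file names, the dropped executables themselves (by name in SysWOW64/System32 and by the SHA256 hashes listed in Downloads), and the decoy document C:\Windows\mydoc.rtf that WINWORD.EXE opened in the process tree. The report does not name the exact registry values the sample wrote, so the standard values under Explorer\Advanced, Policies\System, Winlogon and Run are an assumption; the file names, hashes and the decoy path are taken from the report.

```powershell
# Added triage script (not part of the sandbox report). Run in an elevated
# PowerShell session on the host under investigation.
# Assumption: the report does not say which registry values were written, so the
# standard Explorer/Policies/Winlogon/Run values are checked.

$ErrorActionPreference = 'SilentlyContinue'

# Dropped file names (Processes section) and SHA256 hashes (Downloads section).
# Two different files were written under some names, hence two hashes each.
$DroppedNames  = 'sjyjrfvegd.exe', 'qxmnfwku.exe', 'iofblvqmjpavl.exe', 'vliuuhlhvhtstcb.exe'
$DroppedSha256 = @(
    'd80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688'  # qxmnfwku.exe, 93KB
    '2f475f0025aa0b9968bd6710c7a45bb7b2be7a3232eee8ce0c7e605a865930b7'  # qxmnfwku.exe, 512KB
    '8bf6a69fda95656fa3079d7a95107c60cfe9b269ed9ed0ad9a498314f72d9be1'  # sjyjrfvegd.exe
    'c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86'  # vliuuhlhvhtstcb.exe, 92KB
    '0820346d025a39a72cc55f22371eb528a2939b778ae2af0a063194122c0b5371'  # vliuuhlhvhtstcb.exe, 512KB
)
$DecoyDocument = 'C:\Windows\mydoc.rtf'   # opened by WINWORD.EXE in the process tree

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Explorer visibility values ("Modifies visibility of file extensions / hidden files").
#    Caveat: the settings such samples prefer (HideFileExt=1, Hidden=2, ShowSuperHidden=0)
#    are also the Windows defaults, so print them and compare against the user's known
#    baseline rather than treating them as proof of infection on their own.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($name in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    $v = Get-RegValue $adv $name
    $display = if ($null -eq $v) { '<absent>' } else { $v }
    Write-Host "Explorer\Advanced\$name = $display"
}

# 2. "Disables RegEdit via registry modification": DisableRegistryTools is not set on a
#    clean workstation, so any non-zero value is a finding.
foreach ($hive in 'HKCU', 'HKLM') {
    $v = Get-RegValue "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools'
    if ($v -ge 1) { $findings.Add("$hive DisableRegistryTools = $v (regedit blocked)") }
}

# 3. "Modifies WinLogon": Shell and Userinit must still point at the stock binaries.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = $shell") }
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -and $userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    $findings.Add("Winlogon Userinit = $userinit")
}

# 4. "Adds Run key to start application": flag Run entries that reference a dropped name.
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if ($null -eq $run) { continue }
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        foreach ($n in $DroppedNames) {
            if ("$($p.Value)" -like "*$n*") { $findings.Add("$hive Run\$($p.Name) -> $($p.Value)") }
        }
    }
}

# 5. Dropped files: match by name where the sandbox wrote them, then by SHA256 from the report.
foreach ($dir in 'C:\Windows\SysWOW64', 'C:\Windows\System32') {
    foreach ($n in $DroppedNames) {
        $f = Join-Path $dir $n
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
        $tag = if ($h -in $DroppedSha256) { 'hash matches report' } else { 'name matches, hash differs' }
        $findings.Add("$f ($tag, sha256=$h)")
    }
}
if (Test-Path -LiteralPath $DecoyDocument) { $findings.Add("decoy document present: $DecoyDocument") }

if ($findings.Count -eq 0) { Write-Host 'No report indicators found.' }
else { $findings | ForEach-Object { Write-Host "[!] $_" } }
```

A name match with a differing hash is still worth keeping: the report shows the same file name (qxmnfwku.exe, vliuuhlhvhtstcb.exe) written twice with different contents and sizes, so a rebuilt or updated copy on another host will carry neither of the hashes listed here. The Explorer values are printed rather than flagged because a default Windows profile already has extensions and hidden files concealed; only a change from the user's own baseline, or the policy and Winlogon findings, is evidence on its own.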