Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    a55653f091ed18edbe657030b185c23e.exe

  • Size

    512KB

  • MD5

    a55653f091ed18edbe657030b185c23e

  • SHA1

    e628497e30e768b0c19451b053c2764ff9d5f01f

  • SHA256

    e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec

  • SHA512

    26ff643e78e748a8ae81ff83ba549a901348904efdbbe94aa432c4707254072b5cd9efa611a6994b8c7ac2aab49049e85fe7f48a661f0583647fd3c7a1d2804c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe
    "C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\rltnmyqkan.exe
      rltnmyqkan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\ibdzrjpv.exe
        C:\Windows\system32\ibdzrjpv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2640
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2832
      • C:\Windows\SysWOW64\xdahcslvewojh.exe
        xdahcslvewojh.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2664
      • C:\Windows\SysWOW64\ibdzrjpv.exe
        ibdzrjpv.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2592
      • C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
        gvdgjvfuvlcgdve.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3016

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            070c0b58a341f40f0f1d37f9d21c60d9

            SHA1

            d37f5fe58b3eeb24cff982dee4d0d846f57e537c

            SHA256

            b027be3f271bbf5ccf238d9db22b5c76853700aa5cbb201ff0fdb9e9a387f048

            SHA512

            902563e4388f56c1361ccd5aa20a032ff2fdad87969967ee6a87edfb96231d64a3cc922600c49297408f9ba0034d03e22aea51d45f960a32dd737d23206f6d51

          • C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe

            Filesize

            99KB

            MD5

            7fc6cf931da79ecd4267f22c6a1aefa8

            SHA1

            913682b9a75a4089cc18ec25b28e082916a6b314

            SHA256

            2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487

            SHA512

            272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

          • C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe

            Filesize

            512KB

            MD5

            5adafb3372e232d25d0ab54e6c97f2ea

            SHA1

            3ca5e80575c139319a0e6ce6d1ca13d90ca35210

            SHA256

            177d690f7659284712ead93d9a8e78f169142225a02525e3f816644565d0a9e9

            SHA512

            9389505b00e0243eb36436665497774abdde574410b9746784a123623bda8c7857780f8297105d2850ea7b3f63c8c40c2657ce60a3143d936c805379a4d2ec71

          • C:\Windows\SysWOW64\ibdzrjpv.exe

            Filesize

            384KB

            MD5

            0e151ec3919b72f9a6c7fe60d10f4ea0

            SHA1

            91fb01badc6db9808233ff95abf39c37982a8c85

            SHA256

            f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c

            SHA512

            41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

          • C:\Windows\SysWOW64\ibdzrjpv.exe

            Filesize

            93KB

            MD5

            257f28bd5bdc2b725434b7ab570814e7

            SHA1

            972446e0f8d210c5d6f42a57a921391a236d564d

            SHA256

            d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688

            SHA512

            c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

          • C:\Windows\SysWOW64\xdahcslvewojh.exe

            Filesize

            382KB

            MD5

            badd716c7c48a8241873d9251da496d1

            SHA1

            6bd2a072c8f64a1780fe75d983cb7b6584985c6d

            SHA256

            ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

            SHA512

            7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

          • C:\Windows\SysWOW64\xdahcslvewojh.exe

            Filesize

            98KB

            MD5

            609af11fd29d08e54980de8c57a56b23

            SHA1

            e50dccaa3bd6cb5b4793d75239949664c7b7b85c

            SHA256

            263becbbaf456f58f41f0ac5b3d64a9146f02fe787e80917150392fa4b571274

            SHA512

            598fc2efae60327ed354d106300f79ddd327756e93b5afaa7178dde66f28b9326c31b553190840a55c1d1d3b027015fbfe7b8a004564aed9dc1b3ecb184f8586

          • \Windows\SysWOW64\ibdzrjpv.exe

            Filesize

            512KB

            MD5

            d1b3806f6ce4b24ff6eb532197bef5be

            SHA1

            c59b2fa57ca35afdccd930c058f6346b3b1e7b7d

            SHA256

            4a5c8955f353a366774fe39bc856111dfc9372adc5095cb68080041a5cbaf959

            SHA512

            51c5d4da159f11a9b5a6325fc53907e10be011509bed0ee795284ab65eadab503265a313ae6c56b171691da2d722a43f02605df76f4c1a06a1eb3f07d941bf9d

          • \Windows\SysWOW64\rltnmyqkan.exe

            Filesize

            512KB

            MD5

            67c515e91b0456bd93889826750ea960

            SHA1

            22fbd4d942c1753a5ec08a06295e2de07cc8a7f0

            SHA256

            c52bf1c19b874dd1222e224529ac47e673311abd5d4c78a58bf7d9c710093c4e

            SHA512

            f76187c2f9c5feada49b612125aaa08d7000a411c1dd427b0f6dfc11925e246b9e509169e699c25cece160829f363105773a42dcc3c5dba63bd48fc82660bca5

          • \Windows\SysWOW64\xdahcslvewojh.exe

            Filesize

            512KB

            MD5

            c03f1b415c1a0f85ad198a005bf7046e

            SHA1

            a2efaf68ab7dd7dcc79269aa3cd97522358a9cdb

            SHA256

            74e015f4c2e9e3124b63eb60f1c32a8a593cdedc52057a6d92d718246e48f0de

            SHA512

            e1174f2d5c4af620eb9fd1baebff76c3bec1cc70a061424ce0d82cdcca358d39d9d79154838d507973bbcb5cf574a18eb20b4347e84aaf8a4431017a25011f49

          • memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/2496-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2496-45-0x000000002FD61000-0x000000002FD62000-memory.dmp

            Filesize

            4KB

          • memory/2496-47-0x000000007130D000-0x0000000071318000-memory.dmp

            Filesize

            44KB

          • memory/2496-76-0x000000007130D000-0x0000000071318000-memory.dmp

            Filesize

            44KB

          • memory/2496-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB