Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    a55653f091ed18edbe657030b185c23e.exe

  • Size

    512KB

  • MD5

    a55653f091ed18edbe657030b185c23e

  • SHA1

    e628497e30e768b0c19451b053c2764ff9d5f01f

  • SHA256

    e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec

  • SHA512

    26ff643e78e748a8ae81ff83ba549a901348904efdbbe94aa432c4707254072b5cd9efa611a6994b8c7ac2aab49049e85fe7f48a661f0583647fd3c7a1d2804c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe
    "C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
      zknqubcpxzdrnyg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2904
    • C:\Windows\SysWOW64\sdvvumaw.exe
      sdvvumaw.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2324
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1888
    • C:\Windows\SysWOW64\nevaqadkxpwwr.exe
      nevaqadkxpwwr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4568
    • C:\Windows\SysWOW64\xqkjqhcidd.exe
      xqkjqhcidd.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5020
  • C:\Windows\SysWOW64\sdvvumaw.exe
    C:\Windows\system32\sdvvumaw.exe
    1⤵
    • Executes dropped EXE
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3924

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

          Filesize

          94KB

          MD5

          a01969a7ace301cfa146501768a2785f

          SHA1

          b00866ee9a2a0ba411c4b576b628bb02c7eb377e

          SHA256

          2e3f2a3e7f185b1049ff36e8f91ed75257e0630c16b3b064e91cf3c6a90aa1e4

          SHA512

          f7af7b17e51a642088e8e78f9bc52fce49c207c033ef92363436350da7bdf2d97a19d1d1be7969d716c377a2b1cc387f1a39385ac1998734fedd00ff201c839c

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          70KB

          MD5

          178acb3a535958573d2d65f5765423eb

          SHA1

          ab76495c02b1cce9d3a45af36898d541bc968a7f

          SHA256

          61af45b4e5e6874cb17af4ca2e3200284e8eed1bdfa68cbcd2062ae4f422de0f

          SHA512

          c8370c983aa955071b61aa4d167ffa8c96dbf36f5ac962f4a950ab8679bd6cde956daa3c31a9d4eab346c50e8213e88a06e0b8b000506cacfeddcf62e35ea7b2

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          239B

          MD5

          12b138a5a40ffb88d1850866bf2959cd

          SHA1

          57001ba2de61329118440de3e9f8a81074cb28a2

          SHA256

          9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

          SHA512

          9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          edef1f39b6c213fe678c244843cde01f

          SHA1

          d699b72ba58aaf977f97bcce42e53ff87776e935

          SHA256

          8d673aef8428334f765845bd3c01fb552edf4f5a8f1838497ab729e41a45b83f

          SHA512

          15bab0c4de17bbae495f517b69fd27c23ee9dbfef170457df3b50be31fdd8a4b3b1548d80fed9c0410afd85500a6fd48bdaeaad86a73ef441cb2a5369f3189e4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          3KB

          MD5

          e6100b7d0180b75d49c331f6d15fed9d

          SHA1

          61aeef274a26310dda0815d4308ef49c79d45774

          SHA256

          50bee110d2282d15fb42f62109916d8323948a1516e028fba1e4b8da03b7c097

          SHA512

          4b2397b65cfe6dcd248d941f3aecc965c155d06a635d5c943b51b8a5036391e1f5d985f36895f010f79c915e9390ba3c23660419c573f6bcd0e1b4c0a49feeb5

        • C:\Windows\SysWOW64\nevaqadkxpwwr.exe

          Filesize

          149KB

          MD5

          5a1366d811460096a3c3f9960094826e

          SHA1

          73404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a

          SHA256

          4e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92

          SHA512

          95d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1

        • C:\Windows\SysWOW64\nevaqadkxpwwr.exe

          Filesize

          141KB

          MD5

          e083de0dae5df581fe8aebfdbe8a8515

          SHA1

          de8f2a38d4c6acbdba6525f1154e73d1c32bf9c8

          SHA256

          d5da42b3e1193ccddc2c6a6ede9d12156d6a05ab2d23e389662777810204ac5b

          SHA512

          65db92855de2eaf9e7e8782277fb21b2e872137fd2da7c16676af0616c19ad47e958557d61d649bdd312dec7353f2a4661b32134299726914a5e568164935465

        • C:\Windows\SysWOW64\sdvvumaw.exe

          Filesize

          286KB

          MD5

          0349bcc51e358b089b8a916c085924ac

          SHA1

          11c4a2209bb79d933ed4f211c296df184f4aaaf0

          SHA256

          38a68a4cc5711fe9b2b363f745f286aa7de369f2c13e4ddca571a6b2c6e72c43

          SHA512

          7197219549c21a228d7b1ea529a09ed011ac11551cffedd3d04c8863a52936c5fb3c0eade219b661a3444c9546275c14d6d2f2f714effedf38a9a74a2ddaa864

        • C:\Windows\SysWOW64\sdvvumaw.exe

          Filesize

          227KB

          MD5

          c218401b7a4f9c830d294d1dfa145d3b

          SHA1

          d528cce0e980d5cbcfb4971f6b1dec309871f0fc

          SHA256

          e292c9c81908f49e54e9ed0c03c024b2764eebca44e8ab1228efea1154c8bdf2

          SHA512

          4d0aea282bfa11108722f4c7cb129c1d5cf30e5d4bf988e5d3a6f3aaea85401f31a55b43c17c6a678e17c3a395a4eef7b5e4a884c9bd27b9eb3d4cf9e039be02

        • C:\Windows\SysWOW64\sdvvumaw.exe

          Filesize

          154KB

          MD5

          8ce5c42dcb5bb99b42dfc99b5d8f0609

          SHA1

          aa66771f7ead7bd41b82d908b65086a43e57e354

          SHA256

          0dfba2ab75a66072278603be912db56295bb4470aa11f50f590994ddbfaf6784

          SHA512

          388bdc31b12c990b04615e13e7b114572bf4ef881dfd1b11a71422f3c757ba0ec586d3de4d52155ec72923ed2b2fee30b2d952bfeb728ec76404cacecfbaaa74

        • C:\Windows\SysWOW64\xqkjqhcidd.exe

          Filesize

          193KB

          MD5

          47e578d1d1ac0d9041eee6b4967d3025

          SHA1

          9b6c732f33155469ddc490001df01d423036b493

          SHA256

          fa2dbaf77184be2125a7faf94a4d38d809da41fe96969d8c683a948898a6ae52

          SHA512

          69a64594725188939e30c3615897c48cdcfd49c596b78c6dd6c3cdbe6f66c1351655ac17d20c78a09cf18917be7592671854b5be9fe638d680888edf0a22866b

        • C:\Windows\SysWOW64\xqkjqhcidd.exe

          Filesize

          126KB

          MD5

          7798e437ad2675b7b314967f97bd1d65

          SHA1

          75adcc02ed0238da96d122816b472dc5ce39ccfe

          SHA256

          8aa300da89e9875ebd69cd5173ed5e8fab83043c6cf701e71628841b75cf67d0

          SHA512

          15bf7c270b3f030f39a88d5e2808444533a90841419c3a506fdf63a887d6520e69b79e82f4f90ca7f5686953b5e7d2b45e03dfb51b31f9b0312baed4ed0d8455

        • C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

          Filesize

          157KB

          MD5

          60c7cc5b0ecff4d2fd54a78d33e530bc

          SHA1

          ac796bcce2ceff3d37dfad327f70ca809766f37b

          SHA256

          21b01eb8aca8303499059d54f5c0bf11f2ae0bf3f3a58253c8794d1bb8842f42

          SHA512

          17c1288ff18565a5823b95f6e7621a828242b8632b41ce5c14b31e899894ff76d795b0de0cb90a8b2d32c3b4a41f25ebab7123b6e988118d29caea569d44b4d5

        • C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

          Filesize

          176KB

          MD5

          30af0cd048a6f5be623951643cd14d28

          SHA1

          47ee81993a3603fd840b2eaf5b4f83e2feba0b80

          SHA256

          4f1498efede0d439e3644d0b6d63e056c934ea63bbf1429d91e2e39ddc921ef3

          SHA512

          cfe4c237a33c51529bc685c4fd1548261262a1612f67cb26b7b618771d8a8ab7ab20eea1a86bc787d8556eeaf8f9ec9f568f3d2205804b47d908504da6586f80

        • C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

          Filesize

          388KB

          MD5

          39fefc2896d1c99bc0faee45069e4235

          SHA1

          3deb22d173ccf88365d2f87fff4db906178fc3ea

          SHA256

          8332e6d7217ee1aa5adf469e8b25ab25b73a0b8dff1a93e9b99fe6eeccfdd2e9

          SHA512

          19944cf7177de370faab030134d587d3fa4455cf0d87624fedebde0553a259c686e75ddbb47796e461a87e420e43e7af5c8071ddf43795cbb2503ef580985b8b

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          57KB

          MD5

          3a81bb7f89fff51fd80d1e9e1e60471f

          SHA1

          7c04e73b47855108f7cb0f1f8e76b71078d74158

          SHA256

          7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e

          SHA512

          d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          31KB

          MD5

          cb773013b2b1110e85a5b84471babddf

          SHA1

          67583aa38c393612a3d18c55faa71b18c72bf2fd

          SHA256

          f575abb671bdaed6cff1648fd5caf0426c3d88e40e41c2902844b015536634b2

          SHA512

          0e57db1a4476573e0003c47c951303df939f281d482746fdb73557b7ec06293bb72ccff7d900c20d09d558f021065f624f0dd73a2957f08f06dd1954f7e53fd1

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          21KB

          MD5

          c1ac0478509acff17293605b5c0769e4

          SHA1

          9ea219a8886ab0f868f2139bcd858cfb90c254e0

          SHA256

          8f1d8d9584e76cf3dba8216171376d8a8fecea53d3f98008ea432fb9326547a7

          SHA512

          b6ce1b16d3694c9271e269573243e77136378a46645b1dba1a644920183769eed958facff19ee8e62722d2d61c30add412745b4db26db33ce9a2fa0236e60d97

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          296KB

          MD5

          625d8f23cc5676a6b6a5e520be0ee917

          SHA1

          32e34e6f577e98666d51c91d4971bc6a8d873fb4

          SHA256

          f3ccf8404009dddb8b726cc094e8835e6fa5e5ed91dde8edfeb927c8ad2de99c

          SHA512

          52507463d4afade3b4717d9d7ea0661c78464d31e4a613ab9e7876e67e0d9d0197e18684ccf264e2c3e9bedcaab4a4e42aefec6e06b850f9bd75d1430244feb7

        • memory/1888-57-0x00007FF989A90000-0x00007FF989AA0000-memory.dmp

          Filesize

          64KB

        • memory/1888-51-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-48-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-50-0x00007FF989A90000-0x00007FF989AA0000-memory.dmp

          Filesize

          64KB

        • memory/1888-42-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-41-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-39-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-38-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-36-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-35-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-52-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-54-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-56-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-58-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-138-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-55-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-53-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-46-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-49-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-47-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-43-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-40-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-37-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-114-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-115-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-116-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-140-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-139-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-141-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

          Filesize

          64KB

        • memory/1888-143-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-144-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/1888-142-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

          Filesize

          2.0MB

        • memory/4716-0-0x0000000000400000-0x0000000000496000-memory.dmp

          Filesize

          600KB