Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    ab6b87a8ef210e5c047f565cd76a0a1f.exe

  • Size

    512KB

  • MD5

    ab6b87a8ef210e5c047f565cd76a0a1f

  • SHA1

    a760eecc424853e684a357082d1aca3302f579a7

  • SHA256

    1474f25f1f927dcea56a12f600530547de3fa6a226474b3459425ec4145bb226

  • SHA512

    21899007f1fa298fc7688f51693662c2e3f01dc5d5ce96a3cee4bb3850c4d72c14d2c48f51fb04b4cf7f82828f6afd1d92e362decf0eeabf19abadc3b42f854f

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe
    "C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Windows\SysWOW64\apdlrggrqwckd.exe
      apdlrggrqwckd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2488
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2928
      • C:\Windows\SysWOW64\jvltsuyd.exe
        jvltsuyd.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2736
      • C:\Windows\SysWOW64\nzpuyraiesbvscj.exe
        nzpuyraiesbvscj.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2708
      • C:\Windows\SysWOW64\zzpxpuafcp.exe
        zzpxpuafcp.exe
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2828
    • C:\Windows\SysWOW64\jvltsuyd.exe
      C:\Windows\system32\jvltsuyd.exe
      1⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2596
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c apdlrggrqwckd.exe
      1⤵
        PID:2604
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1376
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1000
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:996

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

              Filesize

              81KB

              MD5

              b5addadae5c1a41dc5359783d76dccb4

              SHA1

              867fe3224b46cbb2f50c96d393ca17d50b043e00

              SHA256

              70330982608413acd92a9a87b764907e7df03dc6b245fc44b64eaa912ded4c64

              SHA512

              a1171fc317331330a31186e0919fc1c71ab260bf813b98b5f85433785ebfa9df8afe09dc54fb5715aac921ff9a0c3eec101677fae77875223d649aefce7fc34f

            • C:\Windows\SysWOW64\apdlrggrqwckd.exe

              Filesize

              34KB

              MD5

              a07b8a6a02acfaa14cb1c447196d78ea

              SHA1

              33856afd7a1de92a0d49b2a697ee84b56c58d7bb

              SHA256

              22bdad5af5d56021fbcb6704d154077a027ac86a5954b7b37aad905799d17949

              SHA512

              207c50691db178673bc12e4e44e62c4ad498279276c04f3bb5c0ddeb34a22407588ce9d6a20d4ea6e9d8ecbd1c830d7f0bbda56d6b8c47fcd814c8439c8b9271

            • C:\Windows\SysWOW64\apdlrggrqwckd.exe

              Filesize

              86KB

              MD5

              b39657a2ccf130086f58eeb184f2f073

              SHA1

              67db059b9e5ed1c1b754b9332f114b8cd36d7f26

              SHA256

              c5ca81c8eba594e625affcf25709b16f78628e606931f3f1d11275cd3f36b627

              SHA512

              97d3fad06f8620bd90c07bf516afc51d0f40d8fe8cd47c41d7d57ecc33084969fd22592b4cbccb359ea8e66320aa2165a926be7079da6024653eb246a3c57a0c

            • C:\Windows\SysWOW64\jvltsuyd.exe

              Filesize

              81KB

              MD5

              876ba27d8b3800a4f69324dea397c877

              SHA1

              8c47ad648fb3264bba8430d5cdffe1705259f7a8

              SHA256

              fd24f824a6fe8c40269e2cad859ccc958e604712c822cfd54e9f7337ecf85172

              SHA512

              72d274a4dd4ba2f8828a191b8b46b6e1bfcd0bab54e18543e69f17403dc771c4e6f9e98d3c250fff8d93c4d433a0657060d0e791d6e0c89a2149c9159c9cfd20

            • C:\Windows\SysWOW64\jvltsuyd.exe

              Filesize

              74KB

              MD5

              9a43be07b744a39f6fd32b78ce8cb23e

              SHA1

              4dd2ced60c46f0394ae8751e68fdb5f0bd94b4b3

              SHA256

              f7b32d21fd3069d66dd51543224aca4ed176c7e24989ca4caa61d9effe3cc2b7

              SHA512

              e46acc7c6d23766501e0e79751981a2da2ace37d82851f2f6f941fbbc4ad2ac7490037c48cd0f3a96225dc63039511eb26f2c2a2b415f2d3947ca8ae29351265

            • C:\Windows\SysWOW64\jvltsuyd.exe

              Filesize

              97KB

              MD5

              f3a0150b0b0e4c49ca0b0868a89a0410

              SHA1

              527f30d7bb83f62659c5ee6f4589003d3ddb2221

              SHA256

              415b93f11f2869a0092ff6610a0913bf875049ccc519f293198e30739cc5face

              SHA512

              81e72b0b3eaedb72d7945ac8205060ffd6a065369c409f92df807f7237bfe064dea489aea00cb0dfd6109fe4826f535ada7f8fa01988d797a04384cdde8878d0

            • C:\Windows\SysWOW64\nzpuyraiesbvscj.exe

              Filesize

              69KB

              MD5

              59b27545f6774df170f6e029fbea9c1d

              SHA1

              69f177a30d45be612d3d2ae7d09a6e9c4d44db1f

              SHA256

              2079811ff3b903d8e4231cbe6100f81601813738ea49b22ce781101007400770

              SHA512

              272fa9ff843bbb87f9742c756951a9c4f09746a78a915bb6a648b5c1e21c79a0432301d1f156cc1e26bee8de2bf27f6e2fd2d10668e6cf57bbdcf954f2453b89

            • C:\Windows\SysWOW64\nzpuyraiesbvscj.exe

              Filesize

              44KB

              MD5

              6e42e2765ed3840a79e984c6c1b92445

              SHA1

              9ce1ae3ef0ccfa798e440c51c8e52704ed7333b6

              SHA256

              3263f5b73396cbe768f0602a961dea4bbeb477d6fcedf31ae8da1d3475ae1ad3

              SHA512

              d79d92d28058fdde7c34109359f46fa78b6e31f0a016f72f67fcfea21622cacc48ea4dd98b2e30f793e86594b785091126b7de77862705ba1576d6ff0b04c93e

            • C:\Windows\SysWOW64\nzpuyraiesbvscj.exe

              Filesize

              318KB

              MD5

              a68136f45c4323f9dc17f6607de98e51

              SHA1

              612eeb3d0f808d28c060a65b81032c9a7a75cd9a

              SHA256

              5ccdeee55769ca75dc0c8eb81b38db4279f40f1ba2c5377938520b2dce24dce7

              SHA512

              016ec9bac4b4ae869e1d40c4b1e06ed04222c93578fbf57567a2b2ec5a178a19a1557dd683ec0ff7feb4193917eefa7166fab2f966012fff0d1a67aa8f369dd5

            • C:\Windows\SysWOW64\zzpxpuafcp.exe

              Filesize

              281KB

              MD5

              798e4b5770f7973cfa95c8f2cacc869c

              SHA1

              2dcb002bf23a5be39ffd6a3cf9013c7958b9add7

              SHA256

              f98ef4d5c3fa996fa199ef20542a81a6ae3a76e58d2d6d27ebb1e40b273da38c

              SHA512

              cadf010d2aa79eb4b66c8f1344bce9b3953297ef48e92e09e66009d03fc293dbdd1c7810e384ce6e0b749c22c44ac1a338af61c56fa089d9062fe2b86d70e311

            • C:\Windows\SysWOW64\zzpxpuafcp.exe

              Filesize

              132KB

              MD5

              e67ace7436ff24488c9f04ae953eac74

              SHA1

              f68fd80e760e45b3ebb593db09e87a0096f4b340

              SHA256

              a6a76b0a7689a47e8be675e05ca2307eccac3c451beba8f7a2ec75138b2627cf

              SHA512

              0e3f661d3cd95abff1cec613c0b8b5bf70613a0fa678039b9a0ef6f0f83fc6b20b49feca771fb350a958fe7558cfc540e0cdd56d1efe9d72448fa5c3bc55faf9

            • C:\Windows\mydoc.rtf

              Filesize

              223B

              MD5

              06604e5941c126e2e7be02c5cd9f62ec

              SHA1

              4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

              SHA256

              85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

              SHA512

              803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            • \Windows\SysWOW64\apdlrggrqwckd.exe

              Filesize

              28KB

              MD5

              4f48933a4f80218441168a3b616d6a32

              SHA1

              545cd2768a3d4cd109b7fe7a5640d8290c261962

              SHA256

              fca12dbc8cceadbb3618da213bc11a01962fb703dfb24f997f9875ca95d6666b

              SHA512

              8f6fdc96e5c993f5b425cb5df06bb614109b5a9255620c794e794feb5d653554cb98dc1b52dff3b5bbbbdb6ed7fc06adcf91e89071789a8e24caf6104fd5b501

            • \Windows\SysWOW64\jvltsuyd.exe

              Filesize

              228KB

              MD5

              17ae4b1db52054219a7e49f0ce1f32d7

              SHA1

              5c60a6650a6c358bd4f04ffa0dd590a49aec01cb

              SHA256

              6c7cfcce878333ad1fc97ca5ebfa24dbbdbcb6a16f7a113116b1b7e9c8a598a0

              SHA512

              ac5923aa3480292543bcaa85b9ce01461402f833e3c8290febc492bb225862ca3b76903a540ae8737f66456276bdaf80b9a1175913c8139c9b64db2840e0b46a

            • \Windows\SysWOW64\jvltsuyd.exe

              Filesize

              85KB

              MD5

              27623bf17711551baa843bbab18a4b07

              SHA1

              2d6d50bab42c5defdd9bdf3f14fb826853558392

              SHA256

              6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

              SHA512

              53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

            • \Windows\SysWOW64\nzpuyraiesbvscj.exe

              Filesize

              34KB

              MD5

              b034eb39fa2e13db766f27eb7d6dad8d

              SHA1

              9a95ed9bec3bfad89d8191d59a29efbf0403696a

              SHA256

              cddf8a49033718d91ae300e3ad8cffc145214b67cb3d13873806737e6df9030f

              SHA512

              b0654979485335772ad89a3e86ca9c0cf48387322de1a5447d8cb2545860b142f96e45bd8cb14b3d3f66d59d987250bc07212c7eb9a7dde4d4120d0ad87ef317

            • \Windows\SysWOW64\zzpxpuafcp.exe

              Filesize

              59KB

              MD5

              0e6183c8138efaaf0d56f4a1aead56c0

              SHA1

              1d5899fab32e0b572b00280f0be352836b49a890

              SHA256

              3e512f8c572e2047d90455c10f1723208ab0012f7a107eda4813bc2d167e2eeb

              SHA512

              d8781af9f5366b9ac625ca59830c5bbcfb00e1c20835b06c28dbd3da5d9b700bce47c3e4bf9d39e8d0bf9d395a3c69055487fa84dc75cd1bee695dac0373d9ae

            • memory/996-80-0x0000000004280000-0x0000000004281000-memory.dmp

              Filesize

              4KB

            • memory/996-82-0x0000000004280000-0x0000000004281000-memory.dmp

              Filesize

              4KB

            • memory/996-87-0x0000000003C20000-0x0000000003C30000-memory.dmp

              Filesize

              64KB

            • memory/1000-77-0x0000000004220000-0x0000000004221000-memory.dmp

              Filesize

              4KB

            • memory/1376-76-0x0000000004360000-0x0000000004361000-memory.dmp

              Filesize

              4KB

            • memory/2388-47-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

              Filesize

              44KB

            • memory/2388-79-0x0000000070A9D000-0x0000000070AA8000-memory.dmp

              Filesize

              44KB

            • memory/2388-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/2388-45-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

              Filesize

              4KB

            • memory/3016-0-0x0000000000400000-0x0000000000496000-memory.dmp

              Filesize

              600KB