Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    492aa041e8bc85623d4ee5ca79cb4994.exe

  • Size

    512KB

  • MD5

    492aa041e8bc85623d4ee5ca79cb4994

  • SHA1

    9dfe6b5e7216cec78d6637f8b97ea1dd0db2dceb

  • SHA256

    40981dea368726c7fa3ff82e67c69da71275dde939a5ff28f034df0bd86b0a5b

  • SHA512

    a4ef35f9f29b9d0847fb41413b473dbd1ddc1edec14cfc0265b14fde1eb828e3a47a5a426460d67586ccf744f512a10804ced1c0c8db49e068331134a4491be0

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe
    "C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\lvxwrnoibc.exe
      lvxwrnoibc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\qylqcvvf.exe
        C:\Windows\system32\qylqcvvf.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2572
    • C:\Windows\SysWOW64\obpmdcvptferbqc.exe
      obpmdcvptferbqc.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2812
    • C:\Windows\SysWOW64\qylqcvvf.exe
      qylqcvvf.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2952
    • C:\Windows\SysWOW64\itrfgsxemmlkz.exe
      itrfgsxemmlkz.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2840
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 027946734307570da7ad402d47a1ca37
    SHA1: 061bd708caed26cbb791431e64a63b51bd0e8339
    SHA256: 1e4515fed8933e5b6969e4386e3b8b3090e114c64f454bfad4b5446c1e50d62f
    SHA512: e5b5f2da6a94c47fa7368fd9a4b51732ec172063b4c46c18585f4d8a3d9f24d0927a95ea63f9dde73c6bb1888dbd957c6230478d1994fb43be3c29038827b205
  • C:\Windows\SysWOW64\obpmdcvptferbqc.exe
    Filesize: 512KB
    MD5: c1b7aea6a2b071441cd2b7f5ad3d8784
    SHA1: 899aa6153d393d4cb14e98f6638238d5bca1db3f
    SHA256: b9bc44483512856795a1fae015e065a1a3ae1a75bab711de162d39a75009451f
    SHA512: d919de801e4d22723c1e298ba05925278ac730d0e2620e06f68a4d062588666de1e5515082109b6d76374b7f3b9d5cfb8aceeb3ffae85aaa8284107525ca9395
  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
  • \Windows\SysWOW64\itrfgsxemmlkz.exe
    Filesize: 512KB
    MD5: 28e5fa144fb4c26ff3a1f5d7832e53aa
    SHA1: 98f4b9ebe100ad1046f638e19012a0aa08a1a648
    SHA256: 67e897207968a54682c348c4ced68ce6bc5c7e98341b8e75ae797c77074eef33
    SHA512: 2bcc57c72166093954c6a05853ff0cb3475fd33cdfa0dcd2960f02c492d744919d9c87e03514a2adc156e9d22b85a81d4ba009f395180d42f2453d02329b4c5d
  • \Windows\SysWOW64\lvxwrnoibc.exe
    Filesize: 512KB
    MD5: e2475e8a46b34995a40313f758796232
    SHA1: 7dda71374e15c8fa22805b97a9963e0172053631
    SHA256: 7145ab029e8f89109af6c7b0f2e0ac5e23b5127f8cf4614b7d680569fdf38349
    SHA512: 707da961f64ce42e007c06d75bc1ea9f2c12f135da70550f32a7787b03c6c2e858e8fc08387ab4863ec14bcaa9b02dc6f67fd9d0f4c2e60093e97a013018cada
  • \Windows\SysWOW64\qylqcvvf.exe
    Filesize: 512KB
    MD5: fe04121e7e24d036ff1afc7e26ce7931
    SHA1: d3bf4fa2afc65846b184d74970fd71b15d2342a7
    SHA256: 569ffeabc542175b95347259b36c358424e8f05ef685bdf5700d4c5a6de08c63
    SHA512: fc57c17a97e8fba7a0b17439281d5f250f984819ab4041ef35acec07412c3d5bad89deb400440ce7ab1dbb8c193ba393c7c13abf2139ac70abd7c61fe7059f34
  • memory/2004-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize: 600KB
  • memory/2688-45-0x000000002F221000-0x000000002F222000-memory.dmp
    Filesize: 4KB
  • memory/2688-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB
  • memory/2688-47-0x000000007192D000-0x0000000071938000-memory.dmp
    Filesize: 44KB
  • memory/2688-78-0x000000007192D000-0x0000000071938000-memory.dmp
    Filesize: 44KB
  • memory/2688-99-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB