Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:20

General

  • Target

    ab0757415e5a33fde6893ba93d5683ff.exe

  • Size

    512KB

  • MD5

    ab0757415e5a33fde6893ba93d5683ff

  • SHA1

    0836ceb3d65019483a8a1664a80422dffdfec99d

  • SHA256

    677fc2b026079044c61098fc32986c2624095fc78d0f478e74e588a559bba8a0

  • SHA512

    3c13d8a82243d85f1462ad9951abdfe4d07fe3e65e1b63c70f23aebf70a27adaab84c5dff41bcd622d04497ec5e7bb69b0cd5b0ca95e07aab1bcaea6efb63565

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe
    "C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\nrnahlpexs.exe
      nrnahlpexs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\tddulpyx.exe
        C:\Windows\system32\tddulpyx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692
    • C:\Windows\SysWOW64\xgeddcddpsqcpfs.exe
      xgeddcddpsqcpfs.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2736
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1948
    • C:\Windows\SysWOW64\klncvszjgclwb.exe
      klncvszjgclwb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2708
    • C:\Windows\SysWOW64\tddulpyx.exe
      tddulpyx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            16KB

            MD5

            e72a03b4cbc70dd02a2a891bbad55125

            SHA1

            300ca87e84272e2d1fd3448be4cf473cf79b3ec9

            SHA256

            c3ef95656206a2188502faf16e7a60b9edd56bdb1cbf55b55bfffe747e61ec82

            SHA512

            52ee9d5fe27c647ad6474c518403f8f4471410ab20b56ddca88f4644ca8561d597f30a7e30a41241c6b0d9620ffcd2371f25377abe41581299345bda1904ff37

          • C:\Users\Admin\AppData\Roaming\MergeLock.doc.exe

            Filesize

            36KB

            MD5

            af0170a6c815eca0de7c8f53512add64

            SHA1

            d2e1f2c52efd65a612a352faa80ec5562b00db7b

            SHA256

            6e2f625bd893ee21a55f07c9148d5204918e0df6aec58dd80b2854d921ddc910

            SHA512

            0d26f17d05eef1f72fc7ef2d381bd3e1fc241e8eb4b9a7713befdd6c7cb895d4dd4291e23950ea47dcd11b12d78a3e77f6f914b480d38c899e1b53a3f29d25e9

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            0dfb9a88c389cfd27d405594f07ad056

            SHA1

            f25ce7f3faf5cfc4bb738878f284856d12c2be02

            SHA256

            f30394fdda489b71b287a4e4c8578d6fc74af1d46ee6dd1204808047cc2fd886

            SHA512

            c4054d3de2ef9147b97550dccfb3e27b64a859052d7780b8a8ef94251b4318fc2ed4986a1ede52520542ed998860d0c5f6cce93e616d484ad043f5ef5198fc02

          • C:\Users\Admin\Documents\FormatSet.doc.exe

            Filesize

            112KB

            MD5

            b9bc6aea0a33849b8d92167fee3034de

            SHA1

            e8f2ff6eef336da9a942b4be1aca09720cc62c85

            SHA256

            5453c6ca4503e32bf86205fe82cf30436f5c5b92573a57b6188a8586eb10de96

            SHA512

            8f6b500525f627c86df565d6c24770cfa972dd7f5d9821dd70746715a6a6734fbc4fea50cef4569e6379460b8daf6d6a1f17016d7f32ffa3579b405cb552f51c

          • C:\Windows\SysWOW64\klncvszjgclwb.exe

            Filesize

            118KB

            MD5

            bdc83ea97433795a5c26b1d826ac8323

            SHA1

            75aefbc23df2df09a1b60d58e85abb4c5326619f

            SHA256

            b15923256b7e7a49cff71b64858b0a02ba69f7f352f275eee801a36353913dbd

            SHA512

            ef7c67e85a9861b1dbb863e82e6f89b6012e26cb67b392bff6fc02c7b0ecfa80ae1840f94ba30c4cc3d32ad7d5ef5c3e62dcd014e43d3c957799e8f72d5a249f

          • C:\Windows\SysWOW64\nrnahlpexs.exe

            Filesize

            286KB

            MD5

            c8f31e331d8c82a1f4150bbc9512e520

            SHA1

            9c59fd655a1ba8c9cbd48ad9c3f4c3f501f6d1a1

            SHA256

            d05c0b78773e864a2cf2f940a4aa7617303b72ae23da7e1562016a412461e56e

            SHA512

            328827fde9c316017132fbb2c58b835c5a689a77e75c11221fc939753f054da57703c1c274d25ee18b5106f42264d7702f0854296e5781cef643749d5dc619e9

          • C:\Windows\SysWOW64\tddulpyx.exe

            Filesize

            28KB

            MD5

            33ee1a8a64e645d4f6851dc714022c15

            SHA1

            ba4eb8765bbe95e8699077340904fcedc382ccea

            SHA256

            60d0cf8ef77e3c55dde0f067d6782fe549ee95bb5548f864093f5e142c84762b

            SHA512

            94c8ab332fad1c7d1b6df385159a6f657f66742a034d82b158a887a0a4872514b016d6e4baaf04e5889bfbcfd226f2559aabf02d34c751780dd6956710c2345f

          • C:\Windows\SysWOW64\xgeddcddpsqcpfs.exe

            Filesize

            85KB

            MD5

            27623bf17711551baa843bbab18a4b07

            SHA1

            2d6d50bab42c5defdd9bdf3f14fb826853558392

            SHA256

            6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

            SHA512

            53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

          • C:\Windows\SysWOW64\xgeddcddpsqcpfs.exe

            Filesize

            512KB

            MD5

            408dfd55c92f6bcff5726eb159a5d864

            SHA1

            faad33f4d3eee41523ee331dfdaab2a0b528238d

            SHA256

            b51d47b62f5da9d0d9b11b2ae8d1488274ce19f2027c9fe675fa31b001ee1856

            SHA512

            224ad987157e3804025fe32f6791d0dc0feaf5ac17142f969e6b03b7d98b972df0250333bd8d724cb6cbd39545d4abdd5c59457766efe5491d13ddcf13bb0bf6

          • \Windows\SysWOW64\klncvszjgclwb.exe

            Filesize

            382KB

            MD5

            badd716c7c48a8241873d9251da496d1

            SHA1

            6bd2a072c8f64a1780fe75d983cb7b6584985c6d

            SHA256

            ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

            SHA512

            7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

          • \Windows\SysWOW64\nrnahlpexs.exe

            Filesize

            512KB

            MD5

            e37e88958b9a6bd01c13e2d82773ca14

            SHA1

            b03ae165d97f002b565d207a8f57905548781bd3

            SHA256

            d829f701c034149f22fd4e43d80a4a7267ca63b9b5a57c7c34f87f7841d3761c

            SHA512

            a52e720bce8a636900edd1ced181f76ebc6a0b70f0a28f82b0c8c2e9220989281994b512e0bdadff1a4e9c2689602d2c563a9340cb6f048de2296e86e23aab37

          • \Windows\SysWOW64\tddulpyx.exe

            Filesize

            416KB

            MD5

            f2743abd2bcd7b8ddb886282eb27c5fe

            SHA1

            12fedd2bb51b8480bae521c788c0428c7f1a7163

            SHA256

            34d4acba07430a8f06759ba85825be072f942f3dcc684f7ddeccd271496ffcfa

            SHA512

            0e38d916edfc5d63492872ec5b0a33f855afd3904f724196d96bc80c5a18e56bb5ee50bf81da471ec17f97984d2baf09713702239d0f492f58ffefd6f5336ac3

          • \Windows\SysWOW64\tddulpyx.exe

            Filesize

            124KB

            MD5

            de83bfac85a2c62d0cb12eb47652d5dc

            SHA1

            1990b0d527e8ea6e7503d0084dced33b9ffce8a6

            SHA256

            5d14fa9e8658105bdf0715b3de050ea871e8b3aceb585810c35435c966aed51c

            SHA512

            fee49bcb9c25cce746b005724afca9832b0b74b422569a441bb521bec8d31bca3f286c599b8822e7926cae1d0866a27215be6baf8b285356cd1a0bdf4f5da51e

          • \Windows\SysWOW64\xgeddcddpsqcpfs.exe

            Filesize

            384KB

            MD5

            0e151ec3919b72f9a6c7fe60d10f4ea0

            SHA1

            91fb01badc6db9808233ff95abf39c37982a8c85

            SHA256

            f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c

            SHA512

            41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

          • memory/1308-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/2540-45-0x000000002F9B1000-0x000000002F9B2000-memory.dmp

            Filesize

            4KB

          • memory/2540-47-0x0000000070E1D000-0x0000000070E28000-memory.dmp

            Filesize

            44KB

          • memory/2540-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2540-80-0x0000000070E1D000-0x0000000070E28000-memory.dmp

            Filesize

            44KB

          • memory/2540-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB