Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:21

General

  • Target

    a511396442a36431fa575db4a1db79be.exe

  • Size

    512KB

  • MD5

    a511396442a36431fa575db4a1db79be

  • SHA1

    2559152c5fdd746f76c9335e1b4fafcb16657b6d

  • SHA256

    7daaabc1b929c83288bc103aa3b60d23df7e17d3616ec899027abf08cb7efce3

  • SHA512

    035461372a5393f04d4bdc500872fc09368e2d2ffb8eba26d59120038b516aeeab4a83f10a294fbd22b694e768d5730a5da21d0599439278e49054a72839f4be

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj62:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe
    "C:\Users\Admin\AppData\Local\Temp\a511396442a36431fa575db4a1db79be.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\adrdxbdmqe.exe
      adrdxbdmqe.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\mkdmbpui.exe
        C:\Windows\system32\mkdmbpui.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692
    • C:\Windows\SysWOW64\bfvitizwsuhskrd.exe
      bfvitizwsuhskrd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2368
    • C:\Windows\SysWOW64\mkdmbpui.exe
      mkdmbpui.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2608
    • C:\Windows\SysWOW64\kbkesefmoavhy.exe
      kbkesefmoavhy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2684
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2476

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            db08ef2d2035b97badadd2d116b6603c

            SHA1

            724a1139e810e14403ef637dd4a426c3ee7ccfa8

            SHA256

            4e8704faa4e94871f4a7ac57482fc5c76f58ec1ca7e82b15806ec409d5f2f907

            SHA512

            b5dfc32bc817f2d6538f15f09f874d384e0575a8f56b517f22a378c6af03e713021bd0ac58de87eab9bfbc044e1ac728359db814bd20b5f9f02d852cf7d0ef3c

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            a954e93bc5437829cfd90c7fae875eb6

            SHA1

            c99479ec22b7744f10064c3deda057c76d3c74bc

            SHA256

            cd56595a7ab1f1315e8924d9d868e917408b10221c2b5457103b28b3b41f31e6

            SHA512

            9c2a684ded015df0c4103bd2d7f973c90ea57d0214279f998d3b067991917f989d759d348ca9ed4f5d617cb5d35fbd6c3b2f954b20426f276d5010fbb5a0ecb3

          • C:\Users\Admin\Downloads\ResetCopy.doc.exe

            Filesize

            512KB

            MD5

            3a9d2f8dbf861965838dbd3044a18c04

            SHA1

            41cf2b3aac72afe709855a7b91713c1711bf94e7

            SHA256

            67e74ea2548cb43760cc1a31baeea606c34cdf50c6937dd867f559e560c65e53

            SHA512

            4e8553d2f1c28f2e08cfcce39bb12e181701d810ee778b10019dd619a895c14699308ab979afa193f4d8b5e6ded2be0da523f3e98f9c6addf97875614b86bc88

          • C:\Windows\SysWOW64\bfvitizwsuhskrd.exe

            Filesize

            512KB

            MD5

            fab0de4e047791d425ef9f15045775eb

            SHA1

            03ae04329b402d046c2fb20e1313ab67c4e6352f

            SHA256

            a912bcc68e2db706da8efacf01a2be91a025c616d1c4658a1bdf53bac56a5fff

            SHA512

            616cb8efc90f1f069bb28ae84c3e3124bea9817194cf2fbb5b3b7eac9e2dd2af96bc59ceb48257baa489b8545c3820180a2b3ec0e747b2cf650aa9ab2eb39a00

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\adrdxbdmqe.exe

            Filesize

            512KB

            MD5

            1feb1e3dffb4d687281740533add7a9b

            SHA1

            79b18134209185f0218703de4ad2a8315f3ac3ab

            SHA256

            2e1c03cfd7968d39098216c4bd758295aab5afc4877eb5e195a672b5a4975fc9

            SHA512

            9713ee296d3e2e0a15ac72b2e4366e9e28366525d53e34b105c98b48be0f61df1e3ecf318aee2aeb04b8de66f15a7b72e35388bbe9369c1e2e22400877e8920c

          • \Windows\SysWOW64\kbkesefmoavhy.exe

            Filesize

            512KB

            MD5

            0dbc3532d76c284123fcf924aff86bb1

            SHA1

            8e17c10eacdfec4e179afbff567d20ce5a6991c1

            SHA256

            2c6212e9b2fec0785373e72da0df9805eaf9b6e78464acc8d43d14847ff440bb

            SHA512

            b519337acef6d0e1106ed2bba514404f36ef01d8a3bf65f315cffc9a18eec09a1ca72a823bfe61119c3bd2646c61d7b63b549d7f5b7b9d20a3b249248a9d138d

          • \Windows\SysWOW64\mkdmbpui.exe

            Filesize

            512KB

            MD5

            c8225c84921e93249ce55a91e0b7ee43

            SHA1

            7a3960efac43851a159a84a283cacf6ab3b52e17

            SHA256

            3084a12a18535a65c9c1928563d2792a931439bf6f01be554012061952f304c6

            SHA512

            3b2a66d60a7d75a4d19785d75e9807b54a33d90631d930a83ca28e4f87acf0efb8aa7e4443f9feb4af4aac79c477b7c2843bdec8f069923afe94ec2610589d84

          • memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

          • memory/3064-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp

            Filesize

            44KB

          • memory/3064-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/3064-45-0x000000002FE41000-0x000000002FE42000-memory.dmp

            Filesize

            4KB

          • memory/3064-82-0x0000000070D4D000-0x0000000070D58000-memory.dmp

            Filesize

            44KB

          • memory/3064-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB