Analysis

  • max time kernel
    133s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:21

General

  • Target

    a169003918d23a41e228f8030b458f9e.exe

  • Size

    314KB

  • MD5

    a169003918d23a41e228f8030b458f9e

  • SHA1

    cdea2fbc475659219ca14fc9d26f2a361c5c2162

  • SHA256

    cfe2b6781d8cbc4cd1bc34c2a5ee42c966ce0ba9d84c6ef69942d5a050111860

  • SHA512

    6095e63a6d8f0ba4a1b924213db29cd283800f08f32b6a948376b3a875573a0a75ac260ccbad397f12be20313d4f855c4b668d7db2c7e1ce075f349a88b85c5a

  • SSDEEP

    6144:CpJXjd9rDT+YyQBmBf4DYSfok1AAUaIxQOwUFk:STd9DDyQBmvIpCAdI5u

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 28 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe
    "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C "C:\Users\Admin\AppData\Local\Temp\ac8zt2\install.bat"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32.exe /s etlrlws.dll
        3⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2636
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe C:\Windows\bokpkov.dll bokpkov
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:2656
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe resot
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1672
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\fmsxwqs.exe
        fmsxwqs.exe reg
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3068
      • C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe /s C:\Windows\drnpfdxqvm.dll
        3⤵
        • Installs/modifies Browser Helper Object
        • Modifies registry class
        PID:2476
      • C:\Users\Admin\AppData\Local\Temp\ac8zt2\eotk.exe
        eotk.exe C:\Windows\altvxvm.dll altvxvm
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /Q /C C:\Users\Admin\AppData\Local\Temp\nsd1068.tmp.bat "C:\Users\Admin\AppData\Local\Temp\a169003918d23a41e228f8030b458f9e.exe"
      2⤵
      • Deletes itself
      PID:3048
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2192

Network
