Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:35

General

  • Target

    a316428effee4f96edee4b7601cfc78c.exe

  • Size

    512KB

  • MD5

    a316428effee4f96edee4b7601cfc78c

  • SHA1

    62c62a83b191db7672a7aa45235c8446335b6e30

  • SHA256

    3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

  • SHA512

    601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 10 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe
    "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\SysWOW64\syyqeollnb.exe
      syyqeollnb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\oxdqizle.exe
        C:\Windows\system32\oxdqizle.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2612
    • C:\Windows\SysWOW64\updnnhixkqehzuw.exe
      updnnhixkqehzuw.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Windows\SysWOW64\oxdqizle.exe
      oxdqizle.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2776
    • C:\Windows\SysWOW64\mhnrnvuftqamu.exe
      mhnrnvuftqamu.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2704
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:948

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            5421cb1cbba708b4ea0c07a64e19ffed

            SHA1

            9667419b526c83905b2456a5cc3b17cb320ba48c

            SHA256

            d3ff18b4c4808393aaed293e30733cb03eab694e34439d82e77b5cc9e9c16cad

            SHA512

            f89a18405de14bb7d0da267798935e952f29d6161e007c7f298976e9099ab72217eeca283032818d8cf764efe4bc1c9e86c722b1c192e5050fff5e1f8e1d075d

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            512KB

            MD5

            76b2b48ca7386541913cb09032ed094c

            SHA1

            8715eef910b176a38aa28d0167036de1db2b8403

            SHA256

            5f2e2d646117cef3e0e9bba81bcec70dbdf5949ee39917c33e757e17aec1c8d2

            SHA512

            b07064bf06752f29b336667c3e435a4a6581a41f5f75752a8e25b025d5ce5932c6578c092722c44725ca06f27cade88a142081d64866bc77a108f73cbe96d2d6

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            512KB

            MD5

            8b7ab9961e195817d244f13840e4c09d

            SHA1

            65cc55878abadf97c3d32287d8d645b7e2e1be2f

            SHA256

            a70754e9b82ab768874e95909440f87e5775cd052d94d527aaabd45183d9c762

            SHA512

            887fbc4b3c6242ffe3dba4fc84b6aea6a8c570fc42ac569a578c7a6d59a557e2ff067a45abd5035ede0e10653faec57a0fd3d7cf504534aa05120d547bb4d03e

          • C:\Program Files\PopResume.doc.exe

            Filesize

            512KB

            MD5

            67ce2644f7d02067781481845dd8485d

            SHA1

            4bd94b0dc0807fe13ed06d87f5f380f75f922499

            SHA256

            bd3663ce56caccc943c9292c229fb0cfd1c41d3b1342b51c6e9f95900535802c

            SHA512

            1f0ec971fd3d0af81ea78a95e8446b55880795d8d7c8d18f82060a9e3d5674e7d69ce45454273250aa7d5553f5aafabb5f07e8c1b66cd927ef473c457bb2b8c8

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            20KB

            MD5

            866f2fefced5bcdc28f69dd3fb23ba9c

            SHA1

            9d21cddc0bf3b25d4014210265f1f3af06865e89

            SHA256

            4c8e4ed9a02a470bff9e5b3ec29497be2011db16c0be96ed72e24fe0dcd07609

            SHA512

            bbddbb6ae3ab54f1ff2a8b419b0ae448a8d37f3d559d2afbde45b5d37e1ee50391b14707d7a2cfab20365df68e15516d4628e8ac3c4d736d1c1965a54c53b073

          • C:\Users\Admin\Documents\SkipSubmit.doc.exe

            Filesize

            512KB

            MD5

            27e7bf1641743047a1113949abe86119

            SHA1

            99a3d9ba436e50f11c542b25b2c50b4115c129e9

            SHA256

            0cd2522f05dbb1a463e9401ad22363713ece2cca326dbb12676165f821e7965d

            SHA512

            e5c78113bfd3ae4788c3c9b2bc0e20b9938f0e0e166067ab790630fef6bef339dbdc6fb83a40d45517b19af9b4af53141733182be45162e3cd9f6f8f846dd9a4

          • C:\Windows\SysWOW64\mhnrnvuftqamu.exe

            Filesize

            512KB

            MD5

            e23639df01edc17bd2e23a971d69fbda

            SHA1

            dbfdb7da706d1d6a8d63153ce9876f4c76427232

            SHA256

            3172de7c60ab089ba863ba2e8d8d6e5a7af1380e62e81ffeb4fe985e5e387062

            SHA512

            fa6ab0de0b663a913daac878734ef14b438d2a2ead52cd96b1b2b49232a466a50747021bfef0c7784aa587838345de4f829e89fdd245bf3426917a1f0438bb11

          • C:\Windows\SysWOW64\updnnhixkqehzuw.exe

            Filesize

            512KB

            MD5

            d3cc351bf7c1d0278b1ef146a7d58ae7

            SHA1

            4ccc439b667342ed9be62f991724cc0d60306461

            SHA256

            1581bd26b3e6bee44f547f6434fa9137823efd2f293003b76bcaecd5c86ad46c

            SHA512

            7ee481f6879e92c05b332e602cf84e7cc3e69f97edc1012fc250d52712ea010137549d5c3f2fa029c39dce5f0e431e533d7ffefd7056e3e2ba4f3e4b38cd50bf

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\oxdqizle.exe

            Filesize

            512KB

            MD5

            9adb195379d7dd0d65fc598f95d64298

            SHA1

            e77aba8a5806eeb421e10db646a1306f948f2ffd

            SHA256

            6d9c3cc1e2f0c6c4979ff737108757cdb5e6a5d8220ff9dbaa66056f5d2a9c47

            SHA512

            344653f107b35e2142ee730832e6d2b8a46e20273a3840b47b4df3b183254f640058db72b893968c8d534fd8a94bbbbd966f56cd9e76097fac6297c65adcf9ff

          • \Windows\SysWOW64\syyqeollnb.exe

            Filesize

            512KB

            MD5

            85945b0abfe2de8d68e3ddc4ef1dd186

            SHA1

            b3900e53949cf7612fa2d41fc6b74bb5d16e23e8

            SHA256

            0093b4d3fe40773305a21ee1e87d3b77cfddb7fcb8d6e269255363a446b8f447

            SHA512

            28279e5965ff502bf665e432f655f1849433e7ef33b8d6daad42bce4e108728b8ba12ecfe6e867c7acd04756f24399e42aafbd5103f0568d4fc4cef620f311fc

          • memory/2632-47-0x000000007174D000-0x0000000071758000-memory.dmp

            Filesize

            44KB

          • memory/2632-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2632-45-0x000000002F221000-0x000000002F222000-memory.dmp

            Filesize

            4KB

          • memory/2632-97-0x000000007174D000-0x0000000071758000-memory.dmp

            Filesize

            44KB

          • memory/2632-118-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/3036-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB