Analysis

max time kernel: 3s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:35
Static task: static1

Behavioral task: behavioral1
  Sample: a316428effee4f96edee4b7601cfc78c.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: a316428effee4f96edee4b7601cfc78c.exe
  Resource: win10v2004-20231215-en
General

Target: a316428effee4f96edee4b7601cfc78c.exe
Size: 512KB
MD5: a316428effee4f96edee4b7601cfc78c
SHA1: 62c62a83b191db7672a7aa45235c8446335b6e30
SHA256: 3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b
SHA512: 601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
  pid   Process
  4940  xglufnyjap.exe
  3612  caacrhhtiurqzhb.exe
  4512  frflvhui.exe
  3668  ttnebptsjdpvw.exe

AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                    yara_rule
  behavioral2/memory/824-0-0x0000000000400000-0x0000000000496000-memory.dmp   autoit_exe
  behavioral2/files/0x000600000002321c-5.dat                                  autoit_exe
  behavioral2/files/0x000600000002321b-18.dat                                 autoit_exe
  behavioral2/files/0x000600000002321e-31.dat                                 autoit_exe
  behavioral2/files/0x000600000002321c-23.dat                                 autoit_exe
  behavioral2/files/0x000600000002321c-22.dat                                 autoit_exe
  behavioral2/files/0x000600000002321b-19.dat                                 autoit_exe
  behavioral2/files/0x000600000002321d-35.dat                                 autoit_exe
  behavioral2/files/0x000300000001e761-113.dat                                autoit_exe
  behavioral2/files/0x000300000001e761-115.dat                                autoit_exe
  behavioral2/files/0x000300000001e761-117.dat                                autoit_exe

Drops file in System32 directory (8 IoCs)
  description                   ioc                                      Process
  File opened for modification  C:\Windows\SysWOW64\ttnebptsjdpvw.exe    a316428effee4f96edee4b7601cfc78c.exe
  File created                  C:\Windows\SysWOW64\xglufnyjap.exe       a316428effee4f96edee4b7601cfc78c.exe
  File opened for modification  C:\Windows\SysWOW64\xglufnyjap.exe       a316428effee4f96edee4b7601cfc78c.exe
  File created                  C:\Windows\SysWOW64\caacrhhtiurqzhb.exe  a316428effee4f96edee4b7601cfc78c.exe
  File opened for modification  C:\Windows\SysWOW64\caacrhhtiurqzhb.exe  a316428effee4f96edee4b7601cfc78c.exe
  File created                  C:\Windows\SysWOW64\frflvhui.exe         a316428effee4f96edee4b7601cfc78c.exe
  File opened for modification  C:\Windows\SysWOW64\frflvhui.exe         a316428effee4f96edee4b7601cfc78c.exe
  File created                  C:\Windows\SysWOW64\ttnebptsjdpvw.exe    a316428effee4f96edee4b7601cfc78c.exe

Drops file in Windows directory (1 IoCs)
  description                   ioc                     Process
  File opened for modification  C:\Windows\mydoc.rtf    a316428effee4f96edee4b7601cfc78c.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (7 IoCs)
  description      ioc                                                                                                   Process
  Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes                                                        a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7F9C2582236A4376A5772F2CAD7D8F65D9"      a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACCF917F1E3840B3B3286EC3E95B0FD03F142110238E2C442E808A8"  a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B028479339EE52C8BAA133E9D7CF"              a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC83482E856D9141D65C7E91BCEEE141594366476241D6EA"  a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BC5FE6E21AED179D0A78B7D9110"         a316428effee4f96edee4b7601cfc78c.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77415E5DBB3B8CD7FE4ECE234C7"         a316428effee4f96edee4b7601cfc78c.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  824   a316428effee4f96edee4b7601cfc78c.exe  (16 identical entries)

Suspicious use of FindShellTrayWindow (9 IoCs)
  pid   Process
  824   a316428effee4f96edee4b7601cfc78c.exe  (3 entries)
  4940  xglufnyjap.exe                        (3 entries)
  3612  caacrhhtiurqzhb.exe                   (3 entries)

Suspicious use of SendNotifyMessage (9 IoCs)
  pid   Process
  824   a316428effee4f96edee4b7601cfc78c.exe  (3 entries)
  4940  xglufnyjap.exe                        (3 entries)
  3612  caacrhhtiurqzhb.exe                   (3 entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid  Process                               procid_target
  PID 824 wrote to memory of 4940  824  a316428effee4f96edee4b7601cfc78c.exe  55   (3 entries)
  PID 824 wrote to memory of 3612  824  a316428effee4f96edee4b7601cfc78c.exe  54   (3 entries)
  PID 824 wrote to memory of 4512  824  a316428effee4f96edee4b7601cfc78c.exe  52   (3 entries)
  PID 824 wrote to memory of 3668  824  a316428effee4f96edee4b7601cfc78c.exe  53   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"
  PID: 824
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\frflvhui.exe  (level 2)
    Command line: frflvhui.exe
    PID: 4512
    - Executes dropped EXE

  C:\Windows\SysWOW64\ttnebptsjdpvw.exe  (level 2)
    Command line: ttnebptsjdpvw.exe
    PID: 3668
    - Executes dropped EXE

  C:\Windows\SysWOW64\caacrhhtiurqzhb.exe  (level 2)
    Command line: caacrhhtiurqzhb.exe
    PID: 3612
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xglufnyjap.exe  (level 2)
    Command line: xglufnyjap.exe
    PID: 4940
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\frflvhui.exe  (level 3)
      Command line: C:\Windows\system32\frflvhui.exe
      PID: 1232

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3036
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 35KB
MD5: f290a0f000202d65c447c688e5b8e587
SHA1: d3d95890cdd64ceb97ebbce72516d012fcbb52b9
SHA256: a59c8cbb3b3f2884e1b8645cbd3be4d06f45559d7c34af095b88a8b0444f94d1
SHA512: a3b2f99680dac2b5f8acfc62adf1d068a3de8278501e9acb918f89ba2c21cd1340fb985f2a592198a36ca1a2c21f6c980850ec0c633d05b7327280e667d712ff

Filesize: 4KB
MD5: ed1c60e9a7a92edcab339f7ee087e387
SHA1: 88f8f6c911931da7e87f20ba56d19ccf2c015417
SHA256: ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3
SHA512: 2ecc0b336db1f9d6b3d4d6880980f27a8a4e9ce7eb25a12b095beb28075d793fc7667f06d7bc4512548393d0374885e8739514b96173aaefa44d7baf434f24a2

Filesize: 32KB
MD5: c4954c3e34399ab695a33fc63c8dcddd
SHA1: d0599623fcffa3c8f3fdac433cdc31b41708a8bb
SHA256: e663ff56deaaf66bd7ec29eedae945fc243acea394a8c926b9f81b6ae66561e1
SHA512: b485ce384e71e320882bbc1c03459130bed231ed0c99a977a45183901a87ae0775d44884f481e43cc4a8d2f712e137fdfd8fba2839d1a321f0eb29dcf4495b9f

Filesize: 40KB
MD5: b4aeec33bcb8b7c2a068b715d66bcbd9
SHA1: 6f7ce51dd0077af2093d1534515af3685efbad7e
SHA256: 372171bf4b7ffbe6a80b250c22e0fc33fb8e67fc45d1fb42da0cdfaac8fae984
SHA512: b5204500110ebbe1c63829eb8f301dab923dc355d41350c9c06439d170f7fee2e76f43e3e702dacac0de600fca93bb42c3505b8d298a227a7cde84091d4f65ba

Filesize: 28KB
MD5: 4e0010bbd9d1ede0229431225d11b4c0
SHA1: 3055bc9fc94f0accbc71b0fce6639d928989994f
SHA256: a59fa0a915002b316ee260d8bf62e49fbd5afae9c80922b28311d657dcf24b7a
SHA512: c60c6b398f54682130c2fc9010c304d9e35ed73155ae72c2ea42eebc2f62e5912a29c152cecf4ec6123b45aab4c98d7494b1e501a54011219ca5b8817e1c2ea9

Filesize: 4KB
MD5: 37103ab666d76a6537f43f1b58610180
SHA1: 6eecdfa4a77bb74c62f84bdaee4f1f753dc5157d
SHA256: 1ce07688e89f9e830041ba37ca9d44a2b3e8f4d65b2a656cfe5a7d816e36d95f
SHA512: ac6c49dcaf59209302129765d9a5583b3ddbb0e9e95a4430e0c6532260481f0156551e364306aa661fa056421020c26cb26958d026868213ae2e5dbb0331c9a4

Filesize: 17KB
MD5: add1e2713483deb75c7f6fceaf4d3dcd
SHA1: 24369b1ab5aaeb22033b7eebf7bfb33568f7f0ca
SHA256: 1ca73d664453b42c8c7f7238787d41f8ae8c484eb3f429696a953be07a019a30
SHA512: f86776176c454202a045738ee4e80046fe10462371e91678679e14a5ee061b02454d37683b99cdd01bfb07b8e325504be03394caa20519b23e7df4a7dc0cf90c

Filesize: 60KB
MD5: ce87d1185f9e0d44ebfed1431c83c9ed
SHA1: 11237f5a6d83facfb41da7e58c25a55f3ac2846e
SHA256: fbe6e76269aff274f56ef1a82ad5f5e9024fc46af718f56185cf9be3b43fc734
SHA512: 7fa0c5e198c60863fa4c90ac39c795acd00dac6cefc84042110eee79a1d8cddda65e5752e2718f8e084f1acbc0565a6c59bf26470c7952c45ab37bf830336424

Filesize: 16KB
MD5: 941b0cb20a8f245d97bb40d990f78281
SHA1: 2d7a037cf08562148d9b7347a0e3e00d223f8d9d
SHA256: e42b962cdb2fcc8603dea723fa7780fd9f2c2ccbeae0f322c87989956a37b281
SHA512: 868e35b594230ee604e6068381807a190b7a9c817dd4e202c681a1ec88712cab5118c392dfea957c4c03b391b55e9c8c1c38e2b96a7323b5e2b56a750ea87343