Analysis

  • max time kernel
    3s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20231215-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    07/01/2024, 19:35

General

  • Target

    a316428effee4f96edee4b7601cfc78c.exe

  • Size

    512KB

  • MD5

    a316428effee4f96edee4b7601cfc78c

  • SHA1

    62c62a83b191db7672a7aa45235c8446335b6e30

  • SHA256

    3c6d66ea64e12029bda1fa7c1f9432980342dff406af07f91c12156c4e27220b

  • SHA512

    601302185a305d95dddb19aba0dc7f3b34b6028db5d8c0ee32efcad8c1962942f6a49a8587557eb8b20e54279670f8b0f7118411ff38b99ecd5a2443953db831

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe
    "C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Windows\SysWOW64\frflvhui.exe
      frflvhui.exe
      2⤵
      • Executes dropped EXE
      PID:4512
    • C:\Windows\SysWOW64\ttnebptsjdpvw.exe
      ttnebptsjdpvw.exe
      2⤵
      • Executes dropped EXE
      PID:3668
    • C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
      caacrhhtiurqzhb.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3612
    • C:\Windows\SysWOW64\xglufnyjap.exe
      xglufnyjap.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4940
      • C:\Windows\SysWOW64\frflvhui.exe
        C:\Windows\system32\frflvhui.exe
        3⤵
          PID:1232
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
          PID:3036
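
      The signatures and the process tree above describe one chain: a sample running from the user's Temp directory writes several executables into C:\Windows\SysWOW64, executes them (one of them re-launches frflvhui.exe), and starts WINWORD.EXE on C:\Windows\mydoc.rtf. Note PID 1232: its command line says C:\Windows\system32\frflvhui.exe while the image is under SysWOW64, because a 32-bit parent's reference to System32 is redirected by WOW64, so detection should match on the resolved image path rather than the command line. The rules below are an added example, not part of the sandbox report or its signature engine; the event records are constructed to mirror the process tree (PIDs and paths are the report's own, the timestamps and the benign control event are invented) and use Sysmon-like field names.

```python
"""Added detection example (not part of the sandbox report): encode the
Temp -> SysWOW64 drop-and-execute chain and the WINWORD launch as rules and run
them over constructed process/file events modelled on the report's process tree."""
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\")
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# A document argument stored under C:\Windows: Office never keeps user documents there.
WINDOWS_DOC_RE = re.compile(
    r'(c:\\windows\\[^"\s]+\.(?:docx|doc|xlsx|xls|pptx|ppt|rtf))(?=["\s]|$)', re.I)


def norm(path):
    """Case-fold and unify separators so paths compare by value."""
    return path.replace("/", "\\").lower()


def detect(events):
    """Return alerts for: R1 a process running from %TEMP% writing an executable
    into System32/SysWOW64; R2 a freshly written system-directory executable being
    executed; R3 an Office binary opening a document stored under C:\\Windows.
    Events are processed in timestamp order; ties keep input order."""
    alerts, dropped, images = [], {}, {}   # dropped: path -> writer pid; images: pid -> image
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            target = norm(ev["target"])
            if target.startswith(SYSTEM_DIRS) and target.endswith((".exe", ".dll", ".scr")):
                dropped[target] = ev["pid"]
                if TEMP_RE.match(norm(images.get(ev["pid"], ""))):
                    alerts.append({"rule": "R1_temp_process_writes_system_dir",
                                   "pid": ev["pid"], "target": ev["target"]})
        elif ev["type"] == "process_create":
            images[ev["pid"]] = ev["image"]
            image = norm(ev["image"])
            # Match on the resolved image, not the command line: a 32-bit parent that
            # passes "C:\Windows\system32\x.exe" is redirected by WOW64 and the child's
            # real image lives under SysWOW64 (PID 1232 in the report).
            if image in dropped:
                alerts.append({"rule": "R2_dropped_system_exe_executed", "pid": ev["pid"],
                               "image": ev["image"], "dropped_by": dropped[image]})
            if image.rsplit("\\", 1)[-1] in OFFICE_IMAGES:
                m = WINDOWS_DOC_RE.search(ev["cmdline"])
                if m:
                    alerts.append({"rule": "R3_office_opens_doc_in_windows_dir",
                                   "pid": ev["pid"], "document": m.group(1)})
    return alerts


def summarise(alerts):
    """Alert count per rule."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


# Constructed events mirroring the report's process tree (timestamps invented).
T = r"C:\Users\Admin\AppData\Local\Temp\a316428effee4f96edee4b7601cfc78c.exe"
W = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
SYSWOW = "C:\\Windows\\SysWOW64\\"
DROPS = ("frflvhui.exe", "ttnebptsjdpvw.exe", "caacrhhtiurqzhb.exe", "xglufnyjap.exe")
EVENTS = [
    {"ts": 0, "type": "process_create", "pid": 824, "image": T, "cmdline": f'"{T}"'},
    *[{"ts": 1, "type": "file_create", "pid": 824, "target": SYSWOW + n} for n in DROPS],
    {"ts": 1, "type": "file_create", "pid": 824, "target": r"C:\Windows\mydoc.rtf"},
    *[{"ts": 2, "type": "process_create", "pid": p, "image": SYSWOW + n, "cmdline": n}
      for p, n in zip((4512, 3668, 3612, 4940), DROPS)],
    {"ts": 2, "type": "process_create", "pid": 3036, "image": W,
     "cmdline": f'"{W}" /n "C:\\Windows\\mydoc.rtf" /o ""'},
    # WOW64 redirection: the command line names system32, the real image is SysWOW64.
    {"ts": 3, "type": "process_create", "pid": 1232, "image": SYSWOW + "frflvhui.exe",
     "cmdline": r"C:\Windows\system32\frflvhui.exe"},
    # Benign control (constructed): Word opening a user document must not fire R3.
    {"ts": 4, "type": "process_create", "pid": 7000, "image": W,
     "cmdline": f'"{W}" /n "C:\\Users\\Admin\\Documents\\notes.docx"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(summarise(detect(EVENTS)))
```

      Run against these events the rules fire four times for R1 (one per executable written), five times for R2 (four first launches plus the re-launch as PID 1232) and once for R3; the benign Word launch produces nothing. In a real deployment R2 should also require the written file to be new rather than an update of an existing signed binary, otherwise installers and Windows Update will trip it.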

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

              Filesize

              35KB

              MD5

              f290a0f000202d65c447c688e5b8e587

              SHA1

              d3d95890cdd64ceb97ebbce72516d012fcbb52b9

              SHA256

              a59c8cbb3b3f2884e1b8645cbd3be4d06f45559d7c34af095b88a8b0444f94d1

              SHA512

              a3b2f99680dac2b5f8acfc62adf1d068a3de8278501e9acb918f89ba2c21cd1340fb985f2a592198a36ca1a2c21f6c980850ec0c633d05b7327280e667d712ff

            • C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

              Filesize

              4KB

              MD5

              ed1c60e9a7a92edcab339f7ee087e387

              SHA1

              88f8f6c911931da7e87f20ba56d19ccf2c015417

              SHA256

              ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3

              SHA512

              2ecc0b336db1f9d6b3d4d6880980f27a8a4e9ce7eb25a12b095beb28075d793fc7667f06d7bc4512548393d0374885e8739514b96173aaefa44d7baf434f24a2

            • C:\Windows\SysWOW64\caacrhhtiurqzhb.exe

              Filesize

              32KB

              MD5

              c4954c3e34399ab695a33fc63c8dcddd

              SHA1

              d0599623fcffa3c8f3fdac433cdc31b41708a8bb

              SHA256

              e663ff56deaaf66bd7ec29eedae945fc243acea394a8c926b9f81b6ae66561e1

              SHA512

              b485ce384e71e320882bbc1c03459130bed231ed0c99a977a45183901a87ae0775d44884f481e43cc4a8d2f712e137fdfd8fba2839d1a321f0eb29dcf4495b9f

            • C:\Windows\SysWOW64\frflvhui.exe

              Filesize

              40KB

              MD5

              b4aeec33bcb8b7c2a068b715d66bcbd9

              SHA1

              6f7ce51dd0077af2093d1534515af3685efbad7e

              SHA256

              372171bf4b7ffbe6a80b250c22e0fc33fb8e67fc45d1fb42da0cdfaac8fae984

              SHA512

              b5204500110ebbe1c63829eb8f301dab923dc355d41350c9c06439d170f7fee2e76f43e3e702dacac0de600fca93bb42c3505b8d298a227a7cde84091d4f65ba

            • C:\Windows\SysWOW64\xglufnyjap.exe

              Filesize

              28KB

              MD5

              4e0010bbd9d1ede0229431225d11b4c0

              SHA1

              3055bc9fc94f0accbc71b0fce6639d928989994f

              SHA256

              a59fa0a915002b316ee260d8bf62e49fbd5afae9c80922b28311d657dcf24b7a

              SHA512

              c60c6b398f54682130c2fc9010c304d9e35ed73155ae72c2ea42eebc2f62e5912a29c152cecf4ec6123b45aab4c98d7494b1e501a54011219ca5b8817e1c2ea9

            • C:\Windows\SysWOW64\xglufnyjap.exe

              Filesize

              4KB

              MD5

              37103ab666d76a6537f43f1b58610180

              SHA1

              6eecdfa4a77bb74c62f84bdaee4f1f753dc5157d

              SHA256

              1ce07688e89f9e830041ba37ca9d44a2b3e8f4d65b2a656cfe5a7d816e36d95f

              SHA512

              ac6c49dcaf59209302129765d9a5583b3ddbb0e9e95a4430e0c6532260481f0156551e364306aa661fa056421020c26cb26958d026868213ae2e5dbb0331c9a4

            • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

              Filesize

              17KB

              MD5

              add1e2713483deb75c7f6fceaf4d3dcd

              SHA1

              24369b1ab5aaeb22033b7eebf7bfb33568f7f0ca

              SHA256

              1ca73d664453b42c8c7f7238787d41f8ae8c484eb3f429696a953be07a019a30

              SHA512

              f86776176c454202a045738ee4e80046fe10462371e91678679e14a5ee061b02454d37683b99cdd01bfb07b8e325504be03394caa20519b23e7df4a7dc0cf90c

            • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

              Filesize

              60KB

              MD5

              ce87d1185f9e0d44ebfed1431c83c9ed

              SHA1

              11237f5a6d83facfb41da7e58c25a55f3ac2846e

              SHA256

              fbe6e76269aff274f56ef1a82ad5f5e9024fc46af718f56185cf9be3b43fc734

              SHA512

              7fa0c5e198c60863fa4c90ac39c795acd00dac6cefc84042110eee79a1d8cddda65e5752e2718f8e084f1acbc0565a6c59bf26470c7952c45ab37bf830336424

            • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

              Filesize

              16KB

              MD5

              941b0cb20a8f245d97bb40d990f78281

              SHA1

              2d7a037cf08562148d9b7347a0e3e00d223f8d9d

              SHA256

              e42b962cdb2fcc8603dea723fa7780fd9f2c2ccbeae0f322c87989956a37b281

              SHA512

              868e35b594230ee604e6068381807a190b7a9c817dd4e202c681a1ec88712cab5118c392dfea957c4c03b391b55e9c8c1c38e2b96a7323b5e2b56a750ea87343

            • memory/824-0-0x0000000000400000-0x0000000000496000-memory.dmp

              Filesize

              600KB

            • memory/3036-54-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-46-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-47-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-48-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-51-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-52-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-53-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-44-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-56-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-57-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-55-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-50-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

              Filesize

              64KB

            • memory/3036-49-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-45-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-41-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-40-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-38-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-37-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-58-0x00007FFF0EFF0000-0x00007FFF0F000000-memory.dmp

              Filesize

              64KB

            • memory/3036-104-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-43-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-42-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-39-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-144-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp

              Filesize

              2.0MB

            • memory/3036-143-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-142-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-141-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB

            • memory/3036-140-0x00007FFF11150000-0x00007FFF11160000-memory.dmp

              Filesize

              64KB
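
      Several paths in the list above (caacrhhtiurqzhb.exe, xglufnyjap.exe, MsoIrmProtector.doc.exe) appear more than once with different sizes and hashes: distinct contents were observed at the same path during the run, and each hash is a usable indicator. Before feeding such a list to a hunting tool it pays to normalise it: strip the \??\ object-manager prefix, convert sizes to bytes, check that every digest has the right length (a SHA-256 truncated by copy-and-paste silently matches nothing), and parse the memory entries so the address range can be checked against the listed dump size (PID 824's 0x400000-0x496000 region is 0x96000 = 614400 bytes, exactly the listed 600KB). The parser below is an added example, not tooling from the sandbox; SAMPLE is an excerpt of the entries above plus one constructed, deliberately malformed entry to exercise the check.

```python
"""Added example: normalise the sandbox's dropped-file / memory-dump list into
IOC records and sanity-check them. Not part of the sandbox report or its tooling."""
import re
from collections import defaultdict

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.I)
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$")


def win32_path(path):
    """Turn the NT object-manager form (\\??\\c:\\...) into a plain Win32 path."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if re.match(r"^[A-Za-z]:\\", path):
        path = path[0].upper() + path[1:]
    return path


def parse_artifacts(text):
    """Parse '• name' entries followed by 'Filesize' / 'MD5' / ... label-value pairs."""
    records, cur, i = [], None, 0
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            name = ln[1:].strip()
            m = MEM_RE.match(name)
            if m:  # memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
                start, end = int(m.group(3), 16), int(m.group(4), 16)
                cur = {"kind": "memory", "pid": int(m.group(1)), "start": start, "end": end,
                       "region_size": end - start, "size": None, "hashes": {}}
            else:
                cur = {"kind": "file", "path": win32_path(name), "size": None, "hashes": {}}
            records.append(cur)
            i += 1
        elif cur and i + 1 < len(lines) and ln == "Filesize" and SIZE_RE.match(lines[i + 1]):
            m = SIZE_RE.match(lines[i + 1])
            cur["size"] = int(float(m.group(1)) * UNITS[m.group(2).upper()])
            i += 2
        elif cur and i + 1 < len(lines) and ln.lower() in HASH_LENGTHS:
            cur["hashes"][ln.lower()] = lines[i + 1].lower()
            i += 2
        else:
            i += 1
    return records


def validate(records, tolerance=0.05):
    """Report malformed digests and memory dumps whose listed size disagrees with
    their address range by more than `tolerance` (sizes in the report are rounded)."""
    issues = []
    for r in records:
        label = r["path"] if r["kind"] == "file" else f"memory pid {r['pid']} 0x{r['start']:x}"
        for algo, value in r["hashes"].items():
            if not HEX_RE.match(value) or len(value) != HASH_LENGTHS[algo]:
                issues.append(f"{label}: {algo} {value!r} is not a {HASH_LENGTHS[algo]}-hex-char digest")
        if r["kind"] == "memory" and r["size"] is not None:
            if abs(r["size"] - r["region_size"]) > tolerance * r["region_size"]:
                issues.append(f"{label}: listed {r['size']} bytes vs region {r['region_size']}")
    return issues


def by_path(records):
    """Group file records by path; several entries under one path are distinct contents."""
    groups = defaultdict(list)
    for r in records:
        if r["kind"] == "file":
            groups[r["path"]].append({"size": r["size"], **r["hashes"]})
    return dict(groups)


# Excerpt of the report's own list (values copied from the entries above), plus a
# constructed, deliberately broken last entry that exercises validate().
SAMPLE = r"""
• C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
  Filesize
  35KB
  MD5
  f290a0f000202d65c447c688e5b8e587
  SHA1
  d3d95890cdd64ceb97ebbce72516d012fcbb52b9
  SHA256
  a59c8cbb3b3f2884e1b8645cbd3be4d06f45559d7c34af095b88a8b0444f94d1
• C:\Windows\SysWOW64\caacrhhtiurqzhb.exe
  Filesize
  4KB
  SHA256
  ef9e1d6f16e23f8640444b0070a2f899eef71f15354263a7d8fb43451b8810b3
• \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
  Filesize
  17KB
  SHA256
  1ca73d664453b42c8c7f7238787d41f8ae8c484eb3f429696a953be07a019a30
• memory/824-0-0x0000000000400000-0x0000000000496000-memory.dmp
  Filesize
  600KB
• memory/3036-54-0x00007FFF510D0000-0x00007FFF512C5000-memory.dmp
  Filesize
  2.0MB
• C:\Windows\SysWOW64\constructed_bad_entry.exe
  Filesize
  1KB
  SHA1
  deadbeef
"""

if __name__ == "__main__":
    recs = parse_artifacts(SAMPLE)
    for path, versions in by_path(recs).items():
        print(path, versions)
    print(validate(recs))
```

      On the excerpt the parser yields six records; caacrhhtiurqzhb.exe groups two versions, PID 824's region size equals its listed 600KB, PID 3036's 2.0MB is within rounding of the 0x1F5000-byte range, and the only issue reported is the eight-character SHA1 of the constructed entry.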