Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/01/2024, 19:37

General

  • Target

    a91ea79a692b6b7cdda92c6a588386f8.exe

  • Size

    512KB

  • MD5

    a91ea79a692b6b7cdda92c6a588386f8

  • SHA1

    d1acc93a5257f3c64bbec46bc923c66f78fc8353

  • SHA256

    d86d042c8681af6deee373b23f0dc4b3cdcfe4775aa73da1975a7f9ae733fa3a

  • SHA512

    9b440dc43a8a8c8fe82c3f2978b25af7f21fb24f21980fcdf93959d191cd562f917437c44052abb8ce2d153b56234dd4722f237f1fb7bf0223e7994a3dfff905

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe
    "C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\dupwvtkpgl.exe
      dupwvtkpgl.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\jadatwvj.exe
        C:\Windows\system32\jadatwvj.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2172
    • C:\Windows\SysWOW64\sigtwzommipquan.exe
      sigtwzommipquan.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1460
    • C:\Windows\SysWOW64\jadatwvj.exe
      jadatwvj.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1212
    • C:\Windows\SysWOW64\szeauakyzohfa.exe
      szeauakyzohfa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2960
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:2176

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    6eea7f31a600911c7815ba48142bd2c8

    SHA1

    b4df559594445dcd6427639984f74f6ab6b12e94

    SHA256

    95642b59ccd3ec2a3d302340d942795859607ff9441e74992cbe97afa17df9f4

    SHA512

    51b56c53843447afd4774459cbfd983fc087d29c04c10f92178ef7f9855e9078461a6c094b86a1b983eb7063b0235c5813adc81185b1f87c203918e614d9d256

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

    Filesize

    20KB

    MD5

    73e9f0d4fbad95d409437bd37e431931

    SHA1

    bce799d523dbe19d3ad15dc0f36bee8b613802ed

    SHA256

    fea042645b5918f0ab3091e24ce962c4f9b8474dca344b03e960e3b5f4840fde

    SHA512

    3eec9a6aa6e67ed3f002199a683d79f6a8bff9065b800530a02a04045f02ad5d1011b014ef674d3d689da6b92d6b10f6d862d2e8d49106e6d2aefac0d035b6de

  • C:\Users\Admin\Documents\ConvertUnregister.doc.exe

    Filesize

    512KB

    MD5

    abf67e55313251022e001a397e96e435

    SHA1

    c32eabfa28e7ab157644e1b232141f6e3f02b679

    SHA256

    e70315cf5e3384474eff686b90e8db1e71f7bd0f52eb365cf734a5743387885d

    SHA512

    659cb8b8dc7dda21514a6fea26b51875bb6474c6f44d2b99eabcce2e162762241efeee43f16855ed2907fb1207d83d500f71624bdfb27cd5f98429b30cc74eb4

  • C:\Windows\SysWOW64\sigtwzommipquan.exe

    Filesize

    512KB

    MD5

    671d5447bbcc8d8fd781259309c657bb

    SHA1

    cf9c35705d68952be42d5719e6b22b5d0bef7ba5

    SHA256

    423bd936ebb93c7c01752cd691737c538731102ddc07d51bf1aeae3c0eb45365

    SHA512

    8cbe169fac544689c8e815108f7b0ed9ffd314c873590669b6e06d0214e9e011dfd2b4ba0615a4ba87d227445f4ef211020205343d89237eb9355618b78938fc

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\dupwvtkpgl.exe

    Filesize

    512KB

    MD5

    adfa23b90f169f7c82d2ed47ef5ab266

    SHA1

    5cacfd4c413664fd18f39e9bad4a59fdc59aed03

    SHA256

    6a54fc65ce0d9abc620ce0afac439fddbda85b7d4573414a29aa0a1e78ae10f2

    SHA512

    71697e13b5d5baa71fc91ab4e00ed4ba147edf8bcf00c1234849d2c67be1c97f761fa4f856a9b6ebae2290cfac24ae12551687483b59057357e685a7b341a21f

  • \Windows\SysWOW64\jadatwvj.exe

    Filesize

    512KB

    MD5

    bb78b8f8859cdc6ea0616178df9d0c10

    SHA1

    7f8d7e0906ee5a68cfee55c6dc9f408b406c8f03

    SHA256

    3c5740c4ed4af7eeac476a83c4ae33dd32ce3ae53ca9ffd5418e996e3145e0c2

    SHA512

    124f261207cd72a82499d9dcac8a0254d7c8616d723864c59589504607f78d0fb7cfe7d7847e3ee9939eabbc704b6b7ea183a245757b7733b4e2e363c58b0b64

  • \Windows\SysWOW64\szeauakyzohfa.exe

    Filesize

    512KB

    MD5

    390ff42e081bbfc323a0f522d31aee44

    SHA1

    2d87ee39e5ed9d85180695092bee312f4be81470

    SHA256

    d302261d61e7f788400a5c16e8b0190b6ab9bec47dc738b1182d5c0f0d949960

    SHA512

    386d9d2451c6b298d4ffcdb31162c405519f4ad3f5a324e4371e9155728611cd1af444e27bae08d763f7e10b0f3c89a9314a0198c0b4fcedecfcf55de73adc05

  • memory/1180-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2628-47-0x0000000070E3D000-0x0000000070E48000-memory.dmp

    Filesize

    44KB

  • memory/2628-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2628-45-0x000000002FE31000-0x000000002FE32000-memory.dmp

    Filesize

    4KB

  • memory/2628-82-0x0000000070E3D000-0x0000000070E48000-memory.dmp

    Filesize

    44KB

  • memory/2628-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB