Overview

overview

10

Static

static

5

aa2cab0241...e5.exe

windows7-x64

10

aa2cab0241...e5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2024, 19:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa2cab0241781a572a4dc3e33bfe73e5.exe

  • Size

    512KB

  • MD5

    aa2cab0241781a572a4dc3e33bfe73e5

  • SHA1

    276b64512c473f9015938b249498a2635608f5d1

  • SHA256

    fe77ab007c8ae2130dafffab4e8fd2545abc3736cfc028f45b573848a08051f5

  • SHA512

    abf6113b00cb8ad96eace6f21bbac4644b36bbfb5090accc960d5b9c4657c910756c12b6168ecbb9b2522b48d5699b95b8d1a26010a93fe2c477f10ee797e790

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa2cab0241781a572a4dc3e33bfe73e5.exe
    "C:\Users\Admin\AppData\Local\Temp\aa2cab0241781a572a4dc3e33bfe73e5.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\pzwnszxmdajorwk.exe
      pzwnszxmdajorwk.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1808
    • C:\Windows\SysWOW64\bxniltgoijebd.exe
      bxniltgoijebd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1384
    • C:\Windows\SysWOW64\dqhisbms.exe
      dqhisbms.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4372
    • C:\Windows\SysWOW64\pfbqmovuqk.exe
      pfbqmovuqk.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\dqhisbms.exe
        C:\Windows\system32\dqhisbms.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4212
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4792

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    22KB

    MD5

    d396bafcd991e8f0c30c9494d5c2a468

    SHA1

    3446b621be6db90124a6a9a231e7d02cda9a9b0c

    SHA256

    6d802668a69425f210297eb1fe46fc7105aeb07d09a982bcfce891a670440ed4

    SHA512

    88cbfc330851c1c294e4f6eba8cf82c8ee477a2cd8529e61431e7f13c26a1d1752322bb2699c6185b6c985795c25dd1dd30b74256aa58c54bacaaee4a59c104e

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    31KB

    MD5

    e35e129647c372c443909d11239fdad3

    SHA1

    5795d9ede0c5712e9f104218f34702e1f45bbf3c

    SHA256

    6c3344e867c0ce6e2380887802cee0be426f5f603545d138c4cd3e70ccea505b

    SHA512

    72b1cd681c31aba0d053339187258bbb6c0e5f3e2d62c66e2f11f6019c2909d8b6d3f8f414a5cc3ad9aa082446aa121877c0b94336678964c976593a0edcc5e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    0c59a5f4b604bdb95d678de25e7be485

    SHA1

    b2f63dc74e24096cfaec01add4039bb6b4221650

    SHA256

    4f67992a112a96b5f8fee2357028d149d02be8c07cfff8b729fc33ad27ab5561

    SHA512

    9e31d6948d8d5d1ad4b8ec7ee4910eebda596ca73fd23dd72401e400c661b993b04ce907aa796597773feb9ef6f598b0c852b091996ec03d6bf69b74d5054e4b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    26aa7c68475db4700c78551920ee0eee

    SHA1

    6950d51f2c5eddba6431f3540bbe3fd18e687788

    SHA256

    dd1c141331dfa094513ac96152318f56b4632ef4077136f2a8d8a7a242d1b475

    SHA512

    b323ebe5ff07c16c0ad96c122f4be2099bb760342f209e3ef654c1ee8fbbf2a949c151fecdd7204012c9d5702386ce257361e21e2fe6fc4a85df351bf45e35ab

    Download Submit

  • C:\Users\Admin\Desktop\TestRestore.doc.exe
    Filesize

    12KB

    MD5

    2526980684884c9627a06a267c12ff10

    SHA1

    918584e64576e6a41b11e9c66681131c38b981c4

    SHA256

    7e553dace34f2f3d7c05398976fe2dc00e15ef193ade36461f1aa22df7c6db59

    SHA512

    a4e97cdca62a1e1cbfda6ca70dc3f084ac7220d58919b320095774f971b54856112be66841bc3a01fe1ed2db077930ea84f5e528bac8c5e40e892ce57fb01f85

    Download Submit

  • C:\Users\Admin\Music\ResumeUnprotect.doc.exe
    Filesize

    57KB

    MD5

    3a81bb7f89fff51fd80d1e9e1e60471f

    SHA1

    7c04e73b47855108f7cb0f1f8e76b71078d74158

    SHA256

    7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e

    SHA512

    d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

    Download Submit

  • C:\Windows\SysWOW64\bxniltgoijebd.exe
    Filesize

    89KB

    MD5

    189db9979f8404849f77cbdd6926c32b

    SHA1

    1cf79dd909df2343dcbb27764d33532f403ecc46

    SHA256

    1d7c69e288621a0a6f480924b369812faff78d58733a06b84d3fa06898ca5aa2

    SHA512

    06a7aea437a97e1da9f7778e4040ed3cf46e2f8038341855e0fa303cf1fb14c0b4698b297230566a7f74c6518ebe585f715d2dbe3d229debf73cd4c8e89314e3

    Download Submit

  • C:\Windows\SysWOW64\bxniltgoijebd.exe
    Filesize

    118KB

    MD5

    23428d64ca2901494df6e7db7992835b

    SHA1

    054a2db21b9e223104180835b89c45e186aae426

    SHA256

    9899bc4778c18600c2eb25ba04a534d938bb904573e72cdd2d2f35fb8c758550

    SHA512

    02fc64d40ef108f4edafa5159c7c00a132d4b97fdf57b7c72989d43538771f982257aeb52cba88ed7685ba8c3fac098cf37be79b07106f47b7ebd0caedeaf5cc

    Download Submit

  • C:\Windows\SysWOW64\dqhisbms.exe
    Filesize

    99KB

    MD5

    9bce0d8644b72c862c07071d7901d27f

    SHA1

    cc2ed2c78814f90a3f405ea1789c3be8d2b165f2

    SHA256

    1b3975cafa8859c8ebef939b0808f246ff57d8793921a7a7aab3968c729e257c

    SHA512

    a8543e0de4759c7e858ca5c94a621f7453bf7517853be1bc57f1756f37a6beec482b9a08a01fc14727c6815d7c11e40ab82a60a6fde4541c1b52a215e29cb6ba

    Download Submit

  • C:\Windows\SysWOW64\dqhisbms.exe
    Filesize

    109KB

    MD5

    26c33fc2aed7c132b6b532cb70f28e5b

    SHA1

    5935442f649091fbe1ae97a0b368b4a6269f963b

    SHA256

    8b8b81bcb840a3a398580b8a3eb51f072fa9b7dcd507b83bba9741508dcb410d

    SHA512

    88a95b26a943242ae6f0982f9017b272fb6ea66116c99ee62008e6b1305ab5da03111936699bc69970eec5f0aa99f2bfa21e9888427a9e34775080c7d080477b

    Download Submit

  • C:\Windows\SysWOW64\dqhisbms.exe
    Filesize

    5KB

    MD5

    3601637820e14acd7e2416ebd0a8b4e2

    SHA1

    ca8f9fecad119786d854dece99a9fef6863206a2

    SHA256

    b5fab74ba597f213400a36cd7d59b59f2834b1c8049a9f709d10e3a01e80b7da

    SHA512

    90c620ef358c6183473fe3d5781200c9053be3411167310ec65956173054b77964119b7d1f7c9c5f2e77c56dd29f7ab0a1ba72dfaaf9252bc1c2ec5e2cb82997

    Download Submit

  • C:\Windows\SysWOW64\pfbqmovuqk.exe
    Filesize

    107KB

    MD5

    a6148729747d82d1ac71701d71153543

    SHA1

    27e0b70e9379682436b7fea03cdb65f70bc41120

    SHA256

    596398c335fc4f20995a800b091b7c236ac206781df6cba06516e11c29efddd8

    SHA512

    b872ebc08bef8c15d2f3e276587415ed071b669ee06e7f11fb71ff6dabf46e0e64b25c50a4d195cc0e8bb9c14a9ad228ba5ec193aebe3323f223ece41dad9d1d

    Download Submit

  • C:\Windows\SysWOW64\pfbqmovuqk.exe
    Filesize

    94KB

    MD5

    56a8016bcafb1aaac26e641b848e2c3a

    SHA1

    43e05081463aa7d4b7d3d1795d437e5cdd1675b0

    SHA256

    353a22a8c5594d278da619d691e267a2c74e83e9be8c1c2f4949b3f84d3244c6

    SHA512

    8e9e4eb2802a4d8fef2c87eb63483da8cd0088e0a47db44a6258192fb890855cf20cb807e19f43db5c0faa52ead4752ac75d7ab20dddfbe52f2c0fb190971832

    Download Submit

  • C:\Windows\SysWOW64\pzwnszxmdajorwk.exe
    Filesize

    105KB

    MD5

    d26aa2d8a525542e3b8aec65cb9c3327

    SHA1

    f85b77d8221bfdd3ed5b5625cf60c5dbf5295a1d

    SHA256

    f21210aeb390605db42c887a5d430ec0029f24c77209596dcf9fe673ecb322a9

    SHA512

    e8c9705441dd6caf279c00a582589b6993f1fe9233c29d6457960a6f99f6480ecf80af922cc1aad510bc96a9266e563e16b0179760a408959c891254d434c7c7

    Download Submit

  • C:\Windows\SysWOW64\pzwnszxmdajorwk.exe
    Filesize

    107KB

    MD5

    2ee12f1b4a274f92006f9f4ad95a3cee

    SHA1

    452079404908796ac32cc0e4c318b214dea1fb0d

    SHA256

    6b59967a8ba23a7e283cdb8c7adfaa010944bd031dd4ec3d99028d3722eea9f6

    SHA512

    7df3dadf6bb09cc867833d46c540c25d03beeb9479bdae1a07a0ea5cc4251f9728aa10cda0cf108e46c9bbf30315c54571d0bf59832b263b763f09cfb0ff6744

    Download Submit

  • C:\Windows\SysWOW64\pzwnszxmdajorwk.exe
    Filesize

    151KB

    MD5

    5444e63d802cb5629598c260905d5505

    SHA1

    8b082a66349dfe903acab3828b24d1f8de7ec9c6

    SHA256

    1fa572bc62eb7b27a87b5604bf3813ce3947aed2b1980dc37940cbcf79e14558

    SHA512

    486f0021b574e7c80eeb74f1a683718a44598194d3054176f0b268ff1e71b8803865f623d66a88d73160963c140d71baaa6b035cbf1dbc53b2d5d836578537ca

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Users\Admin\Desktop\SaveUndo.doc.exe
    Filesize

    39KB

    MD5

    9e1ac8bb7df86e9f6f120b439daf35f9

    SHA1

    2d5ab6b65fac35f5c20da55616868cf181c6d24e

    SHA256

    becd8faeaa233f7e8c66998413299414180e10aba06fb0d7a329ef0897a4e097

    SHA512

    24d644cc85b9a56d99100523f406951dabf6ab21862d9dbaa5dfaa20a5e483abeae491af325eaf2d9092dcd78cdb3238ff324d57f8ddcaccf332c7b1cbe1a6bf

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    251KB

    MD5

    0539f4d632179be94cd284a9d13af823

    SHA1

    1cad898b18b02605f8e5c69df4ca77bd221a62ca

    SHA256

    173dc3355953db71f18655bbcc8464e383684a815fa518eb6e57f1e4d943e03a

    SHA512

    86d909f6548cd03b1bee2cdb5ee72396d27657fd4d31867bc8e2d81a276e8877a6d88d13643812c886870ceea23cf633c1c839bffc417f1f4eb4d26e6c3bc0e4

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    140KB

    MD5

    46483b729cc7663748a9fd4697973291

    SHA1

    174c0b742470e3c644cd7b19fe48141be023c4c7

    SHA256

    c88c54371e4fd228abc56aaa163ea689e1ce6a4bc03dc9894cccc208b486f1a2

    SHA512

    f4cdcc36fb58b7f161f54f22015f38f9fc4ee1d98371aa85036718dd20091684a6ca1d2204fc20bb60882290b8cc26c65b1061ca522f8eb8c6d7559560ac0168

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    153KB

    MD5

    3ce0263ec22d797ca5e15a7bee7b7d04

    SHA1

    bcaecb2bbb9d5b63aebfed9435331adf0396e28c

    SHA256

    042b6012dd3e28dc08f094e89d36883bde97e88e124f75b19a874501dbe58b02

    SHA512

    b9fb8b6922afbd617b40f0af8fe7e4f1f48640773982142d99380d220c8c246f51374d16ed482de42c4bfa3fe1e32a5f85a2484270dcc93f12a485bb08045445

    Download Submit

  • memory/988-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4792-45-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-43-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-57-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-52-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-50-0x00007FFBA9B50000-0x00007FFBA9B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-49-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-42-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-58-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-40-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-39-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-37-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-36-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-55-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-56-0x00007FFBA9B50000-0x00007FFBA9B60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-54-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-53-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-51-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-59-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-48-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-47-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-41-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-38-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-35-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-130-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-131-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-132-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-155-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-156-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-157-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-158-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4792-160-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-159-0x00007FFBEC2F0000-0x00007FFBEC4E5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4792-154-0x00007FFBAC370000-0x00007FFBAC380000-memory.dmp

    Filesize

    64KB

    Download