Overview

overview

10

Static

static

5

473c7c2b53...de.exe

windows7-x64

10

473c7c2b53...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    08/01/2024, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    473c7c2b5312e33799192b66183cc9de.exe

  • Size

    512KB

  • MD5

    473c7c2b5312e33799192b66183cc9de

  • SHA1

    efc8a29120e6c57e6360eed84b0173d1683b7a5b

  • SHA256

    17417d614536e55eec8bafb4a56b45c8000e7543f16b9cccc944d57fe07ca9b5

  • SHA512

    271e64924d1af77788a72273d6d6cc1b9960a085262b76a4278b2f37f45cad61363cc2a259b929a538d8a59a3ae9bf0b09dff190d42b7ab6e3dcde2885b6a65c

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5y

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 19 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\473c7c2b5312e33799192b66183cc9de.exe
    "C:\Users\Admin\AppData\Local\Temp\473c7c2b5312e33799192b66183cc9de.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\bcaalhmhicsfbug.exe
      bcaalhmhicsfbug.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2208
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
        PID:2568
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:2804
        • C:\Windows\SysWOW64\atgdhmkupkbkg.exe
          atgdhmkupkbkg.exe
          2⤵
          • Executes dropped EXE
          PID:2656
        • C:\Windows\SysWOW64\yksegdmm.exe
          yksegdmm.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2544
        • C:\Windows\SysWOW64\mljvkdlkxl.exe
          mljvkdlkxl.exe
          2⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Windows security bypass
          • Disables RegEdit via registry modification
          • Executes dropped EXE
          • Windows security modification
          • Modifies WinLogon
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2176
      • C:\Windows\SysWOW64\yksegdmm.exe
        C:\Windows\system32\yksegdmm.exe
        1⤵
          PID:2576
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:2424

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1968-0-0x0000000000400000-0x0000000000496000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2424-75-0x0000000004130000-0x0000000004131000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2424-78-0x0000000004130000-0x0000000004131000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2568-45-0x000000002F4B1000-0x000000002F4B2000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2568-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2568-47-0x000000007193D000-0x0000000071948000-memory.dmp

            Filesize

            44KB

            Download

          • memory/2568-76-0x000000007193D000-0x0000000071948000-memory.dmp

            Filesize

            44KB

            Download