Analysis
max time kernel: 1s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 08/01/2024, 02:12
Static task: static1
Behavioral task: behavioral1
Sample: 473c7c2b5312e33799192b66183cc9de.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 473c7c2b5312e33799192b66183cc9de.exe
Resource: win10v2004-20231215-en
General
Target: 473c7c2b5312e33799192b66183cc9de.exe
Size: 512KB
MD5: 473c7c2b5312e33799192b66183cc9de
SHA1: efc8a29120e6c57e6360eed84b0173d1683b7a5b
SHA256: 17417d614536e55eec8bafb4a56b45c8000e7543f16b9cccc944d57fe07ca9b5
SHA512: 271e64924d1af77788a72273d6d6cc1b9960a085262b76a4278b2f37f45cad61363cc2a259b929a538d8a59a3ae9bf0b09dff190d42b7ab6e3dcde2885b6a65c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" mljvkdlkxl.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" mljvkdlkxl.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" mljvkdlkxl.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mljvkdlkxl.exe
Executes dropped EXE 4 IoCs
pid Process
2176 mljvkdlkxl.exe
2208 bcaalhmhicsfbug.exe
2544 yksegdmm.exe
2656 atgdhmkupkbkg.exe
Loads dropped DLL 4 IoCs
pid Process
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" mljvkdlkxl.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" mljvkdlkxl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" mljvkdlkxl.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral1/memory/1968-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
Drops file in System32 directory 8 IoCs
description ioc Process
File created C:\Windows\SysWOW64\yksegdmm.exe 473c7c2b5312e33799192b66183cc9de.exe
File opened for modification C:\Windows\SysWOW64\yksegdmm.exe 473c7c2b5312e33799192b66183cc9de.exe
File created C:\Windows\SysWOW64\atgdhmkupkbkg.exe 473c7c2b5312e33799192b66183cc9de.exe
File opened for modification C:\Windows\SysWOW64\atgdhmkupkbkg.exe 473c7c2b5312e33799192b66183cc9de.exe
File created C:\Windows\SysWOW64\mljvkdlkxl.exe 473c7c2b5312e33799192b66183cc9de.exe
File opened for modification C:\Windows\SysWOW64\mljvkdlkxl.exe 473c7c2b5312e33799192b66183cc9de.exe
File created C:\Windows\SysWOW64\bcaalhmhicsfbug.exe 473c7c2b5312e33799192b66183cc9de.exe
File opened for modification C:\Windows\SysWOW64\bcaalhmhicsfbug.exe 473c7c2b5312e33799192b66183cc9de.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 473c7c2b5312e33799192b66183cc9de.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 19 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C77B15E1DABEB8BD7F97EDE737CD" 473c7c2b5312e33799192b66183cc9de.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B1214494399853C9BAD63298D7CB" 473c7c2b5312e33799192b66183cc9de.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC834827856E9130D72A7DE5BC93E632593567456335D7EA" 473c7c2b5312e33799192b66183cc9de.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" mljvkdlkxl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh mljvkdlkxl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" mljvkdlkxl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0F9C2382596A3776D470532CAE7C8664AC" 473c7c2b5312e33799192b66183cc9de.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACEF917F198837C3B3286963999B0FD028C4212033FE1CC459E08D4" 473c7c2b5312e33799192b66183cc9de.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf mljvkdlkxl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg mljvkdlkxl.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 473c7c2b5312e33799192b66183cc9de.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB8FE6D22DBD10BD0A08A7B9016" 473c7c2b5312e33799192b66183cc9de.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
Suspicious use of FindShellTrayWindow 11 IoCs
pid Process
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2544 yksegdmm.exe
2544 yksegdmm.exe
2544 yksegdmm.exe
2208 bcaalhmhicsfbug.exe
2208 bcaalhmhicsfbug.exe
Suspicious use of SendNotifyMessage 11 IoCs
pid Process
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
1968 473c7c2b5312e33799192b66183cc9de.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2176 mljvkdlkxl.exe
2544 yksegdmm.exe
2544 yksegdmm.exe
2544 yksegdmm.exe
2208 bcaalhmhicsfbug.exe
2208 bcaalhmhicsfbug.exe
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 1968 wrote to memory of 2176 1968 473c7c2b5312e33799192b66183cc9de.exe 25
PID 1968 wrote to memory of 2176 1968 473c7c2b5312e33799192b66183cc9de.exe 25
PID 1968 wrote to memory of 2176 1968 473c7c2b5312e33799192b66183cc9de.exe 25
PID 1968 wrote to memory of 2176 1968 473c7c2b5312e33799192b66183cc9de.exe 25
PID 1968 wrote to memory of 2208 1968 473c7c2b5312e33799192b66183cc9de.exe 20
PID 1968 wrote to memory of 2208 1968 473c7c2b5312e33799192b66183cc9de.exe 20
PID 1968 wrote to memory of 2208 1968 473c7c2b5312e33799192b66183cc9de.exe 20
PID 1968 wrote to memory of 2208 1968 473c7c2b5312e33799192b66183cc9de.exe 20
PID 1968 wrote to memory of 2544 1968 473c7c2b5312e33799192b66183cc9de.exe 24
PID 1968 wrote to memory of 2544 1968 473c7c2b5312e33799192b66183cc9de.exe 24
PID 1968 wrote to memory of 2544 1968 473c7c2b5312e33799192b66183cc9de.exe 24
PID 1968 wrote to memory of 2544 1968 473c7c2b5312e33799192b66183cc9de.exe 24
PID 1968 wrote to memory of 2656 1968 473c7c2b5312e33799192b66183cc9de.exe 23
PID 1968 wrote to memory of 2656 1968 473c7c2b5312e33799192b66183cc9de.exe 23
PID 1968 wrote to memory of 2656 1968 473c7c2b5312e33799192b66183cc9de.exe 23
PID 1968 wrote to memory of 2656 1968 473c7c2b5312e33799192b66183cc9de.exe 23
Processes
C:\Users\Admin\AppData\Local\Temp\473c7c2b5312e33799192b66183cc9de.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\473c7c2b5312e33799192b66183cc9de.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1968
  C:\Windows\SysWOW64\bcaalhmhicsfbug.exe
    Command line: bcaalhmhicsfbug.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2208
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID:2568
    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID:2804
  C:\Windows\SysWOW64\atgdhmkupkbkg.exe
    Command line: atgdhmkupkbkg.exe
    - Executes dropped EXE
    PID:2656
  C:\Windows\SysWOW64\yksegdmm.exe
    Command line: yksegdmm.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2544
  C:\Windows\SysWOW64\mljvkdlkxl.exe
    Command line: mljvkdlkxl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Modifies WinLogon
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2176
C:\Windows\SysWOW64\yksegdmm.exe
  Command line: C:\Windows\system32\yksegdmm.exe
  PID:2576
C:\Windows\explorer.exe
  Command line: explorer.exe
  PID:2424