Analysis

  • max time kernel
    152s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-01-2024 09:25

General

  • Target

    4df1df823dbd68e297bcd2f28502c39d.exe

  • Size

    512KB

  • MD5

    4df1df823dbd68e297bcd2f28502c39d

  • SHA1

    d6ddc39c3ea32887b06215f08193cdf42c364298

  • SHA256

    47be30d78bec6df66d7e40bd3d62a43f8b956c62a9215794257fbdeee2bbe5ae

  • SHA512

    fda79895654eaacd68ab0901889fc017f59145f09dae244ade6a0c199b72cdc2090642585df251d0e683e65a3d7b990bda5b90390bdb7437abada8f5d5d131b5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4df1df823dbd68e297bcd2f28502c39d.exe
    "C:\Users\Admin\AppData\Local\Temp\4df1df823dbd68e297bcd2f28502c39d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1000
    • C:\Windows\SysWOW64\teiwbdrnle.exe
      teiwbdrnle.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\hbdlpinw.exe
        C:\Windows\system32\hbdlpinw.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2664
    • C:\Windows\SysWOW64\urpofruyldbgwvf.exe
      urpofruyldbgwvf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c sbvzkgdoytxck.exe
        3⤵
        PID:2808
      • C:\Windows\SysWOW64\hbdlpinw.exe
        hbdlpinw.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2868
      • C:\Windows\SysWOW64\sbvzkgdoytxck.exe
        sbvzkgdoytxck.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2268
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2060
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
          PID:2032

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        197201cdd568d81516d750a1c6ce950b

        SHA1

        00ac90a40ea8e1567db6e269af13db0ce0e7eaeb

        SHA256

        aae9e7362f39bb992b434232002875de0ba83856bbee25ef3d3304511ac0f13b

        SHA512

        1b0965a13217b7b84cd6f21ff84c2af5654a1a9e3bf95ff69b246af6461af3d9a8462c608d7f55a694fac9434e4784faa85746ee9deaa59143d8dbc831f3e973

      • C:\Windows\SysWOW64\hbdlpinw.exe

        Filesize

        440KB

        MD5

        95ff0bdea593e5aa04307a131950c7fd

        SHA1

        a0eff902325d059732fd5c04e00af164cd818e6d

        SHA256

        78f2598606260dbd141db4765594e034ee65f9f4499ee000f9ca67031e212ff1

        SHA512

        7586df6491d293ed8eca1e3530185acd3536c73d22373077f2d9e58be7ecbcfa90e04e1246a530073ababf594a86e436cf8ca5246e2f1bafbfae072f81347f58

      • C:\Windows\SysWOW64\hbdlpinw.exe

        Filesize

        172KB

        MD5

        94fc9c02159377ebfe9ebf3e0b7b610f

        SHA1

        1e9bb7cf32c715a425fbd25987866174432566d9

        SHA256

        329d9a03156f28b3a0c65a92bae28552f7999a4c2974f2b83c02e9c6c2d99828

        SHA512

        e6b4f5d239b6bc3e1042043ed19bd2d67cbc9e57050fe0a54911af8e7a5c75de2ffc2ca16b6c7df2d2ec011ea2d844de30cf4b55123dd86d625c472343946732

      • C:\Windows\SysWOW64\hbdlpinw.exe

        Filesize

        173KB

        MD5

        ca5982da47e156618b318ddb6cee7fca

        SHA1

        69fcf856c188fd0d8fece8a554e397e7c07cb1df

        SHA256

        a09e558506dbe83726a58b1ef6be11f1256fcf10c379d195dcc3fe8c254150f4

        SHA512

        42e06e5772219cbf96817d70e2847d9dff5e0f176395d00468fcc0d887a7b0710428e5d36e3a2966696bede91230e0e905b7813be6fac98476fbc5842313dc4e

      • C:\Windows\SysWOW64\sbvzkgdoytxck.exe

        Filesize

        330KB

        MD5

        d86ccdde85025eabff0a5d64cab44c70

        SHA1

        f632cd354a769cc417bc232b66cf1d6440e4b651

        SHA256

        18c7a4afb11c83795cc0e2ac99c9ba4f8ddf7e6897bf7f0861de6df7c1656627

        SHA512

        02f14efbc002dcd062bb866d277fff41c968218229243011c0cf8363a953d03f98bdd60747cea63c034c25e0e32654ec94400eb094c150b2e64d130495b1b6a7

      • C:\Windows\SysWOW64\sbvzkgdoytxck.exe

        Filesize

        210KB

        MD5

        1b4fda7271268352a2e2a605b45abe48

        SHA1

        c740ed3322c9a898cd0ad2dec7f7f3cd0b7023cf

        SHA256

        bc4bc3c739383292100b5fe941c99fc23009fc43c16167c3fe06c373b255ffb1

        SHA512

        646ada783ab63fd63d11fd6f3c5b06b4b7717d51fbc467d59da91c3c40803d70ebe15014010e1946ab480a842af535866a48fa71483c7771195ac9dc138f5db0

      • C:\Windows\SysWOW64\urpofruyldbgwvf.exe

        Filesize

        512KB

        MD5

        9a350fc33342adcb1d6f420507ae874a

        SHA1

        9fabfd700652e47be637ddd05112126ec5404f17

        SHA256

        4be52cb3e565b67dc5555d1cec18960d463c79c594a23b629b8a0dff6c15898c

        SHA512

        ca6d67897b873bbe02341de340c61c801f8d8d46e8bf40b0359a57289c5c9e0b6764f70a014076e2e1024e80d6c9ddb855228a38d9db694dc60b13d984074a05

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \Windows\SysWOW64\hbdlpinw.exe

        Filesize

        512KB

        MD5

        9ba86e50215ebe1ef98f5b043e7ae725

        SHA1

        3f99c7bd0c6acad25f844f528da058c0fb6c3bc0

        SHA256

        3d380fa389f397f9e666b2a22224f96bdf527e37d3ccc75ad1bdf613511964c9

        SHA512

        7727bbd907d5ec68e43b0fb3a7c1cd7d2661cda544fbda6bbc3c06b90a5d6683424ad948ba1da1d5b4e0d9d498efbba7d3c802fc1238f0867a14db2fe3cca8c0

      • \Windows\SysWOW64\hbdlpinw.exe

        Filesize

        393KB

        MD5

        11b6b8eff7f1b7ed67b452dd5fe1bd61

        SHA1

        1cff8d8faa6132094e45cd7c786db62cede2d03c

        SHA256

        dfc4bb086ee7b416e01293bad3f79f50bea6a4b7662305eb71c78a876460dd4b

        SHA512

        18bcc3b130bbd8933de149512bad86ce2ff592be04e6e51e2df46c17eb1bfc3f3d74b93ac48589f1c81a160d1d9fdd4084e10152262c1d0eb6157c4708a49617

      • \Windows\SysWOW64\sbvzkgdoytxck.exe

        Filesize

        329KB

        MD5

        777b7b2b1c7122758fd5be01e8882f63

        SHA1

        fc826681699124e29f9af445d8951c2fa5add898

        SHA256

        d0f28948d513d6fc490149ca6fc8e02a982bbcf5281ca7931b9b4c08295eb1e2

        SHA512

        21632da8419b14f6f03c4c40ced8698b3356be84f985b4a0771b15efc488f61c9598971b030198405570b76c801ebb92e5bcd14be9f9ee84761253f26ee6decf

      • \Windows\SysWOW64\teiwbdrnle.exe

        Filesize

        512KB

        MD5

        7f815b13da3bae581e519669f7651cb8

        SHA1

        2f9f813d2e5b83ab812e931fa89f3882d39e42e5

        SHA256

        93a5ce01df305f396849852166e1db7e2283a819ddbfbc9728201df78c40b832

        SHA512

        fa82c4b85d608646a1286d9a8a3dee70b484d492ac1c7b0a4ee4a0950bcf419f914ccf50cfef8ae9ec78d361b6b830a4cc8cbc3b4ce6ee2ca7105e62bcca085a

      • memory/1000-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2060-45-0x000000002F901000-0x000000002F902000-memory.dmp

        Filesize

        4KB

      • memory/2060-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2060-47-0x00000000715AD000-0x00000000715B8000-memory.dmp

        Filesize

        44KB

      • memory/2060-78-0x00000000715AD000-0x00000000715B8000-memory.dmp

        Filesize

        44KB

      • memory/2060-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB