Overview

overview

10

Static

static

5

e916525822...2c.exe

windows7-x64

10

e916525822...2c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    0s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e91652582204e0b0ed5a985679370c2c.exe

  • Size

    512KB

  • MD5

    e91652582204e0b0ed5a985679370c2c

  • SHA1

    86b3bee0bf1a0d14aaca723f9593ccb1ce60979f

  • SHA256

    58e7e1de9ea84e8624aaae7dd4731ec68a6845376b77ad08c86998c42f74e07b

  • SHA512

    20c059e2d822d57b6d79da6ff5d1b5f884e745001a67d081a8111c0386f27894ae234e051b82e8377160e4762f74c360ddff145185f16074068afecb0baaac78

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e91652582204e0b0ed5a985679370c2c.exe
    "C:\Users\Admin\AppData\Local\Temp\e91652582204e0b0ed5a985679370c2c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\znfoynxfyy.exe
      znfoynxfyy.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:800
      • C:\Windows\SysWOW64\wbkmrsbq.exe
        C:\Windows\system32\wbkmrsbq.exe
        3⤵
          PID:4248
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        2⤵
          PID:2132
        • C:\Windows\SysWOW64\xzwlkgnkhgjcl.exe
          xzwlkgnkhgjcl.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3044
        • C:\Windows\SysWOW64\wbkmrsbq.exe
          wbkmrsbq.exe
          2⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2312
        • C:\Windows\SysWOW64\nxfyotxkazvrghe.exe
          nxfyotxkazvrghe.exe
          2⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4588

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SysWOW64\nxfyotxkazvrghe.exe
        Filesize

        384KB

        MD5

        0e151ec3919b72f9a6c7fe60d10f4ea0

        SHA1

        91fb01badc6db9808233ff95abf39c37982a8c85

        SHA256

        f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c

        SHA512

        41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

        Download Submit

      • C:\Windows\SysWOW64\nxfyotxkazvrghe.exe
        Filesize

        95KB

        MD5

        325d35d16810bf2ca20f49e9369ceafc

        SHA1

        16a818972ea75b6656eba8b6ca090be9e0bc8f03

        SHA256

        8798efdb1d409d30daf09e596ff0a6875f2f9b89e08c16e891206ddf0771a645

        SHA512

        a0664efd0a950150ffa3b7f79d76038579f20835e4b99043db61586a475ca9f06f1907b7cbdc46e36feb556a8d4cbf473a7f8a5aa51872a41b997c8904284893

        Download Submit

      • C:\Windows\SysWOW64\nxfyotxkazvrghe.exe
        Filesize

        416KB

        MD5

        2abeeb511cf907c6f98948f1d353d907

        SHA1

        c18056fa175d5a45f714463f6be457635e36f633

        SHA256

        ea830a674fdc9bca3d2a122319ba8a50740accad73c1cd4146f0d3f5534c338d

        SHA512

        1591d0abcb9f94ae0ae97343e8904ca05322e9a152de24e32747e733d1b86ae9f2cb11430a8902cc4d4679407e3ecc796c21ac25a1deebf1c834cfe2b9df24a1

        Download Submit

      • C:\Windows\SysWOW64\znfoynxfyy.exe
        Filesize

        157KB

        MD5

        2b86fa5d78b76d8dd71930240ffb0bf3

        SHA1

        32d61bf71aa0a7fa59ab851ff5555828d878369f

        SHA256

        9880692568a5911ed807944583e19c10ea1d0000a1dc3e972e8748938e3f88d2

        SHA512

        f96cbb126421088d5effe18db01d0349cf1dc5436fb0440665d2736c1f58045bf059b671ac5487a2c0b18da0fff17f15591865143168955e9e016b6d0337f5da

        Download Submit

      • C:\Windows\SysWOW64\znfoynxfyy.exe
        Filesize

        149KB

        MD5

        aa8615d5e073d6b347331f8ca06e73c4

        SHA1

        2ded5b731a3f88b8a0fbcf227fa75eafcb7bed1d

        SHA256

        882acb9ac6273b1d8a77258f6102e6f7942e023653286b48f27fd00b2b8dbb27

        SHA512

        8490a2c9b28ffa6d2007169b47f879144649a992589a49bc912b9534cb8661fccead9a1eed61b9ae8a8a9b605e9d34ec4c2b05668a39a70fa0cf17dba55cb216

        Download Submit

      • memory/1068-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2132-51-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-38-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-46-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-53-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-52-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-55-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-56-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-57-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-58-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-54-0x00007FFC934B0000-0x00007FFC934C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-50-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-49-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-48-0x00007FFC934B0000-0x00007FFC934C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-43-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-40-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-44-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-37-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-36-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-35-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-47-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-45-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-39-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-113-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-137-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-136-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-140-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-139-0x00007FFCD5A50000-0x00007FFCD5C45000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2132-138-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-135-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-134-0x00007FFC95AD0000-0x00007FFC95AE0000-memory.dmp

        Filesize

        64KB

        Download