Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2024 16:52

General

  • Target
    6fd1083bf5feeb646bd239a8a746071b.exe
  • Size
    512KB
  • MD5
    6fd1083bf5feeb646bd239a8a746071b
  • SHA1
    b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1
  • SHA256
    a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2
  • SHA512
    7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a
  • SSDEEP
    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe
    "C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\bynytgzeob.exe
      bynytgzeob.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\vdjxjtla.exe
        C:\Windows\system32\vdjxjtla.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2644
    • C:\Windows\SysWOW64\uzdocdmqooyceye.exe
      uzdocdmqooyceye.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2724
    • C:\Windows\SysWOW64\vdjxjtla.exe
      vdjxjtla.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2580
    • C:\Windows\SysWOW64\ywibyjqirjxhk.exe
      ywibyjqirjxhk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2940
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2444
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    Filesize
    512KB
    MD5
    f1c4c8f9a9396c617d6d99f701944cfe
    SHA1
    7165b9ba86d064bd7f4db61b12c7c64d6c037a70
    SHA256
    ff79c0fd78441c5836bac825a28da512fb22056cd482fd0fed2e331518b6ab46
    SHA512
    36f71852c162c8472faf5cbb72d003f8c03364218f4afedb4ae1649b60d5c1dee469998bd25d270ec612acd661ea1e08300aae3efde2147fca6ac847d3eac1d5
  • C:\Windows\SysWOW64\uzdocdmqooyceye.exe
    Filesize
    512KB
    MD5
    8d0f76668531af83f4fac43ef08d159f
    SHA1
    3c17d848e74d1bd0468516608826e5a3f4eb7ed0
    SHA256
    0df0a215abfaacd46d23f31b0ae796a262799ae76c3c3bd014cdc680e95c77b2
    SHA512
    53bbb3842fecab56ea053df3f26d8f562a715c47bcda5432800c8c102a7c142c86373d8fc8039994a51e037c7872a46740baf4fc60453b6e952d387a53772ded
  • C:\Windows\mydoc.rtf
    Filesize
    223B
    MD5
    06604e5941c126e2e7be02c5cd9f62ec
    SHA1
    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256
    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512
    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
  • \Windows\SysWOW64\bynytgzeob.exe
    Filesize
    512KB
    MD5
    86f0b44999e226cc9878cdad082cc6bd
    SHA1
    62fe694f6918c3c47520d9805479fea29942d52a
    SHA256
    b6a6a737a965ce5f7e2f63a572235e8e3419f7c984e5c0812b9cd27d153eb7d0
    SHA512
    6b3bd3932be93e0ba979c02d1481cc9b4980cf39cc6a6a6459eb0a86328e6676f34300692219c709e70b12f15996cedb830855cb12d9ef8439871a5ecc62e656
  • \Windows\SysWOW64\vdjxjtla.exe
    Filesize
    512KB
    MD5
    e18c745fffd23d4e3a55efebe2e86cf1
    SHA1
    923dc2b142e388b6536cec5dee11a47b52f2a31d
    SHA256
    976c7e5d03fe4138b191bfd3173b1d4283f6681dae45fb75fbd48006a452e8a3
    SHA512
    1f9b119f87086c74b8e55f0eb34ef52e303e79c99448cc51df09a580c061a7fd98ba50f47ada08f934e33030e0be8ca2d0ee72bcf1a6ecb4614c638b75a8190d
  • \Windows\SysWOW64\ywibyjqirjxhk.exe
    Filesize
    512KB
    MD5
    be0746c26aa6b6f5c3ef5fa035c75222
    SHA1
    66fe8dd7df009610033b0ae7df010a6129b68c40
    SHA256
    d6b00c1a7fa71b35186f78842ca6fd07767a72715852a87948d0124a19e710df
    SHA512
    2e1567c9e2d874e89e2e96d3837318577af2bff0c4b79df67a5bae46ae0f98088ba3ca77f101fa1ca3a7e3f198ad671fb6ddbf5387beb768cc0d32f983c0834f
  • memory/1336-76-0x0000000003FB0000-0x0000000003FB1000-memory.dmp
    Filesize
    4KB
  • memory/1336-79-0x0000000003FB0000-0x0000000003FB1000-memory.dmp
    Filesize
    4KB
  • memory/1336-84-0x0000000002630000-0x0000000002640000-memory.dmp
    Filesize
    64KB
  • memory/2444-45-0x000000002F631000-0x000000002F632000-memory.dmp
    Filesize
    4KB
  • memory/2444-46-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize
    64KB
  • memory/2444-47-0x0000000070EDD000-0x0000000070EE8000-memory.dmp
    Filesize
    44KB
  • memory/2444-77-0x0000000070EDD000-0x0000000070EE8000-memory.dmp
    Filesize
    44KB
  • memory/2508-0-0x0000000000400000-0x0000000000496000-memory.dmp
    Filesize
    600KB