Overview

overview

10

Static

static

5

73e013693d...d9.exe

windows7-x64

10

73e013693d...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2024, 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73e013693da5ed75f739f5bfe74ed2d9.exe

  • Size

    512KB

  • MD5

    73e013693da5ed75f739f5bfe74ed2d9

  • SHA1

    f5dd4fdda13caaac465dd4060899dc9998d3c775

  • SHA256

    0c070654787fce6f1e05cc54c6a382bacbdb2b032ed07cf6ff39296bb4258476

  • SHA512

    e56ab96313aaf4bcc6dfef6c096e2f2c60bf037f3ce6a5469b3e8675287b3b1a144ec32a4dad7fe96e769b5568310b2bb997a25ee4f0eabfdc89f2c21e9b23e5

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 9 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73e013693da5ed75f739f5bfe74ed2d9.exe
    "C:\Users\Admin\AppData\Local\Temp\73e013693da5ed75f739f5bfe74ed2d9.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\wjeqxeseih.exe
      wjeqxeseih.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SysWOW64\hbseozds.exe
        C:\Windows\system32\hbseozds.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1860
    • C:\Windows\SysWOW64\gkeyjctjxsposgp.exe
      gkeyjctjxsposgp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2608
    • C:\Windows\SysWOW64\hbseozds.exe
      hbseozds.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1208
    • C:\Windows\SysWOW64\acsewkkdhydwf.exe
      acsewkkdhydwf.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3420
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize

    512KB

    MD5

    a442393e0cd433ed8e3c1fd55a30641b

    SHA1

    e361d1e7dff4ee70f808da210eb265d6164af763

    SHA256

    a395f6d6c8118410fa15e3cec7c51d0ce266ab5175fbd52717aca0b3e3ed66ed

    SHA512

    e52c327a4f4b2d3342f2fcebe2950df8ae95a3bae265a27022b6282a8867930f3c48c3de7b0cbb0a28ed530e8abab0579f69b5c20b15e9e5671c4fc8ee354c20

    Download Submit

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    512KB

    MD5

    040e882b7725732802c29a5fbec92e5c

    SHA1

    c2eb9022bedf7102bcf70b699b133e6043414a43

    SHA256

    5ca04eb65a42e19a5f7d6a3fd0afb2f55d948a5999b21e9745a7ce39739f4d5a

    SHA512

    7dde1a539fbcb911ac04f52510f652bc402ef2cc5479ab1497269ccb696982625d452472ae88bb03c21cb0489103dbacbffd5e8c18ca64c842fe11bd109bf3e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    25ff47fb3528a0d9fe7d2e1a0092c8f6

    SHA1

    0a4cd7b792dc684481fd7969b425bdd75590f5d6

    SHA256

    64ac4dc709d870fb675b18f104c8b39753c81bdeabc0d343495ed0c16b0cfaab

    SHA512

    3c92820c8b23289828c685f07776b52e180f4490e53c9dce7e267cebb5c465c711b9bb63c1aea158acdc76487e9a4dd3dc0aba8f84a016db642cdaccfe4358fb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d62d2e3f7ebfda6cb054a619ebb7a94f

    SHA1

    f538b3fae9f1a83d0f5362f5865f59af4e78be72

    SHA256

    6cafbc37b4af5929b464dca41487c8b0a2636a61b7746287ac79ac0f59323791

    SHA512

    215fe2801155adacb5b3132f1768933b7476d50bacde31cdc6ae7bfb731057cb7ba475b80d0cd90fe936f2797704b200420cfcefb6c0a725eb5cd4fda9b8b58b

    Download Submit

  • C:\Windows\SysWOW64\acsewkkdhydwf.exe
    Filesize

    512KB

    MD5

    3adb6597827e313d4a32435428ebc00a

    SHA1

    e678f89d54c1ae18ce237adb80ead02e305cb0bc

    SHA256

    2031f364709e22dec9d3a8baaeaaf1177f6b3c18240c3d588236cb1f63e1f839

    SHA512

    8fa7e7c10dd7a947cd308eb6095aaa62a79166db6409fe343d9483368b18878737250aa48289a2327d3987a4dd76ee3fa89fa3d4ee56846faa708527b334cce9

    Download Submit

  • C:\Windows\SysWOW64\gkeyjctjxsposgp.exe
    Filesize

    512KB

    MD5

    f7fb321526e0c9286e7e3fc8d2e454af

    SHA1

    d80bba8c39008b5ce24e1472e97b503f72670263

    SHA256

    e58960b5a34cde023845cba02c4c43ad7a72c161ad7a2a67fb4b3d17d6244e45

    SHA512

    7dd1fbb1bc2ff94b756e2a102ba7c23e1b92b12525a27db048b8f1420e84ef66c6efce021329eee8e725cb7ee28f5a76a22c04f49dadb7c28e756de3cf351aa8

    Download Submit

  • C:\Windows\SysWOW64\hbseozds.exe
    Filesize

    512KB

    MD5

    f40348ec875d8b715e4dcfd47dc82e68

    SHA1

    1427b559497856272f7a148b3339c8cd18bf3a44

    SHA256

    21315145826606ccd96038a9e2ca9fd1ecdb4aa757b4104486278d247977ba52

    SHA512

    7879bacb7bfdabe098892edf02db3c955afa01ea632465accaa93f35d0c8c07c15ac1bb764be3005756cff23ada989e13ece199f6bde3fd6b39ffb3d564a8b6d

    Download Submit

  • C:\Windows\SysWOW64\wjeqxeseih.exe
    Filesize

    512KB

    MD5

    ab077189298c07cf81b821754334b78e

    SHA1

    be47e4b567da26366f955e0de2f11249fc9fd345

    SHA256

    197abadeeeb89dddd84014638297cbb2ac20cc58c3cd863acf98133f77810fda

    SHA512

    cb07fe63fbe6a813da4175663e57ac9fb63143edd6aa71ceef70882c491b87574d14c36f8f0ba51dc3d265bde6235407b14afeccb937db9db60c871f7ad4563c

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    622384f12e5420f8e33375498c1f912d

    SHA1

    687c240c54a23a922bb5ab121cd67f1a47a96e15

    SHA256

    310eb995b7291fe07cacdd4533be53de3ab7e5627a3e78c7e2c1ffb572e6c4e8

    SHA512

    20f4bcdfadab2296a5c1e4bac01c272ef86e5b614bdd5550ed3dc14a0d95d0fd2f88ab70d9c7b7ce23e0304e2810a933c859c0a4cd18d72fe529e832b08a2f17

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    79648dd858d2bd9351c54a78c0ece15b

    SHA1

    cae835c8416c11ae9086d008d3993df8d25748a3

    SHA256

    b8930c40c02cc876190afbcce2d1eb8636433adc9278529b7a88c6c8bc0bf380

    SHA512

    95fc9690f5e9a63446da110603167955124a604751e0cc3e73b0d7dd8e32a803289b7f43035e27f31f8e9d3c40ddc4808341a8e24185007e34337c5afa14e1b1

    Download Submit

  • memory/2940-50-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-122-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-45-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-46-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-47-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-48-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-49-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-37-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-51-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-52-0x00007FF973990000-0x00007FF9739A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-53-0x00007FF973990000-0x00007FF9739A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-43-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-42-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-41-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-39-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-40-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-98-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-120-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-121-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-44-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-123-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2940-124-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-125-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-126-0x00007FF9B6170000-0x00007FF9B6365000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2940-38-0x00007FF9761F0000-0x00007FF976200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4996-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download