Overview

overview

10

Static

static

5

7790847622...07.exe

windows7-x64

10

7790847622...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26/01/2024, 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7790847622da02038ed1c4d0c7c8f607.exe

  • Size

    512KB

  • MD5

    7790847622da02038ed1c4d0c7c8f607

  • SHA1

    41e7d135f841e4746e07134225375233eb232b15

  • SHA256

    41c594abb2ef12b08222e3ce8ea23c094c0e81087f2d6410ad7a231db9f69a89

  • SHA512

    428131a559e51e640e5ca9763e8a2d4471be674274598dad5f09d63357c3795fbb2fcf8c85f28da5942c010952b87b9fda79aa5f7258a38920bb1132b6873092

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe
    "C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\qclhzybatyspn.exe
      qclhzybatyspn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2620
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2848
      • C:\Windows\SysWOW64\rqpzfury.exe
        rqpzfury.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2680
      • C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe
        cssslrzzpcjfcpi.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2416
      • C:\Windows\SysWOW64\jcjcnneudn.exe
        jcjcnneudn.exe
        2⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Windows security bypass
        • Disables RegEdit via registry modification
        • Executes dropped EXE
        • Loads dropped DLL
        • Windows security modification
        • Enumerates connected drives
        • Modifies WinLogon
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2112
    • C:\Windows\SysWOW64\rqpzfury.exe
      C:\Windows\system32\rqpzfury.exe
      1⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
      Filesize

      20KB

      MD5

      7f4c0684210154dbfd5071b3f72c44f1

      SHA1

      2ec929496b7075bf2448cf7fd44eaaff774c93ad

      SHA256

      5cc53c70e4909151e9deebd19f870b4a3b25d904860eb873d06be6c342ecb964

      SHA512

      bb0e5e005cf596d064c61cbb6f38f57af4df9cb9b6f51c9e01b9bc772cc25b3c389448acaedb8d0b547e279a2858028ddb0a7cfb4bfd62addef22e1945bb98f9

      Download Submit

    • C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe
      Filesize

      278KB

      MD5

      bbdeb8b6d8712e7ccce336c3356f4a49

      SHA1

      6faba454bee158a592729963c0bd4f896b948d57

      SHA256

      d0e5ec704671aece5bc5459d7d97ca6933ec7b8bf0a9771d16c77fc8aefe1a7f

      SHA512

      759eea566fc7b92223e37fe9b437db7c3b6c6f66c7d4da1e8580494de72ce7f158d78b959a91e5a393c2d42a0a85b2d0a904f3f5112579926ad9ecc579313ab1

      Download Submit

    • C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe
      Filesize

      107KB

      MD5

      108b8c3307bc693dfb1805414a94ce0e

      SHA1

      ccf923d1900d68dc72e75179b216a84bd5e7f706

      SHA256

      dc8eab410b1166eaef2265dc96d7e1b42ce60581b34760d5b12d5191a6a01230

      SHA512

      ec3014310ed430b2441ab4dd0d68eb9873c1858efcd6993d068c333a901396b8de4a36fec8cc613d8f96d72c6aac5eb9bd1b3d3bced8521f7ee10824f7059129

      Download Submit

    • C:\Windows\SysWOW64\cssslrzzpcjfcpi.exe
      Filesize

      512KB

      MD5

      512474b018868f46275891f3160e53f9

      SHA1

      c904a103a0482bc2eb124b5709aea80266f278f8

      SHA256

      d8cd5790010c3f0cd1ad5b32c2da7ddb430e60ed25e89054c259a2e9e59488ef

      SHA512

      d0b4a10ed1d5dad1663ac91165d7f110500c462f06c499d0350f6c52e0ddbf7ed52ad5e4523b1aae9a75a241a08f37a3ad4f71ccc0f21d3b1b61724d8d1e6654

      Download Submit

    • C:\Windows\SysWOW64\jcjcnneudn.exe
      Filesize

      512KB

      MD5

      726930f2f3e537539374b29b46959428

      SHA1

      c9a4206be9895e96b997390dccf2436f85f6b27f

      SHA256

      4ee372fbf3d6f40a58d73f8076293f3a01e48b11a64d46981bc3de37b7806c0f

      SHA512

      f7d95ce492bf806f839f099f41d535e575a6485575053bfcf7b504586cb6b1a6f63cb65762e29846480b4af63c28f3e821f811e59eb910e08dea60f37af92fb9

      Download Submit

    • C:\Windows\SysWOW64\jcjcnneudn.exe
      Filesize

      143KB

      MD5

      18d2a726007bb46a3938e5cd330fcbbe

      SHA1

      a824896be83b8a8e40b6147b851223047da7801a

      SHA256

      4f48fcbe3b7d2256bff0568e9b2a61f940dd17af97392366c7f987c74b89244d

      SHA512

      6d975cb01bdb75b269a8631e4f4e85106e98bb5178d0e4c74f18ee3b7722369a9b0f89020d5673561a20ecd35c3d0ba9906c1c258791361954481536b69e916e

      Download Submit

    • C:\Windows\SysWOW64\qclhzybatyspn.exe
      Filesize

      164KB

      MD5

      4b6cbeaaf6394f85bb35ebbc382c8267

      SHA1

      ab5eac97b95be71edf74dfdebd21ee859e902727

      SHA256

      62b439e4f5472a7f3df2881afad5e3faad04d38f88284301a9081781f8a3dac1

      SHA512

      9fd22a9e442eac9e5347d53284b6dcc6b45bd43da704451ba25640a515351f42caa30d880c80011448c0f3aa6c64107a5eb83ae986fc0ab5e49b02668df8b499

      Download Submit

    • C:\Windows\SysWOW64\qclhzybatyspn.exe
      Filesize

      211KB

      MD5

      fc43f296fbb9d23affbf1b7e87bc92f6

      SHA1

      33795448a3c37748151fdbe159303c3266c80081

      SHA256

      4f0d095b1d736648325edd7e9d5892658cdee4022964d2b465c48b18615f243b

      SHA512

      462d930a2e0238c598b19a4d2c6912b753dbe16622ed713419197425fb134c0244a9969011ce9bb79c10f61c0bebc8e609a2f44dbe84a7003cd7d9ba8b608b9f

      Download Submit

    • C:\Windows\SysWOW64\rqpzfury.exe
      Filesize

      289KB

      MD5

      74bd631a170d9e91220f4a11c103ca8a

      SHA1

      5b51db5763527dae8ddf3626ab014cd52249a2aa

      SHA256

      8d76e5c9e36a96cdf334f4ccffdac89bfb732dade57c14ef36bdd18bb038fc7e

      SHA512

      a8b138e5d0cf17cf6fbf7910c7f1635519297413b6249a4eb195048454a5892556887c4421837946af711ca3d18422dd66d91464fd9597c0b9aa276b17c9263b

      Download Submit

    • C:\Windows\SysWOW64\rqpzfury.exe
      Filesize

      180KB

      MD5

      2a03d4918305a29565f9b2797647ad93

      SHA1

      37ba2bb84f78c07094e35d1027d12072f5d0f790

      SHA256

      2ec393eab6ebc31fca0d615ee68dbe625a20c6832ddc2ac2b4993d1b9f9a82a3

      SHA512

      7c9438f2e4c821559d842afb765da17f69d42e7adc62a8a5807f62dbad6d0f896eb7772cd6beeb4b8a2e2f6982485cf928f8b9c85843209b9f24739d35c4c4d2

      Download Submit

    • C:\Windows\SysWOW64\rqpzfury.exe
      Filesize

      95KB

      MD5

      1b723a8697f013f180fa89c1f34ad7f4

      SHA1

      670278becc2316a3fd4ec9e1f7096ac02c8891d2

      SHA256

      cccbe1e308aec9bacc48cd2401f86242d67a531c06c7d76db6c31cb142c80508

      SHA512

      fa403e4b10c7c3051cbde89765d5d4d4c1880f3b624d30d3a76b89497a4ba487ef42f03e1b3e0b2672daa28af4ab707e9e5395ea501feb4a4a99bd87790ba8b5

      Download Submit

    • C:\Windows\mydoc.rtf
      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      Download Submit

    • \Windows\SysWOW64\cssslrzzpcjfcpi.exe
      Filesize

      295KB

      MD5

      5104beded17979f8dc8b74b10e8ebce2

      SHA1

      59e4207699d4a09e4aaa35d434f0c1492cec52ad

      SHA256

      b393b1073d7fe03c7457944a2794389403fb37eabf1d36990e232c79ff469789

      SHA512

      e961469df4db5c22c430085bdaa33129da4576684ebfbb8e3301924e0451b6947779c9c5fd5327a1b79d51e45ab8919f595c00a2440f96ee1c724ebcea559d89

      Download Submit

    • \Windows\SysWOW64\jcjcnneudn.exe
      Filesize

      411KB

      MD5

      98886dd683b81cf5b36d34def4696d47

      SHA1

      9917299539a329d8ab086e53cc78f548a1dfc91f

      SHA256

      962b9965f8bb85ec092ee97e8cd6d734c3196b3eb7ce09ae94bbb6fe4fe1dc9e

      SHA512

      99a770aa1cff9eefaa28436e3ab0a11dd04847120c862f28d17fc549dc5453d681c7e27f66f01c21a680fbd431881bbbea8a01ec9b17c0e14839dc9f784bbf3c

      Download Submit

    • \Windows\SysWOW64\qclhzybatyspn.exe
      Filesize

      200KB

      MD5

      695737ca9a34633e7fea1290d976bea6

      SHA1

      8b3ef01f3916f5b13c40af4d8e75566c62a196a6

      SHA256

      67483d38b7d790df6327683d3e3367579c270e8c48d1cc5ef6166101bed4e925

      SHA512

      48117498959bfbc5456007052781b98cbc93aa5d1fa9f5d2e94e4190a1e994f05a77199dcd075afd3028ba1b969e282c4857a028fa2e773360553878d2c4c295

      Download Submit

    • \Windows\SysWOW64\rqpzfury.exe
      Filesize

      299KB

      MD5

      eba9696bab2793d728e95c9684c5d8b6

      SHA1

      70f1c26036fb1d4efdca56d060cbcba00dd61dc7

      SHA256

      d033971b3a875717c2ad76a3be5a0391f1294e3641ddd4ac5d107837db2e8a3d

      SHA512

      176765821aaa07356eabeb7070b43bea1b00b5f8344a273f863ce0b86d3a7550b99dac40492cdd02cc51b53701957bdc10e1647abf448575ca20d18c64f81dea

      Download Submit

    • \Windows\SysWOW64\rqpzfury.exe
      Filesize

      155KB

      MD5

      a10cc637cce8d4a001d4655dae0086a6

      SHA1

      0ad4d8b51a83cbedfa48601d9c22c847c92df380

      SHA256

      4b5dd2f48eed937d3b8aec0b9446c23d233341a3156ab987828cd89ed3c3a20b

      SHA512

      0b13fb57d9ef88514e40e1690a691a9ab1a12acc7ef58bc83e7a121748101ba4fac4d8bacb6b4ec8c0bca5cc4f6bcf255489995a1ca7b1754719e9b5c28ceb9a

      Download Submit

    • memory/2548-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2688-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-47-0x00000000711BD000-0x00000000711C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2688-45-0x000000002F041000-0x000000002F042000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2688-74-0x00000000711BD000-0x00000000711C8000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2688-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download