Overview

overview

10

Static

static

5

781520476d...5f.exe

windows7-x64

10

781520476d...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2024 18:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    781520476d4361be5ce19d1eeaeb3b5f.exe

  • Size

    512KB

  • MD5

    781520476d4361be5ce19d1eeaeb3b5f

  • SHA1

    9e974df0304e65d615a1a7be1c2fb691285350e0

  • SHA256

    c20ea11f0588f74fd9116cdc7f8828130a8120d446f91d9a66fa7603af7f7d9c

  • SHA512

    841c9f7503718ae09e0c9ea515c69b82e20bd023d01cadaba4ed5d89deb12195da7babae293f1f63ee7df622f6e5c04339cb54f5e38d656e3e3b692f64141897

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 18 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\781520476d4361be5ce19d1eeaeb3b5f.exe
    "C:\Users\Admin\AppData\Local\Temp\781520476d4361be5ce19d1eeaeb3b5f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\SysWOW64\ptulsqqsfb.exe
      ptulsqqsfb.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SysWOW64\gkaornvv.exe
        C:\Windows\system32\gkaornvv.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4844
    • C:\Windows\SysWOW64\iinvdonlazroveq.exe
      iinvdonlazroveq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4216
    • C:\Windows\SysWOW64\dqzxjzcbgmwto.exe
      dqzxjzcbgmwto.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1984
    • C:\Windows\SysWOW64\gkaornvv.exe
      gkaornvv.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4632
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4476

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize

    45KB

    MD5

    d8f6b20ea3b3d7fec33e42e8a72471c7

    SHA1

    a9d349e52811753066891c107110745afda3a9ad

    SHA256

    e86e7150107645064f0efbafac95f2883a9fa29de0860c4e08f552aedb5e8be8

    SHA512

    5bf2bf9c4104979a3d40d648c0d0549df9219fcc2cf8489ae1d71bac012850610d907246c89900cf86fb80020001c04fc1ec4b4ddcaf611acabdf693c9186111

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    239B

    MD5

    69ab36f887c9aebc03cf2b9924e9af1a

    SHA1

    e89545bd4d84ee79b970724d81406111054e5ede

    SHA256

    7f418960bedd2f787ddffced8647021d08a07fd59577d0f2d012035779122e62

    SHA512

    dc8ae47740aa9109b9646d40500529aeda9c71421f5586f2d6c45a96cdf5a10dd7a4ae45193fbb58d6b3ef918d476af02f699111a1280ddd71cc1f65af38d653

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    6f207e0b5eadd7fc77efda51ef581646

    SHA1

    219532e4994eb7f5644da913b8d211d2896a4223

    SHA256

    d2ccbf028b2197c8430762a75f1e6d7da24fdc8910fb8b64c71ce96dad66c045

    SHA512

    0b785ee5725ba5a77d1b0acbedb8f7e3ccb47d751fdc29cb6870d0802acac68eb7b6d71fc1c3b2df16d0c887e4a3ba891c40878334f03def442d580c8e7b0620

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    b1cf7040b41282e13c40f503c4d34a4c

    SHA1

    0614cd67bd0e69b1b95b5d5c42dbe0e97e05a888

    SHA256

    33004f954a683be8a74d5bb71cbcb2d85f6098785fd3fc723fc0c4b13eafe532

    SHA512

    4aff5c5e217ed58e11ef9253021e5352bfe80a1b1ca0672fddc44659c891b445d94cb6eda1766bdb9fafab156bd4f03c20e4b2d5c05a61ace91a07880c4bd6a1

    Download Submit

  • C:\Users\Admin\Downloads\RedoOptimize.doc.exe
    Filesize

    143KB

    MD5

    cc65196cb56ee504462ae30dff422096

    SHA1

    f63da68e28dd49038a1817a188a40a43b4528dc7

    SHA256

    fa2d0120f1697225bc0b7868965f88fe1908b251b6eb1b5d6ab8963f1ac2973a

    SHA512

    cbbef727f580bf2b87a229d5cb9477163d398b0e92a7f2f3ed74518c311dc5e5543b3dfdecc0bffb653049c48c24d61de21ba666fb57112ef452a4c3df49a6c6

    Download Submit

  • C:\Users\Admin\Downloads\SkipOptimize.doc.exe
    Filesize

    161KB

    MD5

    c4a2cd542ca7c2e45d5036cdf24247f1

    SHA1

    b449ccec1d698f8e41164c1d011733e48f9b4eaa

    SHA256

    f453a7a78fbab595172576a9f7e83f4ee1a127c1ccb96cd11db58cc825eb335b

    SHA512

    bda2343a13a823ec2a2e9d280fa1999b90e7d8c0020805cf50a1ce79bf2fa69d3577c86ff7c1ae4e7683b4c02be5e90ee64103c57ddcd047555591138b4cde68

    Download Submit

  • C:\Users\Admin\Music\OptimizeAssert.doc.exe
    Filesize

    327KB

    MD5

    6faeccc1a9dbc1ea8debf6c92fe211e9

    SHA1

    6c8bdf0db5b3f56aea953bc8d12c1b3f1eb42c2a

    SHA256

    03bcf0cdeb4920d0f2ec3aff6b8fc5417f0317e1878dad07701b4c445691f942

    SHA512

    446fc45bb1488d4c7e173cf05ca631d3b02fbee74a3883015d02f37968ac9aec978ad8477ba2fa6fecc2c479645707e7eef6f601a8f70a856f4ff67938069ee5

    Download Submit

  • C:\Users\Admin\Music\OptimizeAssert.doc.exe
    Filesize

    136KB

    MD5

    d645e0f30c593cb739e7d4506b237d8c

    SHA1

    b6d2f4e51e93fe2481318f85200e93372260f125

    SHA256

    338a34fabd496e43332726b820cd71ef15a23a8e4039c6ae641de474c6fd2647

    SHA512

    34590bd3747c0f6b838df0fc26d7de87f0046745d00985f0e223e8cb61581ad392bb7265f1d568d8501655cb8ad4fe8cfdce27aef01f3506088f28e98b87060c

    Download Submit

  • C:\Windows\SysWOW64\dqzxjzcbgmwto.exe
    Filesize

    286KB

    MD5

    a0943635b7b92b8649e3e8c3d51c1fd4

    SHA1

    f69c5893597bd962f84fb327aabe49cd15eb4fb5

    SHA256

    b8e4a26f09a874c7e318ed3249f8ae0caa39ce9fb7363e1e066175833b748f43

    SHA512

    659c6918e04433decdf9a9684da77655c5c1c0cf0fbfdbaefd061533a4f54417c265963456adfe931b7ed3b2a90c64307d3d31ab526eb7393e9c967ba98bf6fb

    Download Submit

  • C:\Windows\SysWOW64\dqzxjzcbgmwto.exe
    Filesize

    364KB

    MD5

    335d1d806c6ad086da56337de5fda15b

    SHA1

    f5f2bd4cea695dafd52a1a5328d114c161d3b9ec

    SHA256

    1267ff4ff879df01d628c22862ed8c6bb876933d351c0188c5e2bcb98dee649b

    SHA512

    1224772e913e5ab8217281ab7756b35656fd6ff003915a377413753ce7ca23d514f5567e32d9be37ac3115e3e5f408701638b1eda080c2ed3ef8b4eeb98b9ee6

    Download Submit

  • C:\Windows\SysWOW64\gkaornvv.exe
    Filesize

    395KB

    MD5

    32175e25e233866883fa076075844660

    SHA1

    3ddf05f0f0fcccf3997a716d9b1ff6b305778c7c

    SHA256

    f612789eb0bb5048666078aba9eacef229616174edf3fda810bfece07aa9a3bc

    SHA512

    cb758847f109b6a6a33236ec0b0a096535372f75c30c326322c34c16e0e6f05c719e2b472dbe342c8d5aa1c84385df56973a8dbe705df2240dadde38d70bb3f6

    Download Submit

  • C:\Windows\SysWOW64\gkaornvv.exe
    Filesize

    326KB

    MD5

    0bb0a0227987d70d8ffc04d2a21b5bb6

    SHA1

    e674cb84928c35b55e27bcf8067cbbaf4d0fe4c1

    SHA256

    b7bbaa6927154a9339185de35be41f9d0ce346368e153db7e354c9a34369aad1

    SHA512

    1e99c106329f812a8a6636bc0fe48c88516cf6cd35d1c1796fca61e3c3e2926bc6539ab1d0d73066263bc4afee36863c43c75b3f2fc0c0b0c00b94cf2e4950a2

    Download Submit

  • C:\Windows\SysWOW64\gkaornvv.exe
    Filesize

    317KB

    MD5

    0db804295c40981715e6dba0bcce50c9

    SHA1

    7b93a3b19021ac33cb02a0b7cb78b6d84db573ff

    SHA256

    0a4b5cdd5d23e332a7c0d636394c7dd5a2929a03908bf2abea2519b587f63744

    SHA512

    855e283bc03f5abde309f3140463c8df74c79923f56a3bb43d7558b307998a45699fbef5f2cb5d66de55ac04b7e5581c9b8a6e2678af18c50094e809c4bb02bc

    Download Submit

  • C:\Windows\SysWOW64\iinvdonlazroveq.exe
    Filesize

    391KB

    MD5

    d53a6b28403b4c1a5d6b4221c7efee22

    SHA1

    1bfc110db0e24cc08ba26cd1ca867401c5b0b479

    SHA256

    833ebec9d57b4f0a98931e32c4e25be81e9aa11ca83b41757c7d6463762a157c

    SHA512

    3f349db077a644ac0c51371aa8134bfed84afedce062d4dd26bc8cb4c2d772ceb5063fecd518bec79a9c935353f80a6544f6ae47b0fb956f752b644ec64ae13d

    Download Submit

  • C:\Windows\SysWOW64\iinvdonlazroveq.exe
    Filesize

    331KB

    MD5

    9c1adc5c91b8edae50e6f5e14179686c

    SHA1

    7b2e23887fdc40240fc489e014fe8f23294bf73b

    SHA256

    1687d1116b7f29d0608c5353406b5867ea5ac1cff861439e7820ec9bbafb6843

    SHA512

    2f7cfcff00862f33e133c9e2ed870e3a1034b7d0178dfa91894c5d51664d183f52d31aac0b2c9544a0c4367251d4975883d85179f4976d0c6b7f9dda0874c85d

    Download Submit

  • C:\Windows\SysWOW64\iinvdonlazroveq.exe
    Filesize

    512KB

    MD5

    ffd9acf643cfa5fff7feb4c2ecdd4c2c

    SHA1

    946a17a7d626b57c01480de6a7e4b7a361167909

    SHA256

    e4e8a9ff4b41ea557a1426383ac51f941be7089044899f19a85a2330ac2eb39a

    SHA512

    dd1ac48fb3759f656f458a6270ba08628c9687f89980e3cbe065494e5c940ad79211cf71fae2d8a34b574f72ea9a7d180f85d2ec3b4dc617e7e85df2c3a0c3e4

    Download Submit

  • C:\Windows\SysWOW64\ptulsqqsfb.exe
    Filesize

    495KB

    MD5

    a2b6f6c2e35ce3e8578f0fa8cb863ac3

    SHA1

    5919e296c1053c3acef4c90a0593b8c22dd8ca41

    SHA256

    b942c9ed844840889e67cbfcaed276a7b71e456b4c7d4edd40c65e4aba13a930

    SHA512

    d5ac57e63bea42e17e9fc48da121e946a9552b7e0a96ea5f41560b67c2efab1d1c79eb4872906312793d532774a5ec8871734e2da41a19956e8f1189233a5bfd

    Download Submit

  • C:\Windows\SysWOW64\ptulsqqsfb.exe
    Filesize

    512KB

    MD5

    96669855bc72f4751e5ad819dda2761e

    SHA1

    b09091e3abab1acfec8f0f897b55b2ec28000559

    SHA256

    b7719771097fc251171524e37f5291637322517b03c5135806dc4575e34e2e5f

    SHA512

    46c235ced26c6a0775eb857087cb8aed00062ff826d0372dae9d4d22e5b6f5978c9216d7606c715b7bfd8ef2a66412c7a39153fc36d0362b06acddb2b86f3417

    Download Submit

  • C:\Windows\mydoc.rtf
    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    9d6a961294abe27a069e0d73b414287b

    SHA1

    d471112b81b409a62a157c424b03370f0970deb7

    SHA256

    89424fa93ee3cb8f2a7b80081f07be65197dbb58647b13c4689608e44d8d7406

    SHA512

    4ddc6c3c04edd2fa99af3440b826ca2f9ddbe4002c9767b481d97c6d8f179a21dcc3ca8b1698af7558256aec7656f1877112211e67832eb3f387767c7c1cf436

    Download Submit

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize

    512KB

    MD5

    25f4661b6f71aa51ecbc6388977193e8

    SHA1

    7adead387a4b997929725a42b919507a4b3a0361

    SHA256

    06bcd7fa42e325109575d5c47c807d649d8a26a5dc828e3da7a9f8e030a58a7e

    SHA512

    01f57bf47c24e64ad504f5da638b0f6c5abeabc7fa98983bfb3ef979a027f4b940d1e744a7454d00fae76b5dac37119a5bba7f1cd0220a429a1f72d632bcb15f

    Download Submit

  • memory/396-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4476-39-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-46-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-51-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-52-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-53-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-50-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-49-0x00007FF801A30000-0x00007FF801A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-54-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-56-0x00007FF801A30000-0x00007FF801A40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-48-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-55-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-40-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-43-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-47-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-45-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-37-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-44-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-41-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-42-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-38-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-36-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-35-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-131-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-153-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-154-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-157-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-155-0x00007FF804290000-0x00007FF8042A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4476-156-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-160-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-158-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4476-159-0x00007FF844210000-0x00007FF844405000-memory.dmp

    Filesize

    2.0MB

    Download