2b68f6a4fb6411293ddedd8ee49680afcb20649f57035814fd3e0e7b348adbfa

General

Target

7afabb44010283947b9c8b8f690e3344.exe
Size

512KB
MD5

7afabb44010283947b9c8b8f690e3344
SHA1

21802d13b61b3e210776f5464a97af2acbdbc4f6
SHA256

2b68f6a4fb6411293ddedd8ee49680afcb20649f57035814fd3e0e7b348adbfa
SHA512

3f3d380751bea3deebcff00085e18ae454a0c6b6c2df30a15b212349758856066e088ef6d25e3a6da505903d431601384bbd2cd750da570f5d9d447bc7747de3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
848	iftrgpnohn.exe
840	joixgtyx.exe
2272	vylwpckerelpjlv.exe
2796	oqjvfmgmhdhpa.exe

Loads dropped DLL 4 IoCs

pid	Process
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntecrslv = "iftrgpnohn.exe"	vylwpckerelpjlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ityjiwzm = "vylwpckerelpjlv.exe"	vylwpckerelpjlv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oqjvfmgmhdhpa.exe"	vylwpckerelpjlv.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000a000000012704-5.dat	autoit_exe
behavioral1/files/0x000a0000000126af-17.dat	autoit_exe
behavioral1/files/0x000800000001393e-36.dat	autoit_exe
behavioral1/files/0x000a0000000133a9-25.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\joixgtyx.exe	7afabb44010283947b9c8b8f690e3344.exe
File created	C:\Windows\SysWOW64\oqjvfmgmhdhpa.exe	7afabb44010283947b9c8b8f690e3344.exe
File opened for modification	C:\Windows\SysWOW64\oqjvfmgmhdhpa.exe	7afabb44010283947b9c8b8f690e3344.exe
File created	C:\Windows\SysWOW64\iftrgpnohn.exe	7afabb44010283947b9c8b8f690e3344.exe
File opened for modification	C:\Windows\SysWOW64\iftrgpnohn.exe	7afabb44010283947b9c8b8f690e3344.exe
File created	C:\Windows\SysWOW64\vylwpckerelpjlv.exe	7afabb44010283947b9c8b8f690e3344.exe
File opened for modification	C:\Windows\SysWOW64\vylwpckerelpjlv.exe	7afabb44010283947b9c8b8f690e3344.exe
File created	C:\Windows\SysWOW64\joixgtyx.exe	7afabb44010283947b9c8b8f690e3344.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	7afabb44010283947b9c8b8f690e3344.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C7E9D2D82226A4477D070512CAA7D8664D7"	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9BDF961F2E784093B4286E93994B38D02F143640239E1C442EC09D3"	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B15A47E738EA53C9B9D6339CD4CE"	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCF9482A82689145D72A7D92BDE0E1435943674F623ED7EC"	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B1FE1821DBD172D1D48A759017"	7afabb44010283947b9c8b8f690e3344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C7751490DAB1B8CD7FE3EC9434BD"	7afabb44010283947b9c8b8f690e3344.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2796	oqjvfmgmhdhpa.exe
2796	oqjvfmgmhdhpa.exe
2796	oqjvfmgmhdhpa.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2932	7afabb44010283947b9c8b8f690e3344.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2272	vylwpckerelpjlv.exe
2796	oqjvfmgmhdhpa.exe
2796	oqjvfmgmhdhpa.exe
2796	oqjvfmgmhdhpa.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 848	2932	7afabb44010283947b9c8b8f690e3344.exe	28
PID 2932 wrote to memory of 848	2932	7afabb44010283947b9c8b8f690e3344.exe	28
PID 2932 wrote to memory of 848	2932	7afabb44010283947b9c8b8f690e3344.exe	28
PID 2932 wrote to memory of 848	2932	7afabb44010283947b9c8b8f690e3344.exe	28
PID 2932 wrote to memory of 2272	2932	7afabb44010283947b9c8b8f690e3344.exe	31
PID 2932 wrote to memory of 2272	2932	7afabb44010283947b9c8b8f690e3344.exe	31
PID 2932 wrote to memory of 2272	2932	7afabb44010283947b9c8b8f690e3344.exe	31
PID 2932 wrote to memory of 2272	2932	7afabb44010283947b9c8b8f690e3344.exe	31
PID 2932 wrote to memory of 840	2932	7afabb44010283947b9c8b8f690e3344.exe	30
PID 2932 wrote to memory of 840	2932	7afabb44010283947b9c8b8f690e3344.exe	30
PID 2932 wrote to memory of 840	2932	7afabb44010283947b9c8b8f690e3344.exe	30
PID 2932 wrote to memory of 840	2932	7afabb44010283947b9c8b8f690e3344.exe	30
PID 2932 wrote to memory of 2796	2932	7afabb44010283947b9c8b8f690e3344.exe	29
PID 2932 wrote to memory of 2796	2932	7afabb44010283947b9c8b8f690e3344.exe	29
PID 2932 wrote to memory of 2796	2932	7afabb44010283947b9c8b8f690e3344.exe	29
PID 2932 wrote to memory of 2796	2932	7afabb44010283947b9c8b8f690e3344.exe	29
PID 2932 wrote to memory of 2596	2932	7afabb44010283947b9c8b8f690e3344.exe	32
PID 2932 wrote to memory of 2596	2932	7afabb44010283947b9c8b8f690e3344.exe	32
PID 2932 wrote to memory of 2596	2932	7afabb44010283947b9c8b8f690e3344.exe	32
PID 2932 wrote to memory of 2596	2932	7afabb44010283947b9c8b8f690e3344.exe	32

C:\Users\Admin\AppData\Local\Temp\7afabb44010283947b9c8b8f690e3344.exe
"C:\Users\Admin\AppData\Local\Temp\7afabb44010283947b9c8b8f690e3344.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\iftrgpnohn.exe
  iftrgpnohn.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\SysWOW64\oqjvfmgmhdhpa.exe
  oqjvfmgmhdhpa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796
- C:\Windows\SysWOW64\joixgtyx.exe
  joixgtyx.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\SysWOW64\vylwpckerelpjlv.exe
  vylwpckerelpjlv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2272
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:2596
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
cba844fd67ef4d3ddab5a1fd81a63127

SHA1
c71ae5cbff698d508090581abc73bfd4b99598f1

SHA256
7b1199b5b51a7706713316c106be45c59222d3e80a0b6d6cbb85f183058bfcb6

SHA512
d749cb0564ef6b36a4d0dd0d25556e4f77005eacb4a10a0cba143e3eaccbed4b0b077d2afc22b06bf8496e5e05f8ee26b59a113bd1d6c6e7ed1aaa693c4e0827

Download Submit
C:\Windows\SysWOW64\oqjvfmgmhdhpa.exe

Filesize
512KB

MD5
bddf83268738cc11013813eadf9e7b31

SHA1
59b618cb4ace59f26d01365c6374491f085f6c95

SHA256
7ad5933e45d5a33f415d2e64b228d6a1188f20cc8c39d68c79fbd8d5c444643a

SHA512
7324f71fa922e7e34704a5c0362a2fac3a4d94519643baddc9b6d4bac66f2f48a541ddd1504fbdae5134b48012cfec94006237af3306adfa5ac90a22cb01de93

Download Submit
C:\Windows\SysWOW64\vylwpckerelpjlv.exe

Filesize
512KB

MD5
a22a40608ed778e1af4242e9b5fc494c

SHA1
7836ef51519d8ff09681ccde98f7b92cd2d54deb

SHA256
ca03bf74750fdee2518262118ff3e7b984fd589bd8d378b21fd91e269e1ffe70

SHA512
b752b28ad56a3d852ee1ff6998330c1da799c4723a0a7ad35446ff1677966db9510b1acdb24bbd00941b935fadaedb76d8b101cebe07277a705afc5fb34a18aa

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\iftrgpnohn.exe

Filesize
512KB

MD5
412126f9358354d22301884bc4adc1c2

SHA1
a4d986d29f0f7faf1131d14153eacf490591a723

SHA256
48dc43accffc330cae5d546b8b407364632628c9bbbb4ac9eef1360f9e77858d

SHA512
68880a6a3bd7ae5eb15116c0fd824ca9fcb34433371069609e84c364fdb7e3af5524aa435e084c1c93a0395365b7c56b96115b7af7dd355165a132fa319cf41f

Download Submit
\Windows\SysWOW64\joixgtyx.exe

Filesize
512KB

MD5
f496431049efdc00898276c60f422acb

SHA1
98125284623bfe352837b2c6c57e9c11512f6081

SHA256
6e147c0206b4e7100ed535036a2008adf709b786d4c3826eeb8d5beedabf3a0b

SHA512
a7ab649502ca4d10c1653bc715cf21494267f0baa7fee2a0aba0fc2037c4496d2bc2a42cb4f719e173503a41f9fde028f36924848ab24b265c7b81f0a3f0cc75

Download Submit
memory/2596-40-0x000000002F631000-0x000000002F632000-memory.dmp

Filesize
4KB

Download
memory/2596-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2596-42-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2596-62-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2596-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads