Overview

overview

10

Static

static

5

7f275f36f7...df.exe

windows7-x64

10

7f275f36f7...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2024 06:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f275f36f72d5e9693237a68edd3aadf.exe

  • Size

    512KB

  • MD5

    7f275f36f72d5e9693237a68edd3aadf

  • SHA1

    98534772b9f903480b4e865460eeb429d3a6f3ee

  • SHA256

    4033da615de28b69a2b492da42fbe519c6d3386f7e874bed6372f894cf4e7534

  • SHA512

    0a990c22ed4e8b61b8b10ea38d62befe294a22e6f16a3e2efdf48136bd9ab110f2b7e225399030241eab99cd2d0615448f4a9c36cc6cc35a72a5e789b72d0913

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p

Score
10/10
evasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f275f36f72d5e9693237a68edd3aadf.exe
    "C:\Users\Admin\AppData\Local\Temp\7f275f36f72d5e9693237a68edd3aadf.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\tmysetzgdm.exe
      tmysetzgdm.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\SysWOW64\censxgjh.exe
        C:\Windows\system32\censxgjh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2756
    • C:\Windows\SysWOW64\censxgjh.exe
      censxgjh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2848
    • C:\Windows\SysWOW64\jzvunzodvdspc.exe
      jzvunzodvdspc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2652
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2688
      • C:\Windows\SysWOW64\hxujfpmoshuxopr.exe
        hxujfpmoshuxopr.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2768
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c jzvunzodvdspc.exe
      1⤵
        PID:2624

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
        Filesize

        512KB

        MD5

        ed456e4b4a1db82776402fbda60e0abb

        SHA1

        841cc1700307d20075517770b0c101b65efe0796

        SHA256

        a7f10c9026e9d699ba8922f72c4fb10e865685ab1e6cf3264a50175d2f6cdc65

        SHA512

        f8349435d6b3bc95cddbc2c2d9568d1a823e3c4c45f3f5db185a4e3c90f4eb2056bdfe9f639b35a0fb18ef9ba8f139a093c71f291b91dbe6cd229e72e3f47881

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        bc61b328659061ac87a18ba07ffe3f14

        SHA1

        87f696b0f39cec84191858b651b6c870fd408dec

        SHA256

        84f5a90d830a21399dfd8219f08e1d52a990cfacd8c3476872265231570bfbf9

        SHA512

        5d3f9611ed93bec66454dd0edc15191324a274cc969f5d0f826dd9823c828054e47679c8375cb8ea1378406727de4f529bd84bf98e7afd51133224328b3c1dda

        Download Submit

      • C:\Windows\SysWOW64\censxgjh.exe
        Filesize

        269KB

        MD5

        bf736f8a4db1c27b4ba62fe38371ef88

        SHA1

        b20236832b5975b2dbe1f8eb2828dd595ee60e71

        SHA256

        96a4b9371d2312e9e5edacbecaef4cc864d6d5be268a4aa802095c255b95a74e

        SHA512

        bac58f964d4a99bc6f55cc266dea71994bdd4626e103338cef6d10cfb187f0ba38bbeb8ca2a0c2bfcc67e8fd78cd52438c29e96e8abbb440e1b48edcba1fef7c

        Download Submit

      • C:\Windows\SysWOW64\censxgjh.exe
        Filesize

        236KB

        MD5

        0a1d916cf6227ad1085961444010d4be

        SHA1

        034db17a71a50103e42ac793469194b5cc998c40

        SHA256

        d565f12eff27a63e60a7c31189bdbdf3aea58493d40bf8d9c9f77a599dd1dca7

        SHA512

        963fcc24745726f711f944f14e429ba1a8bd001e3baa854f1d1e53138e6c85a31e0f85af281da2af514129bd095bed29d263b51c9154ce0fad76a72b92891360

        Download Submit

      • C:\Windows\SysWOW64\censxgjh.exe
        Filesize

        219KB

        MD5

        26c0b74efb3b30a5179d0da985aebcaa

        SHA1

        5f56ac7a2fc4c048640d73f86a0a54a1b8a853af

        SHA256

        2ff73d9b6b6ed449f23fe772e41812c8711556e5d2295cd70e94a28854bf6acf

        SHA512

        802e985953bcd83869acb2f15306e7859b7a5db8f932779d688f48b2cb3ab0e73aa7d4ef2505f81dc86f60777df3c8f54d82d61f3f2f574e3c0092ae974d6ebe

        Download Submit

      • C:\Windows\SysWOW64\hxujfpmoshuxopr.exe
        Filesize

        225KB

        MD5

        83fc82830be5ba50deaf01bdefce2227

        SHA1

        cc7ae42add345b3a29312271e38ec5882bba599e

        SHA256

        071291107238bced2cd82dd67bfff057e8fc59768fabb8a048fa3b247574651a

        SHA512

        e10844042b527990ba16a8ca4f79c7eb17ebd8c882c886eb9ab253cf2c8c1f3e192b613c112fab1ee17d6df8b0a37a10aacb45904dc792b296bd8dc1bf978fc6

        Download Submit

      • C:\Windows\SysWOW64\hxujfpmoshuxopr.exe
        Filesize

        212KB

        MD5

        4637abe1124d77f6698437e17b3b45f7

        SHA1

        42cb78d23beddd35acec80012d98709d35a13f4b

        SHA256

        9c77bf645fa9cc0f62d69b9812ec7cab14087bf3a83de92e22b18e5f502e3ffa

        SHA512

        4bda4ca1958a0ce82d066ced3b122a78905c76c91ab90a80a071fe6011332b03773da2944029a020e821e711c79ec1acbdba6f7f02fe35d5556cf0de0f3275cb

        Download Submit

      • C:\Windows\SysWOW64\hxujfpmoshuxopr.exe
        Filesize

        512KB

        MD5

        4fa6b9623aaed5f4bb77b07b92074e06

        SHA1

        ac115e0fb0e8b81fc1edba9f8430bd1952d861c0

        SHA256

        9358e1d951d95c39fbcab62ef91f03b0d8d17e9afcfc08c83637ebd38673102e

        SHA512

        3df833a06c348914847fa4fbbb59c30243eef19208b4a6a5a3031c40ac813dc3423a46eb6362fdad25c3c013b627cef274ab87dbe3a2a56ccfff758b1ebb18e3

        Download Submit

      • C:\Windows\SysWOW64\jzvunzodvdspc.exe
        Filesize

        214KB

        MD5

        083c3b5011c4ae45a066f657ebf803b0

        SHA1

        5d860d6a6c74455bba56043eaa54fcacc04cd22b

        SHA256

        bcd425909b812d4b6ed7cf5f0041425ffc11e144d77cc038e6ee54126495b8c9

        SHA512

        6c3aa61fd751ea2e8f1719386b292efc81ab0d2b655ea800856ad4ac75cfa5b13e56a005f190591bca5658d7c9cd649f6bfaec5d8b6b40fd898127c38471ebc2

        Download Submit

      • C:\Windows\SysWOW64\jzvunzodvdspc.exe
        Filesize

        237KB

        MD5

        8cea23cbb6da81d00e8875b7bf505ce3

        SHA1

        ac929a8c24160ead6195da565a1a5fce0adeca03

        SHA256

        995cdffd120dd89063e4346312104b4a9296b7aeaf2308fc58fbe7fa56fc896d

        SHA512

        eeb9c15fd859879d45c7b847c50389de1d42564866c89843cb75d3b023bf5f6e94e6403208ea28173c352b2cce8984bcd7767fe9399dd1f2fb95060d5631a116

        Download Submit

      • C:\Windows\SysWOW64\tmysetzgdm.exe
        Filesize

        440KB

        MD5

        e76016392062631f651c3b668a399ba9

        SHA1

        ee65cd2e34764ddd0bd16fd41f39b5b7f7b95daf

        SHA256

        aa1887e3435aafcdb4fc4607c2ac5c78010aea828af97a30abfb682560045e4a

        SHA512

        bdcaa3eb51fafca989c2651f5d17f9179f137d5fd699db49e3cf028b2858bb0d63406dbf329c88290e86f9e40a084e637c73f87f06246c1a69cd8b1de7c90eef

        Download Submit

      • C:\Windows\SysWOW64\tmysetzgdm.exe
        Filesize

        512KB

        MD5

        e012d7d9a77d8ad80b3f525544703231

        SHA1

        6b7fba55e253beec32d274eaa588cf1fd105e47b

        SHA256

        5a80e2f90c7ea9005332e86a077d4f4b83245dc068888395ee9b24dfd785a16f

        SHA512

        6d7131dca007a4722c4ea6916513bdb3543d0e9cdf17d426f41d67d96ccd6b780250b895acc4e1110db9f42ce2f34eb6c5cd322ed56535802738d6f89017c71d

        Download Submit

      • C:\Windows\mydoc.rtf
        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        Download Submit

      • \Windows\SysWOW64\censxgjh.exe
        Filesize

        361KB

        MD5

        fbea753950ef0ddfa20f313ca92cdc08

        SHA1

        dfcf60e67380074f52eb2c2aadb9638b9689d82d

        SHA256

        b128c8dfd2ec2fb31165463b31360757909023bb1641f7acc104eaaa0e341699

        SHA512

        56f1fadd4d77285f88e44db70a1ef7204d31ca0d95c3ff3799d052789c4dad1578af70445721d68949174d5edfb915c68310651438feef5559c7d0ffad4715f1

        Download Submit

      • \Windows\SysWOW64\censxgjh.exe
        Filesize

        195KB

        MD5

        a5a0eb7c5cfd3b04170ead13713128c4

        SHA1

        b61211f597cfda8eeefaa89f59cd6f4e126b50bd

        SHA256

        2519477ddf669ba35349a6ec48ff5eeccbb87b599d91024259750acd16f08065

        SHA512

        75fbcf4520882d8370b6ddbc856275d81c269041155a06b01cddeb9f849a384f16d0cd407772553e06d6196ab2094d9355779c4aef4d47893c2387e1453a5ea4

        Download Submit

      • \Windows\SysWOW64\hxujfpmoshuxopr.exe
        Filesize

        412KB

        MD5

        d6ca9f85fdb420b94c5656111b5ffb4e

        SHA1

        b4bfb1dc5bb080d40c17009e8a0e5a45b9f60028

        SHA256

        a87c4fcff8fcd9a7048329dd7204849ff063bee1eeef87258579da756a70229c

        SHA512

        995cd86c1c3732bfd13bddcb56865aaede27372a0e57c4a67be8b1b8fa5c9984dfdf7629ff87c7a3e1e055ae495586f70a201067498df22cc800e28efebcb567

        Download Submit

      • \Windows\SysWOW64\jzvunzodvdspc.exe
        Filesize

        290KB

        MD5

        93ddfbf0f4325151aba3a6ce1c0a9bcd

        SHA1

        69b4168707c1886cf8bf7d954d3d534b9f493e75

        SHA256

        32844c1b1c1668c94a7ffc7ff3116e27fe61a205105f3c39c3da18ce794804b3

        SHA512

        862230d1678612222c2ccdd674158f3b93019bb845e455a03b4b6498b58947301da6a7f520ebaa47de2f295407196c934f814aecd82dda4c413f6029f1310ed1

        Download Submit

      • \Windows\SysWOW64\tmysetzgdm.exe
        Filesize

        243KB

        MD5

        b960587b619d4beac157e1db91dbb8ac

        SHA1

        35efce614fc0a738669f534fd896f9b640ce6df1

        SHA256

        36891c772ca6447bc4a01b899a80f1242028b6ef96e5ef251a1cac32b49de5e3

        SHA512

        8864335a51693605323ef78681be8bf2fa99443d527582f38c4890647d4a964ca325f66b1f3fe6bd449efb4e21df03b652433d8a6116286eae71cc8561522aed

        Download Submit

      • memory/1272-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2676-47-0x0000000070B1D000-0x0000000070B28000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2676-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2676-45-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2676-76-0x0000000070B1D000-0x0000000070B28000-memory.dmp

        Filesize

        44KB

        Download

      • memory/2676-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

        Download