Analysis
-
max time kernel
12s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
13/02/2024, 04:08
General
-
Target
98705b5a907f1a691359259b19b16d3d.exe
-
Size
512KB
-
MD5
98705b5a907f1a691359259b19b16d3d
-
SHA1
baef9e414aa721ec9c310a32c78b1160ab99f48b
-
SHA256
69347a80b962904a59cc1114412832f2449c79f5601468d5e424dda355aa2296
-
SHA512
44d4b37bd5d1d2da6065e062f7b549c966d177e960358ed46caee459d1df7ad954b4ae04fa8affdba0a5713e926d5a21847ace76af08a0683c334e6b20949598
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 5 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 14 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 18 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe"C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bouiajcukk.exebouiajcukk.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\uiqnmbiq.exeC:\Windows\system32\uiqnmbiq.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\cwodpaymwhzzn.execwodpaymwhzzn.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\uiqnmbiq.exeuiqnmbiq.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\xozupjreolixhwn.exexozupjreolixhwn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
MD5681fedf0b68c6169bc76c7271f48a8ed
SHA18f169f275c0dd73f4c9e8664b0120afded816a0c
SHA256193ce321e01ea39adebc944607f19593ffd0ab2248a0964a39bd8d0138a595f0
SHA5126002296429d820f3d3ab0cfa142cf481602df44a0059041f8df21d4963f7f3a1234f869d706bdc5bca757c0359a20d5c4ce6ba8a3a1eb56173d35658c4ed2b0e
-
Filesize
170KB
MD52d519645be98d0362ec41dacf59bf070
SHA1e79c9c40ecc77b3d77211b5e0d36d14abe3bc235
SHA25611f12c2d58cb8ff5c73acc4f33b32ca747de315734b1a6155a64536e391f14dc
SHA512661f5e84d34965546941bda3bc2a2f33b02ab2fce33ffe84dc58f5e05b2b3b173427f6a49f3b131540f35f4aaffab392f1a503f38d168b556c74043714990070
-
Filesize
239B
MD5361ba5cdfe246f4303b0a1638e0daf43
SHA1eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA51281b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54
-
Filesize
3KB
MD58208798c6cf37631099038b1adf51794
SHA19e2c3aa23074a5c31369f9dea737e37ce55f7a73
SHA2564a54bcb566cfcb244806b476a938fc3d4512fe8bb4ed8a15550c4bc2a075d1d5
SHA512110ef5d39c550bda60f1ab19d618c00a1e2418069fbda657ef13cede2ce9881470e4d720afad65ea1c5b8c4f9be2291aeb94ede28331f030c5ec2ef3f6cad2ca
-
Filesize
3KB
MD5011650e66a42e970a1bd630ac98c5355
SHA1e4fdc89d3b23051fc55f851c72fd078940a45436
SHA2563c4fb92b2e16d7597f86fdcbe4cc78beb21f2ef5106f40ed3a797b7655758e27
SHA51227930d39189b16e1d456225bca5882b26bd6f4a02616842f2d55fdd8b596995a41c5959aac17641103cde8d0490e44c5e66f78460b3c763a7fe84b2cdeb900c0
-
Filesize
172KB
MD5489c382f47d723b3d33a1ebbafc20c07
SHA1ab85f5dd3cab9b8cdf431fffe6908ff3be0508ee
SHA256120f5cae967c36205259b2d20620f8812a6071c299b9396537af86cb871302bc
SHA512978e2a0ea66fd15811d4518d5f1bd0db0d950cf7e357ed4404d54cdb188c700b93ecd5f5c2b18aa25a213cf44e2bd09a99c5d4c0a571c3299d737c880b1e9b8a
-
Filesize
265KB
MD5fc6744d0cbcc4a525b11bf73e3929fad
SHA17a506f1a874a95341bdea7306e4d75295f173016
SHA2562df6c224fc6bc4a48611ef4137215a35479e7e273c31a41978a8db3a4d7085fc
SHA512030632abf6895362af8ed6292af5cf0d3e4f293d763aa1b8e33d9e8fcd8fd27248454da71f0cd536887d5e6b4270e3ec2a941ff256b624f80a9244ada5fe8951
-
Filesize
236KB
MD53c0a51c27c233d681812c344463f0e0f
SHA194ce91126beb72d64492bdc516f0fd8bfe0003db
SHA25670c3263fb1ae3ac409481ab0e6b4c6cfc462c9848093044e8c0fb36e8255ab2b
SHA51224517716a0fc9dbf0f0a1e821e399a6c7fc8b258145d06fad3c1c5ef4db7f2ab32f23ff731af25a978fec042949d98134c529038258a070bad1bf36b4e2167db
-
Filesize
228KB
MD51c3d964e4976c45f9ba8885a68dec8ca
SHA1af19241fb66a27d741a33e61520948b3710b7671
SHA2569d4e7c0351f6463b14ac2c516d040bb73b0a60cba093fb2098a32cb317e240e3
SHA5128e68e27e5b84fa6731c557c6bf7aee22972c2437ad34b31c54112194a164242343dfa0baa111c69ac81eca7105eb191f12bc58db22a0808078461151039ecae5
-
Filesize
190KB
MD5410be96e6dfc52d37e89da2638252ea0
SHA13ae7c1abdcc6fd7815eaefd9cb7698deb8c52807
SHA2566e232cc4be80e3c81a50b6acfee7b11edf428d8d281377394af3a771c324072a
SHA5126e72bf0729ea637718538c5a57a9e17cc32ffc366889cde6b45e06d09ce7de5c34f7a68c25a697035d4064ebca8154993c8d8994dcef332c9d510c4ee391704a
-
Filesize
209KB
MD53e3fb6af93dc3818da0a82772009c825
SHA1c25cfb264481022916e12ac1f2f38346b7df0192
SHA2567f794964e3cdba4143f74a9a1f6a4357666b574c31e44bc1991befac963fbc93
SHA512cc7a276b36fc1620d999ea117a64439398318f90b78a6cddfa69383fdf2787138a731a8fa7468769050cbee6952b4b9cf5f3acfa8ca19d4ebfe5c83bda9a3cf5
-
Filesize
315KB
MD5750129771b9ac77aa3e325d21ef2187c
SHA137ed086d2bf255b3f8f13e135ed9eedb5267fcc9
SHA256e4f0c4403e356dc179f4ca38daf9df6f3f8a45b5abbc191050ec7ebdbe50965c
SHA512f8b70a4fa8aa64c4c959e09f5b9b8cfc3fb2f8e570840ca39cd0752e4d41b8474280cce00d67c257338206f5fa540449c91386997f7d599cc7337cb8b7332f46
-
Filesize
123KB
MD5b9db33c66c316d298ea9f9b70550ad54
SHA1a8b495e6a7af953793e2cf9ade48f8041a37f4b0
SHA256f9efd8dee97c671c6097adaa89911146ff6d97bb46703789a9e41f4287f9cd04
SHA512d672da6beac64fbd79d4632135781859e66e788b782bd07017c420ff331800b8354718c56cd1600fd9addd65af29d879467e16fddac1c3200af2b3c3b77e6de0
-
Filesize
267KB
MD5677dbf144502c516f24cc8129cde78d0
SHA148076eb466c8c3e53d32f8e08a3f2be7e5dade13
SHA2566e3a37cc4e79df96c39186b13eef985d1f547c18a876382cdd4727e91fca2307
SHA5128857ed99eebfb9c719dd685772e15eb66e8fc51305fe14554ee9f66f7466f941a3cd36d431a2348d678ab7874a365137d1c95d6fbab3f47d15d1d658293f2f26
-
Filesize
335KB
MD57ae872399675c7de388dc07e01767ec1
SHA1b6eb40f3321b8e5baa53476c7ac2f41caaff24ea
SHA25662f1cadf0b8df875a19f202d0b0fe51dfd3e03fcd1a6abeadba51c47cf5c1d61
SHA51271aec8ec6e88c19582da8316c8ea507c1bb119e4f9569ab50ae8c63e5903c2050178df6fffad45586b67aa38e801ccd93389c8ac06d1cc982f70984b6e95a178
-
Filesize
232KB
MD5d61734c683b3e2a72e841a88a4bfc6f9
SHA1f3834d0f6ad22d51fe2c6c350c2c966be18a3b07
SHA256e02fa9cbf4b9a5d59c4f741fadb8de6ba7d56c4374dc818275482f6892e3bd73
SHA51251d1e75569af44e7ec7400e991d57a09cd5063e784adcf4fd7fb34f1ce9f9feb7d04d18c1b2eab4282b87e7f55c90aa1e2b0df9ea0e73456e3ea6181b140d437
-
Filesize
322KB
MD552ee4382162db5df198c7d9578e3b959
SHA11f58806c065b995a6d49dbfef12d861a6a735c27
SHA25680751551a010ab7db00e225a26845109a8636b012ff619a580202e480dda0806
SHA51229f40950c130d52dbc1d3cf28a2f17d789b52cf0b10660be6fe9b18d7c6c8e8d8293618605e595f12add49c92a351cd8399411a91b706ae6530b3f2d5ee05760
-
Filesize
66KB
MD50d3a9d7f81f48e108ed3f6912a394ac4
SHA10a88f553d8df87930ceb2146c6072086dad155b5
SHA256c0cef10be6bc60087a3f4529b1495deae319e5e2473a369ab73efc28b5881490
SHA512d28dca4c4080e7cda6d2c15c2b5635da299c3f1e13f635015ab3a72319f2591e3115ed288640b0f90bc3271ba169494e3f750235d4653aec222235768d56d9bb
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB