Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-03-2024 16:25

General

  • Target

    bbb786619b7371680726d89dc2b5bccd.exe

  • Size

    512KB

  • MD5

    bbb786619b7371680726d89dc2b5bccd

  • SHA1

    ee1d8db853cb3e977816a9f5d08b392faa06c232

  • SHA256

    ec424e4137803921bb6a96ecf2c5105f84571b8e72866d7f9692bdaec8979850

  • SHA512

    08349691205d42db82c5beae31ad654132087849ac63e56b8c702d052bc3dcd7cacdf189d7a6549add572928bc0039f64d5209a7fd87eed86eafe12299198b7d

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6j:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 14 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbb786619b7371680726d89dc2b5bccd.exe
    "C:\Users\Admin\AppData\Local\Temp\bbb786619b7371680726d89dc2b5bccd.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\ichevcwmvc.exe
      ichevcwmvc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\nqwclbvq.exe
        C:\Windows\system32\nqwclbvq.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1980
    • C:\Windows\SysWOW64\stggqcnsamxicsm.exe
      stggqcnsamxicsm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4580
    • C:\Windows\SysWOW64\nqwclbvq.exe
      nqwclbvq.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3772
    • C:\Windows\SysWOW64\sliksfxzokyrd.exe
      sliksfxzokyrd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3900
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:456
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1136

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      e2343dd2da9f4215036ffe65a946f19c

      SHA1

      def900781047a71022d276fcb7852f70de96d8bd

      SHA256

      4e849920a216a6c74f42c6df1db53e6183b2f3199f6ca274dd98f46baef8a411

      SHA512

      fb9013f83501bfb919012f78ae2ce188263767f3ac9de9aa150024cc0f7a33d0633efae74990b56ba955a447f0ad2b40b903a37ab6c6d35a48f34457e786dd61

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      239B

      MD5

      12b138a5a40ffb88d1850866bf2959cd

      SHA1

      57001ba2de61329118440de3e9f8a81074cb28a2

      SHA256

      9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

      SHA512

      9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      0d3507e232482dbac3a13fd780b7837b

      SHA1

      822f1a5f5e14257cfc393c6ac720e3498fe1b592

      SHA256

      e9d55d3aecdd3af841c4502137727c365d50cd344c8c73979ec8f32e97170b90

      SHA512

      1fc6b24f37cc91a393fb771580dfd0cb9e2d201d49006ff0979adceca403cc2434114419cd9ee29dfd9c6c6a622d83998e19392ae4682dc9eb14c61bd88b6118

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      3KB

      MD5

      a8d568aa91e8e8380d1addfc62d93eda

      SHA1

      acc0dd67b62330622aae992c2befed78d096db84

      SHA256

      cf38e406f229a2289ee9df75fa393b5f6df6541a79a41581b9d34d013a28422c

      SHA512

      85a6f84e82979cd830c8765e64dcb2745767b626bd84ff25fb827d4d9468e0d71615ac96755a57a0b55586b78a2b065d2d4a1f0fd7d78357aa00a06d090e530b

    • C:\Users\Admin\Documents\CopyTest.doc.exe

      Filesize

      512KB

      MD5

      92eeaea39f977f1602536000520bef54

      SHA1

      79ff33c6278a1b13e1a932820036fa2b376cce29

      SHA256

      005a2df9e4afd56531db150b8193dac8edde0482b643ea0811c852f17ac087d2

      SHA512

      602b7978be78cced8235b761e1cce2b9b9e8fff590908605a9fd319dde83cb1f4932914026a8455d22d46c7a26b1dbda019740af281a00b24a96bc594ff46953

    • C:\Windows\SysWOW64\ichevcwmvc.exe

      Filesize

      512KB

      MD5

      ff433177142e057298a4213fae33a97d

      SHA1

      6240e7e03a3983c944a8812b93c53acdf6d164cf

      SHA256

      66a711ce2c099a0fd822441e68c3c381c6855d8a2183b82763d13f1c77db72b6

      SHA512

      b74605c15c8a4e1cac8bb4704c579aca56642e00765a3dbb6181d66fec856b0acc4b2520ff0cfba665887d1d800cf4b088b7b4aff6adbed71e72d0c384ac916d

    • C:\Windows\SysWOW64\nqwclbvq.exe

      Filesize

      448KB

      MD5

      9728739f509ce0f3b3b073c945c208bf

      SHA1

      31bf207a650a7f1bbb8e90552891f1a6f4e4783b

      SHA256

      f252517c755af447fe73347dd23cd133e28c7a203d01382306a195c8ddda3dba

      SHA512

      76e963f4d1b88528ebbdbc375372889efffba4768f6a99bccce4c1faa730e9515f93fa74bd10bb61c0034f2ceb9ef85ee8234f9d13df183ffc7e163ae3dd38e7

    • C:\Windows\SysWOW64\nqwclbvq.exe

      Filesize

      128KB

      MD5

      33be84de0fa03c6883fec2ead970e3ba

      SHA1

      dbe35ed4343779aa93200c24966ccb805e18f223

      SHA256

      ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887

      SHA512

      3e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093

    • C:\Windows\SysWOW64\nqwclbvq.exe

      Filesize

      512KB

      MD5

      3048173708bc1378bbdc4827254de155

      SHA1

      cd4f0eb9a3282c0b8affec760517d6b7e7d02307

      SHA256

      77edc9a4cbde1c843281d9188998f9fb55d36a43d620a96bd5951babd4fdbc37

      SHA512

      4489b5e42d81e830dcfdf10bf4737cb4292cb99ba96b2dca7af4d94f1a13cfc150c3d7fda6407ed65569882ac7ba198c8f6da930dbc8b0700743d903ea641a32

    • C:\Windows\SysWOW64\sliksfxzokyrd.exe

      Filesize

      512KB

      MD5

      4a2bc3b2a70737b7403702d0a18cc48d

      SHA1

      e6beed59dca45b1b9d6ba64e1c7ab84ece0b9854

      SHA256

      7365c956b0f3ba1bcf0dc6fd27f58cf3efdd94d2a4b2c0498cfaf33c8d580729

      SHA512

      00cf9a08a79cba2ee1f49338e19f094568b085d2cf571c443eb13c177ad6e8d621b784d219cea93d21a078d8b0560a7a95a1557a1fad801d7a1ae63a473ad585

    • C:\Windows\SysWOW64\stggqcnsamxicsm.exe

      Filesize

      320KB

      MD5

      40eccbf82b7b8fc916befc4f91646a41

      SHA1

      9b26728b4c732bfeb504f70ab523d90def972d37

      SHA256

      1dc118e41bf637830be03d9bfe6d57960cf8dc9dbe9c8302a78e3406285bbaaa

      SHA512

      4714d4a188098bfac7feb042ef4c6f0236e826c335c740df7f47d60f0e70d50c5eeaf73e1b94afb0408bd8c6b5ef6fa9d49577a6ac214ce115f4b6db0b341cdf

    • C:\Windows\SysWOW64\stggqcnsamxicsm.exe

      Filesize

      512KB

      MD5

      2cc79ecac808188703441dde45e5ce10

      SHA1

      1e7933f514d6409fad947744eb6d3dd409c82bcb

      SHA256

      8a11fabfb7e6d1d9024ccd00909dfd14b0ad6969d711d7d8983268319beed01c

      SHA512

      01ecae66aaa9b45421246bef4ce62c4389e5f4e8096383dace5fb537408e56b9f550f5d40068419c4323b6a5bb018f3605239ebe415e71eca0817776741976a8

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

      Filesize

      512KB

      MD5

      f6a580fde25e003862be2e7f8e9cc277

      SHA1

      685b042110e9d99001cf0afb13bffdae8283d2ac

      SHA256

      8781edd881e302a2a9cec77ee571a64453b1ac30e23b64ad148edc7f28c4e761

      SHA512

      00fdc83a925506189c8f663ee48bb47852b4e6ca19cf6fa4482a4e2d12c97df786f8b6773cc5ec82d542dc76e5aea75e74f72a0d27e1f388c14ab7cafe8f4ef1

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      512KB

      MD5

      d3248f9e4dfacfa619e575e08d3bcb79

      SHA1

      49c77dac8b790461c66b6310d9adb4102efbdc4b

      SHA256

      34a61a7378af783b82b16a7698d800e7385b61675f790a44680a0a9096b131ac

      SHA512

      7d330c6adf0a93b821d4385b6e026638c37c9e07d5902bc080a7c3d6ad3e80898d0d82dc63121996e63fb449b559a157ca391a7522adbd36412679f12448222b

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      256KB

      MD5

      a6912481eb039ab8ce8e65eefa5ac57b

      SHA1

      5859f27fff5ebd524ebd24615ab41f86fba46f02

      SHA256

      660f3560eeba127d97ee2570ed1c2dacd357f42f6136589ecedd2aa3004dccb4

      SHA512

      8f3bd0fa20db122cacaaeb9cba2d755db7a1d51371da190ea9337429d514ebde3336cd55f2db82358e06fe8f7906f50cb1799cb494875e3e38f478640697db40

    • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

      Filesize

      369KB

      MD5

      3c5c486fbdd0aea642584f27e2fcd8cc

      SHA1

      7562d442732a2ca5955dd4ba6ebabd6b2a665b25

      SHA256

      8d6fa60fd7c048f959f37ccfd586cc912ec20b4f9384e2e61efa4b60e70035de

      SHA512

      9978ac9b4390ce55be803b3f9711e8d5eb48df461685aeb0233bed5ba616b752f69ab1a51acefbb2b227c44ed1924d7bba3c39e02cc9f2e56bcc234efa2bc7c3

    • memory/456-38-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-134-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-48-0x00007FFD1CD90000-0x00007FFD1CDA0000-memory.dmp

      Filesize

      64KB

    • memory/456-43-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-42-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-40-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-39-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-80-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-81-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-41-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-136-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-47-0x00007FFD1CD90000-0x00007FFD1CDA0000-memory.dmp

      Filesize

      64KB

    • memory/456-46-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-44-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-37-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-45-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-129-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-130-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-131-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-133-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-132-0x00007FFD1F2D0000-0x00007FFD1F2E0000-memory.dmp

      Filesize

      64KB

    • memory/456-94-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/456-135-0x00007FFD5F250000-0x00007FFD5F445000-memory.dmp

      Filesize

      2.0MB

    • memory/620-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB