Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/03/2024, 19:22

General

  • Target

    bc99c4677a06951c7c1b7ce58f5d29d3.exe

  • Size

    512KB

  • MD5

    bc99c4677a06951c7c1b7ce58f5d29d3

  • SHA1

    7d7d01882e8cf2a5afc3324f88c21817405c5632

  • SHA256

    ce425c663951485304a21f3bd6bfb536f0c270478f411bafc09ebeea86324559

  • SHA512

    c216c2a0ce0dbaf52aae43a70a75f1ffbc812bc1e38057bfa3850dd7d996b48561d97f7240570a65780e30f317cb12a4dbc7357392cf9e967f52115ab29a9721

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc99c4677a06951c7c1b7ce58f5d29d3.exe
    "C:\Users\Admin\AppData\Local\Temp\bc99c4677a06951c7c1b7ce58f5d29d3.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\iwaxctbhaf.exe
      iwaxctbhaf.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\qvxuiquz.exe
        C:\Windows\system32\qvxuiquz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2632
    • C:\Windows\SysWOW64\fljdwnnbnnobjjt.exe
      fljdwnnbnnobjjt.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c oeoxjrkrxyohp.exe
        3⤵
        • Loads dropped DLL
        PID:2564
        • C:\Windows\SysWOW64\oeoxjrkrxyohp.exe
          oeoxjrkrxyohp.exe
          4⤵
            PID:2516
      • C:\Windows\SysWOW64\qvxuiquz.exe
        qvxuiquz.exe
        2⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2684
      • C:\Windows\SysWOW64\oeoxjrkrxyohp.exe
        oeoxjrkrxyohp.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2876
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:2704

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

        Filesize

        512KB

        MD5

        2b38810733417d44cb5239ad49a2ed40

        SHA1

        081006574aaed609dcc480f268ec9b6c1f3613ab

        SHA256

        be3cc2b3bfb07415531a01601896e82239f8659645e11c71455217de2f250444

        SHA512

        659ab98a23ab1cfa756ce41ba2576cb84b625fe0e3f564aff5a84d58b1230c748bba5536b9cb32e4f5ee5455bc1cc399821fdb1a494b06e17a6ce1a0960530b1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

        Filesize

        20KB

        MD5

        fd55e39a7c01f0369f9872b5b7487cc8

        SHA1

        59a83d8df85f6338acda474a755c25436c350fcf

        SHA256

        354c5971935c3c9a66da2b17d48349a00bef2d7db5e0b5409bdc97c397202f10

        SHA512

        94c79e00a3d1e24fadfec0eeeca8f6533ffbb66c0b345a17e17fc4b033fd2fa9b4159c0cf52621a3bd9651a0f0daa84908e4f1c85f3000aaf82150531c450108

      • C:\Windows\SysWOW64\fljdwnnbnnobjjt.exe

        Filesize

        512KB

        MD5

        b504215ee3145f33e9a287a61942e4cf

        SHA1

        21ffc864f4543e817c49bec2acc2fef0abc11e0d

        SHA256

        e7a717129dd15ff1a74a632e2d5ef8fe1b335bff344780bbc2b751edbc57e024

        SHA512

        0766f1ab5f646ad9b2ff0b9518df61684f1132995c1e5ef90863723d73473a60ef74f10ad8dfc9e1562783c7d748c9752b1e22b185b7189e0423007abcf5afc3

      • C:\Windows\mydoc.rtf

        Filesize

        223B

        MD5

        06604e5941c126e2e7be02c5cd9f62ec

        SHA1

        4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

        SHA256

        85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

        SHA512

        803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

      • \Windows\SysWOW64\iwaxctbhaf.exe

        Filesize

        512KB

        MD5

        76407ae9d6b436fc5606d10cb5a1882c

        SHA1

        3bb62a56f552bb0fd493356fb94fef50ac5337fd

        SHA256

        3b8b8dfae226c26ed982d9ac93ae8cf314f68b8a6cd6e2487df901cefa59d6b0

        SHA512

        2061ef165f86754fc29a58ae28cbb099dc9c030d363c468f6e153a5a7e060a77501fe417277668f1916f17865c393fb21922a6870aa7114172c6b218c80b484d

      • \Windows\SysWOW64\oeoxjrkrxyohp.exe

        Filesize

        512KB

        MD5

        3ec05e3464386c82dba16b968ae8a0cb

        SHA1

        3b424e851b46aa9ce38ca313ffe409cdd4fcdf57

        SHA256

        c88133ff3b0a4c0d7df86f599594dffd1ea0bf88066f590d36c50be96d059cb6

        SHA512

        d27f462f689f371b77c7049eaf8a364e2cf4134e01e3a8da0e7cc3a863c9119855b993297374e44b5731d4e22fec216184932a4edaa4ebeb255ceb9f93d85b1f

      • \Windows\SysWOW64\qvxuiquz.exe

        Filesize

        512KB

        MD5

        2bbb41a56fd1a8c21ebf59fe83a1424a

        SHA1

        56a4b65e86c18cc009737ef148f4b44d2fadafbd

        SHA256

        d3d4c9b1ac00cfb8b450a5760a0903070a37a7518f1073ead34932dcb2f31ac4

        SHA512

        7e36f3849b689d0ed5e730f4ddc8dfd464b221fca40db031cbb6d5a79814e3ca59df73d0c6d076c8efac458fcaf4e2cf28baca846bf1e8040bae2372f1a9e7b6

      • memory/2292-0-0x0000000000400000-0x0000000000496000-memory.dmp

        Filesize

        600KB

      • memory/2480-48-0x0000000070B8D000-0x0000000070B98000-memory.dmp

        Filesize

        44KB

      • memory/2480-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2480-46-0x000000002FAD1000-0x000000002FAD2000-memory.dmp

        Filesize

        4KB

      • memory/2480-77-0x0000000070B8D000-0x0000000070B98000-memory.dmp

        Filesize

        44KB

      • memory/2480-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB