Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    11-03-2024 00:31

General

  • Target

    bf5e147e1eb1695ad7557d7f52e67a39.exe

  • Size

    512KB

  • MD5

    bf5e147e1eb1695ad7557d7f52e67a39

  • SHA1

    93902e132135af7a546b8edd374478b8c5679298

  • SHA256

    62064fc6511ca26dc8b532fa5d8e8c77e53796fff99418948fe82a3ae0a066f0

  • SHA512

    3eca7cf29859d8e88047ae7715cf29aaf159ad9a50c422c7da860226de4f239ce33191166f6729112086e39587f969bfb9db2c314dbfb04c05f6470e989a5c8a

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (6 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Program Files directory (14 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf5e147e1eb1695ad7557d7f52e67a39.exe
    "C:\Users\Admin\AppData\Local\Temp\bf5e147e1eb1695ad7557d7f52e67a39.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\xiadpugmgs.exe
      xiadpugmgs.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Windows\SysWOW64\uhkywgyz.exe
        C:\Windows\system32\uhkywgyz.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2692
    • C:\Windows\SysWOW64\eqnwaayqwvfjeiu.exe
      eqnwaayqwvfjeiu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2036
    • C:\Windows\SysWOW64\uhkywgyz.exe
      uhkywgyz.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2540
    • C:\Windows\SysWOW64\rmqdsoilblvxi.exe
      rmqdsoilblvxi.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        PID:1440

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

      Filesize

      512KB

      MD5

      c6260bbce833b2f522e33d8d1e930347

      SHA1

      444514d3bcbe7912a79bc21b5522f7017e389d62

      SHA256

      b12331059729d295970f2f6f1eb609c82be0bf253895739f670f27bd3252c548

      SHA512

      78794446ad4f63df903533f3230e2d9077a7564932742dfaba9a61ae2117648c236c668762d3e9a8f46c17ec757a1d952ba61fb60140cb8baff51df7126a28ae

    • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

      Filesize

      20KB

      MD5

      2fffa668c8f90c26076abfaa4558f674

      SHA1

      bef267d7b229a39127926451ef1cd09c66e2f00c

      SHA256

      3030751ab0a63fc00067e108f89bfb0f9c3c5b2717618fdb2894d4397856379c

      SHA512

      c0d4843f7a7fe8cd4237bf099c091768bb557ff21b67c78effaff45f8ce5fe6b53317ef0c7e4de825895c95592741b6197db211e6ddfaf1f81d5894b47657760

    • C:\Windows\SysWOW64\eqnwaayqwvfjeiu.exe

      Filesize

      512KB

      MD5

      a2c5ad1f41e8dfd98a5eec2f17d2a7fc

      SHA1

      b43fd5266b7a4d69fab6e8779f784cc2f3d83c11

      SHA256

      4b13f4c3a779d5ce46536d3c522a53938386d9693df7a5e4ef310cffa2a1e703

      SHA512

      0459de24f7d5cf765d432572b37114e6771cfbb710394255a333575a16a6013b36dcffc6a97382c92149005242a44efe4d39396308fb490c00092f1603735d73

    • C:\Windows\mydoc.rtf

      Filesize

      223B

      MD5

      06604e5941c126e2e7be02c5cd9f62ec

      SHA1

      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

      SHA256

      85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

      SHA512

      803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

    • \Windows\SysWOW64\rmqdsoilblvxi.exe

      Filesize

      512KB

      MD5

      e57ad59184e44c7a4fba6fec8014d9dc

      SHA1

      3edf2c4103fae26785f7f06f95bdc530ca0014e7

      SHA256

      c86a845f1d26fbd318e0130b73f341b9bb2c8f1e8339272667ef6f3d8252b3f2

      SHA512

      95e4ff2b35c62a2f8aa8bd4ba07924aca6387c802f277cc0219433971b211c824875f636bcfa149cc083e0d05e2491f2c304dbcda81be55d3c447dc2a0913058

    • \Windows\SysWOW64\uhkywgyz.exe

      Filesize

      512KB

      MD5

      4932156640d0fbc92e695d33609c2874

      SHA1

      8ed36b61b453824e04d5e2a9652de2e71050c083

      SHA256

      80fd1e89ea0f8b576ad9c37411756b1c7bad627c50c56180d84d245f8d35c0cb

      SHA512

      d0f1d32f6929d07db51b0f80ccada41900b74fa9e2889eeef965dcde8be9185250f33c3363c2e0991f26795d6fea1bea4cbb9ea4fe1a63da5b1930c2817aaf4a

    • \Windows\SysWOW64\xiadpugmgs.exe

      Filesize

      512KB

      MD5

      076a7f0ddd4c470f138ef5b812bf667c

      SHA1

      090b794dc2b719961a0b1416856e95c78a8a750f

      SHA256

      4abeaaf807f5ec938cf78050e3da4a9ee84fd99eaf4e050928e3eafd8bb78d17

      SHA512

      339ed633e1f9741752df1448c4e608cc7d8e78bf0a6075ec37d271b63d0e2577196f4d319caa7702794f47edadaf8f2e0124eb5e114e977a1b36f1503465407b

    • memory/2236-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2236-47-0x0000000070CED000-0x0000000070CF8000-memory.dmp

      Filesize

      44KB

    • memory/2236-45-0x000000002FF41000-0x000000002FF42000-memory.dmp

      Filesize

      4KB

    • memory/2236-82-0x0000000070CED000-0x0000000070CF8000-memory.dmp

      Filesize

      44KB

    • memory/2236-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2844-0-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB