Overview

overview

10

Static

static

10

b93bd15835...2c.exe

windows7-x64

10

b93bd15835...2c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2024, 01:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b93bd158355c7fb53b409241f3ecbd16f0e65d67dc38765a1352a9b03c595a2c.exe

  • Size

    255KB

  • MD5

    784ca39bd620e09f428f473f68b6b3b0

  • SHA1

    e1d757386b645059e944145b3ac0b6dbfbebb1a5

  • SHA256

    b93bd158355c7fb53b409241f3ecbd16f0e65d67dc38765a1352a9b03c595a2c

  • SHA512

    effbdb85d52cc58f57f2dfd9f86bf7b7823981240db70180b63b36d114019c7a77c8db187a1dd0b8dae50b839b84c2e0a7660b56841f39f9f771d4a7be262831

  • SSDEEP

    3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJm:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh

Score
10/10
evasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • UPX dump on OEP (original entry point) 60 IoCs
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 60 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 52 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b93bd158355c7fb53b409241f3ecbd16f0e65d67dc38765a1352a9b03c595a2c.exe
    "C:\Users\Admin\AppData\Local\Temp\b93bd158355c7fb53b409241f3ecbd16f0e65d67dc38765a1352a9b03c595a2c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\gofyeqrsyu.exe
      gofyeqrsyu.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\SysWOW64\dmuoiopx.exe
        C:\Windows\system32\dmuoiopx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2960
    • C:\Windows\SysWOW64\hhhmgyhqvxqnyau.exe
      hhhmgyhqvxqnyau.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2568
    • C:\Windows\SysWOW64\dmuoiopx.exe
      dmuoiopx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2628
    • C:\Windows\SysWOW64\ifsflfznzgynd.exe
      ifsflfznzgynd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2648
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1604

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
            Filesize

            20KB

            MD5

            c9d1f640264af92d9e8018873acea15a

            SHA1

            e7e22640a814e605274f53ab4e3b244bb8f84b24

            SHA256

            b6cd37aa5663b52d9695fddcdfaf0093f5bfe1f8ef07af0c4ef542b2aa20b7c5

            SHA512

            80ce8d0265c647f1da794b79265c2668f89256b1a25ae67409c7390f804917cfa52c347a63e402939d3d8e4a095f010d40e5f6ccb7ef7a9a6aec129b85a03e9c

            Download Submit

          • C:\Windows\SysWOW64\hhhmgyhqvxqnyau.exe
            Filesize

            255KB

            MD5

            784ca39bd620e09f428f473f68b6b3b0

            SHA1

            e1d757386b645059e944145b3ac0b6dbfbebb1a5

            SHA256

            b93bd158355c7fb53b409241f3ecbd16f0e65d67dc38765a1352a9b03c595a2c

            SHA512

            effbdb85d52cc58f57f2dfd9f86bf7b7823981240db70180b63b36d114019c7a77c8db187a1dd0b8dae50b839b84c2e0a7660b56841f39f9f771d4a7be262831

            Download Submit

          • C:\Windows\SysWOW64\ifsflfznzgynd.exe
            Filesize

            255KB

            MD5

            91266ad81d27ec03777ecc59eb7f4d0e

            SHA1

            fc6278bd0060d1b6ebf03bfac0a4004eb68386c7

            SHA256

            3cd76486236cc7f63969260627000c20fc010e0dea6125824a999f0f70874217

            SHA512

            21919cb82bdb1c98b190db7618e6ccd36e1bc84edc66aa91658b42bc0b28f6ed577601824bf0124e3915c4cdd76ad58a0bb08cd8d9c5790f549722c89232365c

            Download Submit

          • C:\Windows\mydoc.rtf
            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

            Download Submit

          • \Windows\SysWOW64\dmuoiopx.exe
            Filesize

            255KB

            MD5

            409f25c482b3371844b26fc3acd9805a

            SHA1

            cb8555af640e297592d9ba0ab0ceddb58a7e9739

            SHA256

            c36f484e890b3e60dc4777c8ccb213ef8682f13f6bd633e8ff1b5cb9f6c1d9b3

            SHA512

            10dba73ac3de055421ef5dd41308569451f98687a9919f700ee82622197603abf29d70161ede4519eb0af628a66e876a70e3890885131dff8095df8c42be60ad

            Download Submit

          • \Windows\SysWOW64\gofyeqrsyu.exe
            Filesize

            255KB

            MD5

            4a00e4e0bac492908e3a315f99069e1b

            SHA1

            e9a62b82dc96e6bfa36e79aff625afdc43290e82

            SHA256

            4335e83a86469ae50334e959ade31d908eace57a09da7e97714c787499c3ac39

            SHA512

            06a9fa72022fb1734da94968f4d4fe174efd4fa8273e38f5ba9edacf56010935ff1d846595c50ca95a23e12d035896675e62a61bfc8a844b0723e203e460c76c

            Download Submit

          • \Windows\SysWOW64\hhhmgyhqvxqnyau.exe
            Filesize

            255KB

            MD5

            4f6e9f9a912abc488d650f447106921f

            SHA1

            8156eec428021196b5bede95f89adb1e25dacba5

            SHA256

            70a1e4dc1ce1c1d3991624a2eae8e2c82767ab5bf9bfa2aad53f76241b03d43d

            SHA512

            e7c3f8e2a5560c457e16fc3234c2701b6f1a18722b9a01d4ca49888a0227b9dde35ca80f7e4a1ef79b53413937f3b7e1acee4953bab55b3e3a2532b011b478fd

            Download Submit

          • memory/2068-106-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-137-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-134-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-131-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-90-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-27-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-74-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-93-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-143-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-85-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-103-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-140-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2068-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2480-130-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2480-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2568-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-138-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-144-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-91-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-141-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-104-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-32-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-107-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-135-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-101-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-79-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-132-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2568-75-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2628-84-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2628-80-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2628-76-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2628-39-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-92-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-77-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-105-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-88-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-133-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-145-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-136-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-87-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-142-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2648-139-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2960-83-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2960-78-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2960-44-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2988-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2988-29-0x00000000022B0000-0x0000000002350000-memory.dmp

            Filesize

            640KB

            Download

          • memory/2988-46-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

            Download