Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 00:27

General

  • Target

    62116bc306500152e1d21625f269172dJaffaCakes118.exe

  • Size

    512KB

  • MD5

    62116bc306500152e1d21625f269172d

  • SHA1

    0a856d74c01b7faea69576345bc41390e9682dbc

  • SHA256

    401ed2181665240ec44880261531b2513d8fc0b0f5bd30625abc70e9ad83a865

  • SHA512

    0ca372cd065f204d2b0e242099b5f6fd1007c6a996f19ec348f9ffb797e8edaff57a82b24d6b338996324733dacbd0282aaa6cb037758e0d20716affeb4ffb25

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5i

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62116bc306500152e1d21625f269172dJaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\62116bc306500152e1d21625f269172dJaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\krsvgsgjqx.exe
      krsvgsgjqx.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Windows\SysWOW64\qpnmixfi.exe
        C:\Windows\system32\qpnmixfi.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:392
    • C:\Windows\SysWOW64\hssyyjblzbljzbe.exe
      hssyyjblzbljzbe.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1520
    • C:\Windows\SysWOW64\qpnmixfi.exe
      qpnmixfi.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5020
    • C:\Windows\SysWOW64\bxaygwsjydhah.exe
      bxaygwsjydhah.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1380
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3160

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    485678909065ffb74256d046da87d06a

    SHA1

    faf380f877621f7fd06a8c9263bb7d82f907222d

    SHA256

    4e16798ec466a432b486f766e5ec4b91cc033d5a0e7e3369fdc25946e4b317ad

    SHA512

    04a83d116626f6ccbb089c019d4a58e4d254c73e5b96c2416971b586aab68092b0ab88a85ddad793e60bfdc799f4c0e404293ccf02108106a8d789c257eeeff8

  • C:\Users\Admin\AppData\Local\Temp\TCD985E.tmp\iso690.xsl

    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    ac4e0a3f39abe563fd6950db9115665f

    SHA1

    e5121ccabc194d32f9d4bd6e04d764109ebb05e4

    SHA256

    cb783c05940cf778ca5c24d301a96064dab3813a05835291439b9ad10287231e

    SHA512

    b67861dbda183882e5dbb5ba526277d5e8e166e31c4dc4be3cb384b69cae5c0223fd2bf31a448cc216664205bc936cb1971e96a57dbc166c2920bcb0999026ec

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    9e46086266e71ac2401073d6e6374bcf

    SHA1

    07e0a49d8e301082c9c5f5ca864f7881beee596f

    SHA256

    d4b99ce04941beafcd407cda42cbbd36e36dd91c4caa443a9e6c7a67e29499da

    SHA512

    c62786720168b56eb299070418f78e9254dba764037004447b5874221bc5188eb290d3b6134a1d1b0908218e4c845bf794a42be81e2eddf06867d33b8e20dd8b

  • C:\Users\Admin\Documents\PingRestart.doc.exe

    Filesize

    512KB

    MD5

    67fedc1c71198406f5ac344e6ba2a650

    SHA1

    8dee90aa71453ab492003c67374aa8fd72c489f1

    SHA256

    2bed95efc7daede3b82e9f1a84ff872bf5212caa456f5f0a3dcb0561113f9e50

    SHA512

    e28c6308a4ea25dc493ddc4245ab7a4d3069f45042414b7cb8e83f0b2970356c2b4b0d0c7388575a73977ba1036afc54b5c6068ea4609e6ea161a6efbba40f30

  • C:\Users\Admin\Documents\ProtectBlock.doc.exe

    Filesize

    512KB

    MD5

    cd88e35cae4ccc6c84da9e2b2c12a36a

    SHA1

    e4d892a5fc2f819e1ccb49891b2811746aedb01b

    SHA256

    c32ee50b6f3c096b4f1b96059c03abf0a51c4bcf7724a2877c6f71d751e19be1

    SHA512

    0d4c677ab4f5b7bf1af8f7252c8783d2d5d036b0e71ac5890f1de47602370150905549503ccd9d9f61166be4e3b93cb80c470508817a8d4189b0a95cd93a529e

  • C:\Windows\SysWOW64\bxaygwsjydhah.exe

    Filesize

    512KB

    MD5

    714dc17b1097ab06b24eaa5e34ef9632

    SHA1

    46f4fc62bdd84c4e7d2545ca54eaf93c77ccc17d

    SHA256

    4f96cabec5fd2a2a288f6a1d29df08a4cb5b34a89dd473a79787f31ec0520acd

    SHA512

    db6bd6cdecead9befae69bf47336eabd3c23c1ac291c28e315d3523cb4ae1ede03fbd22e588c5a19378b7a3e414bca96fd17e2f0e6c81e4dca81800bd60245de

  • C:\Windows\SysWOW64\hssyyjblzbljzbe.exe

    Filesize

    512KB

    MD5

    d66c0b1385cc20690bd79ac498ec8bc6

    SHA1

    10e0a95c35447c42f6fe309f19eb0434e39a3ba7

    SHA256

    3ea295213e95ef31fc93e2460e5f02bb93a5521a68f27b45fdcba2253b071218

    SHA512

    3e96bc6cce132959bddda3d37de96ab0281525bc99f0a73852a0b544f6f4b664ab46037c48e81be955494ca0afcdc1ec696e4020c8cf686e77f488c57639a417

  • C:\Windows\SysWOW64\krsvgsgjqx.exe

    Filesize

    512KB

    MD5

    fa03a533a6106a48c27f87500ad2a88a

    SHA1

    9592c1427b46f7bffbfccdebcf251196b88af7d7

    SHA256

    e5db3cff4690d84964cce8c0da59714ad3a1a632565d4b4ac49aa1662f857f19

    SHA512

    d0c408fececac58541e6676569b3171815cc752f85c5fa9abfe1e06cbf8c61dc1e851a4a5a5518e214c6006aee4f944ac8333dc4f2d00587f876a45b4a814cad

  • C:\Windows\SysWOW64\qpnmixfi.exe

    Filesize

    512KB

    MD5

    0f739c0513bc3d46e62ea6bcd9edfce9

    SHA1

    1dbab239347a18b5a9fae4004f929bee73b2f9d2

    SHA256

    ebb6c24d7f5ac24a01348500e6422dbc2af250c899da7fef1505909607b18401

    SHA512

    32d5ee8bcd40453c479d07e2cedf668f5b5de3b6cce98037945eacbd1a1d6a7a4be943c8db81d8f792bea74bd4159f16e061ea0bf2300a16ffc3ad2b253f381c

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    5eb0c77e1d30de965aa434e70f4d6197

    SHA1

    1599d75ecefd9d62154f2f7564d78f4d82c51c48

    SHA256

    783c7f9f58eb07edda84a51ad5eea468f8432f2a48c5744ed3459d9a1a699c27

    SHA512

    c9605a5bc75975c93639207bebc23bd4eb774c87b62fc9aadf8804245dd9afaaaadee9dd2712d5cfb8a0126d93e6ce356c6dbf24f78571ceea45f003244f16f8

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    40a72648b3a442545048b637d0a1671e

    SHA1

    079b01c2717a3166e40b950f4c5a058eecf16769

    SHA256

    e6a3c9ee76370931779cb4faad91ed2842b82facac67d8e5d1f1bf8f467152dc

    SHA512

    6c15f4465718258881fc7ab26f6f93e15fb07bc765196cb2627a24ff2729fce652587d848243e625d76923f78553c973b9d1a0f03ad523864a7e7c6af41bc48c

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    8807350e49938b30bc9f30176a7ebc41

    SHA1

    a0dd9747648822522619cfa17e0e662917d425bf

    SHA256

    7f85dcbcb601ee5cd7d357272225ceaa00819798ff524abcc0951ed6987bf9fb

    SHA512

    5d8811b64768fa586408beaa927fc7c14ae0ef490118d0a7418cc7f84d9228be9a66e3a739d4897801d77e409a808253a655992c859c1f08562688c63d160e19

  • memory/2524-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/3160-40-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmp

    Filesize

    64KB

  • memory/3160-39-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-36-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-38-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-37-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-43-0x00007FFEDFBC0000-0x00007FFEDFBD0000-memory.dmp

    Filesize

    64KB

  • memory/3160-35-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-612-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-613-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-615-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB

  • memory/3160-614-0x00007FFEE21B0000-0x00007FFEE21C0000-memory.dmp

    Filesize

    64KB