Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 11:47

General

  • Target

    4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe

  • Size

    512KB

  • MD5

    6ddc42125dab7bef0e226b4ec8913967

  • SHA1

    3d8e7a7fb00566525d13eacc0ad4dd0111ab7327

  • SHA256

    4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b

  • SHA512

    572e2daf78c66b1f7657f269ecd3b045c5878cae34e4abf46ad02683d61ae5e6d31deb4c67e43e02ee0a9ccfe6ecfbd1e037ae42effe718c0bf6b0747f756c32

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe
    "C:\Users\Admin\AppData\Local\Temp\4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\rmlcbffhqk.exe
      rmlcbffhqk.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\SysWOW64\mzylmtcc.exe
        C:\Windows\system32\mzylmtcc.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2824
    • C:\Windows\SysWOW64\odvtnijbbutcyam.exe
      odvtnijbbutcyam.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2176
    • C:\Windows\SysWOW64\mzylmtcc.exe
      mzylmtcc.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2600
    • C:\Windows\SysWOW64\nnzronakeoena.exe
      nnzronakeoena.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2684
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1248

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    8e43ad441ef99c9244736861c12e70f3

    SHA1

    b20b6ec18766865e6908858841db3e7a7e5bfd98

    SHA256

    c12c9850c5bdfb1113c5dbf32a86bffb7f48c5a3faf9325c68ebd793af21ad32

    SHA512

    b400f89ea4c4176097e42947aa4e0ff429201d9415228fbf446855fec556cbd7f4b753dbfdc84d836fdb090cecf5dff9e19e52277d2d5b8b381f57f08d38488f

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    05a333e6ef9f24e3b475418e8111425d

    SHA1

    7a92cf693093d61bd47b064581f2b3bca6224a34

    SHA256

    ef60f1e2f93e0bbb5d14fe6025372c1fac738d29c04d6c15514b6e92c34e15ee

    SHA512

    127719796d6e99b142397942c0b79e3d4f86d6fee9a5e062f68a6d5aa73f033c8898b26c66c4a2b6496891b22b6b08d4f896d724745782e1bfc21e197abdc602

  • C:\Windows\SysWOW64\nnzronakeoena.exe

    Filesize

    512KB

    MD5

    7eea5e1b4ccc5bf124afba7bf7e425a0

    SHA1

    7d18166e462891bb509a99761f701c19025b2b83

    SHA256

    4f4ffcac7d3543315ecb535575506ef8c10de3d0b20c19d8c7f3441a10641f54

    SHA512

    1ab92ac572cb48ce807b48b96f94da81f6485d7c219e98603df4957de3da497d11e32dd991df536c0f9ce431f6fdf02210c6226a461c8b03ca4fc23af35adac9

  • C:\Windows\SysWOW64\odvtnijbbutcyam.exe

    Filesize

    512KB

    MD5

    add2ee1358852cb792b2c7730a1c8eb7

    SHA1

    6e3ed935282af042e98a5af076e92a74854d41b5

    SHA256

    b71f796e6871a76a956e623061cdd776c828f77cabe93bfb77e39cf903a8552b

    SHA512

    8e08ecef255fd7de05e6f561798a7c0c0b2ceda7c93c579479f20edb78390af97472f3a4650d83b48520f65953f78f22ed65501c643183efd2426c123af1d4c6

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \Windows\SysWOW64\mzylmtcc.exe

    Filesize

    512KB

    MD5

    6122dd2e9b58cd7047f190c7e33a7d96

    SHA1

    48c7eea4d4b6e309d520d51c9a60ebf7e2fe9774

    SHA256

    e5efff88cf88e59965511d00767cc8e409aaabcbacd77a63b03adc3f8c23cbf2

    SHA512

    8223f4887f06f563a4df9135d4b88fea9915c1b3bace0fc88e14f590627d60888e4cf74c3fbca39f826846d9379b8705582d67c5149d193c1b248de4257645e5

  • \Windows\SysWOW64\rmlcbffhqk.exe

    Filesize

    512KB

    MD5

    c74bfd93272c14ba36e857aa71a60dd8

    SHA1

    e8373403f856a572856637acae37a270829802d2

    SHA256

    c655f6a1b52b0a24b851b32f3c85b8002fb742c57230a9c37fef0d34a49b9bef

    SHA512

    dba80894d16e814d365114117bc5f8d15ae2f4fc7fac6a50f2ebfd9111a1ecbbc2529af644bac91d964ff5ce72d6a39c4c315855e7abf143b7674075edf2989e

  • memory/1248-77-0x0000000002A40000-0x0000000002A50000-memory.dmp

    Filesize

    64KB

  • memory/2416-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2684-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB