Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 11:47

General

  • Target

    4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe

  • Size

    512KB

  • MD5

    6ddc42125dab7bef0e226b4ec8913967

  • SHA1

    3d8e7a7fb00566525d13eacc0ad4dd0111ab7327

  • SHA256

    4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b

  • SHA512

    572e2daf78c66b1f7657f269ecd3b045c5878cae34e4abf46ad02683d61ae5e6d31deb4c67e43e02ee0a9ccfe6ecfbd1e037ae42effe718c0bf6b0747f756c32

  • SSDEEP

    6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
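
The signatures above name the behaviours but not the registry values behind them. The following PowerShell host-triage script is an added example, not part of the sandbox report or of the sample: it checks the standard Windows locations that each signature describes (Explorer Advanced view settings, the DisableRegistryTools policy, Winlogon Shell/Userinit, the Run keys, and the Defender policy keys). Which exact values the sample wrote is not stated on this page, so every value name below is an assumption drawn from the usual Windows location for that behaviour; the dropped-file names are taken from the process tree. Run it elevated, in the profile of the user who executed the sample, because the Explorer and policy values are per-user.

```powershell
# Added host-triage script (not part of the sandbox report or of the sample). The report
# does not name the registry values the sample changed; the value names below are the
# standard Windows locations for each flagged behaviour and are an assumption.
# Run in an elevated PowerShell on the suspect host, as the affected user.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value or $null if the key/value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Explorer view settings (signatures: file-extension / hidden-file visibility).
#    HideFileExt=1, Hidden=2, ShowSuperHidden=0 are also the Windows defaults, so these
#    are reported as [info] for comparison with the user's known configuration.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($name in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    $val = Get-RegValue $adv $name
    $findings.Add("[info] Explorer\Advanced\$name = $val")
}

# 2. RegEdit disabled by policy (signature: Disables RegEdit). Never set on a stock host.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $pol 'DisableRegistryTools') -eq 1) {
    $findings.Add("[hit] DisableRegistryTools=1 under $pol")
}

# 3. Winlogon Shell / Userinit (signature: Modifies WinLogon) compared with stock values.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$stock = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
foreach ($name in $stock.Keys) {
    $actual = Get-RegValue $wl $name
    if ($null -ne $actual -and $actual -ne $stock[$name]) {
        $findings.Add("[hit] Winlogon\$name = '$actual' (stock: '$($stock[$name])')")
    }
}

# 4. Run keys (signature: Adds Run key) pointing at SysWOW64 or at the names the report
#    saw dropped there (names from the report's process tree).
$dropped = 'roezfzffaw.exe', 'honmgpnqdxhhwkq.exe', 'zisgunhh.exe', 'ykqrbpbwhbckh.exe'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not Run values
        $cmd = [string]$p.Value
        if ($cmd -like '*SysWOW64*' -or ($dropped | Where-Object { $cmd -like "*$_*" })) {
            $findings.Add("[hit] Run value '$($p.Name)' in $key -> $cmd")
        }
    }
}

# 5. Defender policy overrides (signatures: Windows security bypass / modification).
#    The report does not say which values were touched; these are the usual ones.
$def = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if ((Get-RegValue $def 'DisableAntiSpyware') -eq 1) {
    $findings.Add("[hit] DisableAntiSpyware=1 under $def")
}
if ((Get-RegValue "$def\Real-Time Protection" 'DisableRealtimeMonitoring') -eq 1) {
    $findings.Add("[hit] DisableRealtimeMonitoring=1 under $def\Real-Time Protection")
}

$findings
```

Lines tagged [hit] are settings a stock Windows 10 host never has; [info] lines are the Explorer values, which match the defaults on a clean machine and only become meaningful when the user is known to have enabled extension or hidden-file display before the incident.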

Processes

  • C:\Users\Admin\AppData\Local\Temp\4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe
    "C:\Users\Admin\AppData\Local\Temp\4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Windows\SysWOW64\roezfzffaw.exe
      roezfzffaw.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\zisgunhh.exe
        C:\Windows\system32\zisgunhh.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:876
    • C:\Windows\SysWOW64\honmgpnqdxhhwkq.exe
      honmgpnqdxhhwkq.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3500
    • C:\Windows\SysWOW64\zisgunhh.exe
      zisgunhh.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\ykqrbpbwhbckh.exe
      ykqrbpbwhbckh.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2024
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

    Filesize

    512KB

    MD5

    33bbbea6ecc28e52fb4a823672da7e56

    SHA1

    93e39e7281f455622ac66d943c6ecdf35f24a1c3

    SHA256

    300a51ddd1e8d09e5f0f6d1ad33d7a783b80fb8a2297bdfc64f05991cb1e7818

    SHA512

    bb512b0b1687bc8683da91201bbc0bba80fd2c4440d7bfe3efd45f2c3556d3a2d22061609837b63f9ce6227ea19e5d6c707b14803934ced2845112150143a176

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

    Filesize

    512KB

    MD5

    55a3f6514ec5aea2f8cd768f41b5965c

    SHA1

    303ada57863ca87b6f5af9617a14528039e066d8

    SHA256

    f2d16d67ffe9d02827b858f38b4f00b7d81aa7db326ead6b2065b2351430f36d

    SHA512

    5b1810002aea01a8a4f5a71355dd49bc1f153b863293a1a3f64bce0dd05a56c99bc360d94b6e8efbf439a7f49d9627f7b369f76c9e3ce856e05da2b9743535c0

  • C:\Users\Admin\AppData\Local\Temp\TCD9486.tmp\gb.xsl

    Filesize

    262KB

    MD5

    51d32ee5bc7ab811041f799652d26e04

    SHA1

    412193006aa3ef19e0a57e16acf86b830993024a

    SHA256

    6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

    SHA512

    5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    239B

    MD5

    12b138a5a40ffb88d1850866bf2959cd

    SHA1

    57001ba2de61329118440de3e9f8a81074cb28a2

    SHA256

    9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

    SHA512

    9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    50821dc0592833215f45792c8ac0b0aa

    SHA1

    e83a40eb6135f97a8d0d67690f614a67f24ac3d0

    SHA256

    cabdc52cd41848d651c02ab1ae9cfe5c9c70594ab0cb5e75dc2c5ab893586b73

    SHA512

    c55cf7c28fd0db7b157d65e6869217c2fb34bcfc4f49116626eba8f4dc675bd5e39477945464817095ffeb780242478fe2e80be0f1063dfd92298a7e5c1fc5b5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

    Filesize

    3KB

    MD5

    8a0677416bcf0053db4160b1d126de4b

    SHA1

    b79c20935b04e0df56c891905e874e05105d87de

    SHA256

    ab76de467b35ec922772ba5c837f99fd9ee3e2cb6cb7bc69c36d33624777f9c6

    SHA512

    989b816fbf1c48c9011678d30eab0dc9f27295e890b095688aaf0ef3e2c9f5b548fc90d57a25207d5595a5fddc20ba1cb54185b17f80a96bd7ed7788b81ec4b5

  • C:\Users\Admin\Documents\PingMerge.doc.exe

    Filesize

    512KB

    MD5

    a309558c64aa072598d9f9e359f41b1f

    SHA1

    eab66a62d1f43c1462b1b64099d65f584abb602d

    SHA256

    148de5052b4e219f0f9269dd864095b4d3f3bc62e60fa7062928aaabdcb7ca78

    SHA512

    3c279ebd86a7d6554c5b14a8245803eca0ebf5784677e1543def8bc86eb19c62c0dc75eba463cd14b210e87fb769667aff8802e587e347db6aea77fa5451c359

  • C:\Users\Admin\Documents\ResolveSearch.doc.exe

    Filesize

    512KB

    MD5

    231a900fb3c77c4780eb2bb547dda17f

    SHA1

    fe4f9da4430a91bbb3629a63499ddf15bb7a9c31

    SHA256

    e43b3f5fd6b233e79dcb403844a961f08bafc9f84cb01e5d737150b2198b962d

    SHA512

    567fc874a68d00aac73c067f15c474919619434557addef5229efdf07a26d0b8e1281f7509407fbcb492022ae153d049f6c3ab59c1c2894d40689fb7c8e64e8d

  • C:\Windows\SysWOW64\honmgpnqdxhhwkq.exe

    Filesize

    512KB

    MD5

    3f61c7dde6bf39554115d863f122e0a6

    SHA1

    77c95fdc4e9226ba88d868682f62bd452e77c870

    SHA256

    8adfbd7b13afb23b4e389b989b33969cac5c7f080bc3ccbd344a09f1ec78ebca

    SHA512

    7a12ad773217e2bce8881d50aa7807723663947a1a6ee7f91c623a158f84996affe5bbb25340138456ae791cbbfa079326755e74b5017ab21284ecca19193f06

  • C:\Windows\SysWOW64\roezfzffaw.exe

    Filesize

    512KB

    MD5

    a24e493b3a3d2ca5c9964578c486cdd5

    SHA1

    174b251b236705be1c4e7cf839b44353b3172f64

    SHA256

    6a37eb2311415f033e61eb0c64514e9fade655cbe77a0361360f21993f4c0857

    SHA512

    62c05f765aea98c659930ccd5d9efba23ebfb70676f6367dda626b746c161e5a7289e4557dba3c9aefda84c94c21306f25695ca92a10752177386cc016c00dd0

  • C:\Windows\SysWOW64\ykqrbpbwhbckh.exe

    Filesize

    512KB

    MD5

    68ef6065df54b18c1db16f88d1fc49ae

    SHA1

    1e741dd7ec9d36baeea71da7180570b051b1c9ba

    SHA256

    337e6991018dc0ccfbe76cde6c9e2b9aaf8494ddcf69a4a5c28f594fc690555c

    SHA512

    29ece71c094482286d411a64c0f109fdfcfbb16d200bfb2726566fe07c689a996c70fc2d0d7d4d29fac7f6c20c498a4e1eb758fca8f1af10c0b0d8020a48eeb8

  • C:\Windows\SysWOW64\zisgunhh.exe

    Filesize

    512KB

    MD5

    7033f04e2f764e9335829ac31f879734

    SHA1

    b3f80eb2b16b012cde48f3e9e157bd145acae287

    SHA256

    7828cd34b0a5fb4bbe4af34c76cc647190f8e4b0e4ff6dc729eb68a95431fd20

    SHA512

    590b61a392ca682d0f3380164503ffe0a09cf34888826351cc87d7b2d167cad79912d2a29460385332a2e2009e2b8c5f12ea5b913c712689330c824c58d6d17a

  • C:\Windows\mydoc.rtf

    Filesize

    223B

    MD5

    06604e5941c126e2e7be02c5cd9f62ec

    SHA1

    4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

    SHA256

    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

    SHA512

    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    e5636d0ad7fe658a520f593915d0adcc

    SHA1

    8c9535827b1ac7ffff8a37f0c7e6a19d304a04ae

    SHA256

    03de86ddd78828b3833f0948273df9f146834cae269e4be3a759908e23c3e158

    SHA512

    83b6170840935a654e1c4936b397f466d54e1cbfda3623b2e326f27eb5934fcc285ef002238370bfa5a2dad9337fc3d5c46d7737b100a180e395b524671067f1

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

    Filesize

    512KB

    MD5

    197b74817f16009c5d066cf2c78a3de8

    SHA1

    3f6be81ad7ef4b98b2bd7a06f4e80fa71225e861

    SHA256

    b6c688e6362ffb68df1c648b8e4f8a903a27afe29cb4f37e2760ce64ac472dea

    SHA512

    a74d417be401a4b9e81c248403c7e3a41018d8febdb9da9c3113fa59342fdf4d7dd5d2353d64b8c4be19ddac8a1555b26ba36c448e57153551d431441c3b2d66

  • memory/2744-0-0x0000000000400000-0x0000000000496000-memory.dmp

    Filesize

    600KB

  • memory/2852-39-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-38-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-36-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-37-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-35-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-40-0x00007FFBD0580000-0x00007FFBD0590000-memory.dmp

    Filesize

    64KB

  • memory/2852-43-0x00007FFBD0580000-0x00007FFBD0590000-memory.dmp

    Filesize

    64KB

  • memory/2852-606-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-607-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-609-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB

  • memory/2852-608-0x00007FFBD2710000-0x00007FFBD2720000-memory.dmp

    Filesize

    64KB
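
Every dropped PE in the list above is 512KB, yet each carries a different hash, so the hashes only identify the copies produced in this particular run. The *.doc.exe naming (the names mirror documents that exist on a stock Office install, such as PROTTPLN.DOC and MsoIrmProtector.doc, with .exe appended), the random-named executables in SysWOW64 and the decoy C:\Windows\mydoc.rtf are the more durable pattern. The PowerShell sweep below is an added example, not part of the sandbox report: it carries the report's own SHA256 values for the payload files (the Office cache files index.dat, gb.xsl and the .customDestinations-ms jump lists are left out, since they are side effects of WINWORD.EXE opening the decoy), hashes the candidate locations on a suspect host, and reports both exact-hash matches and pattern matches. The search roots are an assumption based on the paths in the report.

```powershell
# Added dropped-file sweep (not part of the sandbox report). SHA256 values are copied from
# the report's Downloads section for the PE files and the decoy RTF. Search roots are
# assumed from the paths the report lists. Run elevated on the suspect host.

$knownSha256 = @(
    '4aaab8c6c13b38b687a89b714c67769fcdcdb6a9b2afab733869a76f33f0304b'  # submitted sample
    '300a51ddd1e8d09e5f0f6d1ad33d7a783b80fb8a2297bdfc64f05991cb1e7818'  # PROTTPLN.DOC.exe
    'f2d16d67ffe9d02827b858f38b4f00b7d81aa7db326ead6b2065b2351430f36d'  # PROTTPLV.DOC.exe
    '148de5052b4e219f0f9269dd864095b4d3f3bc62e60fa7062928aaabdcb7ca78'  # PingMerge.doc.exe
    'e43b3f5fd6b233e79dcb403844a961f08bafc9f84cb01e5d737150b2198b962d'  # ResolveSearch.doc.exe
    '8adfbd7b13afb23b4e389b989b33969cac5c7f080bc3ccbd344a09f1ec78ebca'  # honmgpnqdxhhwkq.exe
    '6a37eb2311415f033e61eb0c64514e9fade655cbe77a0361360f21993f4c0857'  # roezfzffaw.exe
    '337e6991018dc0ccfbe76cde6c9e2b9aaf8494ddcf69a4a5c28f594fc690555c'  # ykqrbpbwhbckh.exe
    '7828cd34b0a5fb4bbe4af34c76cc647190f8e4b0e4ff6dc729eb68a95431fd20'  # zisgunhh.exe
    '03de86ddd78828b3833f0948273df9f146834cae269e4be3a759908e23c3e158'  # MsoIrmProtector.doc.exe (1st)
    'b6c688e6362ffb68df1c648b8e4f8a903a27afe29cb4f37e2760ce64ac472dea'  # MsoIrmProtector.doc.exe (2nd)
    '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2'  # mydoc.rtf decoy
)

$sysWow = Join-Path $env:SystemRoot 'SysWOW64'

# Candidates: every PE directly in SysWOW64 and SysWOW64\MSDRM (the sample's drop
# directories), any *.doc.exe under user profiles and Program Files, and the decoy RTF.
$candidates = @(
    Get-ChildItem -Path $sysWow -File -Filter '*.exe' -ErrorAction SilentlyContinue
    Get-ChildItem -Path (Join-Path $sysWow 'MSDRM') -File -Filter '*.exe' -ErrorAction SilentlyContinue
    Get-ChildItem -Path "$env:SystemDrive\Users", $env:ProgramFiles -Recurse -File -Filter '*.doc.exe' -ErrorAction SilentlyContinue
    Get-Item -Path (Join-Path $env:SystemRoot 'mydoc.rtf') -ErrorAction SilentlyContinue
)

$results = foreach ($f in $candidates) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    $doubleExt = $f.Name -like '*.doc.exe'
    # -in compares case-insensitively, so Get-FileHash's upper-case hex matches the list.
    $known = ($null -ne $hash) -and ($hash -in $knownSha256)
    if ($known -or $doubleExt -or $f.Name -eq 'mydoc.rtf') {
        [pscustomobject]@{
            Path      = $f.FullName
            Bytes     = $f.Length
            SHA256    = $hash
            KnownHash = $known     # exact match against this report's hashes
            DoubleExt = $doubleExt # pattern match: document name with .exe appended
        }
    }
}

$results | Sort-Object KnownHash -Descending | Format-Table -AutoSize
```

A row with KnownHash false but DoubleExt true is the expected outcome on a host infected by a later run of the same sample: treat it as a hit and add its hash to the list rather than discarding it.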