Analysis

  • max time kernel: 150s
  • max time network: 138s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240426-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 24-05-2024 20:06

General

  • Target: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
  • Size: 512KB
  • MD5: 6f91d104958a5ca488ef235eec0c5cb4
  • SHA1: da2b08f41effa470dc52346de414c245ecd7a464
  • SHA256: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee
  • SHA512: d267842ff5fd158fe1700cfa7be1c6b086e9cb12a86f836e068adddc1574793a5a08f1b8d299c188ca597a036bd191612df3f32c0a9f360a99eb3f183be6527d
  • SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs, 5 IoCs)
  • Disables RegEdit via registry modification (1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Windows security modification (2 TTPs, 6 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 2 IoCs)
  • AutoIT Executable (10 IoCs)

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory (12 IoCs)
  • Drops file in Program Files directory (21 IoCs)
  • Drops file in Windows directory (19 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (20 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of FindShellTrayWindow (18 IoCs)
  • Suspicious use of SendNotifyMessage (18 IoCs)
  • Suspicious use of SetWindowsHookEx (7 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
    "C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Windows\SysWOW64\tlvefcbudc.exe
      tlvefcbudc.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\uorekaug.exe
        C:\Windows\system32\uorekaug.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4248
    • C:\Windows\SysWOW64\cvydpsmphrroqbx.exe
      cvydpsmphrroqbx.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1368
    • C:\Windows\SysWOW64\uorekaug.exe
      uorekaug.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1496
    • C:\Windows\SysWOW64\ovxdytklcukde.exe
      ovxdytklcukde.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:968
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4516

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
    Filesize: 512KB
    MD5: 4062a3074fe539df4daddf18e4630279
    SHA1: 85bdfd54777886be50d4441c428d6cffc71a0ed2
    SHA256: 5a62edd1c632f8c8e05aa5fa73318581d666ccb486bee276ceb911d49bc76793
    SHA512: b14ee548b01eb249a6c34757d49d60b8a00cd0ea1b22f11b6f155839cddee3701019fc92a1aae51f6fde7b8bb7da0f2486f1f7c981815a135fe9aaa5eaf0d683

  • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
    Filesize: 512KB
    MD5: 11eddc1e80d9afc2477f654fae61ac20
    SHA1: 2b9ce433a59c3360ee0cfc08c39d79c2310ceba9
    SHA256: c34e1cf9666a3c5e7e8838483ea6589a5f9bd3241d8a62c87f2617e943578828
    SHA512: a712b3eaf095151576367e0393bb4123ee390d69ce997837c800b5ff70c2739b36c81570837b1a4664ff028089d4239dfb90d3ebe5f6bfb3bc226bbbc8dd1d65

  • C:\Users\Admin\AppData\Local\Temp\TCDC10B.tmp\iso690.xsl
    Filesize: 263KB
    MD5: ff0e07eff1333cdf9fc2523d323dd654
    SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
    SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
    SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 239B
    MD5: 12b138a5a40ffb88d1850866bf2959cd
    SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
    SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
    SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: 12e440df2cf3c29e7113939622b05193
    SHA1: 83b3fe6efb4ac918e998987e473485201c9a44fa
    SHA256: e8e343873a993588435590755a0f00069422f3eb44fe275b56f0c46f0f39ad26
    SHA512: 31857b41c74dd3196dffcad277892e1e3a91dd7fdd5e18ecded8c0af8a2752f6a1400df6c07c460c1ab681ded4a2d700160eea87c8cbb3e678110da481b2a86a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize: 3KB
    MD5: 2a0123926733d4943b0a0987008f04e5
    SHA1: 17459d2382d38abe6d3b9a9fe2d8b738a55ef863
    SHA256: e931317c5e441e4e09a89789109d7dfa7a6e78d003b70326929a109bd24a5acf
    SHA512: 6886b2058754b7a80dd62d740ab792e2db812d059aeb602787dae0ab9a031603811d85f163bae1f934e897a5b387a4991330acb4df3c4d079b57162ed94fdc06

  • C:\Users\Admin\Documents\ShowFind.doc.exe
    Filesize: 512KB
    MD5: b89a56b030a031af7ec6b147bdb61df5
    SHA1: 41a56d72c537274de3944eb61253998ad8beda36
    SHA256: 0bbf5733866d51b9752cb0f5510b8dd7ceb1e33a77bbc2a692591ef6a0a59b18
    SHA512: 67d17c84519025b019c944857fdd91966a74b0f1401af6a059745e95b74156659f0a432c7ca2b978b209c84475bad49fc90db5174ca1ce90f0d9ff0123f0753a

  • C:\Windows\SysWOW64\cvydpsmphrroqbx.exe
    Filesize: 512KB
    MD5: a7b3ef6716633f0120bff68eafdf2fcf
    SHA1: 57e43e1fb1ad156cc89e37dcca59477aea778e76
    SHA256: cdca4f7333d872bbe0cfdaf5a6b9be4a5f24164471ce9cd92c1a070004bb3bbd
    SHA512: ab498966fbc82598bdcbd562c07402608dfaaee6983d92d03811454768667ffbe697217f9c85a3fad5864aab1d24ea1e336b4edbc2f755d3c2c81a0adbba8520

  • C:\Windows\SysWOW64\ovxdytklcukde.exe
    Filesize: 512KB
    MD5: b602e8d8a5a8fb492fe7f708072b28d2
    SHA1: a4d22277739d15cdc5fda67e3290d884d7f5fea6
    SHA256: cdebac1af43e692d9585b39549269a8e8314a1b9b6487c19b512088a14bf54b3
    SHA512: c79fb2cb983f75d2c2d3b3dc3998364ab62453a2a98f40ba373797fdbf03cc7e49bb919c6f65451663dc0fec2a382d2f1b43033fde2bb80d6fd9ab4e58e55dfe

  • C:\Windows\SysWOW64\tlvefcbudc.exe
    Filesize: 512KB
    MD5: 335cebb7db20bc93c619a5098f3c3f5b
    SHA1: cd62bd24dee2e05cd15a6c921c9a557b2046ef4c
    SHA256: 7e834b2b430149fb60c287878c204b525c5b9a2325e5fffeb5bca9b99e0e9a35
    SHA512: 7909f3a282fb2ffe1f37b05ddfda9d60073fa45fd3bb77003b238f3866d35ab23b7d73760fc06d95ea9504da371e45de15fcc2b8906b07cf34a6755aba27fd66

  • C:\Windows\SysWOW64\uorekaug.exe
    Filesize: 512KB
    MD5: e0b537ffb8e3d05675af3d5302a7caeb
    SHA1: bd6f68a7e81188c201f607d0bc652cfb376d8566
    SHA256: 7e82081ab3c9dd972de4c85a4de42e54ec0aed59a4c765f9e272f857e65725c2
    SHA512: 114a43cb1f7719039df33e519d84b899ec42232b353f463e910a915162649b316207db0bc1a379993424b2455cf8c73450a2e5d41efbaef4ae3070f0249364d2

  • C:\Windows\mydoc.rtf
    Filesize: 223B
    MD5: 06604e5941c126e2e7be02c5cd9f62ec
    SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
    SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
    SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize: 512KB
    MD5: 7b62392070dc54ba1d8f6ed135dfca72
    SHA1: 1432026e3efe9ed10f369b794a8aa7dd58517adb
    SHA256: ebb5761dff61572a6c1896bf79271e31a09ce9662104af8471d02799517be21f
    SHA512: d7c76f408385a28b684dfe76e3d5b6b93f83561ccd8288871ea327b3579a40d730f84cf30dacd92158b8b7442fe4f943bdd0dbcbb5ca32effd760c3c033c3866

  • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
    Filesize: 512KB
    MD5: b973072feaaa13e7ff85102d691d2868
    SHA1: 073c684c8c330f5d2feb3db587728548da0de655
    SHA256: 6bd75a2bae6921320b7dff424c73968bb04f863e11360e9fa4d2364a92188ebe
    SHA512: 6d8bc10ae04d5c57043e02e8cf26ef0dd9e012e44c0db61cfcb9609a137a18cf5f38ddef9727ac4ecd8245c2712839f3c9827823c19f78e3b5baef9065d7ce0c

  • memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)
  • memory/4516-37-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-38-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-36-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-39-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-40-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp (Filesize: 64KB)
  • memory/4516-43-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp (Filesize: 64KB)
  • memory/4516-35-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-603-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-604-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-606-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
  • memory/4516-605-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)