Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/01/2025, 22:07

General

  • Target

    2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe

  • Size

    256KB

  • MD5

    35acbae676bebc38d9948c0176d3eb55

  • SHA1

    2eba5c17218ea94e9a4da3d84f7de1d4bebca5fa

  • SHA256

    2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01

  • SHA512

    aee2376f59b2b923c14888b4c3e048f5d1c90fa25b0844f85d6d2aafbfcb4e0fee8ecc015fbebb54465d50c1864079ab39ec2ebd3c7a7f9db071756136672390

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mR

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 56 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 9 IoCs
  • UPX packed file 63 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 24 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 34 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
    "C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\tdkmlnmfdo.exe
      tdkmlnmfdo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\dovyreyx.exe
        C:\Windows\system32\dovyreyx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2820
    • C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
      qvrwxqrmmjxkpdi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1864
    • C:\Windows\SysWOW64\dovyreyx.exe
      dovyreyx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2680
    • C:\Windows\SysWOW64\cqjxieyamfukj.exe
      cqjxieyamfukj.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2760
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:2508
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2620

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

            Filesize

            256KB

            MD5

            5ab16107bd9d4f1f3f842f8aa42bdd6f

            SHA1

            f1d13d1d5e732b6d21fa2cb6dc650d23ec029c0f

            SHA256

            5f6bda2c93292d669b9313a7ffbc68bf4e7d18958c47b87f2d68254c382a049c

            SHA512

            d8d0f1fe7f47bf09b28c27e7dd14b2e9d2e204a0845324853dfdd00ff9202952bad63c21703169e8c559c72d5d076bb22661f6121e825611f5fa618cf495860f

          • C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

            Filesize

            256KB

            MD5

            39f7bdca5a2b453c35921a4b2bdc33c6

            SHA1

            3dce515034396ffe5017d9eff3f0bbf2eff2a3a7

            SHA256

            d95d556dd97d90950d2b3be5e0bd4a129a0113f86302a23ec4a01ae5fb4fa099

            SHA512

            e7e9740aaaca946d7418d8162f80222e365c31f3c4fb751f881658e373b8b656d4d8761b32cb5aab7715b338da849686cfb5b3fef0e563cbfebb4fc5c6172286

          • C:\Windows\SysWOW64\dovyreyx.exe

            Filesize

            256KB

            MD5

            da0c0d2aa56277f6128c90aa32f28d04

            SHA1

            f8e66d9355055e86cbba7fd7677caf4336079478

            SHA256

            8febe0e1881dd96f2737084d5e9ee0722d7be7d98cd2e0c1c26a670518d02c20

            SHA512

            45553d444c0016e36087d76355d1093ef265805f20632e1813a2efee8d95270f53bea1f5dcc3bf742e06bfa2d52f9ebe6ae3669ba1708b0fa31e28d1f37ddd1a

          • C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

            Filesize

            256KB

            MD5

            68df199f55eb43a47f090e53f716fd7d

            SHA1

            3664f81b11e2ebb01214a37418b95e9e049eab8d

            SHA256

            e824770d7b0874dfd0e62a3686ae3e1bd352862e5ac1e3b8fc4c21c56e14ee64

            SHA512

            c0b74c6ccf48005d719cf5eb8123a4c26ab71d7b9c6c791d33549717919f573aa69ee498feb85e23be0f27335c2c4718a6ed9babffd80b86409a01ec59ab0ecd

          • C:\Windows\mydoc.rtf

            Filesize

            223B

            MD5

            06604e5941c126e2e7be02c5cd9f62ec

            SHA1

            4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

            SHA256

            85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

            SHA512

            803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

          • \Windows\SysWOW64\cqjxieyamfukj.exe

            Filesize

            256KB

            MD5

            cc2cc8c6c95eb41622a2144967bbceec

            SHA1

            e08cbf42a04f16e1f7382f4d60d02c395c704341

            SHA256

            3c67d9e139dc9654b8b1d22961ff290914e0b4d561fbe7eca653301a6d584dd1

            SHA512

            83869566eb0045ae02d0129075f4300c690953d30d7c8f1b1eaeb1567f59bea8de810012c39f96a26df58610d3aeac52e3f59e1190ed0520de1d35b16f0daaca

          • \Windows\SysWOW64\tdkmlnmfdo.exe

            Filesize

            256KB

            MD5

            61f59638749b72309447f526ba4acf31

            SHA1

            ea77105c8c378ff49602f1c94c3d7a809a7e7dc6

            SHA256

            14d4360e326e802ad776d10316752bdb306eb3fe54773182e296eb7757da5476

            SHA512

            eefa6cc905e26ff8c14aefa1681a657895d5337d695c1f18fe66976a3337b07129fbdf85c8d303223f6400945adf5690cbf327f81dde28fbea8092734ed1dcb7

          • memory/1664-95-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-114-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-111-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-130-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-108-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-40-0x0000000003BE0000-0x0000000003C80000-memory.dmp

            Filesize

            640KB

          • memory/1664-72-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-101-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-98-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-117-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-126-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-77-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-92-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-123-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-120-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1664-82-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-109-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-73-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-78-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-131-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-83-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-118-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-112-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-102-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-93-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-127-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-121-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-96-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-124-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-99-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/1864-115-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2576-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2620-129-0x0000000003270000-0x0000000003280000-memory.dmp

            Filesize

            64KB

          • memory/2680-74-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2680-79-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2680-90-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2680-84-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-75-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-122-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-103-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-113-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-100-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-116-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-97-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-94-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-119-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-132-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-128-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-110-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-85-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-80-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2760-125-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2820-81-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2820-76-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2820-86-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2820-41-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2820-89-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2988-0-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2988-44-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB

          • memory/2988-42-0x0000000000400000-0x00000000004A0000-memory.dmp

            Filesize

            640KB