Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 22:07

General

  • Target

    2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe

  • Size

    256KB

  • MD5

    35acbae676bebc38d9948c0176d3eb55

  • SHA1

    2eba5c17218ea94e9a4da3d84f7de1d4bebca5fa

  • SHA256

    2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01

  • SHA512

    aee2376f59b2b923c14888b4c3e048f5d1c90fa25b0844f85d6d2aafbfcb4e0fee8ecc015fbebb54465d50c1864079ab39ec2ebd3c7a7f9db071756136672390

  • SSDEEP

    6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Y:Plf5j6zCNa0xeE3mR

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 5 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Windows security modification 2 TTPs 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • AutoIT Executable 63 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
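
The Explorer visibility changes, the RegEdit lockout, the WinLogon modification and the Run key listed above all correspond to a handful of well-known registry values. Added example, not code from the report or from the sandbox vendor: a small Python checker that parses a .reg export of those keys and flags the tampering. The key paths and clean-state values are the standard Windows locations for these settings, but treat them as an assumption, because the report does not print the IoC values its signatures matched on; the .reg text in SAMPLE_REG is constructed sample input, and the Userinit append and Run value name in it are hypothetical.

```python
"""
Check a Windows registry export (.reg text) for the tampering flagged in the
Signatures list: Explorer extension/hidden-file visibility, the RegEdit lockout,
Winlogon Shell/Userinit changes and Run-key persistence.

Added example, not part of the sandbox report. The key paths and expected values
are the standard Windows locations for these settings; treat them as an assumption,
because the report does not print the IoC values its signatures matched on.
"""

EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample export of a tampered host. The Userinit append and the Run value
# name are hypothetical; the report only says Winlogon and a Run key were modified.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\SysWOW64\\tdkmlnmfdo.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"qvrwxqrmmjxkpdi"="C:\\Windows\\SysWOW64\\qvrwxqrmmjxkpdi.exe"
'''


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}; handles dword and string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            else:
                # .reg doubles backslashes inside quoted strings; undo that.
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def check_tampering(keys):
    """Return (severity, finding) pairs for values that differ from the expected clean state."""
    findings = []
    adv = keys.get(EXPLORER_ADV, {})
    if adv.get("Hidden") == 2:            # 1 = show hidden files, 2 = hide them
        findings.append(("high", "Explorer: hidden files suppressed (Hidden=2)"))
    if adv.get("ShowSuperHidden") == 0:   # 0 = hide protected OS files
        findings.append(("high", "Explorer: protected OS files hidden (ShowSuperHidden=0)"))
    if adv.get("HideFileExt") == 1:       # Windows default, so only a weak signal on its own
        findings.append(("low", "Explorer: extensions hidden (HideFileExt=1, the default)"))
    if keys.get(POLICY_SYSTEM, {}).get("DisableRegistryTools") in (1, 2):
        findings.append(("high", "Policies\\System: RegEdit disabled (DisableRegistryTools)"))
    wl = keys.get(WINLOGON, {})
    if wl.get("Shell", "explorer.exe").lower() != "explorer.exe":
        findings.append(("high", "Winlogon Shell changed: " + wl["Shell"]))
    userinit = wl.get("Userinit", "").lower().rstrip(",")
    if userinit and not userinit.endswith(r"\system32\userinit.exe"):
        findings.append(("high", "Winlogon Userinit changed: " + wl["Userinit"]))
    for run in RUN_KEYS:
        for name, cmd in keys.get(run, {}).items():
            if "syswow64" in cmd.lower() or "\\temp\\" in cmd.lower():
                findings.append(("medium", "Run key %r launches %s" % (name, cmd)))
    return findings


if __name__ == "__main__":
    for severity, message in check_tampering(parse_reg(SAMPLE_REG)):
        print("[%s] %s" % (severity, message))
```

Export the keys with reg export on the suspect host and pass the text to parse_reg. HideFileExt=1 is reported low on purpose: it is the Windows default, so it only matters alongside the Hidden/ShowSuperHidden changes, which together make the .doc.exe drops listed further down appear as plain documents.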

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe
    "C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\tdkmlnmfdo.exe
      tdkmlnmfdo.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Windows security bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Windows security modification
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\SysWOW64\dovyreyx.exe
        C:\Windows\system32\dovyreyx.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1992
    • C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
      qvrwxqrmmjxkpdi.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2424
    • C:\Windows\SysWOW64\dovyreyx.exe
      dovyreyx.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4076
    • C:\Windows\SysWOW64\cqjxieyamfukj.exe
      cqjxieyamfukj.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4808
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:5032

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

          Filesize

          256KB

          MD5

          c0b8ebdeb9df251bd8e9a5f68ed7304a

          SHA1

          3babfadd7cd403a2d5d16b53e321b5afc14b70d9

          SHA256

          4996a844503068afa4a52e2749014301bbef377216d02c9f58f722083a02869f

          SHA512

          3210e06d0ed9622a0ec583c5254794f4e206ed829676a77987dae600ea06eb882be368760b54408c87d7c227d5d8a0517c8c6e28a4e17342ab1b284d7cb5abdb

        • C:\Users\Admin\AppData\Local\Temp\TCDE26E.tmp\gb.xsl

          Filesize

          262KB

          MD5

          51d32ee5bc7ab811041f799652d26e04

          SHA1

          412193006aa3ef19e0a57e16acf86b830993024a

          SHA256

          6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

          SHA512

          5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

        • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

          Filesize

          413B

          MD5

          d69cee2243db753ab4efde604933f0c2

          SHA1

          caafa5ec2c4a5e7c7f67d1beadb0a646de9e3217

          SHA256

          066cd0fe467030c99e2b268bfbe5fa5cdc036612785151654ee9a4d2f7946794

          SHA512

          c25ca54b0a612b725fd19ad9183e0cffe5fcbfd598719a8f26507abdbaa70384240e2b03b40fcc8584f1b19a53c04e75210e6b7b7ddecd544e9066ae7742beea

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          1KB

          MD5

          22dbc4ec04dfc6a6430d187eba50a57f

          SHA1

          dd273be9a73bc71928292929c2fd359bd4b7c7cf

          SHA256

          8a4f88404ec028775f8563449c90683252876739ecc3071ce375618b92023c89

          SHA512

          240b2a99db363142b3ceebe8f9074997f70438ca4a3b6b99bcac031750bbb90c24054c3456abf24c9387b81bd0aa1899a5c80ee6ba80c9a8762d9fe234a7d0a6

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

          Filesize

          1KB

          MD5

          81815c559dce0d196720a57ee4c4a5e2

          SHA1

          740fdf51b6e64d49b2223dd3ef499e11f0869a84

          SHA256

          37672e142b6c62fd627b8ab1ce932c35cece40e8eaa3232356d0367a6622562c

          SHA512

          3848155db81418b64b5f7cfbba1930588ea0e247630722cd2f4b722426db758f79ebe7ccb391ffb03904a2f0a7af29508a0600932e1dd04bb00f49d5793e3478

        • C:\Users\Admin\Desktop\AssertWait.doc.exe

          Filesize

          256KB

          MD5

          8d1e96c0dd500632e37b17d578ddc732

          SHA1

          dcd90ae6952d94978533924aadc6ad44834ace81

          SHA256

          b914891d97a012ab7fc387bc357f73db09c43ed32615e242693ab8627a95afb0

          SHA512

          c5113251276986f396fa1ff625950f66c1881a7a2b10fcf72a65823771840bd2306cdfe0b3f27d53417896fc62467120955e5472a1212fafa0f128b9313981e3

        • C:\Windows\SysWOW64\cqjxieyamfukj.exe

          Filesize

          256KB

          MD5

          fef9ac4866d09ae277e8386f24fd5cc8

          SHA1

          46363ac5c27888a969b2ccb7572a5664b1f1662e

          SHA256

          5d471196627cd755e6a54cac189a9c80a52d4f0fec8e5dca49127f279f351122

          SHA512

          473f24f4169746bc7c83280a899ae8282fac5eee8242680a842698452bdf62e9ca25d1e7f1e428267ddb2c0cc2123213ccd223d21a8cdc1eda2d16f097363245

        • C:\Windows\SysWOW64\dovyreyx.exe

          Filesize

          256KB

          MD5

          9df3909fa0203734fd67f09b205a9300

          SHA1

          57a17d917a49813d5edea03ff216b8e2b6d00418

          SHA256

          33f02fe96c52c3b9d66de257ca0465ccbf425b68550280310f801661acfc29cd

          SHA512

          9d39763a175ddda8e33b672fce4b5731fe4a9e9d6d32a28ed53ceaf40428d8a41069d528f6b9f586664b59ce2aed844d081f6fae95e39aada396a7d9a4d62560

        • C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

          Filesize

          256KB

          MD5

          e928b10a13f331783eef8397488672e0

          SHA1

          2dfa082c487ac39c3c941a520d55df8cbc92925b

          SHA256

          4c39bbe26130544540ba539ef7de24313687d2cf45c2fb7e58026ff9155aba1c

          SHA512

          bd022f94142f950e2636f1889210fe38aa10902be0b6167796f8ddc86f1e39be5a9f8536994d81330e31225872efd9d72b9f013e076a3bab63d18ec571fccedd

        • C:\Windows\SysWOW64\tdkmlnmfdo.exe

          Filesize

          256KB

          MD5

          38c3c647d8c2268cd24ec56c04ece57d

          SHA1

          45c27057355bb66a2858ab215e151cc46bdd0ebf

          SHA256

          e3ee8e41fabdf65a44f2fb23cdb4be47ff7eef3470427a48f475dab29552fab9

          SHA512

          a331d665d7736a8964a92a6dc409e75c4fc16a1627cc5702882c430d40d8f1570501e296d02a4b8705eecf991f3e90a1692a26704e3c4086e3e807a91b505d68

        • C:\Windows\mydoc.rtf

          Filesize

          223B

          MD5

          06604e5941c126e2e7be02c5cd9f62ec

          SHA1

          4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

          SHA256

          85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

          SHA512

          803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          256KB

          MD5

          268501b6e720ad389edd48b9789feb1d

          SHA1

          2da2111c81cef429988ed62071dac790054d1c9a

          SHA256

          877c02693c3127d6e8da69be0958ac74ca8d5a330c09acbef1c8d2952c4b9286

          SHA512

          0a3070a6ce1904d12c26414f305447ddf907b5d1bb92f2085c35210a8b04cbee6eb9a06d3fe031a2c5f10297e1a26265167f4ba3e627bfcb0c5c1c1f9c0c9fac

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          256KB

          MD5

          17e64d8c1bf606ee485624e06b60c7be

          SHA1

          e2164dae1c8d5cb2c31fbce69ea043eb8ec39e9f

          SHA256

          722b10c6032ee941c6af033f16df4880f3a0174f0e0ef22385c4e0369fefec98

          SHA512

          c7be0f03fb51988293b978e7e2d29eb45516265107d0e8a5ce72d029d2af9bdec37c48b882bf1fe91e653fc0ccd2a828a5911bd4e661de3d9bfbe4dac20f2d2e

        • \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

          Filesize

          256KB

          MD5

          5f3bed296a37b61a86593623f1d5e09b

          SHA1

          52acc3d80469fe7644ec9ee3ad585d3ea6c9a155

          SHA256

          d4271b34bc5ed4e83686edf3708541343997fd782ed531368f456b09f1f711b0

          SHA512

          b328079fc01911075d25881ecd5defd0bd09fa0c99bc28e74ffb76c1a012b805a1511c2877849ccadcd31e60ed84b3748cc27cb5d5b3dfed297c1c2ebfec86f1

        • memory/1992-275-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-280-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-288-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-43-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-266-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-88-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-285-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1992-89-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-277-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-302-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-282-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-291-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-85-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-308-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-75-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-305-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-272-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-311-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-314-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-24-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-317-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-320-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-299-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/2424-256-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-298-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-74-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-313-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-255-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-316-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-310-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-307-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-271-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-304-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-276-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-319-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-301-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-84-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-290-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4000-281-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-278-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-27-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-76-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-273-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-86-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-289-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-283-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4076-257-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4284-35-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4284-0-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-279-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-321-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-292-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-83-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-303-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-318-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-306-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-300-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-87-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-32-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-309-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-274-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-284-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-312-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-258-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/4808-315-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/5032-42-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

          Filesize

          64KB

        • memory/5032-36-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

          Filesize

          64KB

        • memory/5032-40-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

          Filesize

          64KB

        • memory/5032-39-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

          Filesize

          64KB

        • memory/5032-38-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

          Filesize

          64KB

        • memory/5032-37-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

          Filesize

          64KB

        • memory/5032-44-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

          Filesize

          64KB
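
Every dropped executable in the list above is 256KB yet carries a different SHA-256 (compare tdkmlnmfdo.exe with cqjxieyamfukj.exe, or the three MsoIrmProtector.doc.exe entries), so the hashes identify only this run. The stable indicators are the drop locations, the SysWOW64 file names and the document-style double extensions (AssertWait.doc.exe, PROTTPLV.DOC.exe), which read as documents once the sample hides extensions in Explorer. Added example, not part of the report: a Python sweep that combines the three detectors. The hashes and names are copied from this page; the regular expression generalises the .doc.exe pattern to other document extensions, which is my assumption rather than something the report shows; the files it writes to a temporary directory are constructed test input, and the one hash match is planted from a fabricated file because the real samples are not present.

```python
"""
Sweep a directory tree for the artefacts this report lists: SHA-256 matches against
the dropped-file hashes, the SysWOW64 file names, and document-looking PE files
such as AssertWait.doc.exe. Added example, not part of the sandbox report.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from the Downloads section above (submitted sample first).
REPORT_SHA256 = {
    "2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01",
    "4996a844503068afa4a52e2749014301bbef377216d02c9f58f722083a02869f",  # PROTTPLV.DOC.exe
    "b914891d97a012ab7fc387bc357f73db09c43ed32615e242693ab8627a95afb0",  # AssertWait.doc.exe
    "5d471196627cd755e6a54cac189a9c80a52d4f0fec8e5dca49127f279f351122",  # cqjxieyamfukj.exe
    "33f02fe96c52c3b9d66de257ca0465ccbf425b68550280310f801661acfc29cd",  # dovyreyx.exe
    "4c39bbe26130544540ba539ef7de24313687d2cf45c2fb7e58026ff9155aba1c",  # qvrwxqrmmjxkpdi.exe
    "e3ee8e41fabdf65a44f2fb23cdb4be47ff7eef3470427a48f475dab29552fab9",  # tdkmlnmfdo.exe
    "877c02693c3127d6e8da69be0958ac74ca8d5a330c09acbef1c8d2952c4b9286",  # MsoIrmProtector.doc.exe
    "722b10c6032ee941c6af033f16df4880f3a0174f0e0ef22385c4e0369fefec98",  # MsoIrmProtector.doc.exe
    "d4271b34bc5ed4e83686edf3708541343997fd782ed531368f456b09f1f711b0",  # MsoIrmProtector.doc.exe
}
# Names the sample wrote into C:\Windows\SysWOW64 (Processes section).
REPORT_NAMES = {"tdkmlnmfdo.exe", "dovyreyx.exe", "qvrwxqrmmjxkpdi.exe", "cqjxieyamfukj.exe"}
# A document extension followed by .exe, as in AssertWait.doc.exe and PROTTPLV.DOC.exe.
# The extension list beyond .doc is an assumption, not something the report shows.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|pdf)\.exe$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """True if the file starts with the MZ header of a Windows executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def sweep(root, hashes=REPORT_SHA256, names=REPORT_NAMES):
    """Walk root and return sorted (reason, path) pairs for every file that trips a detector."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append(("name-match", path))
            if DOUBLE_EXT.search(name) and is_pe(path):
                hits.append(("double-extension-pe", path))
            if sha256_file(path) in hashes:
                hits.append(("hash-match", path))
    return sorted(hits)


def build_demo_tree():
    """Constructed test input: a fake drop set that exercises each detector once."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "SysWOW64"))
    fake_pe = b"MZ" + b"\x00" * 62          # just enough header to look like a PE
    with open(os.path.join(root, "SysWOW64", "tdkmlnmfdo.exe"), "wb") as f:
        f.write(fake_pe)
    with open(os.path.join(root, "AssertWait.doc.exe"), "wb") as f:
        f.write(fake_pe + b"decoy")
    with open(os.path.join(root, "notes.docx"), "wb") as f:
        f.write(b"PK\x03\x04 benign")
    return root


def run_demo():
    root = build_demo_tree()
    # The report hashes cannot match files fabricated here, so plant the constructed
    # file's own hash to show the hash detector firing alongside the name detector.
    planted = sha256_file(os.path.join(root, "SysWOW64", "tdkmlnmfdo.exe"))
    return sweep(root, hashes=REPORT_SHA256 | {planted})


if __name__ == "__main__":
    for reason, path in run_demo():
        print(reason, path)
```

On a real host, point sweep at C:\Windows\SysWOW64, the user profile and the Office root with the default hash and name sets; a name or double-extension hit with no hash match is the expected outcome for a fresh infection by this sample, because each copy it writes has a different hash.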