Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7v20210410
submitted: 13-05-2021 12:55
Static task: static1
Behavioral task: behavioral1
Sample: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Resource: win7v20210410
General
Target: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Size: 255KB
MD5: 5596c16aa632fda3736791a939823e5a
SHA1: 82083ec2d74969fd07aa5b878287779b0c85a507
SHA256: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1
SHA512: ddb44da1636aa43953da973702beca76233e8bb4a0580c31525f21bb6d7b22f5bccfa8c0b0fae6a20415e255f79a204a023b465e8ef1b7df3b7c0927a503a6e9
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs
-
Modifies visibility of hidden/system files in Explorer 2 TTPs
-
Disables RegEdit via registry modification
-
Executes dropped EXE 5 IoCs
Processes:
pid process
1412 zyitkiivaj.exe
1972 ztnwykfyecsbvrc.exe
2000 ocpjdimp.exe
1740 llieahfmagiem.exe
2008 ocpjdimp.exe
-
Resources matching yara_rule upx:
\Windows\SysWOW64\zyitkiivaj.exe upx
\Windows\SysWOW64\ztnwykfyecsbvrc.exe upx
C:\Windows\SysWOW64\zyitkiivaj.exe upx
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe upx
\Windows\SysWOW64\ocpjdimp.exe upx
\Windows\SysWOW64\llieahfmagiem.exe upx
C:\Windows\SysWOW64\ocpjdimp.exe upx
C:\Windows\SysWOW64\llieahfmagiem.exe upx
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe upx
C:\Windows\SysWOW64\ocpjdimp.exe upx
C:\Windows\SysWOW64\zyitkiivaj.exe upx
C:\Windows\SysWOW64\llieahfmagiem.exe upx
\Windows\SysWOW64\ocpjdimp.exe upx
C:\Windows\SysWOW64\ocpjdimp.exe upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe upx
C:\Users\Admin\Documents\ReceiveEdit.doc.exe upx
C:\Users\Admin\Downloads\InvokeUndo.doc.exe upx
-
Loads dropped DLL 5 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe
pid process
1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe (4 entries)
1412 zyitkiivaj.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
Processes: zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" zyitkiivaj.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: ztnwykfyecsbvrc.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run ztnwykfyecsbvrc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\thhhnumi = "zyitkiivaj.exe" ztnwykfyecsbvrc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ncystvkf = "ztnwykfyecsbvrc.exe" ztnwykfyecsbvrc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "llieahfmagiem.exe" ztnwykfyecsbvrc.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ocpjdimp.exe (two instances), zyitkiivaj.exe
File opened (read-only) by ocpjdimp.exe, 41 entries across the two instances: \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
File opened (read-only) by zyitkiivaj.exe, 23 entries: \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" zyitkiivaj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" zyitkiivaj.exe
Note: 4294967197 is 0xFFFFFF9D, the SFCDisable value aimed at Windows File Protection on Windows 2000/XP. Windows 7 uses Windows Resource Protection, which does not honour it, so treat the write as a fingerprint of the sample rather than an effective evasion step.
-
Drops file in System32 directory 9 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe
File opened for modification C:\Windows\SysWOW64\zyitkiivaj.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll zyitkiivaj.exe (msvbvm60.dll is the Visual Basic 6 runtime)
File created C:\Windows\SysWOW64\llieahfmagiem.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification C:\Windows\SysWOW64\llieahfmagiem.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created C:\Windows\SysWOW64\zyitkiivaj.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created C:\Windows\SysWOW64\ocpjdimp.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification C:\Windows\SysWOW64\ocpjdimp.exe 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
-
Drops file in Program Files directory 15 IoCs
Processes: ocpjdimp.exe (two instances)
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ocpjdimp.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe ocpjdimp.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ocpjdimp.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ocpjdimp.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe ocpjdimp.exe
Note: the .DOC.exe files created here (and the .doc.exe files under the user profile listed in Downloads) each carry their own MD5/SHA256, distinct from the four SysWOW64 droppers, so blocking the dropper hashes alone does not cover them.
-
Drops file in Windows directory 5 IoCs
Processes: WINWORD.EXE, 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; this report records no encryption of user files, so read the drive enumeration together with the drops into Program Files and the user profile rather than as ransomware on its own.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE
Note: these are the standard Office/IE integration keys Word writes on first launch; they are attributed to WINWORD.EXE, not to the sample.
-
Modifies registry class 19 IoCs
Processes: zyitkiivaj.exe, 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" zyitkiivaj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" zyitkiivaj.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC60B1490DBC3B9C07FE2ED9534CF" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" zyitkiivaj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh zyitkiivaj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9B0F963F2E784793B4A869D3E98B08A028C4212033BE2C8459B08A9" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B12944EE39E853CABAA23298D4BF" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8B4829856D9140D72F7D93BDE0E1335940674E6344D799" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" zyitkiivaj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf zyitkiivaj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D089C2082206A3776A0702F2DD87D8F64AA" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BC4FE6C21D0D27ED1D28A749163" 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg zyitkiivaj.exe
Note: zyitkiivaj.exe rewrites the default ProgID of .bat, .vbs, .reg, .wsh, .wsf and .wsc to txtfile, so double-clicking any of these opens them in Notepad instead of running them; this breaks script-based cleanup (.reg imports, batch removal tools) until the associations are restored. The CLV.Classes values written by the sample are opaque hex strings whose meaning the report does not establish.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid process
884 WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe, ocpjdimp.exe, llieahfmagiem.exe, ztnwykfyecsbvrc.exe, ocpjdimp.exe
pid process (entries)
1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe (8)
1412 zyitkiivaj.exe (5)
2000 ocpjdimp.exe (4)
1740 llieahfmagiem.exe (26)
1972 ztnwykfyecsbvrc.exe (17)
2008 ocpjdimp.exe (4)
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe, ocpjdimp.exe, ztnwykfyecsbvrc.exe, llieahfmagiem.exe, ocpjdimp.exe
pid process (3 entries each)
1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412 zyitkiivaj.exe
2000 ocpjdimp.exe
1972 ztnwykfyecsbvrc.exe
1740 llieahfmagiem.exe
2008 ocpjdimp.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe, ocpjdimp.exe, ztnwykfyecsbvrc.exe, llieahfmagiem.exe, ocpjdimp.exe
pid process (3 entries each)
1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
1412 zyitkiivaj.exe
2000 ocpjdimp.exe
1972 ztnwykfyecsbvrc.exe
1740 llieahfmagiem.exe
2008 ocpjdimp.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: WINWORD.EXE
pid process
884 WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe, zyitkiivaj.exe, WINWORD.EXE
PID 1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe wrote to memory of 1412 zyitkiivaj.exe (4 entries)
PID 1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe wrote to memory of 1972 ztnwykfyecsbvrc.exe (4 entries)
PID 1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe wrote to memory of 2000 ocpjdimp.exe (4 entries)
PID 1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe wrote to memory of 1740 llieahfmagiem.exe (4 entries)
PID 1412 zyitkiivaj.exe wrote to memory of 2008 ocpjdimp.exe (4 entries)
PID 1688 14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe wrote to memory of 884 WINWORD.EXE (4 entries)
PID 884 WINWORD.EXE wrote to memory of 1580 splwow64.exe (4 entries)
Note: every writer/target pair here is a parent and a child it launched itself (compare the process tree below), which is the pattern of ordinary process creation; nothing in this table shows writes into a process the sample did not start.
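The registry IoCs in the tables above can be checked on a suspect host without running anything on it: export the relevant hives with "reg export" and feed the text to a checker. The script below is an added example written for this page, not sandbox output and not code from the sample. It encodes only the values the report actually lists (Security Center, Winlogon, Run, the script-extension ProgIDs and the CLV.Classes key); the Explorer hidden-file/extension and RegEdit-disable signatures are not included because the report does not show their concrete values. The .reg excerpt is constructed for the demonstration.

```python
"""Check a registry export (.reg text, as written by 'reg export') for the registry
IoCs this report attributes to zyitkiivaj.exe, ztnwykfyecsbvrc.exe and the sample."""
import re
from typing import Dict, List, Optional, Tuple, Union

Value = Union[int, str]
RegSnapshot = Dict[str, Dict[str, Value]]

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"

# (key, value name, expected data), copied from the report's signature tables.
# "" is the key's default value; a name of None means "the key exists at all".
REGISTRY_IOCS: List[Tuple[str, Optional[str], Optional[Value]]] = [
    *[(SECURITY_CENTER, n, 1) for n in (
        "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
        "FirstRunDisabled", "AntiVirusOverride", "FirewallOverride")],
    (WINLOGON, "SFCScan", 0),
    (WINLOGON, "SFCDisable", 0xFFFFFF9D),  # 4294967197 in the report
    (RUN, "thhhnumi", "zyitkiivaj.exe"),
    (RUN, "ncystvkf", "ztnwykfyecsbvrc.exe"),
    (RUN, "", "llieahfmagiem.exe"),
    *[(CLASSES + "\\" + ext, "", "txtfile")
      for ext in (".bat", ".vbs", ".reg", ".wsh", ".wsf", ".wsc")],
    (CLASSES + r"\CLV.Classes", None, None),
]

_KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> RegSnapshot:
    """Parse dword and string values into {key: {name: value}}, keys and names lower-cased.
    Other value types (hex:, hex(2): ...) are skipped; none of the IoCs above need them."""
    snapshot: RegSnapshot = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key = _KEY_LINE.match(line)
        if key:
            current = key.group("key").lower()
            snapshot.setdefault(current, {})
            continue
        val = _VALUE_LINE.match(line)
        if not val or current is None:
            continue
        name = "" if val.group("default") else _unescape(val.group("name")).lower()
        data = val.group("data")
        if data.startswith("dword:"):
            snapshot[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            snapshot[current][name] = _unescape(data[1:-1])
    return snapshot

def match_iocs(snapshot: RegSnapshot, iocs=REGISTRY_IOCS) -> List[Tuple[str, Optional[str], Optional[Value]]]:
    """Return (key, name, observed value) for every IoC present in the snapshot."""
    hits = []
    for key, name, expected in iocs:
        values = snapshot.get(key.lower())
        if values is None:
            continue
        if name is None:  # key-existence IoC
            hits.append((key, None, None))
            continue
        observed = values.get(name.lower())
        if observed is None:
            continue
        if isinstance(expected, str):
            same = isinstance(observed, str) and observed.lower() == expected.lower()
        else:
            same = observed == expected
        if same:
            hits.append((key, name, observed))
    return hits

# Constructed excerpt of a 'reg export' from a hypothetical infected host (not from the report).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"thhhnumi"="zyitkiivaj.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vbs]
@="txtfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLV.Classes]
"Com1"="32302D089C2082206A3776A0702F2DD87D8F64AA"
'''

if __name__ == "__main__":
    for key, name, observed in match_iocs(parse_reg(SAMPLE_REG)):
        print("HIT", key, "(key present)" if name is None else f"{name or '(default)'} = {observed!r}")
```

Run "reg export HKLM\SOFTWARE hklm_software.reg /y" on the host (the file is UTF-16; decode it before calling parse_reg) and pass the text in. A value that exists but differs, such as UpdatesDisableNotify=0 in the constructed sample, is deliberately not reported, so a partially cleaned host shows only the residue that still matches.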
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14ff3168aa1415fae8a2adf43ac26c7d30fa61beabbf506177a87e1b620af5e1.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Process (level 2): C:\Windows\SysWOW64\zyitkiivaj.exe
Command line: zyitkiivaj.exe
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
Process (level 3): C:\Windows\SysWOW64\ocpjdimp.exe
Command line: C:\Windows\system32\ocpjdimp.exe
Note: the command line names System32, but the 32-bit parent is subject to WoW64 file-system redirection, so the image that runs is the SysWOW64 copy dropped above.
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (level 2): C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
Command line: ztnwykfyecsbvrc.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (level 2): C:\Windows\SysWOW64\ocpjdimp.exe
Command line: ocpjdimp.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (level 2): C:\Windows\SysWOW64\llieahfmagiem.exe
Command line: llieahfmagiem.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Process (level 2): C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
Note: Word is a child of the sample here, opening the C:\Windows\mydoc.rtf the sample wrote, so the document is something shown to the user after infection rather than the delivery vector.
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Process (level 3): C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Note: splwow64.exe is the print-driver host that 32-bit Office spawns on 64-bit Windows; its presence under WINWORD.EXE is a normal side effect of opening a document, not sample activity.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hidden Files and Directories (2)
- Modify Registry (7)
- Disabling Security Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
MD5 cccc2067e26bb916a11dde55fc23cb41
SHA1 210575486d0d2df723a7eca077ff2acb3b77f43d
SHA256 a3c59f6a5b64827ee7b9f962bcc247d5e0928dbeb52bb96e98a2f5e172222d98
SHA512 af7c8c36f043992106a7a90e9fce05ddbea1b00a35b2fd1f1978344b5a0044d1d2dee141cf2c9a720d80cb62cabaa862ed92df04d590a735809314d10d017ca0
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
MD5 79ff48cf711e92bbbed599131f69996c
SHA1 9ef0e07303c3007994bfc063153b5dd30f740c6d
SHA256 318ffb23ece5e1a7c57d82a41549f1611bfab36b2db0b3820b5315aa54db9f12
SHA512 3fa394c64f0a1bbfe690a5489dd0b4fbbd29494e11ff3041dc885731ac67c0b491e28f20f64685ce55c073ce97c61763f45fa2da208c3d997cf9118a4b0c2d01
-
C:\Users\Admin\Documents\ReceiveEdit.doc.exe
MD5 8813ebcacedcc656dab6cd9d0e75d792
SHA1 72f5c560d591e203b89838585972e786aefbe12b
SHA256 e63c87cf76998f18ff83f0f88aafb975c6c868e83d452ef88bc9d0a685e2ba88
SHA512 fff29f08140e4dcd3f9d01f09558c2b11544632c25d0a99ed5246dcdaa972ff02d7f3d6564d335edef7d8c90ce6b7b59bb6e866ca16f4efc5bfb7f256a49fb5b
-
C:\Users\Admin\Downloads\InvokeUndo.doc.exe
MD5 4a836fcbd114f648a731e38ab46250e6
SHA1 8edb6eb377f0d5aef6f589f9ede413be58d65d67
SHA256 bcd025674d7ab73ace9f2c0c340a2acd31cf9e0774bbdef13508ec5082aeb4ec
SHA512 be18e2b335d9c723482dbab04d58ae9ae34c2f6d9c3e413c9aaa7984ace8b1566863eb0f5df77babb84ad257642f154d174f4141ea7b92426dcd2454ab6edd88
-
C:\Windows\SysWOW64\llieahfmagiem.exe
MD5 9ebb82f38887848f3e190a864dbcf3d5
SHA1 b54b79daf78655e3984ec53ec0315392124949cb
SHA256 39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2
SHA512 bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705
-
C:\Windows\SysWOW64\ocpjdimp.exe
MD5 6333c214ad431f9f45ffc2ce4cbbc60c
SHA1 5ed2ae189baab90ab868822bf2457343c16fdab8
SHA256 c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff
SHA512 67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f
-
C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe
MD5 b27b048961e442a99d07926213659f9c
SHA1 3fe3a41497ed0367d30dc5f3a8744e440bd398a5
SHA256 bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678
SHA512 8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997
-
C:\Windows\SysWOW64\zyitkiivaj.exe
MD5 ec1ffaa0ebca3fa99fb836d86c2ffe31
SHA1 bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee
SHA256 c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1
SHA512 affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072
-
C:\Windows\mydoc.rtf
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\llieahfmagiem.exe
MD5 9ebb82f38887848f3e190a864dbcf3d5
SHA1 b54b79daf78655e3984ec53ec0315392124949cb
SHA256 39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2
SHA512 bd5595e782bcaf7d405cc0dd0d9f729f56b212e4bda1316134e2b3336021ca885aa149ff6d048050780f9e4c4cb7389de302a759994a22306359683de6940705
-
\Windows\SysWOW64\ocpjdimp.exe
MD5 6333c214ad431f9f45ffc2ce4cbbc60c
SHA1 5ed2ae189baab90ab868822bf2457343c16fdab8
SHA256 c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff
SHA512 67015d60cfb42a0ff50df959db10362ca8e7ff5ef7477151a01ec9d870be144495f8600f2112ef0f59b7df3e47b99f1714a8691662ff9af30a37d2695e57dd8f
-
\Windows\SysWOW64\ztnwykfyecsbvrc.exe
MD5 b27b048961e442a99d07926213659f9c
SHA1 3fe3a41497ed0367d30dc5f3a8744e440bd398a5
SHA256 bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678
SHA512 8a9abbe0c09b0215e7d69aa849ab9e57617e6a9ad7d0e2032856d1d706d1f0a45d1c762c3bd08f2033e2fc0cdfd633399b2a14b4349196bca0d2ceb464c80997
-
\Windows\SysWOW64\zyitkiivaj.exe
MD5 ec1ffaa0ebca3fa99fb836d86c2ffe31
SHA1 bf0a3d6f7e9707fcdf6ffc42dbeba3208a227bee
SHA256 c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1
SHA512 affdf68748fe878dbeab9dc3d74758bf5f6703b5c8391174b8837cf39d22cf846fece12ec28078868bb2e58a6ee070817f8a7de561fda9e764a1e346d08b2072
-
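The Downloads list above records the same artifact more than once (each path the sandbox saw, with and without the drive letter), so the first step toward a usable hash set is to key it by SHA256. The script below is an added example written for this page, not sandbox output; the (path, SHA256) pairs are copied from the 19 Downloads entries as the report listed them, repeats included. The "companion" label (a document name with .exe appended) is this editor's own classification for the demonstration, not a label the report applies, and the block shows that those companions carry hashes disjoint from the four SysWOW64 droppers.

```python
"""Collapse the report's Downloads list into unique artifacts keyed by SHA256 and
separate the document-companion executables from the SysWOW64 droppers."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (path, sha256) pairs copied from the report's Downloads section, repeats included.
REPORT_DOWNLOADS: List[Tuple[str, str]] = [
    (r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe", "a3c59f6a5b64827ee7b9f962bcc247d5e0928dbeb52bb96e98a2f5e172222d98"),
    (r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe", "318ffb23ece5e1a7c57d82a41549f1611bfab36b2db0b3820b5315aa54db9f12"),
    (r"C:\Users\Admin\Documents\ReceiveEdit.doc.exe", "e63c87cf76998f18ff83f0f88aafb975c6c868e83d452ef88bc9d0a685e2ba88"),
    (r"C:\Users\Admin\Downloads\InvokeUndo.doc.exe", "bcd025674d7ab73ace9f2c0c340a2acd31cf9e0774bbdef13508ec5082aeb4ec"),
    (r"C:\Windows\SysWOW64\llieahfmagiem.exe", "39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2"),
    (r"C:\Windows\SysWOW64\llieahfmagiem.exe", "39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2"),
    (r"C:\Windows\SysWOW64\ocpjdimp.exe", "c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff"),
    (r"C:\Windows\SysWOW64\ocpjdimp.exe", "c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff"),
    (r"C:\Windows\SysWOW64\ocpjdimp.exe", "c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff"),
    (r"C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe", "bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678"),
    (r"C:\Windows\SysWOW64\ztnwykfyecsbvrc.exe", "bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678"),
    (r"C:\Windows\SysWOW64\zyitkiivaj.exe", "c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1"),
    (r"C:\Windows\SysWOW64\zyitkiivaj.exe", "c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1"),
    (r"C:\Windows\mydoc.rtf", "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2"),
    (r"\Windows\SysWOW64\llieahfmagiem.exe", "39e6c38f5cb0e072204ff5891199772284e38c5834c464b15fec37d8ee8bf6e2"),
    (r"\Windows\SysWOW64\ocpjdimp.exe", "c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff"),
    (r"\Windows\SysWOW64\ocpjdimp.exe", "c0b2c4e9dd74916b9c7fa1fe7405f75241c5d5400ea54d3e850444de60b8b6ff"),
    (r"\Windows\SysWOW64\ztnwykfyecsbvrc.exe", "bd4908777daf16e5059691ca1657dd69ea1c0c3771598709e08fe80694c60678"),
    (r"\Windows\SysWOW64\zyitkiivaj.exe", "c30bf14e04c3be289ce572da64424144d376c45424a1ac2fe1715ba08fc4ffb1"),
]

# Editor's heuristic: a document extension with .exe appended, the naming seen in this
# report for executables placed next to (or in place of) Office documents.
COMPANION = re.compile(r"\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf)\.exe$", re.IGNORECASE)

def normalise(path: str) -> str:
    """Lower-case and strip an optional drive letter so C:\Windows and \Windows compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())

def unique_artifacts(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group normalised paths by SHA256: {sha256: sorted paths}."""
    by_hash: Dict[str, set] = defaultdict(set)
    for path, sha256 in records:
        by_hash[sha256.lower()].add(normalise(path))
    return {h: sorted(paths) for h, paths in by_hash.items()}

def classify(artifacts: Dict[str, List[str]]):
    """Split unique artifacts into document companions, SysWOW64 droppers and the rest."""
    companions: Dict[str, List[str]] = {}
    droppers: Dict[str, List[str]] = {}
    other: Dict[str, List[str]] = {}
    for sha256, paths in artifacts.items():
        if any(COMPANION.search(p) for p in paths):
            companions[sha256] = paths
        elif any(p.startswith("\\windows\\syswow64\\") for p in paths):
            droppers[sha256] = paths
        else:
            other[sha256] = paths
    return companions, droppers, other

def blocklist(artifacts: Dict[str, List[str]]) -> List[str]:
    """Sorted SHA256 list of every unique executable artifact (the .rtf decoy excluded)."""
    return sorted(h for h, paths in artifacts.items() if all(p.endswith(".exe") for p in paths))

if __name__ == "__main__":
    arts = unique_artifacts(REPORT_DOWNLOADS)
    comp, drop, rest = classify(arts)
    print(f"{len(REPORT_DOWNLOADS)} entries -> {len(arts)} unique artifacts")
    for label, group in (("companion", comp), ("dropper", drop), ("other", rest)):
        for h, paths in group.items():
            print(f"{label:9} {h[:16]}... {', '.join(paths)}")
```

The 19 entries collapse to 9 unique hashes: four droppers in SysWOW64, four document companions, and the .rtf decoy. Because the companion hashes are disjoint from the dropper hashes, a blocklist built from the SysWOW64 files alone leaves the companions under Program Files and the user profile unmatched.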
memory/884-87-0x00000000700E1000-0x00000000700E3000-memory.dmp (Filesize 8KB)
memory/884-85-0x0000000000000000-mapping.dmp
memory/884-86-0x0000000072661000-0x0000000072664000-memory.dmp (Filesize 12KB)
memory/884-88-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/884-96-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/1412-62-0x0000000000000000-mapping.dmp
memory/1580-94-0x0000000000000000-mapping.dmp
memory/1580-95-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp (Filesize 8KB)
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize 8KB)
memory/1740-75-0x0000000000000000-mapping.dmp
memory/1972-66-0x0000000000000000-mapping.dmp
memory/2000-70-0x0000000000000000-mapping.dmp
memory/2008-82-0x0000000000000000-mapping.dmp