Analysis
max time kernel: 152s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2022, 16:56

Behavioral task: behavioral1
Sample: ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Resource: win7-20220901-en
(The task listed here is the Windows 7 run. The signatures, memory dumps and process data below are tagged behavioral2 and come from the windows10-2004_x64 run named under Analysis; the Office16 and WinSxS 10.0.19041 paths in the file drops confirm this.)
General
Target: ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Size: 255KB
MD5: 626509ddae151d48789e02639aac4d60
SHA1: af14c973814bd987d8f2c8d62c39308c68dc2878
SHA256: ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5
SHA512: 9f54a6e2ff181c0c093204d6183b23cd4919d91e10cc0d786cd214e0cf9f698043b64b1ee73870dedd8788ecbb2fb792fce257a5a50bffe28b580e1dba5e5d25
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI4
Malware Config: none listed on the page

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ivxnoonckf.exe
With extensions hidden, the MsoIrmProtector.doc.exe and PROTTPLN.DOC.exe files that olhcxwrd.exe drops (see the file-drop signatures below) display in Explorer as .doc files.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ivxnoonckf.exe

Windows security bypass (5 IoCs; this heading is missing from the page and is taken from the per-process summary in the process tree)
Security Center notification and override flags, all written under the 32-bit WOW6432Node view by ivxnoonckf.exe.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ivxnoonckf.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ivxnoonckf.exe
Executes dropped EXE (5 IoCs)
pid | Process
620 | ivxnoonckf.exe
1756 | nbrbxlzovrfrbfc.exe
4840 | olhcxwrd.exe
3236 | vxavrvlcsobbp.exe
2616 | olhcxwrd.exe

UPX-packed resources (yara rule upx, 26 IoCs; the signature's own heading is missing from the page)
resource | yara_rule
behavioral2/memory/4328-132, 4328-152, 620-143, 620-164, 1756-146, 1756-165, 4840-147, 4840-166, 3236-148, 3236-167, 2616-153, 2616-168, each -0x0000000000400000-0x00000000004A0000-memory.dmp (12 dumps) | upx
behavioral2/files/0x0003000000022dfa-134.dat, 0x0003000000022dfa-135.dat, 0x0001000000022dfd-137.dat, 0x0001000000022dfd-138.dat, 0x0001000000022dfe-141.dat, 0x0001000000022dfe-142.dat, 0x0001000000022dfe-150.dat, 0x0001000000022dff-144.dat, 0x0001000000022dff-145.dat, 0x0003000000000703-162.dat, 0x00030000000006d3-163.dat, 0x000200000001e791-169.dat, 0x000200000001e792-170.dat, 0x000200000001e792-171.dat (14 files) | upx
Every process in the tree, including the original sample, maps a UPX-packed image at 0x400000 with the same 0xA0000 size, consistent with the drops being variants of one packed executable. They are not byte-identical: the dropped-file hashes under Downloads differ from each other and from the submitted sample.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe

Reads user/profile data of web browsers (2 TTPs; no IoC rows on the page)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs; this heading is missing from the page and is taken from the per-process summary in the process tree)
The same Security Center flags as under Windows security bypass, plus FirstRunDisabled.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ivxnoonckf.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scmvdapi = "ivxnoonckf.exe" | nbrbxlzovrfrbfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aqtdjllm = "nbrbxlzovrfrbfc.exe" | nbrbxlzovrfrbfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "vxavrvlcsobbp.exe" | nbrbxlzovrfrbfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | nbrbxlzovrfrbfc.exe
The Run entries name the binaries without a path; they resolve because the files were dropped into C:\Windows\SysWOW64, which is on the search path. Note the third entry is stored in the key's default value, which some persistence checks skip.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Both dropped binaries walk the drive letters; neither touches c: or d:, and ivxnoonckf.exe also skips e: and n:. Probing every letter this way is consistent with a file infector or worm looking for removable and mapped drives.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (22 events) | ivxnoonckf.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (42 events; e, f, g, i, j, k, l, m, n, o, q, r, s, u, v, w, x and y are logged twice, as two olhcxwrd.exe instances ran, PIDs 4840 and 2616) | olhcxwrd.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ivxnoonckf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ivxnoonckf.exe
4294967197 is 0xFFFFFF9D, the value that old malware wrote to switch off Windows File Protection on Windows 2000/XP so that files under System32 could be replaced. Windows 10 replaced WFP with Windows Resource Protection and ignores these values, so on this platform the write is leftover code rather than a working evasion step; it remains a useful hunting indicator.
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1756-146, 620-143, 4840-147, 3236-148, 4328-152, 2616-153, 620-164, 1756-165, 4840-166, 3236-167, 2616-168, each -0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
These are the same memory regions that match the upx rule above, so the packed payload in every process is a compiled AutoIt script.
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | C:\Windows\SysWOW64\nbrbxlzovrfrbfc.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | C:\Windows\SysWOW64\vxavrvlcsobbp.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ivxnoonckf.exe
File created | C:\Windows\SysWOW64\olhcxwrd.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | C:\Windows\SysWOW64\olhcxwrd.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File created | C:\Windows\SysWOW64\vxavrvlcsobbp.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | olhcxwrd.exe
File created | C:\Windows\SysWOW64\ivxnoonckf.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | C:\Windows\SysWOW64\ivxnoonckf.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File created | C:\Windows\SysWOW64\nbrbxlzovrfrbfc.exe | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | olhcxwrd.exe
The submitted sample drops its four components into SysWOW64 under random names. ivxnoonckf.exe opens msvbvm60.dll (the Visual Basic 6 runtime) for modification, so that DLL should be hash-checked on an infected host.

Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | olhcxwrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | olhcxwrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | olhcxwrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | olhcxwrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | olhcxwrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | olhcxwrd.exe

Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | C:\Windows\mydoc.rtf | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | olhcxwrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | olhcxwrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | olhcxwrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | olhcxwrd.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | olhcxwrd.exe
olhcxwrd.exe writes executables named after existing Office files (the PROTTPLN/PROTTPLV templates and the MSDRM protector) with a .doc.exe double extension, in Program Files, SysWOW64 and two WinSxS component directories. Together with HideFileExt = 1 these display as .doc files. The mydoc.rtf write and the ~$mydoc.rtf lock file belong to the sample opening a document in Word (see the process tree).
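olhcxwrd.exe leaves executables with document-style double extensions (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe) beside the real files, and ivxnoonckf.exe sets HideFileExt so the trailing .exe is not shown. The Python below is an added example for this page, not code from tria.ge or from the sample: it walks a directory tree for names ending in a document extension followed by .exe and checks whether the content is really a PE file. The extension list is broader than the .doc/.DOC names the report shows, and the sample tree it builds (a minimal PE stub, a .docx and a non-PE .txt.exe) is constructed for the demonstration.

```python
"""Hunt for executables disguised as documents, as dropped by olhcxwrd.exe in
this report. Added example for this page; not code from tria.ge or the sample."""
import os
import re
import struct
import tempfile

# A document-looking extension immediately followed by .exe, any case.
# Wider than the .doc/.DOC names in the report (assumption: worth hunting too).
DOC_EXTS = ("doc", "docx", "dot", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
DISGUISED = re.compile(r"\.(?:" + "|".join(DOC_EXTS) + r")\.exe$", re.IGNORECASE)


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as f:
        dos = f.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def hunt(root):
    """Return sorted (path, is_pe) pairs for every file under root whose name
    matches DISGUISED. A non-PE hit is still odd, but a PE hit is the finding."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if DISGUISED.search(name):
                path = os.path.join(dirpath, name)
                hits.append((path, is_pe(path)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed test data (not from the report): a 0x44-byte PE stub named like
    the dropped template, a benign .docx, and a .txt.exe that is not a PE."""
    office = os.path.join(root, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    os.makedirs(office)
    stub = bytearray(0x44)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew: PE header at offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    with open(os.path.join(office, "PROTTPLN.DOC.exe"), "wb") as f:
        f.write(stub)
    with open(os.path.join(root, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04")  # zip container, ordinary document name
    with open(os.path.join(root, "notes.txt.exe"), "wb") as f:
        f.write(b"not a PE at all")
    return root


def demo():
    """Build the sample tree in a temp dir and return {relative path: is_pe}."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="hunt-"))
    return {os.path.relpath(p, root).replace(os.sep, "/"): pe for p, pe in hunt(root)}


if __name__ == "__main__":
    for rel, pe in demo().items():
        print(f"{'PE  ' if pe else 'nope'} {rel}")
```

On a real host point hunt() at C:\Program Files, C:\Windows\SysWOW64 and C:\Windows\WinSxS, the three locations the report shows; checking the PE signature rather than only the name avoids chasing renamed data files.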
Enumerates physical storage devices (1 TTP; no IoC rows on the page)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Both of these signatures fire on WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf, and not on any of the dropped binaries. Word reads these keys during normal start-up, so treat them as noise from opening the document rather than as sandbox detection by the malware.
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ivxnoonckf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ivxnoonckf.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFC8F485882689041D6217DE0BDEEE631593167456345D6EB" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB6FE6922DED20FD0D68B799163" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70914E6DABFB8CE7CE8ED9234BD" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ivxnoonckf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ivxnoonckf.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ivxnoonckf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D7E9D2183516A3376A670512CDD7D8564DF" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACDFE16F1E084783B3681EA39E5B389038F4315023BE1CC42E608A9" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15F47E6399A52BDB9D533E8D7BB" | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ivxnoonckf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ivxnoonckf.exe
ivxnoonckf.exe re-points the .bat, .vbs, .reg, .wsf, .wsh and .wsc extensions at the txtfile ProgID, so double-clicking a script or a .reg file opens it in Notepad instead of running it; together with DisableRegistryTools this hampers manual cleanup. The submitted sample stores hex strings under HKLM\SOFTWARE\Classes\CLV.Classes (Com1 to Com4, StartCom1, StartCom2), which looks like encoded configuration or state; the page does not decode them.
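The registry changes recorded in the signatures above (Explorer HideFileExt and ShowSuperHidden, the Security Center override and DisableNotify flags, DisableRegistryTools, the Run entries, the Winlogon SFC values and the script-extension ProgIDs) are straightforward to check for on a host. The Python below is an added example for this page, not code from tria.ge or from the sample: it evaluates a registry snapshot against those exact keys and values and renders a .reg file that reverts them. The key paths and the malicious data come from the report; the values it restores, the default ProgIDs (batfile, VBSFile, regfile, WSFFile, WSHFile, scriptletfile) and the benign "Example" Run entry in the constructed snapshot are this example's assumptions. snapshot_live() reads the same keys on a Windows host through winreg; everything else runs anywhere.

```python
"""Check a registry snapshot for the values this report attributes to
ivxnoonckf.exe and nbrbxlzovrfrbfc.exe and emit a .reg file that reverts them.
Added example for this page; not code from tria.ge or from the sample."""
from dataclasses import dataclass

HKCU_ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKCU_POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_SC = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
HKLM_WL = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKLM_RUN = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
CLASSES = r"HKLM\SOFTWARE\Classes"

# (key, value name, data the sample wrote, data to restore (None = delete), effect).
# Keys and written data come from the report; the restore data is assumed.
VALUE_IOCS = [
    (HKCU_ADV, "HideFileExt", 1, 0, "hides extensions: MsoIrmProtector.doc.exe shows as .doc"),
    (HKCU_ADV, "ShowSuperHidden", 0, 1, "hides protected operating-system files"),
    (HKCU_POL, "DisableRegistryTools", 1, 0, "blocks regedit for this user"),
    (HKLM_SC, "AntiVirusDisableNotify", 1, 0, "silences Security Center AV alerts"),
    (HKLM_SC, "FirewallDisableNotify", 1, 0, "silences Security Center firewall alerts"),
    (HKLM_SC, "UpdatesDisableNotify", 1, 0, "silences Windows Update alerts"),
    (HKLM_SC, "AntiVirusOverride", 1, 0, "claims AV is monitored elsewhere"),
    (HKLM_SC, "FirewallOverride", 1, 0, "claims the firewall is monitored elsewhere"),
    (HKLM_SC, "FirstRunDisabled", 1, 0, "suppresses the Security Center first-run prompt"),
    (HKLM_WL, "SFCScan", 0, None, "legacy Windows File Protection flag"),
    (HKLM_WL, "SFCDisable", 4294967197, None, "legacy WFP disable value 0xFFFFFF9D"),
]
DROPPED = {"ivxnoonckf.exe", "nbrbxlzovrfrbfc.exe", "vxavrvlcsobbp.exe", "olhcxwrd.exe"}
# Extensions the sample re-pointed at "txtfile"; these default ProgIDs are assumed.
SCRIPT_PROGIDS = {".bat": "batfile", ".vbs": "VBSFile", ".reg": "regfile",
                  ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str  # "" is the (Default) value
    current: object
    restore: object
    why: str


def evaluate(snapshot):
    """snapshot maps (key, value name) -> data, as produced by snapshot_live()."""
    found = []
    for key, name, bad, good, why in VALUE_IOCS:
        if snapshot.get((key, name)) == bad:
            found.append(Finding(key, name, bad, good, why))
    for (key, name), data in snapshot.items():
        # Run entries that launch a dropped binary, whatever path form is used.
        if key.lower() == HKLM_RUN.lower() and isinstance(data, str):
            image = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image in DROPPED:
                found.append(Finding(key, name, data, None, "Run key starts a dropped binary"))
    for ext, default in SCRIPT_PROGIDS.items():
        current = snapshot.get((f"{CLASSES}\\{ext}", ""))
        if current is not None and current.lower() != default.lower():
            found.append(Finding(f"{CLASSES}\\{ext}", "", current, default,
                                 f"{ext} files open in Notepad instead of running"))
    return found


def remediation_reg(findings):
    """Render findings as a .reg file: restore the value, or delete it with '=-'."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in sorted(findings, key=lambda f: (f.key, f.name)):
        hive = f.key.replace("HKCU\\", "HKEY_CURRENT_USER\\", 1)
        hive = hive.replace("HKLM\\", "HKEY_LOCAL_MACHINE\\", 1)
        name = "@" if f.name == "" else f'"{f.name}"'
        if f.restore is None:
            value = "-"
        elif isinstance(f.restore, int):
            value = f"dword:{f.restore:08x}"
        else:
            value = f'"{f.restore}"'
        out += [f"[{hive}]", f"{name}={value}", ""]
    return "\n".join(out)


def snapshot_live():
    """Read the same keys from the local registry (Windows only)."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    keys = {k for k, *_ in VALUE_IOCS} | {HKLM_RUN} | {f"{CLASSES}\\{e}" for e in SCRIPT_PROGIDS}
    snap = {}
    for key in keys:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                for i in range(winreg.QueryInfoKey(h)[1]):
                    name, data, _ = winreg.EnumValue(h, i)
                    snap[(key, name)] = data
        except OSError:
            pass  # key absent: nothing to report for it
    return snap


# Constructed snapshots (not from the page): the report's values plus one
# assumed-benign Run entry, and a clean baseline holding the assumed defaults.
INFECTED = {(k, n): bad for k, n, bad, *_ in VALUE_IOCS}
INFECTED.update({(HKLM_RUN, "scmvdapi"): "ivxnoonckf.exe",
                 (HKLM_RUN, "aqtdjllm"): "nbrbxlzovrfrbfc.exe",
                 (HKLM_RUN, ""): "vxavrvlcsobbp.exe",
                 (HKLM_RUN, "Example"): r"C:\Program Files\Example\example.exe"})
INFECTED.update({(f"{CLASSES}\\{e}", ""): "txtfile" for e in SCRIPT_PROGIDS})
CLEAN = {(k, n): good for k, n, _, good, _ in VALUE_IOCS if good is not None}
CLEAN.update({(f"{CLASSES}\\{e}", ""): p for e, p in SCRIPT_PROGIDS.items()})
```

On a suspect Windows host run evaluate(snapshot_live()), review the findings, then import remediation_reg() output as an administrator. The Winlogon SFC values are deleted rather than reset because Windows 10 does not use them, and the Run entries are deleted outright; the dropped files themselves still have to be removed separately.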
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | events
4896 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | events
4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 16
620 | ivxnoonckf.exe | 10
1756 | nbrbxlzovrfrbfc.exe | 14
4840 | olhcxwrd.exe | 8
3236 | vxavrvlcsobbp.exe | 12
2616 | olhcxwrd.exe | 4

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | events
4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 3
620 | ivxnoonckf.exe | 3
1756 | nbrbxlzovrfrbfc.exe | 3
4840 | olhcxwrd.exe | 3
3236 | vxavrvlcsobbp.exe | 3
2616 | olhcxwrd.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | events
4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 3
620 | ivxnoonckf.exe | 3
1756 | nbrbxlzovrfrbfc.exe | 3
4840 | olhcxwrd.exe | 3
3236 | vxavrvlcsobbp.exe | 3
2616 | olhcxwrd.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | events
4896 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | events
PID 4328 wrote to memory of 620 | 4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 78 | 3
PID 4328 wrote to memory of 1756 | 4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 79 | 3
PID 4328 wrote to memory of 3236 | 4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 80 | 3
PID 4328 wrote to memory of 4840 | 4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 81 | 3
PID 620 wrote to memory of 2616 | 620 | ivxnoonckf.exe | 82 | 3
PID 4328 wrote to memory of 4896 | 4328 | ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe | 83 | 2
Every write target is a process the writer itself started (compare the process tree below), which is consistent with ordinary child-process creation rather than injection into an existing process. The signal worth escalating from this signature would be a write to a PID that is not the writer's child; there is none here.
Processes
The number before each entry is its depth in the tree; the command line follows the image path.

1. C:\Users\Admin\AppData\Local\Temp\ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ec036499f9b63c373e12161b7450cb73bc820813780a398cb0e0a8ff0df599d5.exe"
   PID: 4328
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ivxnoonckf.exe
      command line: ivxnoonckf.exe
      PID: 620
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\olhcxwrd.exe
         command line: C:\Windows\system32\olhcxwrd.exe (a 32-bit parent's system32 path is redirected to SysWOW64 by WOW64)
         PID: 2616
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\nbrbxlzovrfrbfc.exe
      command line: nbrbxlzovrfrbfc.exe
      PID: 1756
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\vxavrvlcsobbp.exe
      command line: vxavrvlcsobbp.exe
      PID: 3236
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\olhcxwrd.exe
      command line: olhcxwrd.exe
      PID: 4840
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 4896
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

The sample drops four executables into SysWOW64, starts three of them plus olhcxwrd.exe directly, lets ivxnoonckf.exe start a second olhcxwrd.exe, and finally opens C:\Windows\mydoc.rtf in Word, which accounts for every WINWORD.EXE signature above.
Network
(no entries on the page)

MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Dropped files and dumps available from the report, one block per distinct set of hashes; where the page lists the same hashes more than once, the count is given.

Filesize: 256KB
MD5: 1a9097827ff836c7b9ed5a28d6cac405
SHA1: 8b2e7b16dad859c7d18fa79bf950f3f74f64414a
SHA256: 1a91cc2ee4a88edaa09fc1c430677920437699b7f5dc9cc5a5a081cc0b2400a9
SHA512: 6ada77694b291b10848ef44918144f4acdbe768a0a82ad4ee00178708b48a184a085ea4457cd8d10f8fb41d3fb9bd5fc3608964b157738fa61fd2b310914fed6

Filesize: 256KB
MD5: 2da5b55f241ddd5d7c5ef293fd1e039b
SHA1: eb29bc0710185dbfcd926c53dafd5c8255f55037
SHA256: 8e84989d4739289f9e285bfba9d70f2a8cea01eee23a2f45e2a2b45b9fe597c4
SHA512: 4d205328f6a51245a608590c78ce0f4f10f20e4edb94e7645df696c51a3b5cbb0b178669eaadba99fcc3fb654d6083b174f13aad6f590cba4d247102e93be8ae

Filesize: 255KB (listed twice on the page)
MD5: 93a4e54d131ce72cadd1534af9939b9a
SHA1: 47eb002644d6850d70271fb3e78514dae4d76687
SHA256: 6ea37f1370d8d4e52343dfb8df255d29d725e83ed5b14cd6cc78e9578f9972fd
SHA512: d40f6a001aa9a0a6d9bfcd446cb7aeb8ef3d6876551bee07a8fe04e34765f899ddc8a483f0480a57312c4c2bbd4c467ef5c177171141dd3dc183e6af335d79b7

Filesize: 255KB (listed twice on the page)
MD5: 8c3fb298dba26ea6f3bbc94ca2f423f1
SHA1: 048ae91092b1f00dfa0d27936c6ba2329a9b6649
SHA256: e4cdbc116b1b3eb15a3e135ee4f93645f65f0150a55a038bd416b120ff75acc3
SHA512: b1bbea2ca0b9486d331bedd8afae80275abacee0f5a429c29160dfa477423cf4b1720c9b62517ff9a65130f68f5439d8f35c8b4cf8fa359ddb2709e680d54a77

Filesize: 255KB (listed three times on the page)
MD5: f14bc8577b94988221f325ddaa19de0f
SHA1: 0a08305da32ba89e91f73a61778d86d1179bf1b4
SHA256: 108a48e2e3f2331ab9c1fef280f4d49ab4905c3f0b0f9d17e279ed550615278c
SHA512: a2df7c9a2cc19fa42bdf2bc5f2d67752eb97df221b4ec9f0ae5b9ec91bc8bb96d9666d2cbf706177100c7ef41d569da4645bfad9cc489fddcba33a571fa74e07

Filesize: 255KB (listed twice on the page)
MD5: 56fde841ace7a89f7104f0196a11b0e6
SHA1: 8003722189e24d793a8276836027e376977d9b6e
SHA256: 21bf186561b6afc940a9399a72173177546f18c784da8d00c7a246dd10dda616
SHA512: f4768d3351faacb1cbf41e8a9be5897a09dd5b0e40b15bc581a318fda1323812088da638ab210cd9ece1b6cdce39cbecb9d1646c946b7390ac9258bb903c2a56

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 256KB
MD5: 52d0669ea215e0ca103abc58d56e9db4
SHA1: 16cb5b5bd2fa3413f7ef4386e337ff0bebcb8e36
SHA256: b4b90ff258bcf37d06d5c53790f459d3c3f6cca55c6c6d1eafc6516c8f56cd70
SHA512: 550d7b3c67e1ddd0083e9513b59a3ab9ccc275cb6476117bdd3f65d85acd1f38e9bdace764682f753b421941707136aa68cdff5ee2323cabc763b4ddb95b4ddf

Filesize: 256KB
MD5: a262122aceb9900fc524a97789ec9d84
SHA1: fa1278dced6014ce5a4bbd25d45545d7f1875380
SHA256: 86523be5ce17bdf8564f1136bc42c86ea13adf06cd2db900457c1fc2cca66e9a
SHA512: 5273ecea5fda8988bfc444de1fa9a2889809d69b70d84ca641bf29d2b22c6f94cf3969988a1849a07feb7b88f1190d9b00b670a228e66029af68e7c78198dc93

Filesize: 256KB
MD5: bb2d8a5e4740ab93b360d094b562fadd
SHA1: 3ffe278dcbbc868b851e510a15606b7b097c3ef8
SHA256: 6a9e3570a0e0bdb2ffd2ef36ce32ad0547fa60cb7110cf35828949977b4c16fe
SHA512: 55b678727a3fe203f6ead9eedd25312085020c913da600ac1f62f87853bbcfa862c1c2a79a498054bf6c403e8bf985cda0d551a96887c75c392116dab340a72e