e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba

Analysis

max time kernel
153s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
Size

255KB
MD5

69c8b057382d3e11253928874aeaaecf
SHA1

0aba47bcd1bad65ba65445b4d275f5c2409271b4
SHA256

e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba
SHA512

dfc0a0b1f881ca108ccf02a5dd00a674f415001dba667282d22c791f80ba0596ae35c343aea87d71955a9b023d82dd59d61874c4c513dbd5ca11029a987069cc
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lutgnzbpcm.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lutgnzbpcm.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lutgnzbpcm.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lutgnzbpcm.exe

Executes dropped EXE 5 IoCs

pid	Process
1916	lutgnzbpcm.exe
1108	oagjxppkbyjkdaq.exe
1080	vdyuikjq.exe
1764	qurqiyyvwfhcf.exe
1488	vdyuikjq.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x000b000000012315-60.dat	upx
behavioral1/files/0x000b000000012315-62.dat	upx
behavioral1/files/0x0009000000012326-64.dat	upx
behavioral1/files/0x0009000000012326-67.dat	upx
behavioral1/files/0x000b000000012315-66.dat	upx
behavioral1/memory/1756-71-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0009000000012326-75.dat	upx
behavioral1/memory/1916-74-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1108-76-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1080-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000800000001232e-73.dat	upx
behavioral1/files/0x000800000001232e-69.dat	upx
behavioral1/files/0x000800000001232e-79.dat	upx
behavioral1/files/0x0009000000012326-80.dat	upx
behavioral1/files/0x0009000000012326-82.dat	upx
behavioral1/memory/1764-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1488-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1756-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1916-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1108-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1080-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1764-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1488-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000136c6-100.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1916	lutgnzbpcm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	lutgnzbpcm.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qurqiyyvwfhcf.exe"	oagjxppkbyjkdaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	oagjxppkbyjkdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zxemjrcq = "lutgnzbpcm.exe"	oagjxppkbyjkdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\felcensf = "oagjxppkbyjkdaq.exe"	oagjxppkbyjkdaq.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	vdyuikjq.exe
File opened (read-only)	\??\s:	vdyuikjq.exe
File opened (read-only)	\??\z:	vdyuikjq.exe
File opened (read-only)	\??\o:	vdyuikjq.exe
File opened (read-only)	\??\z:	lutgnzbpcm.exe
File opened (read-only)	\??\u:	lutgnzbpcm.exe
File opened (read-only)	\??\x:	vdyuikjq.exe
File opened (read-only)	\??\m:	lutgnzbpcm.exe
File opened (read-only)	\??\f:	vdyuikjq.exe
File opened (read-only)	\??\y:	vdyuikjq.exe
File opened (read-only)	\??\a:	lutgnzbpcm.exe
File opened (read-only)	\??\l:	lutgnzbpcm.exe
File opened (read-only)	\??\t:	vdyuikjq.exe
File opened (read-only)	\??\o:	lutgnzbpcm.exe
File opened (read-only)	\??\i:	vdyuikjq.exe
File opened (read-only)	\??\p:	vdyuikjq.exe
File opened (read-only)	\??\f:	vdyuikjq.exe
File opened (read-only)	\??\r:	vdyuikjq.exe
File opened (read-only)	\??\g:	vdyuikjq.exe
File opened (read-only)	\??\j:	lutgnzbpcm.exe
File opened (read-only)	\??\v:	lutgnzbpcm.exe
File opened (read-only)	\??\z:	vdyuikjq.exe
File opened (read-only)	\??\g:	lutgnzbpcm.exe
File opened (read-only)	\??\x:	vdyuikjq.exe
File opened (read-only)	\??\a:	vdyuikjq.exe
File opened (read-only)	\??\u:	vdyuikjq.exe
File opened (read-only)	\??\k:	lutgnzbpcm.exe
File opened (read-only)	\??\s:	lutgnzbpcm.exe
File opened (read-only)	\??\w:	lutgnzbpcm.exe
File opened (read-only)	\??\e:	vdyuikjq.exe
File opened (read-only)	\??\l:	vdyuikjq.exe
File opened (read-only)	\??\g:	vdyuikjq.exe
File opened (read-only)	\??\p:	vdyuikjq.exe
File opened (read-only)	\??\y:	lutgnzbpcm.exe
File opened (read-only)	\??\q:	vdyuikjq.exe
File opened (read-only)	\??\o:	vdyuikjq.exe
File opened (read-only)	\??\n:	lutgnzbpcm.exe
File opened (read-only)	\??\k:	vdyuikjq.exe
File opened (read-only)	\??\n:	vdyuikjq.exe
File opened (read-only)	\??\v:	vdyuikjq.exe
File opened (read-only)	\??\b:	lutgnzbpcm.exe
File opened (read-only)	\??\i:	vdyuikjq.exe
File opened (read-only)	\??\k:	vdyuikjq.exe
File opened (read-only)	\??\w:	vdyuikjq.exe
File opened (read-only)	\??\q:	lutgnzbpcm.exe
File opened (read-only)	\??\t:	lutgnzbpcm.exe
File opened (read-only)	\??\j:	vdyuikjq.exe
File opened (read-only)	\??\m:	vdyuikjq.exe
File opened (read-only)	\??\q:	vdyuikjq.exe
File opened (read-only)	\??\t:	vdyuikjq.exe
File opened (read-only)	\??\e:	vdyuikjq.exe
File opened (read-only)	\??\j:	vdyuikjq.exe
File opened (read-only)	\??\y:	vdyuikjq.exe
File opened (read-only)	\??\r:	lutgnzbpcm.exe
File opened (read-only)	\??\a:	vdyuikjq.exe
File opened (read-only)	\??\n:	vdyuikjq.exe
File opened (read-only)	\??\u:	vdyuikjq.exe
File opened (read-only)	\??\b:	vdyuikjq.exe
File opened (read-only)	\??\s:	vdyuikjq.exe
File opened (read-only)	\??\r:	vdyuikjq.exe
File opened (read-only)	\??\i:	lutgnzbpcm.exe
File opened (read-only)	\??\h:	vdyuikjq.exe
File opened (read-only)	\??\x:	lutgnzbpcm.exe
File opened (read-only)	\??\b:	vdyuikjq.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	lutgnzbpcm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	lutgnzbpcm.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1756-71-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1916-74-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1108-76-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1080-77-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1764-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1488-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1756-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1916-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1108-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1080-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1764-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1488-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lutgnzbpcm.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File opened for modification	C:\Windows\SysWOW64\lutgnzbpcm.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File created	C:\Windows\SysWOW64\oagjxppkbyjkdaq.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File created	C:\Windows\SysWOW64\vdyuikjq.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File opened for modification	C:\Windows\SysWOW64\qurqiyyvwfhcf.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File opened for modification	C:\Windows\SysWOW64\oagjxppkbyjkdaq.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File opened for modification	C:\Windows\SysWOW64\vdyuikjq.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File created	C:\Windows\SysWOW64\qurqiyyvwfhcf.exe	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lutgnzbpcm.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vdyuikjq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vdyuikjq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vdyuikjq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vdyuikjq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vdyuikjq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vdyuikjq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vdyuikjq.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	lutgnzbpcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12E44E7389853BEBAA0329FD4BC"	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	lutgnzbpcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FC824F5D82699131D62E7E9CBC92E6355941674F6346D7E9"	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	lutgnzbpcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	lutgnzbpcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068C4FE1821ACD27AD1D38A7A906B"	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	lutgnzbpcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1108	oagjxppkbyjkdaq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1916	lutgnzbpcm.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1108	oagjxppkbyjkdaq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1080	vdyuikjq.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1764	qurqiyyvwfhcf.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe
1488	vdyuikjq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
636	WINWORD.EXE
636	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1916	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	28
PID 1756 wrote to memory of 1916	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	28
PID 1756 wrote to memory of 1916	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	28
PID 1756 wrote to memory of 1916	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	28
PID 1756 wrote to memory of 1108	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	29
PID 1756 wrote to memory of 1108	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	29
PID 1756 wrote to memory of 1108	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	29
PID 1756 wrote to memory of 1108	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	29
PID 1756 wrote to memory of 1080	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	30
PID 1756 wrote to memory of 1080	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	30
PID 1756 wrote to memory of 1080	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	30
PID 1756 wrote to memory of 1080	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	30
PID 1756 wrote to memory of 1764	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	31
PID 1756 wrote to memory of 1764	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	31
PID 1756 wrote to memory of 1764	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	31
PID 1756 wrote to memory of 1764	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	31
PID 1916 wrote to memory of 1488	1916	lutgnzbpcm.exe	32
PID 1916 wrote to memory of 1488	1916	lutgnzbpcm.exe	32
PID 1916 wrote to memory of 1488	1916	lutgnzbpcm.exe	32
PID 1916 wrote to memory of 1488	1916	lutgnzbpcm.exe	32
PID 1756 wrote to memory of 636	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	33
PID 1756 wrote to memory of 636	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	33
PID 1756 wrote to memory of 636	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	33
PID 1756 wrote to memory of 636	1756	e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe	33
PID 636 wrote to memory of 1752	636	WINWORD.EXE	37
PID 636 wrote to memory of 1752	636	WINWORD.EXE	37
PID 636 wrote to memory of 1752	636	WINWORD.EXE	37
PID 636 wrote to memory of 1752	636	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe
"C:\Users\Admin\AppData\Local\Temp\e2759fe3435c638105a5dbed674bbe682a45b6d2d6d6230085c0fe7aca95d8ba.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\lutgnzbpcm.exe
  lutgnzbpcm.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\vdyuikjq.exe
    C:\Windows\system32\vdyuikjq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1488
- C:\Windows\SysWOW64\oagjxppkbyjkdaq.exe
  oagjxppkbyjkdaq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1108
- C:\Windows\SysWOW64\vdyuikjq.exe
  vdyuikjq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1080
- C:\Windows\SysWOW64\qurqiyyvwfhcf.exe
  qurqiyyvwfhcf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1764
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
455896ce808b48fbcab2778fb3f4d0f7

SHA1
97a1042154b2bd5eddfdc9aaa69a110a1f194634

SHA256
4be742cf4ffc4b26ff933a58c72eed374a753be66f75ae056882441c5b9c7d5b

SHA512
f129b76f1d53ee6d1b0fabc2ff7db1ede7d24abb36fa30161f2793a80383b72d384b3c440853ab53a14000ec6ddaa98e13357d289269146e9ac95b7207c3bfe6

Download Submit
C:\Windows\SysWOW64\lutgnzbpcm.exe

Filesize
255KB

MD5
c160a55db27dca40f17da65ef7dc07c3

SHA1
febd04009d02610df520024acb5a7e62fa7afef1

SHA256
7b8dcd0cd66a4c105a96967d3dac3fcb357e0b0acca14cbc54c94961c2de9d7f

SHA512
b1305ea789ab32d4b07eeac740bc3a3ba2472dfb6f71d85e83a29319e1be84777de5a29dfeb31abe6530df27bcf04796a73140424589568ef5ca99fe587e2119

Download Submit
C:\Windows\SysWOW64\lutgnzbpcm.exe

Filesize
255KB

MD5
c160a55db27dca40f17da65ef7dc07c3

SHA1
febd04009d02610df520024acb5a7e62fa7afef1

SHA256
7b8dcd0cd66a4c105a96967d3dac3fcb357e0b0acca14cbc54c94961c2de9d7f

SHA512
b1305ea789ab32d4b07eeac740bc3a3ba2472dfb6f71d85e83a29319e1be84777de5a29dfeb31abe6530df27bcf04796a73140424589568ef5ca99fe587e2119

Download Submit
C:\Windows\SysWOW64\oagjxppkbyjkdaq.exe

Filesize
255KB

MD5
396fa912605b886330a5351fc8fff693

SHA1
a37c82b0cf4a6f486452c50b02aa8bd8831f6f90

SHA256
3c549eb077757b17ca1f43de4ecd1e51b7187b69e1376337fea376775c9045db

SHA512
6202e6321dd0abbaaeee871f9c1dd461eab0441e599b425a90d3956e759b2ba4e11712c4f35f860efe966da6a93367491413983ce3ab4d17fa0ae9269cb64ee1

Download Submit
C:\Windows\SysWOW64\oagjxppkbyjkdaq.exe

Filesize
255KB

MD5
396fa912605b886330a5351fc8fff693

SHA1
a37c82b0cf4a6f486452c50b02aa8bd8831f6f90

SHA256
3c549eb077757b17ca1f43de4ecd1e51b7187b69e1376337fea376775c9045db

SHA512
6202e6321dd0abbaaeee871f9c1dd461eab0441e599b425a90d3956e759b2ba4e11712c4f35f860efe966da6a93367491413983ce3ab4d17fa0ae9269cb64ee1

Download Submit
C:\Windows\SysWOW64\qurqiyyvwfhcf.exe

Filesize
255KB

MD5
4160d73282fce448a69b14ed12f98488

SHA1
d5a3d6fd9ad932f712b164d2196fc11009d4c1b5

SHA256
e746140f488d7b53447d57ca08c9414b659c646066843754b2bb7b1f91bfa2d0

SHA512
33b67d2dc1863a303efcdd02163807b898b67c2d9e6098bd04954cb89dabc2a7de01191cfb1a942697b72acfad0f314b6ce09dcfadb1dad8fd4c6de8d8953eb2

Download Submit
C:\Windows\SysWOW64\qurqiyyvwfhcf.exe

Filesize
255KB

MD5
4160d73282fce448a69b14ed12f98488

SHA1
d5a3d6fd9ad932f712b164d2196fc11009d4c1b5

SHA256
e746140f488d7b53447d57ca08c9414b659c646066843754b2bb7b1f91bfa2d0

SHA512
33b67d2dc1863a303efcdd02163807b898b67c2d9e6098bd04954cb89dabc2a7de01191cfb1a942697b72acfad0f314b6ce09dcfadb1dad8fd4c6de8d8953eb2

Download Submit
C:\Windows\SysWOW64\vdyuikjq.exe

Filesize
255KB

MD5
d95a83998ac19d91f4eb5d45674e73fd

SHA1
741c2101582239b5ccbacaa1b7e293c5d4d2ea41

SHA256
1d5b18d1db398ad548eee3d2c50e1c3f6501a11654b8e8c3f48458fae9df7f44

SHA512
c36aebf97c04d137ea8820b7be85eaafcae6ccc1d5c9b6d5f5be63aaaf506039ad8b37496e3d9dad5d32f65af66251376fbcb3066a632ea8bd59534b6e77976c

Download Submit
C:\Windows\SysWOW64\vdyuikjq.exe

Filesize
255KB

MD5
d95a83998ac19d91f4eb5d45674e73fd

SHA1
741c2101582239b5ccbacaa1b7e293c5d4d2ea41

SHA256
1d5b18d1db398ad548eee3d2c50e1c3f6501a11654b8e8c3f48458fae9df7f44

SHA512
c36aebf97c04d137ea8820b7be85eaafcae6ccc1d5c9b6d5f5be63aaaf506039ad8b37496e3d9dad5d32f65af66251376fbcb3066a632ea8bd59534b6e77976c

Download Submit
C:\Windows\SysWOW64\vdyuikjq.exe

Filesize
255KB

MD5
d95a83998ac19d91f4eb5d45674e73fd

SHA1
741c2101582239b5ccbacaa1b7e293c5d4d2ea41

SHA256
1d5b18d1db398ad548eee3d2c50e1c3f6501a11654b8e8c3f48458fae9df7f44

SHA512
c36aebf97c04d137ea8820b7be85eaafcae6ccc1d5c9b6d5f5be63aaaf506039ad8b37496e3d9dad5d32f65af66251376fbcb3066a632ea8bd59534b6e77976c

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\lutgnzbpcm.exe

Filesize
255KB

MD5
c160a55db27dca40f17da65ef7dc07c3

SHA1
febd04009d02610df520024acb5a7e62fa7afef1

SHA256
7b8dcd0cd66a4c105a96967d3dac3fcb357e0b0acca14cbc54c94961c2de9d7f

SHA512
b1305ea789ab32d4b07eeac740bc3a3ba2472dfb6f71d85e83a29319e1be84777de5a29dfeb31abe6530df27bcf04796a73140424589568ef5ca99fe587e2119

Download Submit
\Windows\SysWOW64\oagjxppkbyjkdaq.exe

Filesize
255KB

MD5
396fa912605b886330a5351fc8fff693

SHA1
a37c82b0cf4a6f486452c50b02aa8bd8831f6f90

SHA256
3c549eb077757b17ca1f43de4ecd1e51b7187b69e1376337fea376775c9045db

SHA512
6202e6321dd0abbaaeee871f9c1dd461eab0441e599b425a90d3956e759b2ba4e11712c4f35f860efe966da6a93367491413983ce3ab4d17fa0ae9269cb64ee1

Download Submit
\Windows\SysWOW64\qurqiyyvwfhcf.exe

Filesize
255KB

MD5
4160d73282fce448a69b14ed12f98488

SHA1
d5a3d6fd9ad932f712b164d2196fc11009d4c1b5

SHA256
e746140f488d7b53447d57ca08c9414b659c646066843754b2bb7b1f91bfa2d0

SHA512
33b67d2dc1863a303efcdd02163807b898b67c2d9e6098bd04954cb89dabc2a7de01191cfb1a942697b72acfad0f314b6ce09dcfadb1dad8fd4c6de8d8953eb2

Download Submit
\Windows\SysWOW64\vdyuikjq.exe

Filesize
255KB

MD5
d95a83998ac19d91f4eb5d45674e73fd

SHA1
741c2101582239b5ccbacaa1b7e293c5d4d2ea41

SHA256
1d5b18d1db398ad548eee3d2c50e1c3f6501a11654b8e8c3f48458fae9df7f44

SHA512
c36aebf97c04d137ea8820b7be85eaafcae6ccc1d5c9b6d5f5be63aaaf506039ad8b37496e3d9dad5d32f65af66251376fbcb3066a632ea8bd59534b6e77976c

Download Submit
\Windows\SysWOW64\vdyuikjq.exe

Filesize
255KB

MD5
d95a83998ac19d91f4eb5d45674e73fd

SHA1
741c2101582239b5ccbacaa1b7e293c5d4d2ea41

SHA256
1d5b18d1db398ad548eee3d2c50e1c3f6501a11654b8e8c3f48458fae9df7f44

SHA512
c36aebf97c04d137ea8820b7be85eaafcae6ccc1d5c9b6d5f5be63aaaf506039ad8b37496e3d9dad5d32f65af66251376fbcb3066a632ea8bd59534b6e77976c

Download Submit
memory/636-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/636-89-0x0000000070691000-0x0000000070693000-memory.dmp

Filesize
8KB

Download
memory/636-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/636-96-0x000000007167D000-0x0000000071688000-memory.dmp

Filesize
44KB

Download
memory/636-88-0x0000000072C11000-0x0000000072C14000-memory.dmp

Filesize
12KB

Download
memory/636-99-0x000000007167D000-0x0000000071688000-memory.dmp

Filesize
44KB

Download
memory/636-104-0x000000007167D000-0x0000000071688000-memory.dmp

Filesize
44KB

Download
memory/1080-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1080-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1108-76-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1108-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1488-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1488-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1752-102-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1756-72-0x0000000002F40000-0x0000000002FE0000-memory.dmp

Filesize
640KB

Download
memory/1756-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1756-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/1756-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1764-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1764-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1916-74-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1916-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download