Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
153s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2022, 10:43
Behavioral task
behavioral1
Sample
cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Resource
win7-20220812-en
windows7-x64
26 signatures
150 seconds
General
-
Target
cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
-
Size
255KB
-
MD5
041517df62f8e841367468104014d91a
-
SHA1
469d197f59194f70a58941921de4c14c86f4dceb
-
SHA256
cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15
-
SHA512
0ae84ae5977380d411ba41917c94446a98361dcff643cb952a69317e925470dcc0e18c5069b2be49e0a08e8eeb43343466815bdab5d438a0ca7d71aa0f017d66
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJH:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" juglmfelim.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" juglmfelim.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" juglmfelim.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" juglmfelim.exe -
Executes dropped EXE 5 IoCs
pid Process 5108 juglmfelim.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4444 ehxyjrcprqnch.exe 1372 gkwcbbsz.exe -
resource yara_rule behavioral2/memory/4480-132-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0009000000022e09-134.dat upx behavioral2/files/0x0009000000022e09-135.dat upx behavioral2/files/0x000b000000022e2c-137.dat upx behavioral2/files/0x000b000000022e2c-138.dat upx behavioral2/files/0x000b000000022e3a-140.dat upx behavioral2/files/0x000b000000022e3a-141.dat upx behavioral2/files/0x0006000000022e42-144.dat upx behavioral2/files/0x0006000000022e42-143.dat upx behavioral2/memory/5108-145-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4220-146-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4684-147-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4444-148-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000b000000022e3a-150.dat upx behavioral2/memory/4480-152-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1372-153-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0003000000009dee-159.dat upx behavioral2/files/0x0007000000022e46-160.dat upx behavioral2/memory/5108-164-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4220-165-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4684-166-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4444-167-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1372-168-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" juglmfelim.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ehxyjrcprqnch.exe" kxqdteyvlpghacc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run kxqdteyvlpghacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\piwlsxiu = "juglmfelim.exe" kxqdteyvlpghacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\figahvtj = "kxqdteyvlpghacc.exe" kxqdteyvlpghacc.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\z: gkwcbbsz.exe File opened (read-only) \??\w: gkwcbbsz.exe File opened (read-only) \??\b: juglmfelim.exe File opened (read-only) \??\o: gkwcbbsz.exe File opened (read-only) \??\t: gkwcbbsz.exe File opened (read-only) \??\i: juglmfelim.exe File opened (read-only) \??\r: gkwcbbsz.exe File opened (read-only) \??\e: gkwcbbsz.exe File opened (read-only) \??\k: gkwcbbsz.exe File opened (read-only) \??\x: gkwcbbsz.exe File opened (read-only) \??\h: juglmfelim.exe File opened (read-only) \??\x: gkwcbbsz.exe File opened (read-only) \??\t: gkwcbbsz.exe File opened (read-only) \??\u: gkwcbbsz.exe File opened (read-only) \??\g: juglmfelim.exe File opened (read-only) \??\p: juglmfelim.exe File opened (read-only) \??\p: gkwcbbsz.exe File opened (read-only) \??\v: gkwcbbsz.exe File opened (read-only) \??\q: gkwcbbsz.exe File opened (read-only) \??\j: juglmfelim.exe File opened (read-only) \??\s: juglmfelim.exe File opened (read-only) \??\y: juglmfelim.exe File opened (read-only) \??\a: juglmfelim.exe File opened (read-only) \??\a: gkwcbbsz.exe File opened (read-only) \??\m: gkwcbbsz.exe File opened (read-only) \??\y: gkwcbbsz.exe File opened (read-only) \??\k: juglmfelim.exe File opened (read-only) \??\w: gkwcbbsz.exe File opened (read-only) \??\l: juglmfelim.exe File opened (read-only) \??\o: juglmfelim.exe File opened (read-only) \??\h: gkwcbbsz.exe File opened (read-only) \??\j: gkwcbbsz.exe File opened (read-only) \??\l: gkwcbbsz.exe File opened (read-only) \??\k: gkwcbbsz.exe File opened (read-only) \??\n: gkwcbbsz.exe File opened (read-only) \??\u: gkwcbbsz.exe File opened (read-only) \??\o: gkwcbbsz.exe File opened (read-only) \??\p: gkwcbbsz.exe File opened (read-only) \??\r: gkwcbbsz.exe File opened (read-only) \??\f: gkwcbbsz.exe File opened (read-only) \??\y: gkwcbbsz.exe File opened (read-only) \??\g: gkwcbbsz.exe File opened (read-only) \??\i: gkwcbbsz.exe File opened (read-only) \??\x: juglmfelim.exe File opened (read-only) \??\e: gkwcbbsz.exe File opened (read-only) \??\u: juglmfelim.exe File opened (read-only) \??\h: gkwcbbsz.exe File opened (read-only) \??\j: gkwcbbsz.exe File opened (read-only) \??\e: juglmfelim.exe File opened (read-only) \??\t: juglmfelim.exe File opened (read-only) \??\b: gkwcbbsz.exe File opened (read-only) \??\g: gkwcbbsz.exe File opened (read-only) \??\f: gkwcbbsz.exe File opened (read-only) \??\n: juglmfelim.exe File opened (read-only) \??\r: juglmfelim.exe File opened (read-only) \??\v: juglmfelim.exe File opened (read-only) \??\s: gkwcbbsz.exe File opened (read-only) \??\f: juglmfelim.exe File opened (read-only) \??\i: gkwcbbsz.exe File opened (read-only) \??\l: gkwcbbsz.exe File opened (read-only) \??\a: gkwcbbsz.exe File opened (read-only) \??\m: gkwcbbsz.exe File opened (read-only) \??\v: gkwcbbsz.exe File opened (read-only) \??\z: gkwcbbsz.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" juglmfelim.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" juglmfelim.exe -
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4480-132-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5108-145-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4220-146-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4684-147-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4444-148-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4480-152-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1372-153-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5108-164-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4220-165-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4684-166-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4444-167-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1372-168-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\juglmfelim.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File opened for modification C:\Windows\SysWOW64\gkwcbbsz.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File opened for modification C:\Windows\SysWOW64\ehxyjrcprqnch.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll juglmfelim.exe File opened for modification C:\Windows\SysWOW64\juglmfelim.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File created C:\Windows\SysWOW64\kxqdteyvlpghacc.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File opened for modification C:\Windows\SysWOW64\kxqdteyvlpghacc.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File created C:\Windows\SysWOW64\gkwcbbsz.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File created C:\Windows\SysWOW64\ehxyjrcprqnch.exe cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gkwcbbsz.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gkwcbbsz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gkwcbbsz.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gkwcbbsz.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal gkwcbbsz.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D7D9C5583536A3176D670232CAB7D8764AF" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B1214490399A53CCBAD033EFD4CC" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF8F4F2882189132D65A7D96BC94E630584667326346D79C" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat juglmfelim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" juglmfelim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg juglmfelim.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC3FF1A21ABD173D1A68A099016" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" juglmfelim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc juglmfelim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs juglmfelim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9BCFE17F1E284743B4481EB3E97B0FA038D43160348E1CF429C08A9" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC67815E5DAC5B8CC7FE2ECE534BC" cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf juglmfelim.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1836 WINWORD.EXE 1836 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 5108 juglmfelim.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4684 gkwcbbsz.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4220 kxqdteyvlpghacc.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 4444 ehxyjrcprqnch.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe 1372 gkwcbbsz.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE 1836 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4480 wrote to memory of 5108 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 84 PID 4480 wrote to memory of 5108 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 84 PID 4480 wrote to memory of 5108 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 84 PID 4480 wrote to memory of 4220 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 85 PID 4480 wrote to memory of 4220 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 85 PID 4480 wrote to memory of 4220 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 85 PID 4480 wrote to memory of 4684 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 86 PID 4480 wrote to memory of 4684 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 86 PID 4480 wrote to memory of 4684 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 86 PID 4480 wrote to memory of 4444 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 87 PID 4480 wrote to memory of 4444 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 87 PID 4480 wrote to memory of 4444 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 87 PID 5108 wrote to memory of 1372 5108 juglmfelim.exe 88 PID 5108 wrote to memory of 1372 5108 juglmfelim.exe 88 PID 5108 wrote to memory of 1372 5108 juglmfelim.exe 88 PID 4480 wrote to memory of 1836 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 89 PID 4480 wrote to memory of 1836 4480 cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe"C:\Users\Admin\AppData\Local\Temp\cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\juglmfelim.exejuglmfelim.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\gkwcbbsz.exeC:\Windows\system32\gkwcbbsz.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1372
-
-
-
C:\Windows\SysWOW64\kxqdteyvlpghacc.exekxqdteyvlpghacc.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4220
-
-
C:\Windows\SysWOW64\gkwcbbsz.exegkwcbbsz.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4684
-
-
C:\Windows\SysWOW64\ehxyjrcprqnch.exeehxyjrcprqnch.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4444
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1836
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD5e32a2aa6a7d11302251825d96f6bf182
SHA1229e8ff88641b1664af15f7f644197656e5e8af2
SHA2563eb744878f58acafd7b4abf81b368525ac07b2f7b695401a14ae345981b49f98
SHA512a5517cd83950792d206720b066ca35c83d7096c6c197181333d57594d64aa6cafcee3934c78715d72a93f94b9b1ac57072b2468773e4e56951031cb159cd3447
-
Filesize
255KB
MD579e14448f95b32e39157a135f78e72d1
SHA1167bb3cc269e1951b08e3f3390636a20ed1f8f09
SHA256a672697cfa7821dbbb3cfdd7b90a5fcad728aafa9ff4854ff19a4f2fc41604f1
SHA5121958f59a72a187215320bc019309c49b8d35276a828f99ef45353b81ebf0fd2ac71693ee7f956adc8bf10c7195809a7511d52a4c5b926d301b39e6fb4a793d2f
-
Filesize
255KB
MD55018d4f14168784cf79de5246d0e4e9b
SHA15bbcd9685594c56091e8ded9461d0e12fdd73294
SHA25636230fc7bc0f35310d6089a4f0708c7f6fe3c1d3354b62d52d9869e6e69c85f0
SHA512282499141bada65ada1dfc5dd3bf64b64b1ee1bd8fa16ed1651e474f8e2340cd4fd11d723323ed4ffae90f4a42684b57b936d168d2c9274f9c7424d615cd2d03
-
Filesize
255KB
MD55018d4f14168784cf79de5246d0e4e9b
SHA15bbcd9685594c56091e8ded9461d0e12fdd73294
SHA25636230fc7bc0f35310d6089a4f0708c7f6fe3c1d3354b62d52d9869e6e69c85f0
SHA512282499141bada65ada1dfc5dd3bf64b64b1ee1bd8fa16ed1651e474f8e2340cd4fd11d723323ed4ffae90f4a42684b57b936d168d2c9274f9c7424d615cd2d03
-
Filesize
255KB
MD5dcd3222a49d3c1da9911ce4f6122ab77
SHA140ca2067d1efe0620611fa8688d5c92cd59bdee6
SHA2565094cb2e0b21d5965cb82267ad89dc580e858ef61e0c6809ee8d09ccb1fdbf50
SHA512f9783f640bdbaeca10de1fc0322e273fb70045e2fe77f89756a09ce5b3e8ab5d72799c8a9b06ed65f3975f176b2da850bb118151d0a2077e0e28827ef1778ab8
-
Filesize
255KB
MD5dcd3222a49d3c1da9911ce4f6122ab77
SHA140ca2067d1efe0620611fa8688d5c92cd59bdee6
SHA2565094cb2e0b21d5965cb82267ad89dc580e858ef61e0c6809ee8d09ccb1fdbf50
SHA512f9783f640bdbaeca10de1fc0322e273fb70045e2fe77f89756a09ce5b3e8ab5d72799c8a9b06ed65f3975f176b2da850bb118151d0a2077e0e28827ef1778ab8
-
Filesize
255KB
MD5dcd3222a49d3c1da9911ce4f6122ab77
SHA140ca2067d1efe0620611fa8688d5c92cd59bdee6
SHA2565094cb2e0b21d5965cb82267ad89dc580e858ef61e0c6809ee8d09ccb1fdbf50
SHA512f9783f640bdbaeca10de1fc0322e273fb70045e2fe77f89756a09ce5b3e8ab5d72799c8a9b06ed65f3975f176b2da850bb118151d0a2077e0e28827ef1778ab8
-
Filesize
255KB
MD544c4dc2e21f9f1e1b2e2c6fae04f11a6
SHA1b360bccfa43562dbf5efabf25a8c9232176699b8
SHA25681c5559006d571dc24d6cefb6d1529352bcf8e2e29c5656fe54157470cf9ef12
SHA512be9a6f891d0b4317b9630d62fbcba42f7c51313df5b62f661741ea813b0a19a66c504b026c305a9644c5221370de4a6d75f27ca71db174b7752245689cc1d521
-
Filesize
255KB
MD544c4dc2e21f9f1e1b2e2c6fae04f11a6
SHA1b360bccfa43562dbf5efabf25a8c9232176699b8
SHA25681c5559006d571dc24d6cefb6d1529352bcf8e2e29c5656fe54157470cf9ef12
SHA512be9a6f891d0b4317b9630d62fbcba42f7c51313df5b62f661741ea813b0a19a66c504b026c305a9644c5221370de4a6d75f27ca71db174b7752245689cc1d521
-
Filesize
255KB
MD5d73015970f7f49a33ca7d9e6d5df7696
SHA1f39a365c552518b869207e7538cfe7b7ff2d92bf
SHA2568b602cf6aa2b22c934586008efc041af6a9920e51a0b4a3fd3225502d5524921
SHA512f59215b801c9b5d1e3091f6e758028b20839aca5c7cc8600e19fa5ad2ee036747f66ef3512e750ac9b0082e25495753d5f6bb329bc50f45a1dd5897b00b4aacc
-
Filesize
255KB
MD5d73015970f7f49a33ca7d9e6d5df7696
SHA1f39a365c552518b869207e7538cfe7b7ff2d92bf
SHA2568b602cf6aa2b22c934586008efc041af6a9920e51a0b4a3fd3225502d5524921
SHA512f59215b801c9b5d1e3091f6e758028b20839aca5c7cc8600e19fa5ad2ee036747f66ef3512e750ac9b0082e25495753d5f6bb329bc50f45a1dd5897b00b4aacc
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7