Analysis
max time kernel: 194s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2022, 18:39
Behavioral task behavioral1
Sample: aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Resource: win10v2004-20220812-en
General
Target: aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Size: 255KB
MD5: 0aaf4cf51d935b8200463d02b4026610
SHA1: 247f7ee858725a04d9079dfc3e9e33c85504222a
SHA256: aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085
SHA512: 450f70413626597abee56651461ace383cafcafc5516e14c1743df13c786b2378db06dc3a784968217d7c2788d7fe60f3cc3629e0b8f6ad69479a008c6f24abe
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJf:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIk
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bzrlokbopb.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bzrlokbopb.exe
Windows security bypass 5 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bzrlokbopb.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bzrlokbopb.exe
Executes dropped EXE 5 IoCs
pid | process
3208 | bzrlokbopb.exe
1744 | mjrfzxkunauhznq.exe
1620 | uczzassl.exe
1272 | zwjtvwjvhdtov.exe
4244 | uczzassl.exe
UPX packed file (yara rule: upx) 23 IoCs
resource | yara_rule
behavioral2/memory/8-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000f000000022e22-135.dat | upx
behavioral2/files/0x000f000000022e22-134.dat | upx
behavioral2/memory/3208-136-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0009000000022e2b-138.dat | upx
behavioral2/files/0x0009000000022e2b-139.dat | upx
behavioral2/files/0x0008000000022e2c-141.dat | upx
behavioral2/files/0x0008000000022e2c-142.dat | upx
behavioral2/files/0x0007000000022e5a-145.dat | upx
behavioral2/files/0x0007000000022e5a-146.dat | upx
behavioral2/files/0x0008000000022e2c-148.dat | upx
behavioral2/memory/1620-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1744-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4244-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1272-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/8-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e60-155.dat | upx
behavioral2/files/0x0006000000022e61-156.dat | upx
behavioral2/memory/3208-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1744-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1620-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1272-160-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4244-161-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Windows security modification 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bzrlokbopb.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvwqobry = "mjrfzxkunauhznq.exe" | mjrfzxkunauhznq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zwjtvwjvhdtov.exe" | mjrfzxkunauhznq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mjrfzxkunauhznq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zqadyqgc = "bzrlokbopb.exe" | mjrfzxkunauhznq.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bzrlokbopb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bzrlokbopb.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3208-136-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1620-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1744-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4244-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1272-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/8-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3208-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1744-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1620-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1272-160-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4244-161-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\bzrlokbopb.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File opened for modification | C:\Windows\SysWOW64\uczzassl.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File opened for modification | C:\Windows\SysWOW64\zwjtvwjvhdtov.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File created | C:\Windows\SysWOW64\uczzassl.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File created | C:\Windows\SysWOW64\zwjtvwjvhdtov.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bzrlokbopb.exe
File opened for modification | C:\Windows\SysWOW64\bzrlokbopb.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File created | C:\Windows\SysWOW64\mjrfzxkunauhznq.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File opened for modification | C:\Windows\SysWOW64\mjrfzxkunauhznq.exe | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Drops file in Program Files directory 14 IoCs
description | ioc | process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uczzassl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uczzassl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uczzassl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uczzassl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uczzassl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uczzassl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uczzassl.exe
Drops file in Windows directory 3 IoCs
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bzrlokbopb.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABEFE16F1E4847A3A3286E93E94B081028A42140348E2C442EE09D2" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12944E438E853CFB9D133EFD7CA" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D0D9D5283536A3376A270242CAA7C8E64DB" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bzrlokbopb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCFB482A826E9045D6207DE6BC92E143594366436331D6E9" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B4FE1C21DCD179D1D68A7E9110" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70C14E5DBC5B8CB7CE6ECE737B9" | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bzrlokbopb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bzrlokbopb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bzrlokbopb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process
4028 | WINWORD.EXE
4028 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | process
4028 | WINWORD.EXE
4028 | WINWORD.EXE
4028 | WINWORD.EXE
4028 | WINWORD.EXE
4028 | WINWORD.EXE
4028 | WINWORD.EXE
4028 | WINWORD.EXE
Suspicious use of WriteProcessMemory 20 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aabe162a946aff5639cb19687f514d6f3c90d531a9662b2d8b218d181ee9f085.exe"
  PID: 8
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\bzrlokbopb.exe (level 2)
    Command line: bzrlokbopb.exe
    PID: 3208
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\uczzassl.exe (level 3)
      Command line: C:\Windows\system32\uczzassl.exe
      PID: 4244
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\mjrfzxkunauhznq.exe (level 2)
    Command line: mjrfzxkunauhznq.exe
    PID: 1744
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: cmd.exe /c zwjtvwjvhdtov.exe
      PID: 3768
  C:\Windows\SysWOW64\uczzassl.exe (level 2)
    Command line: uczzassl.exe
    PID: 1620
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\zwjtvwjvhdtov.exe (level 2)
    Command line: zwjtvwjvhdtov.exe
    PID: 1272
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4028
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads