Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/10/2022, 18:39
Behavioral task: behavioral1
Sample: 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Resource: win7-20220901-en
General
Target: 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Size: 255KB
MD5: 0bbff655e34f4c0e5dfa533aa75f0ee0
SHA1: 42094006d3935665659f3bf9c4598612b1557b58
SHA256: 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b
SHA512: 9a514e59b588e2752f0553538ae252fef59b6c5d925634b726c59382398f48c0ad3d6d831374b9e746d99a27a11cd865102681b322bb9f902c1112441b2cb66e
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | afzlkchzft.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | afzlkchzft.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | afzlkchzft.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | afzlkchzft.exe
Executes dropped EXE 5 IoCs
pid | Process
856 | afzlkchzft.exe
1396 | pppxysidjfnytqp.exe
5048 | zqhzpzqm.exe
1220 | oecefyrozeoqy.exe
204 | zqhzpzqm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | afzlkchzft.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\amtzrbsp = "pppxysidjfnytqp.exe" | pppxysidjfnytqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oecefyrozeoqy.exe" | pppxysidjfnytqp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | pppxysidjfnytqp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfpernce = "afzlkchzft.exe" | pppxysidjfnytqp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | afzlkchzft.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | afzlkchzft.exe
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\oecefyrozeoqy.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | afzlkchzft.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | C:\Windows\SysWOW64\afzlkchzft.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File created | C:\Windows\SysWOW64\zqhzpzqm.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File opened for modification | C:\Windows\SysWOW64\pppxysidjfnytqp.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File opened for modification | C:\Windows\SysWOW64\zqhzpzqm.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File created | C:\Windows\SysWOW64\oecefyrozeoqy.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | C:\Windows\SysWOW64\afzlkchzft.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File created | C:\Windows\SysWOW64\pppxysidjfnytqp.exe | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zqhzpzqm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zqhzpzqm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zqhzpzqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zqhzpzqm.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | C:\Windows\mydoc.rtf | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zqhzpzqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | zqhzpzqm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | afzlkchzft.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | afzlkchzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | afzlkchzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB3FF1F21DDD172D0A08A7A9116" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | afzlkchzft.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C7E9D2383536A3776D3702E2DAD7DF165DD" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | afzlkchzft.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | afzlkchzft.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9CBFE14F29184793A4286EB3995B0FC028B4366024BE2CA459A09D1" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02B47E638E852CEB9A733EDD7CB" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF82485A856D9145D62E7E97BDE2E64159426731623FD69D" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67C14E6DBB1B9BD7CE6ECE437C9" | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | afzlkchzft.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4440 | WINWORD.EXE
4440 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 856 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 84
PID 2188 wrote to memory of 856 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 84
PID 2188 wrote to memory of 856 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 84
PID 2188 wrote to memory of 1396 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 85
PID 2188 wrote to memory of 1396 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 85
PID 2188 wrote to memory of 1396 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 85
PID 2188 wrote to memory of 5048 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 86
PID 2188 wrote to memory of 5048 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 86
PID 2188 wrote to memory of 5048 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 86
PID 2188 wrote to memory of 1220 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 87
PID 2188 wrote to memory of 1220 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 87
PID 2188 wrote to memory of 1220 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 87
PID 2188 wrote to memory of 4440 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 88
PID 2188 wrote to memory of 4440 | 2188 | 933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe | 88
PID 856 wrote to memory of 204 | 856 | afzlkchzft.exe | 90
PID 856 wrote to memory of 204 | 856 | afzlkchzft.exe | 90
PID 856 wrote to memory of 204 | 856 | afzlkchzft.exe | 90
Processes
[1] C:\Users\Admin\AppData\Local\Temp\933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\933fb5f9c00791d40f5b0d812d9ac7d529f687f93f0c16f423fd48e4cf99798b.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2188
    [2] C:\Windows\SysWOW64\afzlkchzft.exe
        Command line: afzlkchzft.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 856
        [3] C:\Windows\SysWOW64\zqhzpzqm.exe
            Command line: C:\Windows\system32\zqhzpzqm.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 204
    [2] C:\Windows\SysWOW64\pppxysidjfnytqp.exe
        Command line: pppxysidjfnytqp.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1396
    [2] C:\Windows\SysWOW64\zqhzpzqm.exe
        Command line: zqhzpzqm.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 5048
    [2] C:\Windows\SysWOW64\oecefyrozeoqy.exe
        Command line: oecefyrozeoqy.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1220
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 4440
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads