Analysis
max time kernel: 152s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 28-10-2022 18:40
Behavioral task: behavioral1
Sample: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Resource: win7-20220812-en
General
Target: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Size: 255KB
MD5: 0a4c8c0364ca55889b01f2e5f96640a9
SHA1: 0f4378d08797b2151a8e6710bfdc7898689f3237
SHA256: 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139
SHA512: 92623092213d9afdd3635c5d44af50f14b54d3a37280daf47f743224570e33ef3069aef8afef919cd48e61dc9efeb5b33ff1944a6ebeca9b493114ef5cfeb0ef
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI9
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qdgbvsixdc.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qdgbvsixdc.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qdgbvsixdc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qdgbvsixdc.exe
Executes dropped EXE 5 IoCs
pid | Process
3076 | qdgbvsixdc.exe
3508 | jywsammdkgyqkrx.exe
208 | urrestqm.exe
1092 | kqckiasczawmf.exe
3976 | urrestqm.exe
yara_rule upx (matched on behavioral2 memory dumps and dropped files)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qdgbvsixdc.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kqckiasczawmf.exe" | jywsammdkgyqkrx.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | jywsammdkgyqkrx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itokhffl = "qdgbvsixdc.exe" | jywsammdkgyqkrx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdcqmvwa = "jywsammdkgyqkrx.exe" | jywsammdkgyqkrx.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qdgbvsixdc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qdgbvsixdc.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qdgbvsixdc.exe
File created | C:\Windows\SysWOW64\qdgbvsixdc.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created | C:\Windows\SysWOW64\jywsammdkgyqkrx.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification | C:\Windows\SysWOW64\jywsammdkgyqkrx.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created | C:\Windows\SysWOW64\urrestqm.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification | C:\Windows\SysWOW64\urrestqm.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created | C:\Windows\SysWOW64\kqckiasczawmf.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification | C:\Windows\SysWOW64\qdgbvsixdc.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification | C:\Windows\SysWOW64\kqckiasczawmf.exe | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | urrestqm.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | urrestqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | urrestqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | urrestqm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | urrestqm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | urrestqm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | urrestqm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | urrestqm.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | urrestqm.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | C:\Windows\mydoc.rtf | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | urrestqm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | urrestqm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | urrestqm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9BDFE6AF2E3830E3B3586963995B0FB028842610238E1C5459B09A2" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qdgbvsixdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qdgbvsixdc.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCF9485A851A9131D75F7E96BDEEE641594666406333D7E9" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B1FE6B21AAD278D0A88A7F9166" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67515E1DBC5B8C97FE2ECE034C8" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C7C9C5583226D4377D3702F2DD67DF364DA" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qdgbvsixdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qdgbvsixdc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B0284497399852CDB9D633EDD7CB" | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qdgbvsixdc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qdgbvsixdc.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3108 | WINWORD.EXE
3108 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 20 IoCs
Suspicious use of SendNotifyMessage 20 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3012 wrote to memory of 3076 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 84
PID 3012 wrote to memory of 3076 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 84
PID 3012 wrote to memory of 3076 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 84
PID 3012 wrote to memory of 3508 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 85
PID 3012 wrote to memory of 3508 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 85
PID 3012 wrote to memory of 3508 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 85
PID 3012 wrote to memory of 208 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 86
PID 3012 wrote to memory of 208 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 86
PID 3012 wrote to memory of 208 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 86
PID 3012 wrote to memory of 1092 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 87
PID 3012 wrote to memory of 1092 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 87
PID 3012 wrote to memory of 1092 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 87
PID 3076 wrote to memory of 3976 | 3076 | qdgbvsixdc.exe | 88
PID 3076 wrote to memory of 3976 | 3076 | qdgbvsixdc.exe | 88
PID 3076 wrote to memory of 3976 | 3076 | qdgbvsixdc.exe | 88
PID 3012 wrote to memory of 3108 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 89
PID 3012 wrote to memory of 3108 | 3012 | 0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe (depth 1, PID 3012)
Command line: "C:\Users\Admin\AppData\Local\Temp\0be04044966005b3066c1a2963446fd038f9300dcb8d586ecee6d16e906e1139.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\qdgbvsixdc.exe (depth 2, PID 3076, child of 3012)
  Command line: qdgbvsixdc.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\urrestqm.exe (depth 3, PID 3976, child of 3076)
    Command line: C:\Windows\system32\urrestqm.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\jywsammdkgyqkrx.exe (depth 2, PID 3508, child of 3012)
  Command line: jywsammdkgyqkrx.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\urrestqm.exe (depth 2, PID 208, child of 3012)
  Command line: urrestqm.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\kqckiasczawmf.exe (depth 2, PID 1092, child of 3012)
  Command line: kqckiasczawmf.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 3108, child of 3012)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads