Analysis
max time kernel: 151s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 02:40
Behavioral task: behavioral1
Sample: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe
Resource: win7-20220812-en
General
Target: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe
Size: 255KB
MD5: 58a946d1880ea8da4f20ed522434cf53
SHA1: 91ae70936bf7d0c42e81779de7ec8e9ac37944ca
SHA256: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93
SHA512: 064b7ba2ccba3dc207d4644bc4476d01d68e58343abe480d2393112a6064e4355ad757fb6606c41926f41e080d2ca34fcc4eb0ba7012490f14b28c758216d76a
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: bwyjqcdowo.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: bwyjqcdowo.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: bwyjqcdowo.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bwyjqcdowo.exe)
Executes dropped EXE 5 IoCs
- PID 1360 bwyjqcdowo.exe
- PID 4256 hfajyfcagkreghw.exe
- PID 4496 gbjuagld.exe
- PID 2336 hhtcwbmyazals.exe
- PID 936 gbjuagld.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: bwyjqcdowo.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mtvsxofj = "hfajyfcagkreghw.exe" (process: hfajyfcagkreghw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hhtcwbmyazals.exe" (process: hfajyfcagkreghw.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: hfajyfcagkreghw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozthqtdm = "bwyjqcdowo.exe" (process: hfajyfcagkreghw.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: bwyjqcdowo.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: bwyjqcdowo.exe)
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification C:\Windows\SysWOW64\bwyjqcdowo.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File created C:\Windows\SysWOW64\hfajyfcagkreghw.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification C:\Windows\SysWOW64\hfajyfcagkreghw.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File created C:\Windows\SysWOW64\gbjuagld.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification C:\Windows\SysWOW64\gbjuagld.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File created C:\Windows\SysWOW64\hhtcwbmyazals.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification C:\Windows\SysWOW64\hhtcwbmyazals.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created C:\Windows\SysWOW64\bwyjqcdowo.exe (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: bwyjqcdowo.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
Drops file in Program Files directory 15 IoCs
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: gbjuagld.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: gbjuagld.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: gbjuagld.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: gbjuagld.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: gbjuagld.exe)
Drops file in Windows directory 19 IoCs
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (process: gbjuagld.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class 20 IoCs
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: bwyjqcdowo.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: bwyjqcdowo.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7F9D2083556D4676D370222CAA7CF264D6" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAC9F917F19384793B4786983990B08802FF4211033CE1C942E809D4" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12847E4389853CFBAD53299D7BB" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8F4F5F85129046D75A7DE7BCE4E133583667466332D6EE" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: bwyjqcdowo.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: bwyjqcdowo.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: bwyjqcdowo.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: bwyjqcdowo.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768C6FF1B21D0D108D1D18A7D9167" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77514E4DBC3B9CC7C90EDE334BC" (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: bwyjqcdowo.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3788 WINWORD.EXE
- PID 3788 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3788 WINWORD.EXE (7 occurrences)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 1664 wrote to memory of 1360 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 83)
- PID 1664 wrote to memory of 1360 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 83)
- PID 1664 wrote to memory of 1360 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 83)
- PID 1664 wrote to memory of 4256 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 84)
- PID 1664 wrote to memory of 4256 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 84)
- PID 1664 wrote to memory of 4256 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 84)
- PID 1664 wrote to memory of 4496 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 85)
- PID 1664 wrote to memory of 4496 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 85)
- PID 1664 wrote to memory of 4496 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 85)
- PID 1664 wrote to memory of 2336 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 86)
- PID 1664 wrote to memory of 2336 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 86)
- PID 1664 wrote to memory of 2336 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 86)
- PID 1664 wrote to memory of 3788 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 87)
- PID 1664 wrote to memory of 3788 (process: 9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe, procid_target: 87)
- PID 1360 wrote to memory of 936 (process: bwyjqcdowo.exe, procid_target: 89)
- PID 1360 wrote to memory of 936 (process: bwyjqcdowo.exe, procid_target: 89)
- PID 1360 wrote to memory of 936 (process: bwyjqcdowo.exe, procid_target: 89)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9790c3a24acde2557b4609a511eb11d0e851b8fd37fa673fbb3dd0e206a45d93.exe"
  PID:1664
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\bwyjqcdowo.exe
    Command line: bwyjqcdowo.exe
    PID:1360
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\gbjuagld.exe
      Command line: C:\Windows\system32\gbjuagld.exe
      PID:936
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\hfajyfcagkreghw.exe
    Command line: hfajyfcagkreghw.exe
    PID:4256
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\gbjuagld.exe
    Command line: gbjuagld.exe
    PID:4496
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\hhtcwbmyazals.exe
    Command line: hhtcwbmyazals.exe
    PID:2336
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID:3788
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads