Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 02:52
Behavioral task: behavioral1
Sample: a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Resource: win7-20220901-en
General
Target: a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Size: 255KB
MD5: 0846cb3dd0182d5768208d5914dcd21c
SHA1: f0dac90a1c5b9ce64551c993970d428daf98151b
SHA256: a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74
SHA512: 5a59c07eb236b17d09b2ef1b5e69115f67e21776aa5d8645e77f23a5ebd3a1930046b3a0908590aed14487424b2274f49c2a50c6acdc6095d9ea594915869a12
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIm
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tjjdzbjthm.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tjjdzbjthm.exe
Windows security bypass 5 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tjjdzbjthm.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tjjdzbjthm.exe
Executes dropped EXE 5 IoCs
pid | process
4708 | tjjdzbjthm.exe
4544 | ubqsrnfwmxklmzg.exe
1972 | umcebapd.exe
1976 | llsyhrlrwazmp.exe
312 | umcebapd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tjjdzbjthm.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ubqsrnfwmxklmzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ppvdiqbq = "tjjdzbjthm.exe" | ubqsrnfwmxklmzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifyaigke = "ubqsrnfwmxklmzg.exe" | ubqsrnfwmxklmzg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "llsyhrlrwazmp.exe" | ubqsrnfwmxklmzg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tjjdzbjthm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tjjdzbjthm.exe
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | process
File created | C:\Windows\SysWOW64\ubqsrnfwmxklmzg.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tjjdzbjthm.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | C:\Windows\SysWOW64\llsyhrlrwazmp.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umcebapd.exe
File created | C:\Windows\SysWOW64\tjjdzbjthm.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | C:\Windows\SysWOW64\tjjdzbjthm.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | C:\Windows\SysWOW64\ubqsrnfwmxklmzg.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File created | C:\Windows\SysWOW64\umcebapd.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | C:\Windows\SysWOW64\umcebapd.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File created | C:\Windows\SysWOW64\llsyhrlrwazmp.exe | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umcebapd.exe
Drops file in Program Files directory 8 IoCs
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | umcebapd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umcebapd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umcebapd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umcebapd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | umcebapd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umcebapd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umcebapd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umcebapd.exe
Drops file in Windows directory 19 IoCs
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | C:\Windows\mydoc.rtf | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umcebapd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umcebapd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umcebapd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C0D9C2383206D3676D270552DDA7D8664AF" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8B4F5A82189130D65A7DE0BCEFE635594666366333D6EB" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tjjdzbjthm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tjjdzbjthm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tjjdzbjthm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tjjdzbjthm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFACDFE17F2E3840B3B30869D3E96B0F903FC4363034CE1BA45EA08D4" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B15C4794399853CCBAD333EED7BB" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C60C1490DAC5B8CD7CE3ED9534CC" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tjjdzbjthm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168B5FF1D21DCD279D1D68A7B906B" | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tjjdzbjthm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tjjdzbjthm.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | process
4368 | WINWORD.EXE
4368 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | process
4368 | WINWORD.EXE
4368 | WINWORD.EXE
4368 | WINWORD.EXE
4368 | WINWORD.EXE
4368 | WINWORD.EXE
4368 | WINWORD.EXE
4368 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe (level 1, PID 5068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4292584443fc4ffee7e3f68e052274f55e3d4132cf64f79a820a2b7a4c06d74.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\tjjdzbjthm.exe (level 2, PID 4708)
    Command line: tjjdzbjthm.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\umcebapd.exe (level 3, PID 312)
      Command line: C:\Windows\system32\umcebapd.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ubqsrnfwmxklmzg.exe (level 2, PID 4544)
    Command line: ubqsrnfwmxklmzg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\umcebapd.exe (level 2, PID 1972)
    Command line: umcebapd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\llsyhrlrwazmp.exe (level 2, PID 1976)
    Command line: llsyhrlrwazmp.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4368)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads