Analysis

max time kernel: 152s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 03:17
Behavioral task: behavioral1
Sample: ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe
Resource: win7-20220901-en
General

Target: ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe
Size: 255KB
MD5: 371b4d812fac4f7d2768d217d8d150cc
SHA1: c04a7df9fb3cbc3bd450929fdd7913f4265eda12
SHA256: ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34
SHA512: 79e7a3a943121afc45129cd20a04250970ae9a13951b77d83e3b002c0a29f429d4905b43ff8ac00afde6b114f4609c60fcd15762a4858cea72dab3e7a424dfee
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ3:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIM
Signatures
(each IoC row below gives the description, the IoC and, in brackets, the process responsible)
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  [hjojmbvvhf.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [hjojmbvvhf.exe]
Windows security bypass (5 IoCs; the heading is missing from the extracted page, the name is the one the process tree gives hjojmbvvhf.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [hjojmbvvhf.exe]
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [hjojmbvvhf.exe]
Executes dropped EXE (5 IoCs)
  PID 404   hjojmbvvhf.exe
  PID 2024  ldwysjptblbgqwx.exe
  PID 5060  swvsqzvo.exe
  PID 3136  qiujjwprznium.exe
  PID 1252  swvsqzvo.exe
Matches yara rule upx (26 IoCs; the heading is missing from the extracted page)
  memory dumps, all of the range 0x0000000000400000-0x00000000004A0000 under behavioral2/memory/: 1968-135, 1968-152, 404-146, 404-166, 2024-147, 2024-165, 5060-150, 5060-167, 5060-178, 1252-155, 1252-168, 1252-179, 3136-156, 3136-169 (each ends in -memory.dmp)
  files under behavioral2/files/: 0x0004000000022de2-137.dat, 0x0004000000022de2-138.dat, 0x0003000000022de7-140.dat, 0x0003000000022de7-141.dat, 0x0002000000022df2-143.dat, 0x0002000000022df2-144.dat, 0x0002000000022df2-154.dat, 0x0001000000022df3-148.dat, 0x0001000000022df3-149.dat, 0x000500000001e785-170.dat, 0x000500000001e785-171.dat, 0x000500000001e785-172.dat
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
Reads user/profile data of web browsers (2 TTPs, no IoC rows listed)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs; the heading is missing from the extracted page, the name is the one the process tree gives hjojmbvvhf.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  [hjojmbvvhf.exe]
Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  [ldwysjptblbgqwx.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bqfkhgir = "ldwysjptblbgqwx.exe"  [ldwysjptblbgqwx.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qiujjwprznium.exe"  [ldwysjptblbgqwx.exe]  (the (Default) value of the Run key)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bgqvvmih = "hjojmbvvhf.exe"  [ldwysjptblbgqwx.exe]
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by swvsqzvo.exe, 45 rows covering \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (most letters appear twice)
  File opened (read-only) by hjojmbvvhf.exe, 19 rows covering \??\a: \??\b: \??\e: \??\f: \??\g: \??\i: \??\j: \??\l: \??\m: \??\n: \??\p: \??\q: \??\r: \??\s: \??\u: \??\v: \??\x: \??\y: \??\z:
  Neither process opens c: or d:.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  [hjojmbvvhf.exe]
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  [hjojmbvvhf.exe]  (4294967197 is 0xFFFFFF9D as an unsigned 32-bit DWORD)
AutoIT Executable (13 IoCs)
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe on memory dumps under behavioral2/memory/, all of the range 0x0000000000400000-0x00000000004A0000: 404-146, 404-166, 2024-147, 2024-165, 5060-150, 5060-167, 5060-178, 1968-152, 1252-155, 1252-168, 1252-179, 3136-156, 3136-169 (each ends in -memory.dmp)
  Every dump that matches autoit_exe also matches the upx rule above, so the same unpacked image is being seen in the sample and in each dropped copy.
Drops file in System32 directory (13 IoCs)
  File created  C:\Windows\SysWOW64\hjojmbvvhf.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\SysWOW64\hjojmbvvhf.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File created  C:\Windows\SysWOW64\ldwysjptblbgqwx.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\SysWOW64\ldwysjptblbgqwx.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File created  C:\Windows\SysWOW64\swvsqzvo.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\SysWOW64\swvsqzvo.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File created  C:\Windows\SysWOW64\qiujjwprznium.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\SysWOW64\qiujjwprznium.exe  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  [hjojmbvvhf.exe]
  File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  [swvsqzvo.exe]  (2 rows)
  File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  [swvsqzvo.exe]  (2 rows)
Drops file in Program Files directory (8 IoCs)
  File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  [swvsqzvo.exe]
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  [swvsqzvo.exe]
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  [swvsqzvo.exe]
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  [swvsqzvo.exe]
  File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  [swvsqzvo.exe]
  File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  [swvsqzvo.exe]
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  [swvsqzvo.exe]
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  [swvsqzvo.exe]
Drops file in Windows directory (19 IoCs)
  File opened for modification  C:\Windows\mydoc.rtf  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  File opened for modification  C:\Windows\mydoc.rtf  [WINWORD.EXE]
  File created  C:\Windows\~$mydoc.rtf  [WINWORD.EXE]
  The remaining 16 rows are all MsoIrmProtector.doc.exe written by swvsqzvo.exe, 2 "File created" and 2 "File opened for modification" rows in each of four WinSxS component directories (the ".." in the component names is how the report prints them):
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
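The three "Drops file" sections and the drive-enumeration rows above all use the same flattened row layout. The Python below is an added example written for this page, not code from the Triage report or from the sample: it parses rows in that layout and pulls out the three things a responder would want listed separately, namely files created directly under SysWOW64/System32, executables whose name carries a document extension in front of .exe (together with whether a same-stem .nal file sits beside them, as PROTTPLV.nal does beside PROTTPLV.DOC.exe), and processes that sweep drive letters. The rows are copied from this report, the drive-letter rows are generated to the same shape, and the threshold and the labels are assumptions of the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One file-event row in the flattened "description / ioc / Process" layout used above.
FILE_RE = re.compile(
    r"^(?P<op>File created|File opened for modification|File opened \(read-only\))\s+"
    r"(?P<path>\S.*?)\s+(?P<proc>\S+\.[eE][xX][eE])$")
DRIVE_RE = re.compile(r"^([a-z]):$")
# "<stem>.<one of these>.exe" is a name chosen to pass for a document (assumed list).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def parse_file_events(text):
    """(op, lower-cased path, process) per row; the NT '\\??\\' prefix is dropped."""
    events = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        if path.startswith("\\??\\"):
            path = path[4:]
        events.append((m["op"], path.lower(), m["proc"]))
    return events

def drive_sweep(events, threshold=10):
    """Processes that open at least `threshold` distinct drive roots (threshold is assumed)."""
    letters = defaultdict(set)
    for _, path, proc in events:
        m = DRIVE_RE.match(path)
        if m:
            letters[proc].add(m.group(1))
    return {p: sorted(s) for p, s in letters.items() if len(s) >= threshold}

def lookalike_executables(events):
    """Unique (path, process, has_nal_sibling) for files named <stem>.<doc ext>.exe."""
    names_in_dir = defaultdict(set)
    for _, path, _ in events:
        p = PureWindowsPath(path)
        names_in_dir[str(p.parent)].add(p.name)
    found = {}
    for _, path, proc in events:
        p = PureWindowsPath(path)
        inner = PureWindowsPath(p.stem)             # "prottplv.doc.exe" -> "prottplv.doc"
        if p.suffix == ".exe" and inner.suffix in DOC_EXTS:
            has_nal = f"{inner.stem}.nal" in names_in_dir[str(p.parent)]
            found[(path, proc)] = has_nal           # dict keeps first-seen order, drops repeats
    return [(path, proc, nal) for (path, proc), nal in found.items()]

def system_dir_drops(events):
    """Files created directly under System32 or SysWOW64, with the creating process."""
    seen = {}
    for op, path, proc in events:
        if op == "File created" and str(PureWindowsPath(path).parent) in SYSTEM_DIRS:
            seen[(path, proc)] = None
    return list(seen)

# Rows copied from the report above; the drive-letter rows are constructed to the same shape.
SAMPLE_EVENTS = "\n".join([
    r"File created C:\Windows\SysWOW64\hjojmbvvhf.exe ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe",
    r"File created C:\Windows\SysWOW64\ldwysjptblbgqwx.exe ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe",
    r"File opened for modification C:\Windows\SysWOW64\msvbvm60.dll hjojmbvvhf.exe",
    r"File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe swvsqzvo.exe",
    r"File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe swvsqzvo.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe swvsqzvo.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal swvsqzvo.exe",
    r"File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE",
] + ["File opened (read-only) \\??\\" + c + ": swvsqzvo.exe" for c in "abcdefghijkl"]
  + ["File opened (read-only) \\??\\" + c + ": hjojmbvvhf.exe" for c in "rxz"])

if __name__ == "__main__":
    ev = parse_file_events(SAMPLE_EVENTS)
    print("created in system dirs:", system_dir_drops(ev))
    print("document-named executables:", lookalike_executables(ev))
    print("drive sweeps:", drive_sweep(ev))
```

With the rows in this report the two SysWOW64 droppers, both .doc.exe files (one with a .nal sibling) and the swvsqzvo.exe drive sweep come out; hjojmbvvhf.exe stays below the threshold on the three constructed letters, which is why the threshold should be tuned to the full 19 rows rather than to this excerpt.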
Enumerates physical storage devices (1 TTP, no IoC rows listed)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  [WINWORD.EXE]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [WINWORD.EXE]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WINWORD.EXE]

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  [WINWORD.EXE]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  [WINWORD.EXE]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  [WINWORD.EXE]

Both of these signatures fire only on WINWORD.EXE, the Office binary the sample launched to open C:\Windows\mydoc.rtf, and on none of the dropped executables; they record Word's own startup reads, not activity of the sample.
Modifies registry class (20 IoCs)
  Values written by the sample under HKLM\SOFTWARE\Classes\CLV.Classes (hex strings of varying length):
  Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB2FF1C22DED109D0A38A099162"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70915E4DAB0B8CC7CE3ED9737CB"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C0D9C2683556A3176D277202DD87D8664DF"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB0FE6AF29084083B4B819B3E95B08D02F84311033EE2CF45E709A2"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02D4493389A52CFB9A73393D7C9"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8E4F5C851B9132D6207E95BCEFE6415932674E6244D799"  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Key created  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings  [ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe]
  Script and registry-file extensions remapped by hjojmbvvhf.exe:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  [hjojmbvvhf.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  [hjojmbvvhf.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  [hjojmbvvhf.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  [hjojmbvvhf.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  [hjojmbvvhf.exe]
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  [hjojmbvvhf.exe]
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  [hjojmbvvhf.exe]
  Setting the (Default) value of .bat, .reg, .vbs, .wsc, .wsf and .wsh to the txtfile ProgID makes the shell open those files with the plain-text handler (Notepad by default) instead of executing or importing them, so a .reg or .bat file prepared to undo the changes above will not run from Explorer until the associations are restored.
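The registry rows in this report (the Security Center overrides, the Explorer hiding values, the RegEdit policy, the Winlogon SFC values, the Run keys, the extension remaps above and the Geo\Nation lookup) all share the same flattened layout. The Python below is an added example written for this page, not code from the Triage report or from the sample: it parses rows in that layout into key, value name, data and process, then tags each row against a small watchlist so that the tampering shows up grouped by category and by responsible process rather than scattered over a dozen signatures. The category names, the watchlist and its thresholds are assumptions of the example; the sample rows are copied from this report.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One registry row in the flattened "description / ioc / Process" layout of this report.
IOC_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key value queried)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'             # key path; may contain spaces ("Security Center")
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'        # = "value" is present only on Set value rows
    r'\s+(?P<proc>\S+\.exe)$'                # the process that wrote or read it
)

@dataclass
class RegEvent:
    op: str
    key: str             # full key including the value name
    path: str            # key without the value name
    name: str            # value name; '' means the (Default) value
    value: Optional[str]
    proc: str

def parse_line(line: str) -> Optional[RegEvent]:
    """Parse one row; None for anything that is not a registry row."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    key = m["key"]
    path, _, name = key.rpartition("\\")
    return RegEvent(m["op"], key, path, name, m["value"], m["proc"])

# Watchlist; the category names are assumed for this example.
SECURITY_CENTER_FLAGS = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                         "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}
SCRIPT_EXT_RE = re.compile(r"\\classes\\\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg|ps1)$")

def classify(ev: RegEvent) -> Optional[str]:
    """Tag an event with a tamper category, or None if it is not on the watchlist."""
    path, name = ev.path.lower(), ev.name.lower()
    val = ev.value or ""
    setting = ev.op.startswith("Set value")
    if setting and path.endswith("\\security center") and name in SECURITY_CENTER_FLAGS and val == "1":
        return "security-center-tamper"      # AV/firewall/update warnings silenced
    if setting and path.endswith("\\explorer\\advanced") and (
            (name == "hidefileext" and val == "1") or (name == "showsuperhidden" and val == "0")):
        return "explorer-hiding"             # extensions and system files hidden from the user
    if setting and path.endswith("\\policies\\system") and name == "disableregistrytools" and val == "1":
        return "tool-lockout"                # regedit refused for this user
    if setting and path.endswith("\\winlogon") and name in {"sfcscan", "sfcdisable"}:
        return "sfc-tamper"                  # Windows File Protection settings touched
    if setting and path.endswith("\\currentversion\\run"):
        return "run-key-persistence"
    if setting and name == "" and val.lower() == "txtfile" and SCRIPT_EXT_RE.search(path):
        return "script-assoc-hijack"         # .bat/.vbs/.reg... open as text instead of running
    if ev.op == "Key value queried" and path.endswith("\\international\\geo") and name == "nation":
        return "locale-check"
    return None

def triage(text: str):
    """Return (all parsed events, findings as (category, process, key, value))."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    findings = [(cat, ev.proc, ev.key, ev.value) for ev in events if (cat := classify(ev))]
    return events, findings

def summarize(findings):
    """Findings per category, and which processes produced each category."""
    counts = Counter(cat for cat, *_ in findings)
    procs = {cat: sorted({p for c, p, *_ in findings if c == cat}) for cat in counts}
    return counts, procs

# Rows copied from the report above (user SID and process names as printed there).
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" hjojmbvvhf.exe
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" hjojmbvvhf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" hjojmbvvhf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" hjojmbvvhf.exe
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" hjojmbvvhf.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" hjojmbvvhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bqfkhgir = "ldwysjptblbgqwx.exe" ldwysjptblbgqwx.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qiujjwprznium.exe" ldwysjptblbgqwx.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ldwysjptblbgqwx.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat hjojmbvvhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" hjojmbvvhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" hjojmbvvhf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C0D9C2683556A3176D277202DD87D8664DF" ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe
'''

if __name__ == "__main__":
    _, findings = triage(SAMPLE_ROWS)
    counts, procs = summarize(findings)
    for cat, n in counts.most_common():
        print(f"{cat:24s} {n:2d}  {', '.join(procs[cat])}")
```

The "Key created" rows and the CLV.Classes values parse but are not tagged, which is the intended split: the watchlist is for settings whose new data is itself the finding, and opaque per-sample values such as Com1 belong in a family-specific rule rather than here.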
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 3852  WINWORD.EXE  (2 rows)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  (16 rows)
  PID 404   hjojmbvvhf.exe  (10 rows)
  PID 2024  ldwysjptblbgqwx.exe  (14 rows)
  PID 5060  swvsqzvo.exe  (8 rows)
  PID 3136  qiujjwprznium.exe  (16 rows)
  (no rows for PID 1252, the second swvsqzvo.exe instance)

Suspicious use of FindShellTrayWindow (18 IoCs)
  3 rows each for PID 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe, PID 404 hjojmbvvhf.exe, PID 2024 ldwysjptblbgqwx.exe, PID 5060 swvsqzvo.exe, PID 3136 qiujjwprznium.exe, PID 1252 swvsqzvo.exe

Suspicious use of SendNotifyMessage (18 IoCs)
  3 rows each for PID 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe, PID 404 hjojmbvvhf.exe, PID 2024 ldwysjptblbgqwx.exe, PID 5060 swvsqzvo.exe, PID 3136 qiujjwprznium.exe, PID 1252 swvsqzvo.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 3852  WINWORD.EXE  (7 rows)

Suspicious use of WriteProcessMemory (17 IoCs)
  (columns: description, pid, Process, procid_target)
  PID 1968 wrote to memory of 404   1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  84  (3 rows)
  PID 1968 wrote to memory of 2024  1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  85  (3 rows)
  PID 1968 wrote to memory of 5060  1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  86  (3 rows)
  PID 1968 wrote to memory of 3136  1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  87  (3 rows)
  PID 1968 wrote to memory of 3852  1968  ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  88  (2 rows)
  PID 404 wrote to memory of 1252   404   hjojmbvvhf.exe  90  (3 rows)
  Every target of a write is a direct child of the writer in the process tree below; no process writes into a process it did not start.
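The WriteProcessMemory rows and the process tree that follows describe the same parent/child relationships from two directions, which is what makes them useful as a cross-check. The Python below is an added example written for this page, not code from the Triage report or from the sample: it rebuilds the spawn tree from the WriteProcessMemory rows, resolves names from a "pid Process" list, and flags any write whose target is not the writer's own child. The WRITES and PID_TABLE rows are copied from this report, PARENT_OF is transcribed from the Processes section, and the final SYNTHETIC_INJECTION row is constructed to show what a flagged write looks like; it does not occur in this report.

```python
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows: description, pid, Process, procid_target.
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)$")
# "pid Process" rows such as the "Executes dropped EXE" list.
PID_RE = re.compile(r"(\d+) (\S+)")

def parse_pid_table(text):
    """Map pid -> image name from a flattened 'pid Process' list."""
    return {int(p): n for p, n in PID_RE.findall(text)}

def parse_writes(text):
    """Return (pid -> name for the writers, ordered unique (src, dst) write pairs)."""
    names, edges = {}, []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]))
        names.setdefault(edge[0], m["name"])
        if edge not in edges:            # the report repeats each write; keep one edge
            edges.append(edge)
    return names, edges

def build_tree(edges):
    """Children per pid in first-seen order, plus the pids nobody wrote to (the roots)."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    written_to = {dst for _, dst in edges}
    roots = list(dict.fromkeys(src for src, _ in edges if src not in written_to))
    return roots, dict(children)

def render(children, names, pid, depth=0):
    """Indented text tree rooted at pid."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines

def cross_process_writes(edges, parent_of):
    """Writes whose target is not the writer's own child: the ones worth a closer look."""
    return [(s, d) for s, d in edges if parent_of.get(d) != s]

def analyze(writes_text, pid_table_text, parent_of):
    names, edges = parse_writes(writes_text)
    names.update(parse_pid_table(pid_table_text))
    roots, children = build_tree(edges)
    tree = [line for r in roots for line in render(children, names, r)]
    return tree, cross_process_writes(edges, parent_of)

# Rows copied from the report above (one of the three repeats kept where they were ident­ical).
WRITES = """
PID 1968 wrote to memory of 404 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 84
PID 1968 wrote to memory of 404 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 84
PID 1968 wrote to memory of 2024 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 85
PID 1968 wrote to memory of 5060 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 86
PID 1968 wrote to memory of 3136 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 87
PID 1968 wrote to memory of 3852 1968 ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe 88
PID 404 wrote to memory of 1252 404 hjojmbvvhf.exe 90
"""
PID_TABLE = ("404 hjojmbvvhf.exe 2024 ldwysjptblbgqwx.exe 5060 swvsqzvo.exe "
             "3136 qiujjwprznium.exe 1252 swvsqzvo.exe 3852 WINWORD.EXE")
# Parent of each pid as drawn in the Processes section of the report.
PARENT_OF = {404: 1968, 2024: 1968, 5060: 1968, 3136: 1968, 3852: 1968, 1252: 404}
# Constructed row, NOT in the report: a write into a process the writer did not start.
SYNTHETIC_INJECTION = "PID 404 wrote to memory of 3852 404 hjojmbvvhf.exe 88"

if __name__ == "__main__":
    tree, odd = analyze(WRITES, PID_TABLE, PARENT_OF)
    print("\n".join(tree))
    print("writes outside parent->child:", odd)
    _, odd2 = analyze(WRITES + SYNTHETIC_INJECTION, PID_TABLE, PARENT_OF)
    print("with the constructed row:", odd2)
```

On the report's own rows the check returns an empty list, matching the tree drawn in the Processes section; only the constructed row, hjojmbvvhf.exe writing into WINWORD.EXE, is flagged. The check needs the parent table from the process tree because the write rows alone cannot tell a parent preparing its child from an injection into an unrelated process.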
Processes

C:\Users\Admin\AppData\Local\Temp\ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe  (PID 1968)
command line: "C:\Users\Admin\AppData\Local\Temp\ba2fdf3ee36904675172a606f90d20723da6b1840bc73f1bef8753ab53bd5a34.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\hjojmbvvhf.exe  (PID 404, child of 1968)
  command line: hjojmbvvhf.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\swvsqzvo.exe  (PID 1252, child of 404)
    command line: C:\Windows\system32\swvsqzvo.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ldwysjptblbgqwx.exe  (PID 2024, child of 1968)
  command line: ldwysjptblbgqwx.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\swvsqzvo.exe  (PID 5060, child of 1968)
  command line: swvsqzvo.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\qiujjwprznium.exe  (PID 3136, child of 1968)
  command line: qiujjwprznium.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3852, child of 1968)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6

Persistence
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)

Defense Evasion
  Disabling Security Tools (2)
  Hidden Files and Directories (2)
  Modify Registry (6)
Downloads
(13 dropped files are listed; identical entries are collapsed below with their count)

Filesize: 255KB  (listed 2 times)
MD5: 07e4d813182ef5f2487e646aec19a319
SHA1: 3b205235ad247639af4af59970611caecbb69c2a
SHA256: 7995e5d629a6618b4ac04bb7f47ab3287c8826a6ed4a7ea3e06e5dd35b1a0df5
SHA512: a5dbd36178b94932558ab36969f14fe7e3018e0f7ef377be0c6b577a80235fe8262b18e2c84c0d3bca19f0c15f82cd7d364150333d57761dc3e366f045bcb646

Filesize: 255KB  (listed 2 times)
MD5: 99d15d9c9805a81c8b9ae75329a93db2
SHA1: 5bae7f646e723b1ce0cfb849f8dfee67f595bb19
SHA256: a41aa0a7a80bd0daa51426cd223b7f7eaf5c9bd8b4738784e9ee00d6ed26f503
SHA512: 809a0c1284490c3a937d6d6375f3d96c27757f0dcc055f7c25ed7352e46a0005cecfe925d1303f018ff9460134e29b6e7d719b2fb080921a726766851f81ffed

Filesize: 255KB  (listed 2 times)
MD5: 10f3c936e3e41ee5a6c1fda886dc7bb1
SHA1: 47ea54e03696164891676bc2e84b89ce122785a1
SHA256: 6b244f0d6263c9306a13b8e081c745e8dd598f9042912db179242ef7221d1dc6
SHA512: 309d43d91fb3e21567b7e2704a25391d9e53c76a079cdfc0e954d34fc415462938cf65133729c97cbb0a2d3a9e349bbaafb190aa95513cb03c189bf7a89f9e75

Filesize: 255KB  (listed 3 times)
MD5: 1da44d595b4191e30ad1b4045e6c45fb
SHA1: 5eb12f473257302385933b2b9a2ffc72697f3e64
SHA256: 71016c66ef4c3fa1e6a650e96d05d619227635c82f1416ea9ed1f5a401bebcd2
SHA512: 8b3f0ac4b1ab7e2ae066d085682c4b14c15646d7125e6dae6936bc41c623a244c2d74f2a086009180321f39f1d0749fc044e6ccb896043ce1af26439177ebd22

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 6e13237789cf009696fdd1c6348fa07c
SHA1: e1ab9fafbe8d94449bb320aa274813ce00feddbb
SHA256: e61c95862388eeb5cd73ce55924b98c83ec7c45cdc7ba5d3385d71ac09a8e17f
SHA512: 046efa8d3e2cb06ab6ec16e17337f73b020fc1145b3fdad1ab90b5e7712ea21090c2591a29aac0b72550643efc49549f878c6a2ec19e449daadc7d75c7d768c5

Filesize: 255KB  (listed 2 times)
MD5: 9f404ee5eff6d4bfc0a4ad6335797075
SHA1: 145df9b4aaa8b23c0148994f5c41abcbf75de1ec
SHA256: 46265749cc55a3c780ba0f7452b00314ef0cec654deb9de4ad1a82af3422ee79
SHA512: f4c4e042addf812cf7960a9aff74e89e1edbf8435b5b6c906b03b4ad114216e5a885084e4619a3fb0d24d2dfa91c892b43b744499e911967a3bcaaaf5f848fd0

Every 255KB dropped file has the same size as the submitted sample but a different hash from it and from every other group, so blocking on the submitted file's hashes alone will not catch the copies it writes.