Analysis
max time kernel: 151s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 07:53

Behavioral task: behavioral1
Sample: 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Resource: win7-20220812-en

General
Target: 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Size: 255KB
MD5: 7a66cc4a90335b312f78bc9eee5db4ae
SHA1: 61b79f1f5fcf694655cd4946c4ffc3e3aa1a9991
SHA256: 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71
SHA512: 424f77161efbc165e8ea96abbbde2ae87a181f4196c79629f6002b5a34bee23a272b5010c4e175e07ab4eb86cc4bca2871240f8cc37540dbf0c6709144c0f1a0
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJh:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIi
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kfeprzydxe.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kfeprzydxe.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kfeprzydxe.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kfeprzydxe.exe
Executes dropped EXE 5 IoCs
pid | Process
3880 | kfeprzydxe.exe
3992 | cwvwkcfcwuytztk.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3220 | qdooqrkq.exe
resource | yara_rule
behavioral2/memory/1380-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0004000000022dee-135.dat | upx
behavioral2/files/0x0001000000022df4-139.dat | upx
behavioral2/files/0x0001000000022df5-140.dat | upx
behavioral2/files/0x0001000000022df5-141.dat | upx
behavioral2/files/0x0001000000022df6-144.dat | upx
behavioral2/files/0x0001000000022df6-143.dat | upx
behavioral2/files/0x0001000000022df4-138.dat | upx
behavioral2/files/0x0004000000022dee-134.dat | upx
behavioral2/memory/3880-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3992-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3860-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3592-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0001000000022df5-151.dat | upx
behavioral2/memory/1380-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3220-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x00020000000005a1-159.dat | upx
behavioral2/files/0x0002000000009de9-161.dat | upx
behavioral2/files/0x0002000000009de9-160.dat | upx
behavioral2/memory/3880-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3992-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3860-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3592-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3220-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000e00000001e6ed-170.dat | upx
behavioral2/files/0x000200000001e6ef-171.dat | upx
behavioral2/files/0x000200000001e6ef-172.dat | upx
behavioral2/files/0x000200000001e6ef-173.dat | upx
behavioral2/memory/3220-180-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3860-179-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kfeprzydxe.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mjlsaolk = "cwvwkcfcwuytztk.exe" | cwvwkcfcwuytztk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "szxobfuezywgn.exe" | cwvwkcfcwuytztk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cwvwkcfcwuytztk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndessson = "kfeprzydxe.exe" | cwvwkcfcwuytztk.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\f: | kfeprzydxe.exe
File opened (read-only) | \??\v: | kfeprzydxe.exe
File opened (read-only) | \??\w: | qdooqrkq.exe
File opened (read-only) | \??\s: | qdooqrkq.exe
File opened (read-only) | \??\m: | qdooqrkq.exe
File opened (read-only) | \??\v: | qdooqrkq.exe
File opened (read-only) | \??\w: | qdooqrkq.exe
File opened (read-only) | \??\g: | kfeprzydxe.exe
File opened (read-only) | \??\t: | kfeprzydxe.exe
File opened (read-only) | \??\y: | kfeprzydxe.exe
File opened (read-only) | \??\g: | qdooqrkq.exe
File opened (read-only) | \??\k: | qdooqrkq.exe
File opened (read-only) | \??\s: | qdooqrkq.exe
File opened (read-only) | \??\r: | qdooqrkq.exe
File opened (read-only) | \??\z: | qdooqrkq.exe
File opened (read-only) | \??\b: | qdooqrkq.exe
File opened (read-only) | \??\i: | qdooqrkq.exe
File opened (read-only) | \??\b: | qdooqrkq.exe
File opened (read-only) | \??\a: | qdooqrkq.exe
File opened (read-only) | \??\i: | qdooqrkq.exe
File opened (read-only) | \??\y: | qdooqrkq.exe
File opened (read-only) | \??\h: | kfeprzydxe.exe
File opened (read-only) | \??\l: | kfeprzydxe.exe
File opened (read-only) | \??\r: | kfeprzydxe.exe
File opened (read-only) | \??\x: | kfeprzydxe.exe
File opened (read-only) | \??\k: | qdooqrkq.exe
File opened (read-only) | \??\z: | qdooqrkq.exe
File opened (read-only) | \??\n: | qdooqrkq.exe
File opened (read-only) | \??\l: | qdooqrkq.exe
File opened (read-only) | \??\i: | kfeprzydxe.exe
File opened (read-only) | \??\y: | qdooqrkq.exe
File opened (read-only) | \??\f: | qdooqrkq.exe
File opened (read-only) | \??\x: | qdooqrkq.exe
File opened (read-only) | \??\z: | kfeprzydxe.exe
File opened (read-only) | \??\m: | qdooqrkq.exe
File opened (read-only) | \??\t: | qdooqrkq.exe
File opened (read-only) | \??\v: | qdooqrkq.exe
File opened (read-only) | \??\a: | qdooqrkq.exe
File opened (read-only) | \??\e: | qdooqrkq.exe
File opened (read-only) | \??\w: | kfeprzydxe.exe
File opened (read-only) | \??\g: | qdooqrkq.exe
File opened (read-only) | \??\o: | qdooqrkq.exe
File opened (read-only) | \??\u: | qdooqrkq.exe
File opened (read-only) | \??\e: | kfeprzydxe.exe
File opened (read-only) | \??\n: | qdooqrkq.exe
File opened (read-only) | \??\u: | qdooqrkq.exe
File opened (read-only) | \??\e: | qdooqrkq.exe
File opened (read-only) | \??\a: | kfeprzydxe.exe
File opened (read-only) | \??\m: | kfeprzydxe.exe
File opened (read-only) | \??\q: | qdooqrkq.exe
File opened (read-only) | \??\r: | qdooqrkq.exe
File opened (read-only) | \??\o: | kfeprzydxe.exe
File opened (read-only) | \??\s: | kfeprzydxe.exe
File opened (read-only) | \??\h: | qdooqrkq.exe
File opened (read-only) | \??\j: | qdooqrkq.exe
File opened (read-only) | \??\p: | kfeprzydxe.exe
File opened (read-only) | \??\j: | kfeprzydxe.exe
File opened (read-only) | \??\k: | kfeprzydxe.exe
File opened (read-only) | \??\q: | kfeprzydxe.exe
File opened (read-only) | \??\u: | kfeprzydxe.exe
File opened (read-only) | \??\f: | qdooqrkq.exe
File opened (read-only) | \??\j: | qdooqrkq.exe
File opened (read-only) | \??\h: | qdooqrkq.exe
File opened (read-only) | \??\t: | qdooqrkq.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kfeprzydxe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kfeprzydxe.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1380-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3880-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3992-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3860-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3592-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1380-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3220-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3880-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3992-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3860-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3592-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3220-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3220-180-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3860-179-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | C:\Windows\SysWOW64\kfeprzydxe.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File created | C:\Windows\SysWOW64\qdooqrkq.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File created | C:\Windows\SysWOW64\szxobfuezywgn.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | C:\Windows\SysWOW64\szxobfuezywgn.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kfeprzydxe.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | C:\Windows\SysWOW64\kfeprzydxe.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File created | C:\Windows\SysWOW64\cwvwkcfcwuytztk.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File opened for modification | C:\Windows\SysWOW64\cwvwkcfcwuytztk.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File opened for modification | C:\Windows\SysWOW64\qdooqrkq.exe | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qdooqrkq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qdooqrkq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qdooqrkq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qdooqrkq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qdooqrkq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qdooqrkq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qdooqrkq.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | C:\Windows\mydoc.rtf | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qdooqrkq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qdooqrkq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qdooqrkq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFC8D4F28851E9141D7217E90BD93E641583766406342D79A" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kfeprzydxe.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7E9C2C82246D3E77A1772F2CDA7C8664DC" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kfeprzydxe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12E47E139ED52CFB9D0329ED4BC" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9CAFE6BF2E7837B3B42869D3992B38803F14261023DE2C4459D08A1" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kfeprzydxe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kfeprzydxe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kfeprzydxe.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67B1597DBC3B8BC7C90ED9234BB" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kfeprzydxe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB1FE1822DBD173D1D48A0F9164" | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2680 | WINWORD.EXE
2680 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3592 | szxobfuezywgn.exe
3220 | qdooqrkq.exe
3220 | qdooqrkq.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3220 | qdooqrkq.exe
3220 | qdooqrkq.exe
3220 | qdooqrkq.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3880 | kfeprzydxe.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3992 | cwvwkcfcwuytztk.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3592 | szxobfuezywgn.exe
3860 | qdooqrkq.exe
3220 | qdooqrkq.exe
3220 | qdooqrkq.exe
3220 | qdooqrkq.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2680 | WINWORD.EXE
2680 | WINWORD.EXE
2680 | WINWORD.EXE
2680 | WINWORD.EXE
2680 | WINWORD.EXE
2680 | WINWORD.EXE
2680 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1380 wrote to memory of 3880 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 84
PID 1380 wrote to memory of 3880 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 84
PID 1380 wrote to memory of 3880 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 84
PID 1380 wrote to memory of 3992 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 85
PID 1380 wrote to memory of 3992 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 85
PID 1380 wrote to memory of 3992 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 85
PID 1380 wrote to memory of 3860 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 86
PID 1380 wrote to memory of 3860 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 86
PID 1380 wrote to memory of 3860 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 86
PID 1380 wrote to memory of 3592 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 87
PID 1380 wrote to memory of 3592 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 87
PID 1380 wrote to memory of 3592 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 87
PID 1380 wrote to memory of 2680 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 88
PID 1380 wrote to memory of 2680 | 1380 | 5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe | 88
PID 3880 wrote to memory of 3220 | 3880 | kfeprzydxe.exe | 90
PID 3880 wrote to memory of 3220 | 3880 | kfeprzydxe.exe | 90
PID 3880 wrote to memory of 3220 | 3880 | kfeprzydxe.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe (PID 1380)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e5be2c4b800c6ca00211a1d7db217ffb735d05fe1da545badc85ddae656fb71.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\kfeprzydxe.exe (PID 3880)
    Command line: kfeprzydxe.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\qdooqrkq.exe (PID 3220)
      Command line: C:\Windows\system32\qdooqrkq.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cwvwkcfcwuytztk.exe (PID 3992)
    Command line: cwvwkcfcwuytztk.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\qdooqrkq.exe (PID 3860)
    Command line: qdooqrkq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\szxobfuezywgn.exe (PID 3592)
    Command line: szxobfuezywgn.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2680)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads