Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 09:37
Behavioral task: behavioral1
Sample: 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe
Resource: win7-20220901-en
General
Target: 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe
Size: 255KB
MD5: 78acf165f0969f340fdf40bff6cde495
SHA1: f2556b32d49b35bce2bfb9424f3f9a74cab06757
SHA256: 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38
SHA512: 1f8911589797fb1f581d214ffd64dc84bd059b07f29765a29243c8bcf1984e123eb9e286f1d8e3ab48b5090a2be0eb5e55401ed94d7046c2228c3ff97af420bc
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ1:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIK
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (mgdomioves.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (mgdomioves.exe)

Windows security bypass (5 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mgdomioves.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (mgdomioves.exe)

Executes dropped EXE (5 IoCs)
- pid 3496 mgdomioves.exe
- pid 1240 xvspipqhfpmuvow.exe
- pid 1612 pbwnbsdn.exe
- pid 3532 gsewadebwheob.exe
- pid 212 pbwnbsdn.exe
UPX packed (yara rule upx, 30 IoCs)
- matches in the dropped files (behavioral2/files) and in the memory dumps of pids 4556, 3496, 1240, 1612, 3532 and 212
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (mgdomioves.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gsewadebwheob.exe" (xvspipqhfpmuvow.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (xvspipqhfpmuvow.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\trisrtcb = "mgdomioves.exe" (xvspipqhfpmuvow.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ghpungzy = "xvspipqhfpmuvow.exe" (xvspipqhfpmuvow.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (mgdomioves.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (mgdomioves.exe)
AutoIT Executable (13 IoCs)
AutoIT scripts compiled to PE executables.
- yara rule autoit_exe matched in the memory dumps of pids 4556, 3496, 1240, 1612, 3532 and 212
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (mgdomioves.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: C:\Windows\SysWOW64\mgdomioves.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File opened for modification: C:\Windows\SysWOW64\xvspipqhfpmuvow.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File created: C:\Windows\SysWOW64\pbwnbsdn.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File created: C:\Windows\SysWOW64\gsewadebwheob.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File opened for modification: C:\Windows\SysWOW64\gsewadebwheob.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: C:\Windows\SysWOW64\mgdomioves.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File created: C:\Windows\SysWOW64\xvspipqhfpmuvow.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File opened for modification: C:\Windows\SysWOW64\pbwnbsdn.exe (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
Drops file in Program Files directory (14 IoCs)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (pbwnbsdn.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (pbwnbsdn.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (pbwnbsdn.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (pbwnbsdn.exe)
Drops file in Windows directory (19 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (pbwnbsdn.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C7F9C2D83506A3176A070522DD87DF465DA" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB128449039EC53CCB9D132EAD7C8" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFCFF485C826F9140D7587D90BDEFE635593067426331D7ED" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (mgdomioves.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (mgdomioves.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (mgdomioves.exe)
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (mgdomioves.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (mgdomioves.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9C9FE11F29983793A41819A3999B089038D4365023CE2C842EF09D4" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568B7FE6D22DBD172D1D18A7A9113" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67914E2DBBEB8CA7CE3EC9437B9" (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (mgdomioves.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (mgdomioves.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (mgdomioves.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (mgdomioves.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (mgdomioves.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (mgdomioves.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (mgdomioves.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- pid 3832 WINWORD.EXE (2 hits)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 4556 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe (16 hits)
- pid 3496 mgdomioves.exe (10 hits)
- pid 1240 xvspipqhfpmuvow.exe (12 hits)
- pid 1612 pbwnbsdn.exe (8 hits)
- pid 3532 gsewadebwheob.exe (12 hits)
- pid 212 pbwnbsdn.exe (6 hits)

Suspicious use of FindShellTrayWindow (18 IoCs)
- pid 4556 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe (3 hits)
- pid 3496 mgdomioves.exe (3 hits)
- pid 1240 xvspipqhfpmuvow.exe (3 hits)
- pid 1612 pbwnbsdn.exe (3 hits)
- pid 3532 gsewadebwheob.exe (3 hits)
- pid 212 pbwnbsdn.exe (3 hits)

Suspicious use of SendNotifyMessage (18 IoCs)
- pid 4556 29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe (3 hits)
- pid 3496 mgdomioves.exe (3 hits)
- pid 1240 xvspipqhfpmuvow.exe (3 hits)
- pid 1612 pbwnbsdn.exe (3 hits)
- pid 3532 gsewadebwheob.exe (3 hits)
- pid 212 pbwnbsdn.exe (3 hits)

Suspicious use of SetWindowsHookEx (7 IoCs)
- pid 3832 WINWORD.EXE (7 hits)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4556 (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe) wrote to memory of 3496, procid_target 84 (3 hits)
- PID 4556 (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe) wrote to memory of 1240, procid_target 85 (3 hits)
- PID 4556 (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe) wrote to memory of 1612, procid_target 86 (3 hits)
- PID 4556 (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe) wrote to memory of 3532, procid_target 87 (3 hits)
- PID 4556 (29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe) wrote to memory of 3832, procid_target 88 (2 hits)
- PID 3496 (mgdomioves.exe) wrote to memory of 212, procid_target 90 (3 hits)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\29f13d9d338620a65275b07169bdafc25ab6129aac3f63581541aae0c99e9e38.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4556

    [2] C:\Windows\SysWOW64\mgdomioves.exe
        command line: mgdomioves.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3496

        [3] C:\Windows\SysWOW64\pbwnbsdn.exe
            command line: C:\Windows\system32\pbwnbsdn.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 212

    [2] C:\Windows\SysWOW64\xvspipqhfpmuvow.exe
        command line: xvspipqhfpmuvow.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1240

    [2] C:\Windows\SysWOW64\pbwnbsdn.exe
        command line: pbwnbsdn.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1612

    [2] C:\Windows\SysWOW64\gsewadebwheob.exe
        command line: gsewadebwheob.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3532

    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 3832
Network

MITRE ATT&CK Enterprise v6

Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1

Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 6
Downloads