Analysis
max time kernel
175s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
29-10-2022 11:01
Behavioral task
behavioral1
Sample
a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Resource
win10v2004-20220812-en
General
Target
a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Size
255KB
MD5
e88d07d695a80c20a9e381b2612eb298
SHA1
f7d5c373bd44c95caab84f7ffa49dfec868f6ec3
SHA256
a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806
SHA512
00b76153cc182b5cf410aa1ec9452f4d871425e5440d21d48e15c8f4307f3e49d515703a36b370af29e66cdaca68de795a588912e16ba6d5ea14623c0d207b14
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJg:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIb
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" izjcmyrmyj.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" izjcmyrmyj.exe
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" izjcmyrmyj.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" izjcmyrmyj.exe
Executes dropped EXE 5 IoCs
pid Process
4072 izjcmyrmyj.exe
3776 chnzwulheucgbrt.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
2876 wwafseah.exe
resource yara_rule
behavioral2/memory/5060-132-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/files/0x0007000000022e42-134.dat upx
behavioral2/files/0x0007000000022e42-135.dat upx
behavioral2/files/0x0007000000022e47-137.dat upx
behavioral2/files/0x0007000000022e47-138.dat upx
behavioral2/files/0x0006000000022e48-140.dat upx
behavioral2/files/0x0006000000022e49-143.dat upx
behavioral2/files/0x0006000000022e48-141.dat upx
behavioral2/files/0x0006000000022e49-144.dat upx
behavioral2/memory/4072-145-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/3776-146-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/2068-147-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/3208-148-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/files/0x0006000000022e48-150.dat upx
behavioral2/memory/5060-152-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/2876-153-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/files/0x0006000000022e4b-160.dat upx
behavioral2/files/0x0002000000009dee-159.dat upx
behavioral2/memory/4072-163-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/3776-164-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/2068-165-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/3208-166-0x0000000000400000-0x00000000004A0000-memory.dmp upx
behavioral2/memory/2876-167-0x0000000000400000-0x00000000004A0000-memory.dmp upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" izjcmyrmyj.exe
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run chnzwulheucgbrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xyoobalp = "izjcmyrmyj.exe" chnzwulheucgbrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\akwophkt = "chnzwulheucgbrt.exe" chnzwulheucgbrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qkxyxjhfekcbw.exe" chnzwulheucgbrt.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\b: wwafseah.exe
File opened (read-only) \??\n: wwafseah.exe
File opened (read-only) \??\f: wwafseah.exe
File opened (read-only) \??\z: wwafseah.exe
File opened (read-only) \??\k: izjcmyrmyj.exe
File opened (read-only) \??\i: wwafseah.exe
File opened (read-only) \??\h: izjcmyrmyj.exe
File opened (read-only) \??\u: izjcmyrmyj.exe
File opened (read-only) \??\v: wwafseah.exe
File opened (read-only) \??\w: wwafseah.exe
File opened (read-only) \??\x: wwafseah.exe
File opened (read-only) \??\e: izjcmyrmyj.exe
File opened (read-only) \??\w: izjcmyrmyj.exe
File opened (read-only) \??\k: wwafseah.exe
File opened (read-only) \??\p: wwafseah.exe
File opened (read-only) \??\g: wwafseah.exe
File opened (read-only) \??\s: wwafseah.exe
File opened (read-only) \??\n: wwafseah.exe
File opened (read-only) \??\r: wwafseah.exe
File opened (read-only) \??\g: wwafseah.exe
File opened (read-only) \??\h: wwafseah.exe
File opened (read-only) \??\b: izjcmyrmyj.exe
File opened (read-only) \??\l: izjcmyrmyj.exe
File opened (read-only) \??\t: wwafseah.exe
File opened (read-only) \??\x: wwafseah.exe
File opened (read-only) \??\i: izjcmyrmyj.exe
File opened (read-only) \??\y: wwafseah.exe
File opened (read-only) \??\a: wwafseah.exe
File opened (read-only) \??\r: izjcmyrmyj.exe
File opened (read-only) \??\k: wwafseah.exe
File opened (read-only) \??\o: izjcmyrmyj.exe
File opened (read-only) \??\a: wwafseah.exe
File opened (read-only) \??\z: wwafseah.exe
File opened (read-only) \??\p: wwafseah.exe
File opened (read-only) \??\u: wwafseah.exe
File opened (read-only) \??\i: wwafseah.exe
File opened (read-only) \??\j: izjcmyrmyj.exe
File opened (read-only) \??\m: izjcmyrmyj.exe
File opened (read-only) \??\e: wwafseah.exe
File opened (read-only) \??\o: wwafseah.exe
File opened (read-only) \??\h: wwafseah.exe
File opened (read-only) \??\l: wwafseah.exe
File opened (read-only) \??\y: wwafseah.exe
File opened (read-only) \??\y: izjcmyrmyj.exe
File opened (read-only) \??\z: izjcmyrmyj.exe
File opened (read-only) \??\j: wwafseah.exe
File opened (read-only) \??\w: wwafseah.exe
File opened (read-only) \??\a: izjcmyrmyj.exe
File opened (read-only) \??\n: izjcmyrmyj.exe
File opened (read-only) \??\s: izjcmyrmyj.exe
File opened (read-only) \??\t: izjcmyrmyj.exe
File opened (read-only) \??\e: wwafseah.exe
File opened (read-only) \??\q: wwafseah.exe
File opened (read-only) \??\m: wwafseah.exe
File opened (read-only) \??\o: wwafseah.exe
File opened (read-only) \??\s: wwafseah.exe
File opened (read-only) \??\f: izjcmyrmyj.exe
File opened (read-only) \??\g: izjcmyrmyj.exe
File opened (read-only) \??\x: izjcmyrmyj.exe
File opened (read-only) \??\v: wwafseah.exe
File opened (read-only) \??\f: wwafseah.exe
File opened (read-only) \??\l: wwafseah.exe
File opened (read-only) \??\j: wwafseah.exe
File opened (read-only) \??\t: wwafseah.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" izjcmyrmyj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" izjcmyrmyj.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/4072-145-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/3776-146-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/2068-147-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/3208-148-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/5060-152-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/2876-153-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/4072-163-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/3776-164-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/2068-165-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/3208-166-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
behavioral2/memory/2876-167-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll izjcmyrmyj.exe
File opened for modification C:\Windows\SysWOW64\chnzwulheucgbrt.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File created C:\Windows\SysWOW64\wwafseah.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File created C:\Windows\SysWOW64\qkxyxjhfekcbw.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File opened for modification C:\Windows\SysWOW64\qkxyxjhfekcbw.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File created C:\Windows\SysWOW64\izjcmyrmyj.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File opened for modification C:\Windows\SysWOW64\izjcmyrmyj.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File created C:\Windows\SysWOW64\chnzwulheucgbrt.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File opened for modification C:\Windows\SysWOW64\wwafseah.exe a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wwafseah.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wwafseah.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wwafseah.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wwafseah.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wwafseah.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wwafseah.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wwafseah.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wwafseah.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf izjcmyrmyj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABCF963F293840C3A4486973999B08A03F14312033EE1CC459B09D5" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8C4F2882189030D72D7D9DBD92E137593567446345D6EA" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67A14E5DAB4B9BB7C95ED9537CD" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" izjcmyrmyj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg izjcmyrmyj.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352D0D9C2383256A3177A077242CAC7C8764AA" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" izjcmyrmyj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" izjcmyrmyj.exe
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668C3FE6B21AED272D0D68A75906A" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" izjcmyrmyj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02D47EF399D52CDBAD732EDD7CE" a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
3432 WINWORD.EXE
3432 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
2068 wwafseah.exe
2068 wwafseah.exe
2068 wwafseah.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2068 wwafseah.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
2068 wwafseah.exe
2068 wwafseah.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
4072 izjcmyrmyj.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
3776 chnzwulheucgbrt.exe
2068 wwafseah.exe
2068 wwafseah.exe
2068 wwafseah.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
3208 qkxyxjhfekcbw.exe
2876 wwafseah.exe
2876 wwafseah.exe
2876 wwafseah.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
3432 WINWORD.EXE
3432 WINWORD.EXE
3432 WINWORD.EXE
3432 WINWORD.EXE
3432 WINWORD.EXE
3432 WINWORD.EXE
3432 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 5060 wrote to memory of 4072 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 83
PID 5060 wrote to memory of 4072 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 83
PID 5060 wrote to memory of 4072 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 83
PID 5060 wrote to memory of 3776 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 84
PID 5060 wrote to memory of 3776 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 84
PID 5060 wrote to memory of 3776 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 84
PID 5060 wrote to memory of 2068 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 85
PID 5060 wrote to memory of 2068 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 85
PID 5060 wrote to memory of 2068 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 85
PID 5060 wrote to memory of 3208 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 86
PID 5060 wrote to memory of 3208 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 86
PID 5060 wrote to memory of 3208 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 86
PID 4072 wrote to memory of 2876 4072 izjcmyrmyj.exe 89
PID 4072 wrote to memory of 2876 4072 izjcmyrmyj.exe 89
PID 4072 wrote to memory of 2876 4072 izjcmyrmyj.exe 89
PID 5060 wrote to memory of 3432 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 87
PID 5060 wrote to memory of 3432 5060 a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe 87
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a08d985e5953ef9e9fd082b690b03b9baac8d9355004bfb021c7cbf01760b806.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 5060
[2] C:\Windows\SysWOW64\izjcmyrmyj.exe
Command line: izjcmyrmyj.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4072
[3] C:\Windows\SysWOW64\wwafseah.exe
Command line: C:\Windows\system32\wwafseah.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2876
[2] C:\Windows\SysWOW64\chnzwulheucgbrt.exe
Command line: chnzwulheucgbrt.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3776
[2] C:\Windows\SysWOW64\wwafseah.exe
Command line: wwafseah.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2068
[2] C:\Windows\SysWOW64\qkxyxjhfekcbw.exe
Command line: qkxyxjhfekcbw.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3208
[2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 3432
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Disabling Security Tools 2
Hidden Files and Directories 2
Modify Registry 6
Downloads
Filesize
255KB
MD5
8d05fc71d9afa3e2a91ae47b4f04cd64
SHA1
849a54cbaefe77de23fb35191386ea2f5f24232b
SHA256
59b12c7b787aa12dfc25a26cef564aa9964e4e045d80ab79b1899a95a28ee137
SHA512
0c8465216a8d189c3112561c84a346538da11eaf502054d3ee3c8c2a3a2b41989825229dc328f427e3a4650f5cadc3c9f78e0c79f761ddfbe80850421c51d9c2

Filesize
255KB
MD5
5dc2fd067e7881c6f51e07a05e98cbf2
SHA1
079c84511cc0cf0a9dca6ceaa4bbfd7c2f0c4cc7
SHA256
5f8561452aa9c86f29bd984a6b23eebe0665710a90bfd369548c4a384ac012bd
SHA512
ba2b393bf077100e584aa20ae6ce9313f1ffce13850bb05e9bf4ff9008b7cc584339fb33ef5b0dbc14f6393a5ad5046d4f68236dd63dd343ea66ddfe88fad19b

Filesize
255KB
MD5
3fc76882a2abe61e47055b3bc1b5c400
SHA1
5bc1dd2562ce845f3bddf4c4c34189847214997c
SHA256
163559b3e260866b59bdab91f7f809a69561290e403c5009b68bc6a586d29b70
SHA512
0993a0ac390788e7c5fc23ae796cc6e9e2e0576a217b78ffe754189e66a91b46e522088fea90b984a6588e713c7efd08311ae4611039f8c0234834097aa59336

Filesize
255KB
MD5
3fc76882a2abe61e47055b3bc1b5c400
SHA1
5bc1dd2562ce845f3bddf4c4c34189847214997c
SHA256
163559b3e260866b59bdab91f7f809a69561290e403c5009b68bc6a586d29b70
SHA512
0993a0ac390788e7c5fc23ae796cc6e9e2e0576a217b78ffe754189e66a91b46e522088fea90b984a6588e713c7efd08311ae4611039f8c0234834097aa59336

Filesize
255KB
MD5
d64c9b36289a41bcf13fac0d10e62f3e
SHA1
2c0633cf30ebfe326ed7d298d29c1ce761c89fa5
SHA256
27b322e5264ab5647940b86ba3bdea299dcfbfbfff49321ecbd008913474e229
SHA512
f275051382f1f3ca26ae586c53484175ce95631085363ae5593fe45584c2bb31d374dc36dc26fa4819be3836ab0510512e5ebfdf94c9be6719c1cf4877cc1b37

Filesize
255KB
MD5
d64c9b36289a41bcf13fac0d10e62f3e
SHA1
2c0633cf30ebfe326ed7d298d29c1ce761c89fa5
SHA256
27b322e5264ab5647940b86ba3bdea299dcfbfbfff49321ecbd008913474e229
SHA512
f275051382f1f3ca26ae586c53484175ce95631085363ae5593fe45584c2bb31d374dc36dc26fa4819be3836ab0510512e5ebfdf94c9be6719c1cf4877cc1b37

Filesize
255KB
MD5
c33de601f1f563198008a3514166fc08
SHA1
b6bfef3e2b1dbd11df329a753717bf46a5931240
SHA256
3e2e1d8d3411723706cede89dc4b7c29acb1a992cca4ba6f6f4c6e49d0e9f2a0
SHA512
43a3aee44f2d9c0fd3f13751f1c392bec341326d0dac7e2103726c5dd41abbe976c60ac0bbdb648cedbfc4af7cb30cc6558812528f21ba827ac70c48be831f5b

Filesize
255KB
MD5
c33de601f1f563198008a3514166fc08
SHA1
b6bfef3e2b1dbd11df329a753717bf46a5931240
SHA256
3e2e1d8d3411723706cede89dc4b7c29acb1a992cca4ba6f6f4c6e49d0e9f2a0
SHA512
43a3aee44f2d9c0fd3f13751f1c392bec341326d0dac7e2103726c5dd41abbe976c60ac0bbdb648cedbfc4af7cb30cc6558812528f21ba827ac70c48be831f5b

Filesize
255KB
MD5
4e9d398edde75f31c8131239e62de7a9
SHA1
8ef0f300786e7df12b6cf59cce87989e7f119c34
SHA256
1d8add8a0889c5e4291f19cf3e27f2816a93b37ae9b7a02a85ed022e482e1687
SHA512
1dcff8d2488e2bac0f07e00cd0100f37a6a056ea13ac3cd6ca1b3adcf00578b64193abb9a1d1006b6500ed0a2caacc38af985fde244742cca191567e60082d6f

Filesize
255KB
MD5
4e9d398edde75f31c8131239e62de7a9
SHA1
8ef0f300786e7df12b6cf59cce87989e7f119c34
SHA256
1d8add8a0889c5e4291f19cf3e27f2816a93b37ae9b7a02a85ed022e482e1687
SHA512
1dcff8d2488e2bac0f07e00cd0100f37a6a056ea13ac3cd6ca1b3adcf00578b64193abb9a1d1006b6500ed0a2caacc38af985fde244742cca191567e60082d6f

Filesize
255KB
MD5
4e9d398edde75f31c8131239e62de7a9
SHA1
8ef0f300786e7df12b6cf59cce87989e7f119c34
SHA256
1d8add8a0889c5e4291f19cf3e27f2816a93b37ae9b7a02a85ed022e482e1687
SHA512
1dcff8d2488e2bac0f07e00cd0100f37a6a056ea13ac3cd6ca1b3adcf00578b64193abb9a1d1006b6500ed0a2caacc38af985fde244742cca191567e60082d6f

Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7