Analysis
max time kernel: 151s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 10:18
Behavioral task: behavioral1
Sample: a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Resource: win7-20220812-en
General
Target: a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Size: 255KB
MD5: 5c28d79e821071f5c69092dcf826ba5f
SHA1: 64d69a492d224e0a1d9605b00826bb6cb2c5793a
SHA256: a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94
SHA512: e18f91e0d5ed860399f8288ba47f5077695ec839e5191d3e9f6044d2c5b998983c2c07077cdc5fd85ede880774b800a51aa60cdc68145856625c787e56050b56
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ5:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIi
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vdbqjgqcwn.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vdbqjgqcwn.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vdbqjgqcwn.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vdbqjgqcwn.exe
Executes dropped EXE 5 IoCs
pid | Process
2804 | vdbqjgqcwn.exe
856 | vvehzwijallrbrn.exe
1352 | rekpsqfi.exe
2392 | koknpumgughim.exe
3920 | rekpsqfi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vdbqjgqcwn.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vvehzwijallrbrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\swmzmpss = "vdbqjgqcwn.exe" | vvehzwijallrbrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dzdkagkl = "vvehzwijallrbrn.exe" | vvehzwijallrbrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "koknpumgughim.exe" | vvehzwijallrbrn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vdbqjgqcwn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vdbqjgqcwn.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | C:\Windows\SysWOW64\vdbqjgqcwn.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File created | C:\Windows\SysWOW64\vvehzwijallrbrn.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File opened for modification | C:\Windows\SysWOW64\vvehzwijallrbrn.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File created | C:\Windows\SysWOW64\koknpumgughim.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | C:\Windows\SysWOW64\vdbqjgqcwn.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File created | C:\Windows\SysWOW64\rekpsqfi.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File opened for modification | C:\Windows\SysWOW64\rekpsqfi.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File opened for modification | C:\Windows\SysWOW64\koknpumgughim.exe | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vdbqjgqcwn.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rekpsqfi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rekpsqfi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rekpsqfi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rekpsqfi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rekpsqfi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rekpsqfi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rekpsqfi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rekpsqfi.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | C:\Windows\mydoc.rtf | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rekpsqfi.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rekpsqfi.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rekpsqfi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vdbqjgqcwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF88482B851F9047D65B7DE7BD95E6375940674F6337D799" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C77B15E6DAB0B8BC7CE3ED9534BE" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vdbqjgqcwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vdbqjgqcwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vdbqjgqcwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9C9F913F191847A3A4686EB39E2B08E02F84364023BE1CC459B08A4" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12F47E538E252CDB9D33293D7CF" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vdbqjgqcwn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vdbqjgqcwn.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C7C9C5282276A3676D777272CDD7CF264D7" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B2FE6922A9D27DD1D58B7A9010" | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vdbqjgqcwn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vdbqjgqcwn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vdbqjgqcwn.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vdbqjgqcwn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vdbqjgqcwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vdbqjgqcwn.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3752 | WINWORD.EXE
3752 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a68246a07e3c256e4eac750dfc5458e2eebe23cae1c7e60bd8e63feca8c60a94.exe"
  PID: 1968
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\vdbqjgqcwn.exe
    Command line: vdbqjgqcwn.exe
    PID: 2804
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rekpsqfi.exe
      Command line: C:\Windows\system32\rekpsqfi.exe
      PID: 3920
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rekpsqfi.exe
    Command line: rekpsqfi.exe
    PID: 1352
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\koknpumgughim.exe
    Command line: koknpumgughim.exe
    PID: 2392
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vvehzwijallrbrn.exe
    Command line: vvehzwijallrbrn.exe
    PID: 856
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3752
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Defense Evasion
  Disabling Security Tools: 2
  Hidden Files and Directories: 2
  Modify Registry: 6
Downloads