Analysis
max time kernel: 190s
max time network: 184s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 10:34
Behavioral task behavioral1
Sample: b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe
Resource: win10v2004-20220812-en
General
Target: b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe
Size: 255KB
MD5: 866daf1c9571af0e7de8315ac31ae12c
SHA1: 487f516edbb34fc796af0cf1d7f5ebf4680d05a7
SHA256: b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3
SHA512: 363925d604e4b4e52b901edda4ca60648d0e29bc68421794835a374189fe540497991cd19fdba42f8fa5028c957cf91aae625dcff5611cbe02e6d2fd3ba01081
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJO:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIb
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (midcudoxfi.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (midcudoxfi.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (midcudoxfi.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (midcudoxfi.exe)
Executes dropped EXE 5 IoCs
- PID 2024 midcudoxfi.exe
- PID 4380 oeomphlwdlbpeys.exe
- PID 2252 kssacebx.exe
- PID 1452 ajbvraemxxbmf.exe
- PID 4252 kssacebx.exe
resource yara_rule behavioral2/memory/540-132-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/540-133-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000300000000072d-135.dat upx behavioral2/files/0x000300000000072d-136.dat upx behavioral2/files/0x000400000000072f-138.dat upx behavioral2/files/0x000400000000072f-139.dat upx behavioral2/memory/2024-140-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4380-141-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0003000000000731-143.dat upx behavioral2/files/0x0003000000000731-144.dat upx behavioral2/files/0x0003000000000733-146.dat upx behavioral2/files/0x0003000000000733-147.dat upx behavioral2/memory/2252-148-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0003000000000731-151.dat upx behavioral2/memory/4252-152-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/540-154-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000900000001621d-155.dat upx behavioral2/memory/2024-161-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4380-162-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2252-163-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1452-164-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4252-165-0x0000000000400000-0x00000000004A0000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (midcudoxfi.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (oeomphlwdlbpeys.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lzbulycb = "midcudoxfi.exe" (oeomphlwdlbpeys.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmvbbkuy = "oeomphlwdlbpeys.exe" (oeomphlwdlbpeys.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ajbvraemxxbmf.exe" (oeomphlwdlbpeys.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: kssacebx.exe File opened (read-only) \??\x: kssacebx.exe File opened (read-only) \??\h: kssacebx.exe File opened (read-only) \??\m: kssacebx.exe File opened (read-only) \??\x: kssacebx.exe File opened (read-only) \??\m: midcudoxfi.exe File opened (read-only) \??\z: midcudoxfi.exe File opened (read-only) \??\v: kssacebx.exe File opened (read-only) \??\a: kssacebx.exe File opened (read-only) \??\g: kssacebx.exe File opened (read-only) \??\k: midcudoxfi.exe File opened (read-only) \??\o: midcudoxfi.exe File opened (read-only) \??\r: midcudoxfi.exe File opened (read-only) \??\l: kssacebx.exe File opened (read-only) \??\p: kssacebx.exe File opened (read-only) \??\w: kssacebx.exe File opened (read-only) \??\i: kssacebx.exe File opened (read-only) \??\y: kssacebx.exe File opened (read-only) \??\n: midcudoxfi.exe File opened (read-only) \??\v: midcudoxfi.exe File opened (read-only) \??\k: kssacebx.exe File opened (read-only) \??\k: kssacebx.exe File opened (read-only) \??\g: midcudoxfi.exe File opened (read-only) \??\q: kssacebx.exe File opened (read-only) \??\x: midcudoxfi.exe File opened (read-only) \??\z: kssacebx.exe File opened (read-only) \??\b: kssacebx.exe File opened (read-only) \??\o: kssacebx.exe File opened (read-only) \??\a: midcudoxfi.exe File opened (read-only) \??\f: midcudoxfi.exe File opened (read-only) \??\g: kssacebx.exe File opened (read-only) \??\i: kssacebx.exe File opened (read-only) \??\o: kssacebx.exe File opened (read-only) \??\t: kssacebx.exe File opened (read-only) \??\h: kssacebx.exe File opened (read-only) \??\v: kssacebx.exe File opened (read-only) \??\s: midcudoxfi.exe File opened (read-only) \??\f: kssacebx.exe File opened (read-only) \??\w: kssacebx.exe File opened (read-only) \??\j: kssacebx.exe File opened (read-only) \??\q: kssacebx.exe File opened (read-only) \??\w: midcudoxfi.exe File opened (read-only) \??\n: kssacebx.exe File opened (read-only) \??\y: midcudoxfi.exe File opened 
(read-only) \??\b: kssacebx.exe File opened (read-only) \??\s: kssacebx.exe File opened (read-only) \??\u: kssacebx.exe File opened (read-only) \??\p: kssacebx.exe File opened (read-only) \??\l: midcudoxfi.exe File opened (read-only) \??\q: midcudoxfi.exe File opened (read-only) \??\e: kssacebx.exe File opened (read-only) \??\s: kssacebx.exe File opened (read-only) \??\e: kssacebx.exe File opened (read-only) \??\n: kssacebx.exe File opened (read-only) \??\j: kssacebx.exe File opened (read-only) \??\h: midcudoxfi.exe File opened (read-only) \??\m: kssacebx.exe File opened (read-only) \??\j: midcudoxfi.exe File opened (read-only) \??\u: midcudoxfi.exe File opened (read-only) \??\f: kssacebx.exe File opened (read-only) \??\l: kssacebx.exe File opened (read-only) \??\i: midcudoxfi.exe File opened (read-only) \??\y: kssacebx.exe File opened (read-only) \??\r: kssacebx.exe -
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (midcudoxfi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (midcudoxfi.exe)
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/540-133-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2024-140-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4380-141-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2252-148-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4252-152-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/540-154-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2024-161-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4380-162-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2252-163-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1452-164-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4252-165-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
- File opened for modification C:\Windows\SysWOW64\ajbvraemxxbmf.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File opened for modification C:\Windows\SysWOW64\midcudoxfi.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File opened for modification C:\Windows\SysWOW64\oeomphlwdlbpeys.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File opened for modification C:\Windows\SysWOW64\kssacebx.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File created C:\Windows\SysWOW64\ajbvraemxxbmf.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (midcudoxfi.exe)
- File created C:\Windows\SysWOW64\midcudoxfi.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File created C:\Windows\SysWOW64\oeomphlwdlbpeys.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File created C:\Windows\SysWOW64\kssacebx.exe (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kssacebx.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kssacebx.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kssacebx.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kssacebx.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kssacebx.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kssacebx.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kssacebx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kssacebx.exe -
Drops file in Windows directory 3 IoCs
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B029449439E353CDBAD732E8D4CE" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF8D485D82689041D75F7D90BDE0E643583067456333D7E9" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" midcudoxfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg midcudoxfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh midcudoxfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs midcudoxfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" midcudoxfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C089C2D83256D4276D470522DD67DF164AB" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB1F962F19484093B3286973E96B08B02F843110239E1CB45E909A9" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67C14E4DAC0B8BD7C94ECE237B9" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat midcudoxfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" midcudoxfi.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" midcudoxfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" midcudoxfi.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68C6FE6622DDD27CD1A78A7A9113" b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc midcudoxfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf midcudoxfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" midcudoxfi.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 488 WINWORD.EXE
- PID 488 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 
ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 4252 kssacebx.exe 4252 kssacebx.exe 4252 kssacebx.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 2024 midcudoxfi.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 4380 oeomphlwdlbpeys.exe 2252 kssacebx.exe 2252 kssacebx.exe 2252 kssacebx.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 1452 ajbvraemxxbmf.exe 4252 kssacebx.exe 4252 kssacebx.exe 4252 kssacebx.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 488 WINWORD.EXE (7 occurrences)
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 540 wrote to memory of 2024 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 82 PID 540 wrote to memory of 2024 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 82 PID 540 wrote to memory of 2024 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 82 PID 540 wrote to memory of 4380 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 84 PID 540 wrote to memory of 4380 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 84 PID 540 wrote to memory of 4380 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 84 PID 540 wrote to memory of 2252 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 85 PID 540 wrote to memory of 2252 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 85 PID 540 wrote to memory of 2252 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 85 PID 540 wrote to memory of 1452 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 86 PID 540 wrote to memory of 1452 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 86 PID 540 wrote to memory of 1452 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 86 PID 4380 wrote to memory of 2216 4380 oeomphlwdlbpeys.exe 87 PID 4380 wrote to memory of 2216 4380 oeomphlwdlbpeys.exe 87 PID 4380 wrote to memory of 2216 4380 oeomphlwdlbpeys.exe 87 PID 2024 wrote to memory of 4252 2024 midcudoxfi.exe 89 PID 2024 wrote to memory of 4252 2024 midcudoxfi.exe 89 PID 2024 wrote to memory of 4252 2024 midcudoxfi.exe 89 PID 540 wrote to memory of 488 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 90 PID 540 wrote to memory of 488 540 b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe 90
Processes
C:\Users\Admin\AppData\Local\Temp\b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe (depth 1, PID 540)
Command line: "C:\Users\Admin\AppData\Local\Temp\b112d6576b5329d2a8c728be653db7012e0c817a50e3fe118f44f5415e693ad3.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\midcudoxfi.exe (depth 2, PID 2024)
Command line: midcudoxfi.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\kssacebx.exe (depth 3, PID 4252)
Command line: C:\Windows\system32\kssacebx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\oeomphlwdlbpeys.exe (depth 2, PID 4380)
Command line: oeomphlwdlbpeys.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2216)
Command line: cmd.exe /c ajbvraemxxbmf.exe
C:\Windows\SysWOW64\kssacebx.exe (depth 2, PID 2252)
Command line: kssacebx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\ajbvraemxxbmf.exe (depth 2, PID 1452)
Command line: ajbvraemxxbmf.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 488)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads