Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/10/2022, 13:58

Behavioral task: behavioral1
- Sample: 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
- Resource: win7-20220812-en

General
- Target: 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
- Size: 255KB
- MD5: 640a930480b7f31226546436130aee04
- SHA1: 16d18a54c3a746fb6bab7a39064042eda5a2e94d
- SHA256: 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266
- SHA512: 0f2d39f183599c6c29fd5d97c3143c8f47d3b457517b67d758368acb68f0bbfeb09b243a13339728dd19fa7f1c5c1735f4e85a0749c3a8d3b5080dca485766e0
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJt:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI4
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ylerdhrukb.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ylerdhrukb.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ylerdhrukb.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ylerdhrukb.exe
Executes dropped EXE 5 IoCs
pid | Process
2884 | ylerdhrukb.exe
2392 | gqalctxygxkpshv.exe
2892 | canamoyw.exe
4312 | vrchwdfnvwiqr.exe
1588 | canamoyw.exe
UPX packed file 29 IoCs
resource | yara_rule
behavioral2/memory/1052-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0001000000022dfd-134.dat | upx
behavioral2/files/0x0001000000022dfd-136.dat | upx
behavioral2/files/0x0001000000022dfe-138.dat | upx
behavioral2/files/0x0001000000022dfe-139.dat | upx
behavioral2/files/0x0001000000022dff-142.dat | upx
behavioral2/memory/2884-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0001000000022e00-145.dat | upx
behavioral2/files/0x0001000000022e00-144.dat | upx
behavioral2/files/0x0001000000022dff-141.dat | upx
behavioral2/memory/2392-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2892-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1052-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0001000000022dff-151.dat | upx
behavioral2/memory/1588-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000400000001d9ee-163.dat | upx
behavioral2/files/0x000500000001d9e9-162.dat | upx
behavioral2/memory/2884-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2392-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2892-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1588-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4312-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e78e-169.dat | upx
behavioral2/files/0x001000000001e8b6-170.dat | upx
behavioral2/files/0x001000000001e8b6-171.dat | upx
behavioral2/files/0x001000000001e8b6-172.dat | upx
behavioral2/memory/2892-178-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1588-179-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ylerdhrukb.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdyzdbbl = "gqalctxygxkpshv.exe" | gqalctxygxkpshv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vrchwdfnvwiqr.exe" | gqalctxygxkpshv.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | gqalctxygxkpshv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nvksrvba = "ylerdhrukb.exe" | gqalctxygxkpshv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\p: | ylerdhrukb.exe
File opened (read-only) | \??\r: | canamoyw.exe
File opened (read-only) | \??\x: | canamoyw.exe
File opened (read-only) | \??\k: | ylerdhrukb.exe
File opened (read-only) | \??\u: | ylerdhrukb.exe
File opened (read-only) | \??\e: | canamoyw.exe
File opened (read-only) | \??\e: | canamoyw.exe
File opened (read-only) | \??\k: | canamoyw.exe
File opened (read-only) | \??\v: | canamoyw.exe
File opened (read-only) | \??\f: | canamoyw.exe
File opened (read-only) | \??\u: | canamoyw.exe
File opened (read-only) | \??\z: | canamoyw.exe
File opened (read-only) | \??\g: | canamoyw.exe
File opened (read-only) | \??\i: | ylerdhrukb.exe
File opened (read-only) | \??\m: | ylerdhrukb.exe
File opened (read-only) | \??\n: | ylerdhrukb.exe
File opened (read-only) | \??\q: | ylerdhrukb.exe
File opened (read-only) | \??\s: | ylerdhrukb.exe
File opened (read-only) | \??\t: | canamoyw.exe
File opened (read-only) | \??\j: | ylerdhrukb.exe
File opened (read-only) | \??\l: | ylerdhrukb.exe
File opened (read-only) | \??\l: | canamoyw.exe
File opened (read-only) | \??\y: | canamoyw.exe
File opened (read-only) | \??\f: | canamoyw.exe
File opened (read-only) | \??\g: | canamoyw.exe
File opened (read-only) | \??\i: | canamoyw.exe
File opened (read-only) | \??\m: | canamoyw.exe
File opened (read-only) | \??\o: | canamoyw.exe
File opened (read-only) | \??\s: | canamoyw.exe
File opened (read-only) | \??\q: | canamoyw.exe
File opened (read-only) | \??\w: | canamoyw.exe
File opened (read-only) | \??\y: | canamoyw.exe
File opened (read-only) | \??\x: | ylerdhrukb.exe
File opened (read-only) | \??\a: | canamoyw.exe
File opened (read-only) | \??\b: | canamoyw.exe
File opened (read-only) | \??\n: | canamoyw.exe
File opened (read-only) | \??\v: | canamoyw.exe
File opened (read-only) | \??\a: | ylerdhrukb.exe
File opened (read-only) | \??\e: | ylerdhrukb.exe
File opened (read-only) | \??\o: | ylerdhrukb.exe
File opened (read-only) | \??\a: | canamoyw.exe
File opened (read-only) | \??\t: | canamoyw.exe
File opened (read-only) | \??\n: | canamoyw.exe
File opened (read-only) | \??\j: | canamoyw.exe
File opened (read-only) | \??\p: | canamoyw.exe
File opened (read-only) | \??\f: | ylerdhrukb.exe
File opened (read-only) | \??\g: | ylerdhrukb.exe
File opened (read-only) | \??\r: | ylerdhrukb.exe
File opened (read-only) | \??\b: | canamoyw.exe
File opened (read-only) | \??\l: | canamoyw.exe
File opened (read-only) | \??\x: | canamoyw.exe
File opened (read-only) | \??\h: | canamoyw.exe
File opened (read-only) | \??\o: | canamoyw.exe
File opened (read-only) | \??\r: | canamoyw.exe
File opened (read-only) | \??\k: | canamoyw.exe
File opened (read-only) | \??\i: | canamoyw.exe
File opened (read-only) | \??\w: | canamoyw.exe
File opened (read-only) | \??\v: | ylerdhrukb.exe
File opened (read-only) | \??\w: | ylerdhrukb.exe
File opened (read-only) | \??\y: | ylerdhrukb.exe
File opened (read-only) | \??\u: | canamoyw.exe
File opened (read-only) | \??\h: | ylerdhrukb.exe
File opened (read-only) | \??\h: | canamoyw.exe
File opened (read-only) | \??\z: | canamoyw.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ylerdhrukb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ylerdhrukb.exe
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2884-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2392-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2892-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1052-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1588-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2884-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2392-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2892-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1588-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4312-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2892-178-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1588-179-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ylerdhrukb.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File created | C:\Windows\SysWOW64\canamoyw.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File opened for modification | C:\Windows\SysWOW64\canamoyw.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | canamoyw.exe
File created | C:\Windows\SysWOW64\ylerdhrukb.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File created | C:\Windows\SysWOW64\gqalctxygxkpshv.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File opened for modification | C:\Windows\SysWOW64\gqalctxygxkpshv.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File created | C:\Windows\SysWOW64\vrchwdfnvwiqr.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File opened for modification | C:\Windows\SysWOW64\vrchwdfnvwiqr.exe | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ylerdhrukb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | canamoyw.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | canamoyw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | canamoyw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | canamoyw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | canamoyw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | canamoyw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | canamoyw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | canamoyw.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | C:\Windows\mydoc.rtf | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | canamoyw.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | canamoyw.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | canamoyw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12B47E039E353BABADD339CD4BE" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ylerdhrukb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ylerdhrukb.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ylerdhrukb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C6751490DBB1B8C07CE6EDE734BE" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFCFC485A85199046D7587D93BDE3E6345840674E623FD6ED" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9CCF917F19583083A4581EC3E98B08803FC43630239E2CD42E809D3" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B3FE6F22DBD172D1A88A7B916B" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ylerdhrukb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ylerdhrukb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0F9C2C82226A4176A777242DDB7D8564DB" | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
5032 | WINWORD.EXE
5032 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed; count in parentheses)
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe (16)
2884 | ylerdhrukb.exe (10)
2892 | canamoyw.exe (8)
2392 | gqalctxygxkpshv.exe (8)
4312 | vrchwdfnvwiqr.exe (12)
2392 | gqalctxygxkpshv.exe (4)
4312 | vrchwdfnvwiqr.exe (4)
2392 | gqalctxygxkpshv.exe (2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
2884 | ylerdhrukb.exe
2884 | ylerdhrukb.exe
2884 | ylerdhrukb.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
4312 | vrchwdfnvwiqr.exe
4312 | vrchwdfnvwiqr.exe
4312 | vrchwdfnvwiqr.exe
1588 | canamoyw.exe
1588 | canamoyw.exe
1588 | canamoyw.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
2884 | ylerdhrukb.exe
2884 | ylerdhrukb.exe
2884 | ylerdhrukb.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
2892 | canamoyw.exe
2392 | gqalctxygxkpshv.exe
4312 | vrchwdfnvwiqr.exe
4312 | vrchwdfnvwiqr.exe
4312 | vrchwdfnvwiqr.exe
1588 | canamoyw.exe
1588 | canamoyw.exe
1588 | canamoyw.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process (consecutive identical rows collapsed; count in parentheses)
5032 | WINWORD.EXE (7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1052 wrote to memory of 2884 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 78
PID 1052 wrote to memory of 2884 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 78
PID 1052 wrote to memory of 2884 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 78
PID 1052 wrote to memory of 2392 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 79
PID 1052 wrote to memory of 2392 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 79
PID 1052 wrote to memory of 2392 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 79
PID 1052 wrote to memory of 2892 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 80
PID 1052 wrote to memory of 2892 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 80
PID 1052 wrote to memory of 2892 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 80
PID 1052 wrote to memory of 4312 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 81
PID 1052 wrote to memory of 4312 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 81
PID 1052 wrote to memory of 4312 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 81
PID 1052 wrote to memory of 5032 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 82
PID 1052 wrote to memory of 5032 | 1052 | 872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe | 82
PID 2884 wrote to memory of 1588 | 2884 | ylerdhrukb.exe | 84
PID 2884 wrote to memory of 1588 | 2884 | ylerdhrukb.exe | 84
PID 2884 wrote to memory of 1588 | 2884 | ylerdhrukb.exe | 84
Processes (process tree; child processes are indented under their parent)
- Process: C:\Users\Admin\AppData\Local\Temp\872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\872de1f88890b188659f5420741b5484cb885b85945a8e224ed74873bd9fb266.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1052
  - Process: C:\Windows\SysWOW64\ylerdhrukb.exe
    Command line: ylerdhrukb.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2884
    - Process: C:\Windows\SysWOW64\canamoyw.exe
      Command line: C:\Windows\system32\canamoyw.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1588
  - Process: C:\Windows\SysWOW64\gqalctxygxkpshv.exe
    Command line: gqalctxygxkpshv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2392
  - Process: C:\Windows\SysWOW64\canamoyw.exe
    Command line: canamoyw.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2892
  - Process: C:\Windows\SysWOW64\vrchwdfnvwiqr.exe
    Command line: vrchwdfnvwiqr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4312
  - Process: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 5032
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads