Analysis
max time kernel: 151s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/10/2022, 16:42
Behavioral task: behavioral1
Sample: c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Resource: win7-20220901-en
General
Target: c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Size: 256KB
MD5: a38ae7b8057be4f40b876cc1a3a4abe0
SHA1: fb10c7ec9370cc72111560ee8abbe7db3f8202a6
SHA256: c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4
SHA512: 7b142c6d848e9de74f32be7e6528de3d8f542ea7cef3a243ea1454360401789029f9f296608df71b3b33f07e5e81cc95d09607a52fd8a43f06d7659fabdc7f65
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6X:Plf5j6zCNa0xeE3mC
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dmunkluqnp.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dmunkluqnp.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dmunkluqnp.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dmunkluqnp.exe
Executes dropped EXE (5 IoCs)
pid | Process
4492 | dmunkluqnp.exe
2200 | ogiguwybqojmgiz.exe
740 | ivdfpbul.exe
628 | ssgvgzzarmwhu.exe
4312 | ivdfpbul.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dmunkluqnp.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ogiguwybqojmgiz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itgpflpt = "dmunkluqnp.exe" | ogiguwybqojmgiz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqcijbgq = "ogiguwybqojmgiz.exe" | ogiguwybqojmgiz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ssgvgzzarmwhu.exe" | ogiguwybqojmgiz.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dmunkluqnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dmunkluqnp.exe
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | C:\Windows\SysWOW64\dmunkluqnp.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File created | C:\Windows\SysWOW64\ivdfpbul.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File created | C:\Windows\SysWOW64\ssgvgzzarmwhu.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dmunkluqnp.exe
File opened for modification | C:\Windows\SysWOW64\ssgvgzzarmwhu.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | C:\Windows\SysWOW64\dmunkluqnp.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File created | C:\Windows\SysWOW64\ogiguwybqojmgiz.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File opened for modification | C:\Windows\SysWOW64\ogiguwybqojmgiz.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File opened for modification | C:\Windows\SysWOW64\ivdfpbul.exe | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Drops file in Program Files directory (16 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ivdfpbul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ivdfpbul.exe
File created | \??\c:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\UninstallDisable.nal | ivdfpbul.exe
File opened for modification | C:\Program Files\UninstallDisable.nal | ivdfpbul.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ivdfpbul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ivdfpbul.exe
File opened for modification | \??\c:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ivdfpbul.exe
File opened for modification | \??\c:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ivdfpbul.exe
File created | \??\c:\Program Files\UninstallDisable.doc.exe | ivdfpbul.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | C:\Windows\mydoc.rtf | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ivdfpbul.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ivdfpbul.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ivdfpbul.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dmunkluqnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dmunkluqnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dmunkluqnp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFF482782689146D62D7EE6BD97E630594A66406336D691" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B1FE1A22D8D209D0A28B799011" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dmunkluqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dmunkluqnp.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dmunkluqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dmunkluqnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dmunkluqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dmunkluqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACAF964F1E784753A4681EB3993B38E02FB4362034FE1C942E909A0" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B02C4795399D52CEBAD033E9D7CA" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dmunkluqnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dmunkluqnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C0C9D2C83516A3776DC77232DDF7D8065D9" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC70915E1DAB2B8CE7CE6EDE037C8" | c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dmunkluqnp.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3116 | WINWORD.EXE
3116 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c4c4bdf560a1675c1885f97c38d2e45497992fd20f6f38425514998f26f15fa4.exe"
    PID: 4708
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\dmunkluqnp.exe
        Command line: dmunkluqnp.exe
        PID: 4492
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\ivdfpbul.exe
            Command line: C:\Windows\system32\ivdfpbul.exe
            PID: 4312
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\ivdfpbul.exe
        Command line: ivdfpbul.exe
        PID: 740
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\ogiguwybqojmgiz.exe
        Command line: ogiguwybqojmgiz.exe
        PID: 2200
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\ssgvgzzarmwhu.exe
        Command line: ssgvgzzarmwhu.exe
        PID: 628
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 3116
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads