Analysis
- max time kernel: 173s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 16:44
Behavioral task: behavioral1
- Sample: 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
- Resource: win7-20220812-en
General
- Target: 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
- Size: 255KB
- MD5: 8459365432914e1c8d8ee9f7788f8f50
- SHA1: cc92ee546f3d3c5748a515ac1f7714a814edaf31
- SHA256: 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2
- SHA512: e3d40d89482d3a2d01b503feaf19fde64d0917f86073550cacf1acf4bf99b35f2b88a18b448228aa39f79496febce22d5e566e609ec02feb2d16b8a73a389ecb
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJB:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mxpeihhpen.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mxpeihhpen.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mxpeihhpen.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mxpeihhpen.exe
Executes dropped EXE 5 IoCs
pid | Process
4932 | mxpeihhpen.exe
4840 | iontjitzqkiptto.exe
1812 | krdhljlf.exe
4564 | dbjxrlaoimqfd.exe
2700 | krdhljlf.exe
UPX packed file (yara rule: upx)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mxpeihhpen.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | iontjitzqkiptto.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fbdqhjvb = "mxpeihhpen.exe" | iontjitzqkiptto.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oowhalkx = "iontjitzqkiptto.exe" | iontjitzqkiptto.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dbjxrlaoimqfd.exe" | iontjitzqkiptto.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mxpeihhpen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mxpeihhpen.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\iontjitzqkiptto.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File created | C:\Windows\SysWOW64\dbjxrlaoimqfd.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | krdhljlf.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | krdhljlf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | krdhljlf.exe
File opened for modification | C:\Windows\SysWOW64\mxpeihhpen.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File created | C:\Windows\SysWOW64\iontjitzqkiptto.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File opened for modification | C:\Windows\SysWOW64\krdhljlf.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File opened for modification | C:\Windows\SysWOW64\dbjxrlaoimqfd.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mxpeihhpen.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | krdhljlf.exe
File created | C:\Windows\SysWOW64\mxpeihhpen.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File created | C:\Windows\SysWOW64\krdhljlf.exe | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File created | \??\c:\Program Files\SuspendReset.doc.exe | krdhljlf.exe
File opened for modification | \??\c:\Program Files\SuspendReset.doc.exe | krdhljlf.exe
File opened for modification | C:\Program Files\SuspendReset.nal | krdhljlf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | krdhljlf.exe
File opened for modification | C:\Program Files\SuspendReset.doc.exe | krdhljlf.exe
File opened for modification | \??\c:\Program Files\SuspendReset.doc.exe | krdhljlf.exe
File opened for modification | C:\Program Files\SuspendReset.nal | krdhljlf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\SuspendReset.doc.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | krdhljlf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | krdhljlf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | krdhljlf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | krdhljlf.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D0B9D5083236A3576A7702E2DDE7DF464D7" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mxpeihhpen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mxpeihhpen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mxpeihhpen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mxpeihhpen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FFFC482A82199041D72B7D94BDE2E140594A66466341D790" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67E14E5DAB3B8BC7CE8ED9537BA" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mxpeihhpen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mxpeihhpen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mxpeihhpen.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B028479539EA53B9BAA73299D7B9" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB7FE1B22D9D278D0A48B7F9113" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mxpeihhpen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mxpeihhpen.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFABBF963F2E2837A3B31819F3EE2B38E02FF43610239E2CA459D08A5" | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mxpeihhpen.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mxpeihhpen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mxpeihhpen.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
960 | WINWORD.EXE
960 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4932 | mxpeihhpen.exe
4932 | mxpeihhpen.exe
4932 | mxpeihhpen.exe
1812 | krdhljlf.exe
4840 | iontjitzqkiptto.exe
1812 | krdhljlf.exe
1812 | krdhljlf.exe
4840 | iontjitzqkiptto.exe
4840 | iontjitzqkiptto.exe
4564 | dbjxrlaoimqfd.exe
4564 | dbjxrlaoimqfd.exe
4564 | dbjxrlaoimqfd.exe
2700 | krdhljlf.exe
2700 | krdhljlf.exe
2700 | krdhljlf.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe
4932 | mxpeihhpen.exe
4932 | mxpeihhpen.exe
4932 | mxpeihhpen.exe
1812 | krdhljlf.exe
4840 | iontjitzqkiptto.exe
1812 | krdhljlf.exe
1812 | krdhljlf.exe
4840 | iontjitzqkiptto.exe
4840 | iontjitzqkiptto.exe
4564 | dbjxrlaoimqfd.exe
4564 | dbjxrlaoimqfd.exe
4564 | dbjxrlaoimqfd.exe
2700 | krdhljlf.exe
2700 | krdhljlf.exe
2700 | krdhljlf.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
960 | WINWORD.EXE
960 | WINWORD.EXE
960 | WINWORD.EXE
960 | WINWORD.EXE
960 | WINWORD.EXE
960 | WINWORD.EXE
960 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4952 wrote to memory of 4932 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 80
PID 4952 wrote to memory of 4932 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 80
PID 4952 wrote to memory of 4932 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 80
PID 4952 wrote to memory of 4840 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 81
PID 4952 wrote to memory of 4840 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 81
PID 4952 wrote to memory of 4840 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 81
PID 4952 wrote to memory of 1812 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 82
PID 4952 wrote to memory of 1812 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 82
PID 4952 wrote to memory of 1812 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 82
PID 4952 wrote to memory of 4564 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 83
PID 4952 wrote to memory of 4564 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 83
PID 4952 wrote to memory of 4564 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 83
PID 4932 wrote to memory of 2700 | 4932 | mxpeihhpen.exe | 84
PID 4932 wrote to memory of 2700 | 4932 | mxpeihhpen.exe | 84
PID 4932 wrote to memory of 2700 | 4932 | mxpeihhpen.exe | 84
PID 4952 wrote to memory of 960 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 85
PID 4952 wrote to memory of 960 | 4952 | 1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe | 85
Processes
- C:\Users\Admin\AppData\Local\Temp\1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe (depth 1, PID 4952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e23132b8db1e56d20c9e915cd8cfac60e1cb85d70a1272355f0af7fc097ced2.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mxpeihhpen.exe (depth 2, PID 4932)
    Command line: mxpeihhpen.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\krdhljlf.exe (depth 3, PID 2700)
      Command line: C:\Windows\system32\krdhljlf.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\iontjitzqkiptto.exe (depth 2, PID 4840)
    Command line: iontjitzqkiptto.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\krdhljlf.exe (depth 2, PID 1812)
    Command line: krdhljlf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\dbjxrlaoimqfd.exe (depth 2, PID 4564)
    Command line: dbjxrlaoimqfd.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 960)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Disabling Security Tools 2
- Hidden Files and Directories 2
- Modify Registry 6
Downloads