Analysis
-
max time kernel: 167s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2022, 15:08
Behavioral task: behavioral1
Sample: 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Resource: win7-20220812-en
General
-
Target: 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Size: 255KB
MD5: 81b282e39c7bd5b80196e5680b453d20
SHA1: c4e128b550dc99975452bec30d4689697a5540cd
SHA256: 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555
SHA512: d85dcfdaa65e2d3b3507da9a8f819aef7c7b802412e1bbb2faafe79673e73066759579bde9fe6ee996a0e5b5c30c5f7f62dbae800da5675942d894cdcdd0bddf
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6T:Plf5j6zCNa0xeE3my
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nzadxbwctr.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nzadxbwctr.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nzadxbwctr.exe
-
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nzadxbwctr.exe
-
Executes dropped EXE (5 IoCs)
pid | Process
4792 | nzadxbwctr.exe
2252 | frnyccologthwuh.exe
1132 | umzmmdwf.exe
3372 | bnwfirgcfvxqf.exe
620 | umzmmdwf.exe
-
resource | yara_rule
behavioral2/files/0x0008000000022e07-133.dat | upx
behavioral2/files/0x0008000000022e07-134.dat | upx
behavioral2/files/0x0008000000022e24-136.dat | upx
behavioral2/files/0x0006000000022e39-139.dat | upx
behavioral2/files/0x0006000000022e39-140.dat | upx
behavioral2/files/0x0008000000022e24-137.dat | upx
behavioral2/files/0x0006000000022e3a-143.dat | upx
behavioral2/files/0x0006000000022e3a-142.dat | upx
behavioral2/memory/4792-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2996-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2252-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1132-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3372-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e39-150.dat | upx
behavioral2/memory/2996-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/620-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e27-158.dat | upx
behavioral2/files/0x0006000000022e3f-160.dat | upx
behavioral2/files/0x0006000000022e40-161.dat | upx
behavioral2/memory/4792-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2252-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1132-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3372-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/620-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000016999-170.dat | upx
behavioral2/files/0x000300000000071d-171.dat | upx
behavioral2/files/0x000300000000071d-172.dat | upx
behavioral2/files/0x000300000000071d-173.dat | upx
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nzadxbwctr.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | frnyccologthwuh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\afgqosjg = "nzadxbwctr.exe" | frnyccologthwuh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rlpmjkge = "frnyccologthwuh.exe" | frnyccologthwuh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bnwfirgcfvxqf.exe" | frnyccologthwuh.exe
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
All 64 rows are "File opened (read-only)" on a drive root; rows for the same process are merged below, with drive letters listed in alphabetical order.
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\k: \??\l: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (22 rows, one per letter) | nzadxbwctr.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (42 rows; b, e, g, j, k, m, n, o, p, q, r, s, u, v, w, x, y and z appear twice, the other letters once) | umzmmdwf.exe
-
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nzadxbwctr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nzadxbwctr.exe
-
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4792-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2996-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2252-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1132-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3372-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2996-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/620-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4792-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2252-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1132-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3372-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/620-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
-
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\nzadxbwctr.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File created | C:\Windows\SysWOW64\frnyccologthwuh.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File opened for modification | C:\Windows\SysWOW64\frnyccologthwuh.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File opened for modification | C:\Windows\SysWOW64\umzmmdwf.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nzadxbwctr.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umzmmdwf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umzmmdwf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | C:\Windows\SysWOW64\nzadxbwctr.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File created | C:\Windows\SysWOW64\umzmmdwf.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File created | C:\Windows\SysWOW64\bnwfirgcfvxqf.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File opened for modification | C:\Windows\SysWOW64\bnwfirgcfvxqf.exe | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | umzmmdwf.exe
-
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\RedoCheckpoint.doc.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | umzmmdwf.exe
File created | \??\c:\Program Files\RedoCheckpoint.doc.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\RedoCheckpoint.nal | umzmmdwf.exe
File opened for modification | C:\Program Files\RedoCheckpoint.nal | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umzmmdwf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\RedoCheckpoint.doc.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\RedoCheckpoint.doc.exe | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umzmmdwf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | umzmmdwf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | umzmmdwf.exe
File opened for modification | C:\Program Files\RedoCheckpoint.doc.exe | umzmmdwf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | umzmmdwf.exe
-
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | umzmmdwf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umzmmdwf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umzmmdwf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | umzmmdwf.exe
File opened for modification | C:\Windows\mydoc.rtf | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CDF963F29083083B4286ED39E4B080028842130348E2C9459E08A2" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BB3FE1A22D9D27FD1D48A089114" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B15C44E439EF53BABAD63392D7B9" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D0D9C5783206D3476D277212CDD7CF365DB" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF894F2785689131D65A7D92BDEEE1345841664F623FD7E9" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67D14E2DAB6B8CE7C94EDE034CC" | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nzadxbwctr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nzadxbwctr.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | nzadxbwctr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | nzadxbwctr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | nzadxbwctr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | nzadxbwctr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | nzadxbwctr.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4536 | WINWORD.EXE (2 rows)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (identical rows merged, with the row count)
2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe (16 rows)
2252 | frnyccologthwuh.exe (10 rows)
4792 | nzadxbwctr.exe (10 rows)
1132 | umzmmdwf.exe (8 rows)
3372 | bnwfirgcfvxqf.exe (12 rows)
620 | umzmmdwf.exe (8 rows)
-
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (identical rows merged, with the row count)
2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe (3 rows)
4792 | nzadxbwctr.exe (3 rows)
2252 | frnyccologthwuh.exe (3 rows)
1132 | umzmmdwf.exe (3 rows)
3372 | bnwfirgcfvxqf.exe (3 rows)
620 | umzmmdwf.exe (3 rows)
-
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (identical rows merged, with the row count)
2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe (3 rows)
4792 | nzadxbwctr.exe (3 rows)
2252 | frnyccologthwuh.exe (3 rows)
1132 | umzmmdwf.exe (3 rows)
3372 | bnwfirgcfvxqf.exe (3 rows)
620 | umzmmdwf.exe (3 rows)
-
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4536 | WINWORD.EXE (7 rows)
-
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target (identical rows merged, with the row count)
PID 2996 wrote to memory of 4792 | 2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe | 79 (3 rows)
PID 2996 wrote to memory of 2252 | 2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe | 80 (3 rows)
PID 2996 wrote to memory of 1132 | 2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe | 82 (3 rows)
PID 2996 wrote to memory of 3372 | 2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe | 81 (3 rows)
PID 2996 wrote to memory of 4536 | 2996 | 4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe | 83 (2 rows)
PID 4792 wrote to memory of 620 | 4792 | nzadxbwctr.exe | 85 (3 rows)
Processes
-
Process tree (indentation shows parent/child nesting; the original report marks each entry with its depth 1, 2 or 3):

C:\Users\Admin\AppData\Local\Temp\4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe (PID 2996, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d7a5fb592206ebffe5e32aee5fce14bb9f1599b93dbac5d367c5ac305bd9555.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nzadxbwctr.exe (PID 4792, depth 2)
      Command line: nzadxbwctr.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\umzmmdwf.exe (PID 620, depth 3)
          Command line: C:\Windows\system32\umzmmdwf.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\frnyccologthwuh.exe (PID 2252, depth 2)
      Command line: frnyccologthwuh.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\bnwfirgcfvxqf.exe (PID 3372, depth 2)
      Command line: bnwfirgcfvxqf.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\umzmmdwf.exe (PID 1132, depth 2)
      Command line: umzmmdwf.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4536, depth 2)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads