Analysis
  max time kernel:  154s
  max time network: 49s
  platform:         windows7_x64
  resource:         win7-20220812-en
  resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:        30-10-2022 20:59
Behavioral task: behavioral1
  Sample:   7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  Resource: win7-20220812-en
General
  Target: 7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  Size:   255KB
  MD5:    a1981732e7f8dd511707e7b3f5ab7711
  SHA1:   1ef34d7b1561aba00fb338e61e02046ad073a29e
  SHA256: 7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481
  SHA512: f4a4201ea00cae54acaa45641821431ebf1992a3d61ef3194eb8b36ea8ceec1ffe2da4540a94417106128cf938b3953f57be41d280fb42b808e28f52f4838310
  SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJA:1xlZam+akqx6YQJXcNlEHUIQeE3mmBID
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  credbdlxai.exe
  Hiding known extensions is what makes the dropped "*.doc.exe" lures (see "Drops file in Program Files directory" below) display as plain documents.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  credbdlxai.exe
Windows security bypass (5 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    credbdlxai.exe
  These are the legacy Security Center notification switches: they silence the "no antivirus / firewall off / updates off" warnings rather than stopping any product. Note the Wow6432Node path: the writer is a 32-bit process on a 64-bit host.
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  credbdlxai.exe
Executes dropped EXE (4 IoCs)
  PID   Process
  1948  credbdlxai.exe
  1956  hhevgzsojfqfhjy.exe
  2024  tmisxaesxbqkl.exe
  520   juteshpk.exe
UPX packed file (yara rule "upx", 24 IoCs)
  Memory regions (all at 0x00400000-0x004A0000, i.e. the main image of each process):
    behavioral1/memory/1184-55, 1184-57 (0x02F10000-0x02FB0000), 1184-85
    behavioral1/memory/1948-70, 1948-87
    behavioral1/memory/1956-72, 1956-86
    behavioral1/memory/2024-81, 2024-88
    behavioral1/memory/520-84, 520-89
  Dropped files:
    behavioral1/files/0x0007000000005c50-56, -59, -67
    behavioral1/files/0x000b0000000122cc-60, -63, -68
    behavioral1/files/0x000a0000000122ce-64, -78, -79, -82
    behavioral1/files/0x00090000000122dd-73, -74, -76
  The parent and all four dropped executables match the same rule over the same image range, consistent with one packed binary copied under different names.
Loads dropped DLL (5 IoCs)
  PID   Process
  1184  7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe (3 loads)
  1204  cmd.exe
  1948  credbdlxai.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  (No IoC rows are listed on the page for this signature.)
Windows security modification (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"    credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"        credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"       credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"        credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"   credbdlxai.exe
  This signature overlaps the "Windows security bypass" list above; the only value unique to it is FirstRunDisabled.
Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                  hhevgzsojfqfhjy.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hewelmvm = "credbdlxai.exe"       hhevgzsojfqfhjy.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hrwkhhct = "hhevgzsojfqfhjy.exe"  hhevgzsojfqfhjy.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tmisxaesxbqkl.exe"            hhevgzsojfqfhjy.exe
  All three entries are bare file names with no path, and the third is written to the key's unnamed (default) value. Persistence is set up by hhevgzsojfqfhjy.exe, not by the component it points at.
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\a: through \??\z:, every letter except c: and d:  credbdlxai.exe  (24 opens)
  File opened (read-only)  \??\a: through \??\z:, every letter except c: and d:  juteshpk.exe    (24 opens)
  A full a-z sweep by two separate components is the usual prelude to copying onto removable or mapped drives.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"             credbdlxai.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  credbdlxai.exe
  4294967197 is the unsigned rendering of the DWORD 0xFFFFFF9D (signed -99), the old Windows File Protection kill switch. It predates Windows Resource Protection, so its actual effect on the Windows 7 sandbox is doubtful; the intent (stop the OS restoring system files the malware overwrites) is what matters for triage.
AutoIT Executable (9 IoCs)
  AutoIT scripts compiled to PE executables.
  yara rule "autoit_exe" over the 0x00400000-0x004A0000 image of every process:
    behavioral1/memory/1948-70, 1948-87
    behavioral1/memory/1956-72, 1956-86
    behavioral1/memory/2024-81, 2024-88
    behavioral1/memory/520-84, 520-89
    behavioral1/memory/1184-85
  The same image ranges that matched "upx" above also match "autoit_exe", so the dropped components are a UPX-packed compiled AutoIt script.
Drops file in System32 directory (9 IoCs)
  File created                C:\Windows\SysWOW64\credbdlxai.exe       7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File opened for modification C:\Windows\SysWOW64\credbdlxai.exe      7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File created                C:\Windows\SysWOW64\hhevgzsojfqfhjy.exe  7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File opened for modification C:\Windows\SysWOW64\hhevgzsojfqfhjy.exe 7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File created                C:\Windows\SysWOW64\tmisxaesxbqkl.exe    7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File opened for modification C:\Windows\SysWOW64\tmisxaesxbqkl.exe   7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File created                C:\Windows\SysWOW64\juteshpk.exe         7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File opened for modification C:\Windows\SysWOW64\juteshpk.exe        7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll        credbdlxai.exe
  The sample is 32-bit, so its writes to C:\Windows\system32 land in C:\Windows\SysWOW64 through WoW64 file-system redirection. The msvbvm60.dll entry is an open-for-write on the VB6 runtime, not a drop of it.
Drops file in Program Files directory (12 IoCs)
  File created                 \??\c:\Program Files\ResumeDeny.doc.exe                                        juteshpk.exe
  File opened for modification C:\Program Files\ResumeDeny.doc.exe                                           juteshpk.exe
  File opened for modification \??\c:\Program Files\ResumeDeny.doc.exe                                       juteshpk.exe
  File opened for modification C:\Program Files\ResumeDeny.nal                                               juteshpk.exe
  File created                 \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe     juteshpk.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe        juteshpk.exe
  File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe    juteshpk.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal            juteshpk.exe
  File created                 \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe     juteshpk.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe        juteshpk.exe
  File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe    juteshpk.exe
  File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal            juteshpk.exe
  Every "<name>.DOC.exe" juteshpk.exe writes has a same-stem "<name>.nal" beside it. The page does not show what the .nal files contain, but the pairing itself, together with the HideFileExt change above that makes "PROTTPLN.DOC.exe" display as "PROTTPLN.DOC", is a usable hunt pattern.
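A responder who wants to find this lure layout on other hosts needs more than the three paths above. The following is an added example, not code from the report or from the sample: it walks a directory tree for executables named "<stem>.<document-extension>.exe" and reports whether a same-stem ".nal" file sits next to each. The directory tree it scans is constructed in a temporary folder (a stand-in for the Program Files paths in the report plus some assumed benign files), so it runs offline.

```python
"""Hunt for the lure layout reported above: an executable named
'<stem>.<document-ext>.exe' sitting next to a '<stem>.nal' file.
Added example, not code from the report or the sample; the directory
tree and file contents are constructed here."""
import os
import re
import tempfile
from pathlib import Path

# Document-looking inner extensions and executable outer extensions.
DOC_EXT = r'(?:doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|txt)'
EXE_EXT = r'(?:exe|scr|com|pif)'
DOUBLE_EXT = re.compile(rf'^(?P<stem>.+)\.{DOC_EXT}\.{EXE_EXT}$', re.IGNORECASE)


def scan_tree(root):
    """Return one hit per double-extension executable under root, noting
    whether a same-stem .nal companion sits in the same directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {name.lower() for name in files}   # case-insensitive like NTFS
        for name in files:
            m = DOUBLE_EXT.match(name)
            if not m:
                continue
            stem = m.group("stem")
            hits.append({
                "path": str(Path(dirpath, name)),
                "stem": stem,
                "has_nal_companion": (stem + ".nal").lower() in lowered,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Constructed stand-in for the report's Program Files layout, plus an
    assumed Downloads folder with one double-extension file and no .nal."""
    root = tempfile.mkdtemp(prefix="lure-scan-")
    layout = {
        "Program Files": ["ResumeDeny.doc.exe", "ResumeDeny.nal", "readme.txt"],
        "Program Files (x86)/Microsoft Office/Office14/1033": [
            "PROTTPLN.DOC.exe", "PROTTPLN.nal",
            "PROTTPLV.DOC.exe", "PROTTPLV.nal",
            "Quarterly.docx",                      # assumed benign document
        ],
        "Users/Admin/Downloads": ["notes.txt.exe", "setup.exe"],   # assumed
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            # a stub "MZ" header for anything ending in .exe, filler otherwise
            body = (b"MZ" + b"\0" * 62) if name.lower().endswith(".exe") else b"stub"
            (d / name).write_bytes(body)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        flag = "with .nal companion" if hit["has_nal_companion"] else "no companion"
        print(f'{hit["path"]}  ({flag})')
```

On a real host, point scan_tree at the drive root (or at Program Files and user profile roots) and treat a hit with a .nal companion as a strong match for this family; a hit without one is still worth a look, since double-extension executables have no legitimate reason to exist.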
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (No IoC rows are listed on the page; together with the a-z drive sweep above, spreading to removable media fits the evidence at least as well as ransomware.)
Modifies registry class (19 IoCs)
  Script file associations remapped by credbdlxai.exe (6 keys created, 6 default values set):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat    credbdlxai.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.reg    credbdlxai.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs    credbdlxai.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc    credbdlxai.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf    credbdlxai.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh    credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  credbdlxai.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  credbdlxai.exe
    Pointing .bat, .reg, .vbs and the WSH extensions at "txtfile" makes a double-click open them in Notepad instead of running them, which blocks the user's usual one-click cleanup scripts and .reg fixes.
  CLV.Classes values written by the original sample (1 key created, 6 values set; the page does not say what the hex strings mean):
    Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes  7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB0FF1A21DDD27CD0A38B7F9167"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C70814E5DAB0B8CC7C95EDE437CD"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7A9C2C83206A3E76D470532DD67D8F64AB"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFABCF913F2E4830C3A4B819839E5B0FC028B4269033FE1BD42EA09A3"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02F4495399852CDBAA133EED7CD"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8A482982129030D75F7D90BCEEE643594566466335D798"
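The registry signatures above (Explorer visibility, Security Center overrides, DisableRegistryTools, the Winlogon SFC values, the Run key entries and the script-extension remap) are all "Set value" events on a short list of well-known paths, which makes them easy to turn into a detection. The following is an added example, not code from the report or the sample: it parses event lines written in the report's own "Set value (type) <path> = "<value>" <process>" layout, matches them against one rule per signature, and decodes the SFCDisable DWORD. The input list is constructed here: it repeats eight IoC lines from the report and adds two assumed benign lines that must not fire.

```python
"""Flag the registry tampering reported above, over event lines written in
the report's own 'Set value (type) <path> = "<value>" <process>' layout.
Added example, not code from the report or the sample."""
import re
from collections import Counter

# Constructed input: IoC lines copied from the report, plus two benign lines
# (assumed, not on the page) that must NOT fire: explorer.exe turning
# extensions back on, and an installer registering a harmless .txt handler.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" credbdlxai.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" credbdlxai.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" credbdlxai.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" credbdlxai.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" credbdlxai.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" credbdlxai.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hewelmvm = "credbdlxai.exe" hhevgzsojfqfhjy.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" credbdlxai.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat credbdlxai.exe',          # not a Set value: ignored
    r'Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" explorer.exe',  # assumed benign
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "txtfile" setup.exe',   # assumed benign
]

# type, path (may contain spaces), quoted value, process name
SET_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*?)" (\S+)$')

# (path pattern, required value or None for any value, category). The path
# match is anchored at the end so the SID / Wow6432Node prefix does not matter.
RULES = [
    (re.compile(r'\\Explorer\\Advanced\\HideFileExt$', re.I), "1", "explorer: hides file extensions"),
    (re.compile(r'\\Explorer\\Advanced\\ShowSuperHidden$', re.I), "0", "explorer: hides protected OS files"),
    (re.compile(r'\\Security Center\\(AntiVirus|Firewall)(Override|DisableNotify)$', re.I), "1", "security center: AV/firewall warnings suppressed"),
    (re.compile(r'\\Security Center\\(UpdatesDisableNotify|FirstRunDisabled)$', re.I), "1", "security center: update warnings suppressed"),
    (re.compile(r'\\Policies\\System\\DisableRegistryTools$', re.I), "1", "policy: regedit disabled"),
    (re.compile(r'\\Winlogon\\SFC(Disable|Scan)$', re.I), None, "winlogon: WFP/SFC setting changed"),
    (re.compile(r'\\CurrentVersion\\Run\\[^\\]*$', re.I), None, "persistence: Run key"),
    (re.compile(r'\\Classes\\\.(bat|cmd|vbs|vbe|js|jse|reg|wsf|wsc|wsh)\\$', re.I), "txtfile", "classes: script extension remapped to txtfile"),
]


def sfc_disable_meaning(raw):
    """SFCDisable is a DWORD; the report prints it unsigned (4294967197),
    which is 0xFFFFFF9D, i.e. -99 as a signed 32-bit value."""
    v = int(raw) & 0xFFFFFFFF
    signed = v - (1 << 32) if v & 0x80000000 else v
    return f"0x{v:08X} (signed {signed})"


def classify(lines):
    """Return one finding per Set-value line that matches a rule."""
    findings = []
    for line in lines:
        m = SET_RE.match(line)
        if not m:
            continue                       # "Key created" and other rows are skipped
        _type, path, value, proc = m.groups()
        for pattern, expected, category in RULES:
            if pattern.search(path) and (expected is None or value == expected):
                note = sfc_disable_meaning(value) if path.lower().endswith("\\sfcdisable") else value
                findings.append({"process": proc, "category": category, "path": path, "value": note})
                break
    return findings


def summarize(findings):
    """Count findings per (process, category) for a quick triage view."""
    return Counter((f["process"], f["category"]) for f in findings)


if __name__ == "__main__":
    for (proc, category), n in sorted(summarize(classify(SAMPLE_EVENTS)).items()):
        print(f"{proc:22} {n:2}  {category}")
```

The rules key on the tail of the path so the same table works against HKLM, HKU\<SID> and Wow6432Node variants; the value check is what keeps the benign explorer.exe line (HideFileExt back to 0) from firing. Feeding it real Sysmon Event ID 13 data is a matter of reformatting each event into the same one-line shape.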
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  One row per call; collapsed here to counts per PID:
  PID   Process                                                                  Calls
  1184  7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe     7
  1948  credbdlxai.exe                                                           5
  1956  hhevgzsojfqfhjy.exe                                                      20
  2024  tmisxaesxbqkl.exe                                                        28
  520   juteshpk.exe                                                             4
  The hhevgzsojfqfhjy.exe / tmisxaesxbqkl.exe pair keeps enumerating in an alternating loop for the rest of the run, which looks like a watchdog checking that its sibling is still alive.
Suspicious use of FindShellTrayWindow (15 IoCs)
  3 calls each from PIDs 1184 (7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe), 1948 (credbdlxai.exe), 1956 (hhevgzsojfqfhjy.exe), 2024 (tmisxaesxbqkl.exe) and 520 (juteshpk.exe).
Suspicious use of SendNotifyMessage (15 IoCs)
  3 calls each from PIDs 1184 (7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe), 1948 (credbdlxai.exe), 1956 (hhevgzsojfqfhjy.exe), 2024 (tmisxaesxbqkl.exe) and 520 (juteshpk.exe).
  FindShellTrayWindow followed by SendNotifyMessage is the AutoIt runtime's standard tray-icon handling, so on its own this pair says "compiled AutoIt", not "injection".
Suspicious use of WriteProcessMemory (24 IoCs)
  Four identical rows per parent/child pair; procid_target is Triage's own process index, not a PID.
  Writer PID  Writer                                                                    Target PID  Target               Rows  procid_target
  1184        7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe      1948        credbdlxai.exe       4     26
  1184        7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe      1956        hhevgzsojfqfhjy.exe  4     27
  1184        7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe      900         juteshpk.exe         4     28
  1956        hhevgzsojfqfhjy.exe                                                       1204        cmd.exe              4     29
  1204        cmd.exe                                                                   2024        tmisxaesxbqkl.exe    4     31
  1948        credbdlxai.exe                                                            520         juteshpk.exe         4     32
  Every target is a child the writer itself launched (compare the process tree below), so these writes are consistent with ordinary process creation rather than injection into an unrelated process.
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7696a68e36b79705404dda918e91505ec64e4a443ced4aeb7df84bbe3a01c481.exe"
      PID: 1184
      - Loads dropped DLL
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\credbdlxai.exe
        command line: credbdlxai.exe
        PID: 1948
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\juteshpk.exe
          command line: C:\Windows\system32\juteshpk.exe
          PID: 520
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          (the command line names system32 but the image runs from SysWOW64: WoW64 redirection again)

    [2] C:\Windows\SysWOW64\hhevgzsojfqfhjy.exe
        command line: hhevgzsojfqfhjy.exe
        PID: 1956
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe
          command line: cmd.exe /c tmisxaesxbqkl.exe
          PID: 1204
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\SysWOW64\tmisxaesxbqkl.exe
            command line: tmisxaesxbqkl.exe
            PID: 2024
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\juteshpk.exe
        command line: juteshpk.exe
        PID: 900
        (no signatures recorded for this instance; the copy that did the work is PID 520, started later by credbdlxai.exe)

  Division of labour: the parent drops four copies into SysWOW64 and exits the stage; credbdlxai.exe does the defence evasion (Explorer, Security Center, regedit, Winlogon, file associations); hhevgzsojfqfhjy.exe installs the Run keys and relaunches tmisxaesxbqkl.exe through cmd.exe; juteshpk.exe sweeps drives and plants the .DOC.exe lures.
Network
MITRE ATT&CK Enterprise v6
  Persistence
    Hidden Files and Directories        (2)
    Registry Run Keys / Startup Folder  (1)
    Winlogon Helper DLL                 (1)
  Defense Evasion
    Disabling Security Tools            (2)
    Hidden Files and Directories        (2)
    Modify Registry                     (6)
Downloads
  The page lists 13 dropped-file entries, every one 255KB (the same size as the parent). They collapse to four distinct files, matching the four dropped executables in count, though the page does not say which hash belongs to which name.

  File 1 (listed 3 times)
    Filesize: 255KB
    MD5:    a048c62fe289f9cfff23765fd3c9a678
    SHA1:   f2941b537ddf72c55629351a5e994a7a4c349d45
    SHA256: 13972d48409ecfae615560fbc2fdb4915fe097e6264c7ea0a0d20af00e912efa
    SHA512: 09c0ebaa3019e915e6399fcda4d78dab8dc152fd2365dd0bcb4cd188cbef4507bcaa2c272e38ed7e543d0f6e7b946f81e7db9bd40c50f6066b358c8da0505750

  File 2 (listed 3 times)
    Filesize: 255KB
    MD5:    4d6230a19ec168b18709fcd38c84ac79
    SHA1:   c709b68e7fe54d23507ce3b127e50bae94875a6b
    SHA256: 4d7539f93cc7c9072c83ec0817ae5d583e0524492291fae97d12f974c82371a1
    SHA512: a2cabcd07c3bdd90bee8cdbbf66721cf1b0e41b33d71e1a50df70912faee5f079fe19aa59d46d5276d8f01b2b547cc5a7473525fc38c41511475d038b826448a

  File 3 (listed 4 times)
    Filesize: 255KB
    MD5:    6d852c852d33cc003f63a616735e1e4f
    SHA1:   77d45b13429aa30bdcd91deeeeb458342c7e7b18
    SHA256: 1a47f31c71ef8397be52df987582388e01f98c4d5f8f3906fe1e04e6936a81dd
    SHA512: 8564d3c13994829dedd15ed59535db28f6a7bf85c74af47c4c791631b76755bd0e760e4c64b91a1ef5ff771546091e9a9d9f648c74bf5c5f7eade08c8a8a69b2

  File 4 (listed 3 times)
    Filesize: 255KB
    MD5:    d7170bb361ac55f0f70c5a8b1b0811ef
    SHA1:   df33570c23a965c791df49b147062670a1990610
    SHA256: 73db67b978d171de2fde8b27169ff0b3d92a8f1af938381cc98b9b2bfc2280da
    SHA512: e1f94d64a6189915b4e8ecb5d15946b8e4136ce45897972545e1135cf8cf5444ea36a24b4f9680b174b5cfa84abebb82c7b301c5ef7c4bbc0222f88accad246d

  Four distinct hashes at an identical size, from a parent that is also 255KB, means each drop is a re-encoded or lightly mutated copy rather than a byte-for-byte clone: block on all five hashes, and prefer the SysWOW64 file names plus the registry and lure-file patterns above for hunting, since the next host will likely carry new hashes.