Analysis
max time kernel: 158s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2022, 16:08
Behavioral task: behavioral1
Sample: 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Resource: win10v2004-20220812-en
General
Target: 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Size: 255KB
MD5: 06aa52d3519cbceda0513bf78c4b83f0
SHA1: 3fdae2728658cf9fb066cb5ede05685936f38892
SHA256: 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8
SHA512: 75356f9627fbbd6c530bc5b5dfa384df87ba25b94ba0a81beb7a5a6ea1d1d2a0294911e2a943fdd2e3d33401b6e81a197f315dbde67c61fa797129653e2bbfa9
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI/4:Plf5j6zCNa0xeE3mI
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dqcknbomgy.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dqcknbomgy.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dqcknbomgy.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dqcknbomgy.exe
Executes dropped EXE (5 IoCs)
pid | Process
1384 | dqcknbomgy.exe
2616 | dckzpvyntdxbgju.exe
4844 | ufmnshpk.exe
1784 | btiomosmhekfi.exe
224 | ufmnshpk.exe
YARA rule matches: upx
resource | yara_rule
behavioral2/memory/4772-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4772-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0009000000022f50-135.dat | upx
behavioral2/files/0x0009000000022f50-136.dat | upx
behavioral2/files/0x0007000000022f56-138.dat | upx
behavioral2/files/0x0007000000022f56-139.dat | upx
behavioral2/memory/2616-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1384-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f5c-143.dat | upx
behavioral2/files/0x0006000000022f5c-144.dat | upx
behavioral2/files/0x0006000000022f5d-147.dat | upx
behavioral2/files/0x0006000000022f5d-146.dat | upx
behavioral2/memory/4844-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f5c-151.dat | upx
behavioral2/memory/224-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1384-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2616-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4844-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1784-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/224-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4772-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f68-161.dat | upx
behavioral2/files/0x0006000000022f66-160.dat | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dqcknbomgy.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | dckzpvyntdxbgju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mshsfuyx = "dqcknbomgy.exe" | dckzpvyntdxbgju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jccanrxk = "dckzpvyntdxbgju.exe" | dckzpvyntdxbgju.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "btiomosmhekfi.exe" | dckzpvyntdxbgju.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only), ioc: \??\<drive letter>:, grouped by Process in the order reported
dqcknbomgy.exe (22 entries): m, n, u, a, q, t, v, i, r, h, w, g, k, e, p, b, l, y, z, j, x, s
ufmnshpk.exe (42 entries, including repeats): y, a, e, q, v, r, x, g, h, l, h, u, f, o, t, i, f, m, j, x, t, w, q, b, r, e, z, v, o, w, l, n, k, i, g, j, m, a, n, p, y, b
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dqcknbomgy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dqcknbomgy.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4772-133-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2616-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1384-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4844-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/224-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1384-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2616-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4844-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1784-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/224-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4772-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dqcknbomgy.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File created | C:\Windows\SysWOW64\dckzpvyntdxbgju.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File created | C:\Windows\SysWOW64\ufmnshpk.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dqcknbomgy.exe
File opened for modification | C:\Windows\SysWOW64\btiomosmhekfi.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File opened for modification | C:\Windows\SysWOW64\dqcknbomgy.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File opened for modification | C:\Windows\SysWOW64\dckzpvyntdxbgju.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File opened for modification | C:\Windows\SysWOW64\ufmnshpk.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
File created | C:\Windows\SysWOW64\btiomosmhekfi.exe | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Drops file in Program Files directory (16 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ufmnshpk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ufmnshpk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ufmnshpk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ufmnshpk.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12C47E339EC52CDBAA133EED7CD" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B6FE6C22DBD209D1D28B099062" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dqcknbomgy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dqcknbomgy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dqcknbomgy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dqcknbomgy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FACEF966F29384093A4781EB39E6B38B02F04260033BE1C942EA09D6" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dqcknbomgy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dqcknbomgy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dqcknbomgy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dqcknbomgy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dqcknbomgy.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D799C5183546A3276D270522CAC7DF265AB" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC834829851E9135D7287E96BDE0E143594267356341D79D" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC60B15E1DAC5B8CA7FE6EC9634BB" | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dqcknbomgy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dqcknbomgy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dqcknbomgy.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4452 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive repeats collapsed, order as reported)
4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe (x12)
1384 | dqcknbomgy.exe (x10)
4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe (x4)
2616 | dckzpvyntdxbgju.exe (x10)
4844 | ufmnshpk.exe (x8)
2616 | dckzpvyntdxbgju.exe (x2)
1784 | btiomosmhekfi.exe (x13)
2616 | dckzpvyntdxbgju.exe (x2)
1784 | btiomosmhekfi.exe (x4)
Suspicious use of FindShellTrayWindow (19 IoCs)
pid | Process (consecutive repeats collapsed)
4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe (x4)
1384 | dqcknbomgy.exe (x3)
2616 | dckzpvyntdxbgju.exe (x3)
4844 | ufmnshpk.exe (x3)
1784 | btiomosmhekfi.exe (x3)
224 | ufmnshpk.exe (x3)
Suspicious use of SendNotifyMessage (19 IoCs)
pid | Process (consecutive repeats collapsed)
4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe (x4)
1384 | dqcknbomgy.exe (x3)
2616 | dckzpvyntdxbgju.exe (x3)
4844 | ufmnshpk.exe (x3)
1784 | btiomosmhekfi.exe (x3)
224 | ufmnshpk.exe (x3)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
4452 | WINWORD.EXE (x3)
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 4772 wrote to memory of 1384 | 4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe | 80 (x3)
PID 4772 wrote to memory of 2616 | 4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe | 81 (x3)
PID 4772 wrote to memory of 4844 | 4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe | 82 (x3)
PID 4772 wrote to memory of 1784 | 4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe | 83 (x3)
PID 2616 wrote to memory of 2348 | 2616 | dckzpvyntdxbgju.exe | 84 (x3)
PID 1384 wrote to memory of 224 | 1384 | dqcknbomgy.exe | 86 (x3)
PID 4772 wrote to memory of 4452 | 4772 | 23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe | 88 (x2)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\23a174d61c8e5cb4e8d88c5c39b39e57e7b4584bdd0b92e98908f6196b7f8ef8.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4772
[depth 2] C:\Windows\SysWOW64\dqcknbomgy.exe
Command line: dqcknbomgy.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1384
[depth 3] C:\Windows\SysWOW64\ufmnshpk.exe
Command line: C:\Windows\system32\ufmnshpk.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 224
[depth 2] C:\Windows\SysWOW64\dckzpvyntdxbgju.exe
Command line: dckzpvyntdxbgju.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2616
[depth 3] C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c btiomosmhekfi.exe
PID: 2348
[depth 2] C:\Windows\SysWOW64\ufmnshpk.exe
Command line: ufmnshpk.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4844
[depth 2] C:\Windows\SysWOW64\btiomosmhekfi.exe
Command line: btiomosmhekfi.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1784
[depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4452
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 6
Downloads