Analysis
max time kernel: 155s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2022, 21:35
Behavioral task: behavioral1
Sample: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Resource: win7-20220812-en
Note: this header lists the Windows 7 task, but the signatures, yara hits and process tree below are tagged behavioral2 and come from the Windows 10 2004 x64 run described in the Analysis block above.
General
Target: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Size: 255KB
MD5: 02ae9753ce806ffeb5ce51acafbecba1
SHA1: 9348aeb1b26556db5de9f94fd2931615c8cef86b
SHA256: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6
SHA512: 0cbed35394f4b81bb56dbda507ad548cba5097665df4acb7440f4332d5d2faf619b9ea4d415b5fdf3dc1449045f064e69b67462ff5208ca8dd153a700ae25e97
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6l:Plf5j6zCNa0xeE3my
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by dknfmokczg.exe
HideFileExt = 1 makes Explorer hide registered extensions, so the "PROTTPLN.DOC.exe" and "MsoIrmProtector.doc.exe" files written later in this report are displayed as "PROTTPLN.DOC" and "MsoIrmProtector.doc". The S-1-5-21-...-1000 hive is the profile of the logged-on sandbox user (Admin).
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by dknfmokczg.exe
ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings.
Windows security bypass
All set by dknfmokczg.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) AntiVirusOverride = "1"
- Set value (int) FirewallOverride = "1"
These are the legacy Security Center notification and override switches. The key sits under WOW6432Node because dknfmokczg.exe is a 32-bit process and WOW64 registry redirection maps its HKLM\SOFTWARE writes there.
Disables RegEdit via registry modification 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by dknfmokczg.exe
Executes dropped EXE 5 IoCs
- PID 5012 dknfmokczg.exe
- PID 4928 kjaxvlulopkmpom.exe
- PID 4896 txpmnkxl.exe
- PID 376 kbxefqplduoms.exe
- PID 860 txpmnkxl.exe
UPX packed file (yara rule upx)
Memory regions, all 0x00400000-0x004A0000 (the default 32-bit PE image base): behavioral2/memory/2376-132, 4928-143, 5012-142, 4896-144, 376-150, 860-151, 2376-153, 5012-164, 4928-165, 4896-166, 376-167, 860-168 (memory.dmp)
Dropped files: behavioral2/files/0x0004000000022dc0-134 and -135; 0x0003000000022de0-137 and -138; 0x0003000000022de1-140, -141 and -149; 0x0002000000022de2-146 and -147; 0x0002000000022de7-160; 0x0002000000022de8-161; 0x000c00000001e6d8-169, -170, -171 and -172 (.dat)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
All set by dknfmokczg.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) FirstRunDisabled = "1"
- Set value (int) AntiVirusOverride = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"
Adds Run key to start application 2 TTPs 4 IoCs
All by kjaxvlulopkmpom.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run:
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str) bfvmoebb = "dknfmokczg.exe"
- Set value (str) urkhdqlu = "kjaxvlulopkmpom.exe"
- Set value (str) (default) = "kbxefqplduoms.exe"
The values are bare file names rather than full paths; the files themselves were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory" below).
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every entry is "File opened (read-only) \??\<letter>:" on a drive root:
- dknfmokczg.exe (21 entries): a:, b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, s:, t:, u:, v:, w:, y:
- txpmnkxl.exe (43 entries): every letter from a: to z: except c: and d:; most letters appear twice, consistent with the two txpmnkxl.exe instances (PIDs 4896 and 860) each walking the drive letters
Modifies WinLogon 2 TTPs 2 IoCs
Both set by dknfmokczg.exe under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon:
- Set value (int) SFCScan = "0"
- Set value (int) SFCDisable = "4294967197"
4294967197 is 0xFFFFFF9D, i.e. -99 as a signed DWORD: the value that disabled Windows File Protection on Windows 2000/XP (with a patched sfc dll). Windows Vista and later use Windows Resource Protection, which does not honour this value, so on the Windows 10 image used here the write is a legacy tell rather than an effective bypass.
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
yara rule: autoit_exe
Memory regions, all 0x00400000-0x004A0000: behavioral2/memory/2376-132, 4928-143, 5012-142, 4896-144, 376-150, 860-151, 2376-153, 5012-164, 4928-165, 4896-166, 376-167, 860-168 (memory.dmp)
These are the same twelve dumps that match the upx rule above, so the sample and all four dropped executables (including both txpmnkxl.exe instances) are UPX-packed compiled AutoIt binaries.
Drops file in System32 directory 12 IoCs
- 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe: File created and File opened for modification for each of C:\Windows\SysWOW64\dknfmokczg.exe, C:\Windows\SysWOW64\kjaxvlulopkmpom.exe, C:\Windows\SysWOW64\txpmnkxl.exe and C:\Windows\SysWOW64\kbxefqplduoms.exe (8 entries)
- dknfmokczg.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime)
- txpmnkxl.exe: File created (x1) and File opened for modification (x2) \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in Program Files directory 14 IoCs
All by txpmnkxl.exe under C:\Program Files\Microsoft Office\root\Office16\1033\ (some rows logged with the \??\c: prefix):
- PROTTPLN.DOC.exe: File created (x1), File opened for modification (x4)
- PROTTPLN.nal: File opened for modification (x2)
- PROTTPLV.DOC.exe: File created (x1), File opened for modification (x4)
- PROTTPLV.nal: File opened for modification (x2)
Drops file in Windows directory 11 IoCs
- txpmnkxl.exe: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- txpmnkxl.exe: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf; File created C:\Windows\~$mydoc.rtf
The three tables show one pattern: txpmnkxl.exe writes an executable named <document name>.doc.exe (or .DOC.exe) in locations where Office keeps its own .doc files, and opens a .nal file with the same stem for modification; with HideFileExt = 1 (set above) the trailing .exe is not shown in Explorer.
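The three file tables above share one pattern: executables dropped under random lower-case names directly in SysWOW64, and executables written as <document name>.DOC.exe next to Office document locations together with a .nal file of the same stem. The block below is an added example, not tria.ge code, that parses rows in this report's "File <operation> <path> <process>" layout and flags those patterns; it also shows what Explorer displays for such a name once HideFileExt = 1 (set above by dknfmokczg.exe). The sample rows are copied from the tables above; the document-extension list, the 8-16 letter name heuristic and all function names are the editor's assumptions.

```python
"""Flag the file-drop pattern of this report from flattened 'File ...' rows.
Added example for this page, not tria.ge code. FILE_ROWS is a constructed
subset of the tables above; the heuristics and names are the editor's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

FILE_ROWS = r"""
File created C:\Windows\SysWOW64\txpmnkxl.exe 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File created C:\Windows\SysWOW64\dknfmokczg.exe 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll dknfmokczg.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe txpmnkxl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe txpmnkxl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal txpmnkxl.exe
File opened for modification C:\Windows\mydoc.rtf 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
"""

# Row layout: operation, path (may contain spaces), process (last token).
_ROW = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+) (?P<proc>\S+)$", re.M)
# Document extensions: .doc is what this sample targets; the rest are assumed neighbours.
DOUBLE_EXT = re.compile(r"\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf)\.exe$", re.I)
# Dropper names seen in the report: 8-16 lower-case letters directly in SysWOW64 (heuristic).
SYSWOW64_DROP = re.compile(r"^C:\\Windows\\SysWOW64\\[a-z]{8,16}\.exe$")


@dataclass(frozen=True)
class FileEvent:
    op: str
    path: str      # normalised: NT prefix \??\ removed, drive letter upper-cased
    process: str


def normalize(path: str) -> str:
    """Map the kernel-style \\??\\c:\\... spelling and C:\\... onto one form."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse_file_events(text: str) -> list[FileEvent]:
    return [FileEvent(m["op"], normalize(m["path"]), m["proc"]) for m in _ROW.finditer(text)]


def explorer_display_name(filename: str, hide_file_ext: bool = True) -> str:
    """Name as Explorer shows it. With HideFileExt=1 the last registered extension
    (.exe here) is dropped, so 'PROTTPLN.DOC.exe' renders as 'PROTTPLN.DOC'.
    Simplification: every trailing extension is treated as registered."""
    if hide_file_ext and "." in filename:
        return filename.rsplit(".", 1)[0]
    return filename


def triage(text: str) -> dict[str, list[str]]:
    events = parse_file_events(text)
    paths = {e.path for e in events}
    double_ext = sorted(p for p in paths if DOUBLE_EXT.search(p))
    # Stems of double-extension files that also have a '.nal' sibling, as in the report.
    nal_stems = {p[:-4] for p in paths if p.lower().endswith(".nal")}
    with_nal = sorted(s for s in (DOUBLE_EXT.sub("", p) for p in double_ext) if s in nal_stems)
    return {
        "dropped_in_syswow64": sorted(p for p in paths if SYSWOW64_DROP.match(p)),
        "double_extension": double_ext,
        "double_ext_with_nal_sibling": with_nal,
    }


if __name__ == "__main__":
    for key, items in triage(FILE_ROWS).items():
        print(key)
        for p in items:
            print("   ", p, "-> shown as", explorer_display_name(p.rsplit("\\", 1)[-1]))
```

Paths are normalised before comparison because the report logs the same file both as C:\... and as \??\c:\... and the two spellings would otherwise be counted as separate files. The SysWOW64 name heuristic is tuned to the four names in this run and will need adjusting for other samples.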
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That sentence is the signature's generic description: this report records no file-encryption activity, and the only drive access listed is the read-only enumeration of drive roots above.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by WINWORD.EXE
Both signatures fire only on WINWORD.EXE (PID 548), which the sample launched to open C:\Windows\mydoc.rtf, and not on the sample or any dropped executable. The reads are consistent with ordinary Office start-up and should not be scored as sandbox evasion by the malware.
Modifies registry class 20 IoCs
- 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes; Set value (str) under \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes: StartCom1 = "E7F36BB3FF1D21ACD27FD0D28A7B9113", StartCom2 = "1945C7081596DAB3B8C07FE5ED9237CC", Com1 = "33472C0A9C2783596A3176A670562CDD7C8464DE", Com2 = "6ABEFABEF917F291840F3B36819E39E4B080038D4363034FE2CE42EF08A7", Com3 = "2EB0B05B44EE39EF53BFBAA0339DD7CA", Com4 = "7EFAFFFC4F28856D9145D65F7E95BDE1E136584267316333D6EE"; Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (8 entries)
- dknfmokczg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsf, .wsh and .wsc; Set value (str) (default) = "txtfile" for each of \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .WSF, .WSH and .wsc (12 entries)
CLV.Classes is not a file-type ProgID that Windows uses; the hex strings stored under it look like the sample's own configuration or markers and make a usable host-based indicator. Pointing .bat, .vbs, .reg, .wsf, .wsh and .wsc at the txtfile ProgID means a double-clicked batch file, VBScript, .reg import or Windows Script file opens in Notepad instead of running, which closes the usual script-based cleanup and registry-restore routes while the DisableRegistryTools policy above blocks regedit.exe.
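The registry rows in the signatures above are easy to read one at a time but awkward to act on in bulk. The block below is an added example, not tria.ge code: it parses rows in the "Set value (type) <key> = "<value>" <process>" layout used throughout this report into records and maps them to the hardening changes discussed above (Explorer visibility, the Security Center switches, DisableRegistryTools, Run-key persistence, the Winlogon SFC values and the script-extension-to-txtfile remap). The sample rows are copied from this report; the rule ids, rule table and the signed-DWORD reading of SFCDisable are the editor's additions.

```python
"""Parse tria.ge-style 'Set value' registry IoC rows and flag known hardening
changes. Added example for this page, not tria.ge code; the rule table and
rule ids are the editor's own, and REPORT_ROWS is a subset copied from the
tables above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: rows copied from the report's registry tables.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dknfmokczg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dknfmokczg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dknfmokczg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dknfmokczg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bfvmoebb = "dknfmokczg.exe" kjaxvlulopkmpom.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kbxefqplduoms.exe" kjaxvlulopkmpom.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dknfmokczg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" dknfmokczg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dknfmokczg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" dknfmokczg.exe
"""

# One flattened row: type, key path (may contain spaces), quoted value, process.
_ROW = re.compile(r'Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)')


@dataclass(frozen=True)
class RegSet:
    key_path: str   # key without the value name
    name: str       # value name; "" is the key's default value (trailing backslash in the row)
    value: str
    is_int: bool
    process: str


def parse_reg_sets(text: str) -> list[RegSet]:
    """Turn report rows into RegSet records; text that is not a row is skipped."""
    out = []
    for m in _ROW.finditer(text):
        key_path, _, name = m.group("key").rpartition("\\")
        out.append(RegSet(key_path, name, m.group("value"), m.group("type") == "int", m.group("proc")))
    return out


@dataclass(frozen=True)
class Rule:
    rule_id: str                   # editor-chosen label, not a tria.ge signature name
    why: str
    key_re: str                    # regex applied to key_path, case-insensitive
    names: frozenset[str] | None   # lowercase value names, None = any
    value: str | None              # exact value required, None = any

    def matches(self, r: RegSet) -> bool:
        return (re.search(self.key_re, r.key_path, re.I) is not None
                and (self.names is None or r.name.lower() in self.names)
                and (self.value is None or r.value == self.value))


_SC = frozenset({"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify",
                 "firstrundisabled", "antivirusoverride", "firewalloverride"})

RULES = [
    Rule("explorer-hide-ext", "HideFileExt=1 hides registered extensions, so x.DOC.exe shows as x.DOC",
         r"\\Explorer\\Advanced$", frozenset({"hidefileext"}), "1"),
    Rule("explorer-hide-system", "ShowSuperHidden=0 hides hidden+system files",
         r"\\Explorer\\Advanced$", frozenset({"showsuperhidden"}), "0"),
    Rule("security-center-notify", "legacy Security Center notification/override switches",
         r"\\Security Center$", _SC, "1"),
    Rule("disable-regedit", "DisableRegistryTools policy blocks regedit.exe",
         r"\\Policies\\System$", frozenset({"disableregistrytools"}), "1"),
    Rule("run-key", "Run-key persistence", r"\\CurrentVersion\\Run$", None, None),
    Rule("sfc-off", "Winlogon SFC switches (honoured by Windows 2000/XP WFP, not by WRP)",
         r"\\Winlogon$", frozenset({"sfcdisable", "sfcscan"}), None),
    Rule("script-ext-to-txtfile", "script/.reg extension remapped to Notepad's txtfile ProgID",
         r"\\Classes\\\.(bat|vbs|reg|wsf|wsh|wsc)$", frozenset({""}), "txtfile"),
]


def evaluate(text: str) -> list[tuple[str, RegSet]]:
    """(rule_id, record) for every row that matches a rule, in row order."""
    return [(rule.rule_id, r) for r in parse_reg_sets(text) for rule in RULES if rule.matches(r)]


def dword_as_signed(value: str) -> int:
    """Read a REG_DWORD printed as unsigned decimal as a signed 32-bit integer."""
    v = int(value) & 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def persistence_entries(text: str) -> dict[str, str]:
    """Run-key value name -> command ("" for the default value)."""
    return {r.name: r.value for rid, r in evaluate(text) if rid == "run-key"}


if __name__ == "__main__":
    for rid, r in evaluate(REPORT_ROWS):
        print(f"{rid:24} {r.process:22} {r.name or '(default)'} = {r.value!r}")
    print("SFCDisable as signed DWORD:", dword_as_signed("4294967197"))
```

The key path is matched by regex rather than by exact string so that the same rule covers the WOW6432Node view written by a 32-bit process and the native view written by a 64-bit one, and the user-hive rules do not depend on the sandbox SID.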
Suspicious behavior: AddClipboardFormatListener 2 IoCs
PID 548 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 2376 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe (x16); PID 5012 dknfmokczg.exe (x10); PID 4928 kjaxvlulopkmpom.exe (x12); PID 4896 txpmnkxl.exe (x8); PID 376 kbxefqplduoms.exe (x12); PID 860 txpmnkxl.exe (x6)
Suspicious use of FindShellTrayWindow 18 IoCs
Three entries each for PID 2376 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe, PID 5012 dknfmokczg.exe, PID 4928 kjaxvlulopkmpom.exe, PID 4896 txpmnkxl.exe, PID 376 kbxefqplduoms.exe and PID 860 txpmnkxl.exe
Suspicious use of SendNotifyMessage 18 IoCs
Three entries each for the same six processes as FindShellTrayWindow above
Suspicious use of SetWindowsHookEx 7 IoCs
PID 548 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
Writer PID -> target PID (sandbox target id), target names taken from the process tree below:
- 2376 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe -> 5012 dknfmokczg.exe (80), 3 entries
- 2376 -> 4928 kjaxvlulopkmpom.exe (81), 3 entries
- 2376 -> 4896 txpmnkxl.exe (82), 3 entries
- 2376 -> 376 kbxefqplduoms.exe (83), 3 entries
- 5012 dknfmokczg.exe -> 860 txpmnkxl.exe (84), 3 entries
- 2376 -> 548 WINWORD.EXE (85), 2 entries
Every target is a process the writer itself created (compare the process tree below), so these rows are consistent with the writes a parent makes into a new child during process creation rather than injection into a foreign process; their main value is as the parent/child map.
Processes
C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe"
    PID 2376 (level 1)
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\dknfmokczg.exe
        Command line: dknfmokczg.exe
        PID 5012 (level 2, parent 2376)
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\txpmnkxl.exe
            Command line: C:\Windows\system32\txpmnkxl.exe
            PID 860 (level 3, parent 5012)
            The command line names system32 but the image ran from SysWOW64: dknfmokczg.exe is a 32-bit process, so WOW64 file-system redirection resolves its system32 reference to C:\Windows\SysWOW64, where the file was dropped.
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\kjaxvlulopkmpom.exe
        Command line: kjaxvlulopkmpom.exe
        PID 4928 (level 2, parent 2376)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\txpmnkxl.exe
        Command line: txpmnkxl.exe
        PID 4896 (level 2, parent 2376)
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\kbxefqplduoms.exe
        Command line: kbxefqplduoms.exe
        PID 376 (level 2, parent 2376)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID 548 (level 2, parent 2376)
        Launched by the sample to open C:\Windows\mydoc.rtf, a file the sample had itself opened for modification just before.
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
16 entries covering 9 distinct files (repeat counts given per file). Eight of the nine are 255KB, the size of the submitted sample, yet none shares the sample's hashes or another entry's, so each dropped executable is a distinct byte sequence.

Filesize: 255KB (listed 1 time)
MD5: c4bd88e13b4ea4f2de6bcbfb09e28460
SHA1: 19c2b8493fda68c49e4230f572539dafb9aa6eaa
SHA256: 650d5b413612b4b31ba834d3fd6885a6a709a65d41aa6f50694f7c351577d469
SHA512: 1a0cb7dba6fc75073a3e7838c8b3bfb96c2f0f611bf56586a49eb854ba03ca2e013b9b87bfa17aa5863bda1e0e3574208c4db4ef50102a575359a48845f4f421

Filesize: 255KB (listed 1 time)
MD5: c68b7af7be1d40089fec76d63f47d436
SHA1: 3dfc89f8b67af2d54bdd459cc5698d12d3378809
SHA256: f66e5d130c39f6a05341b68ff5b871723de2ad2f1c185fc53a99c94205cbd769
SHA512: ecef58f01cc544db1322fdbaa4ab0009a01454d33c3895b5c10c5bbd0687f75f72f36e16ea13f51bcdae03ce23585cc1431ddb9e88c177d4c9444428829f16de

Filesize: 255KB (listed 2 times)
MD5: caa2ba0e4567f484df86b788cdbd3a24
SHA1: 72c0e70becbed0b94705065ed0938acd61e85f4a
SHA256: 09493b4d2f86b2499a06dc1b627f9498c2b8699d244fdda880fee92cbe7feba9
SHA512: e26d9dab987fd47c5b539bfdbc6c444a161156244fdfba2a7230e3a515e9c299f37fc6e8ddbd55c21d0a7c48bc7c9bdfe302ea0592269ce69e59ab2b3fe83436

Filesize: 255KB (listed 2 times)
MD5: 7341855733f690b4bbf8ee4301f325ce
SHA1: 6251c6d04fd35e3b3554a58849b05fb1c31b7353
SHA256: 76db14363d5f879e2e269a6704246cd39a34ba0a7dcfa92809c220295eb6ebd0
SHA512: dbf869ab48ad36e7dc2b51181b3fbe06c1edc5147f8098a3fdfbe563f2b2b4ac55c9d91aa1ce4d3130a8e3215f1aba4824a29df7860814c9d93af72b5f44ba82

Filesize: 255KB (listed 2 times)
MD5: 5002c9e146901de423b9a6f778610344
SHA1: 346889ee7bfffa5f5320e589f87ad9fd113783cd
SHA256: 680b5a5a9faecf6aca39c9a755d56af6040d1dd7de7152a8ddf72b5720a802b0
SHA512: 734c9cc4660b42d87f4cd7b439c9531435a0e0902253deb6c3b428637cd12f6a0d0fc708b5c33d12f796994dc111da633ee5af6666e713ac0aae9c5e20a3623d

Filesize: 255KB (listed 3 times)
MD5: 8a093bd1aea05cc83b7b4b3fc9cc172d
SHA1: e8ee5e3b19afdf1110c225ee1f906cc2b34925c3
SHA256: 9dcebb89aa05e0c516043a1eb3beb796267819588e2aae9b22e8a50c7176a3ac
SHA512: 86f370c869a1897f0d357416c1d264d23caacb7ebab963a0cf946f018c7767b176b41608d530304c46fc8b6676d86b417628ccce2a5700013f9cbbf271729459

Filesize: 223B (listed 1 time)
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB (listed 3 times)
MD5: 6f2ddf24dbe404ba94a7baaf9c7be923
SHA1: 1a8da2eee6121a59ce4bea73a8266958ae163caa
SHA256: e3ff57f8fa61adca0298a40dcd3e6216a78515e6a09d69c5f6950f4f72ad69c1
SHA512: cd1854c3d2ac24cd3d1f342247589392a0bc213b6a1999b6bca857d86f9e4b0cf2729ab786b07799a8ba4391be456651d916d7e38704459d62c546b7fd680fb5

Filesize: 255KB (listed 1 time)
MD5: 58fd4975f3f9919763800ce3a518d492
SHA1: 876a089c68f9583e957eb089809d81226c5492f0
SHA256: fc5bc5593432abb2905199920e360af738bcc2e08907fee108daf7b56121fab8
SHA512: fc196a80959d936431991a76a200dd6ecc89e973e41f6920e3edad738e942b48b9a794fdbf7c3421d931b95c0d31b6dc58803d8478c54cae621ab56861842dab