Analysis
max time kernel: 166s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 21:35
Behavioral task: behavioral1
Sample: 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Resource: win7-20220812-en
General
Target: 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Size: 255KB
MD5: 037cc30aa2051f1d9c0c7611e3816d91
SHA1: cc1e284a10e23122239b2c9cae356c2470a058dc
SHA256: 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457
SHA512: 6279b269daa1728b5de5cea5707a21c9f0aa83bb22e77f59b0f4c43cbed49fb0e471f90b16f211d9610b863546eded8c52e604872a4db18d72aaa92a7b399efc
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJc:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIf
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vzgipjlqnt.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vzgipjlqnt.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vzgipjlqnt.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vzgipjlqnt.exe
Executes dropped EXE (5 IoCs)
pid | Process
4864 | vzgipjlqnt.exe
5056 | gcrkzpkrgtocyhn.exe
4920 | jrsssaiy.exe
1756 | lxkwsepbsywyg.exe
4080 | jrsssaiy.exe
resource | yara_rule
behavioral2/memory/3516-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e2d-134.dat | upx
behavioral2/files/0x0008000000022e2d-135.dat | upx
behavioral2/files/0x0008000000022e2e-137.dat | upx
behavioral2/files/0x0008000000022e2e-138.dat | upx
behavioral2/files/0x0008000000022e39-141.dat | upx
behavioral2/files/0x0006000000022e3c-144.dat | upx
behavioral2/files/0x0006000000022e3c-143.dat | upx
behavioral2/files/0x0008000000022e39-140.dat | upx
behavioral2/memory/4864-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5056-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4920-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1756-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e39-150.dat | upx
behavioral2/memory/3516-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4080-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e3e-159.dat | upx
behavioral2/files/0x0006000000022e3f-160.dat | upx
behavioral2/memory/4864-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5056-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4920-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1756-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4080-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e6b9-169.dat | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vzgipjlqnt.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | gcrkzpkrgtocyhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jajcnvly = "vzgipjlqnt.exe" | gcrkzpkrgtocyhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yyjkisvw = "gcrkzpkrgtocyhn.exe" | gcrkzpkrgtocyhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lxkwsepbsywyg.exe" | gcrkzpkrgtocyhn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vzgipjlqnt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vzgipjlqnt.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4864-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5056-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4920-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1756-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3516-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4080-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4864-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5056-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4920-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1756-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4080-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vzgipjlqnt.exe
File opened for modification | C:\Windows\SysWOW64\vzgipjlqnt.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File created | C:\Windows\SysWOW64\jrsssaiy.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File opened for modification | C:\Windows\SysWOW64\jrsssaiy.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File created | C:\Windows\SysWOW64\lxkwsepbsywyg.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File opened for modification | C:\Windows\SysWOW64\lxkwsepbsywyg.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File created | C:\Windows\SysWOW64\vzgipjlqnt.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File created | C:\Windows\SysWOW64\gcrkzpkrgtocyhn.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File opened for modification | C:\Windows\SysWOW64\gcrkzpkrgtocyhn.exe | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Drops file in Program Files directory (16 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jrsssaiy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jrsssaiy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jrsssaiy.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jrsssaiy.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jrsssaiy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jrsssaiy.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B0284494389A52CDBAD3329CD4CF" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFC8F482B826F9042D75B7E95BDEFE631583766406237D7EA" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vzgipjlqnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vzgipjlqnt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vzgipjlqnt.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D0D9C5583566D4576A170532DDF7D8065DD" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vzgipjlqnt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vzgipjlqnt.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FACEFE16F192847A3A4186E93E93B08803F04367033AE2BE42E808A4" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BB4FE6E21DBD27ED1A88A759063" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vzgipjlqnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vzgipjlqnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C7781591DAB0B8CD7FE7ECE337CE" | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vzgipjlqnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vzgipjlqnt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vzgipjlqnt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vzgipjlqnt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vzgipjlqnt.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2784 | WINWORD.EXE
2784 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
4864 | vzgipjlqnt.exe
4864 | vzgipjlqnt.exe
4864 | vzgipjlqnt.exe
5056 | gcrkzpkrgtocyhn.exe
5056 | gcrkzpkrgtocyhn.exe
5056 | gcrkzpkrgtocyhn.exe
4920 | jrsssaiy.exe
4920 | jrsssaiy.exe
4920 | jrsssaiy.exe
1756 | lxkwsepbsywyg.exe
1756 | lxkwsepbsywyg.exe
1756 | lxkwsepbsywyg.exe
4080 | jrsssaiy.exe
4080 | jrsssaiy.exe
4080 | jrsssaiy.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe
4864 | vzgipjlqnt.exe
4864 | vzgipjlqnt.exe
4864 | vzgipjlqnt.exe
5056 | gcrkzpkrgtocyhn.exe
5056 | gcrkzpkrgtocyhn.exe
5056 | gcrkzpkrgtocyhn.exe
4920 | jrsssaiy.exe
4920 | jrsssaiy.exe
4920 | jrsssaiy.exe
1756 | lxkwsepbsywyg.exe
1756 | lxkwsepbsywyg.exe
1756 | lxkwsepbsywyg.exe
4080 | jrsssaiy.exe
4080 | jrsssaiy.exe
4080 | jrsssaiy.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
2784 | WINWORD.EXE
2784 | WINWORD.EXE
2784 | WINWORD.EXE
2784 | WINWORD.EXE
2784 | WINWORD.EXE
2784 | WINWORD.EXE
2784 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3516 wrote to memory of 4864 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 79
PID 3516 wrote to memory of 4864 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 79
PID 3516 wrote to memory of 4864 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 79
PID 3516 wrote to memory of 5056 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 80
PID 3516 wrote to memory of 5056 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 80
PID 3516 wrote to memory of 5056 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 80
PID 3516 wrote to memory of 4920 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 81
PID 3516 wrote to memory of 4920 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 81
PID 3516 wrote to memory of 4920 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 81
PID 3516 wrote to memory of 1756 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 82
PID 3516 wrote to memory of 1756 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 82
PID 3516 wrote to memory of 1756 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 82
PID 4864 wrote to memory of 4080 | 4864 | vzgipjlqnt.exe | 83
PID 4864 wrote to memory of 4080 | 4864 | vzgipjlqnt.exe | 83
PID 4864 wrote to memory of 4080 | 4864 | vzgipjlqnt.exe | 83
PID 3516 wrote to memory of 2784 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 84
PID 3516 wrote to memory of 2784 | 3516 | 3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe | 84
Processes

C:\Users\Admin\AppData\Local\Temp\3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe (PID: 3516)
  command line: "C:\Users\Admin\AppData\Local\Temp\3c8346c61e2b8b076c8c463c69864ad2ffc2d942bedb1fd0b40b539ae6817457.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\vzgipjlqnt.exe (PID: 4864)
    command line: vzgipjlqnt.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\jrsssaiy.exe (PID: 4080)
      command line: C:\Windows\system32\jrsssaiy.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gcrkzpkrgtocyhn.exe (PID: 5056)
    command line: gcrkzpkrgtocyhn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jrsssaiy.exe (PID: 4920)
    command line: jrsssaiy.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\lxkwsepbsywyg.exe (PID: 1756)
    command line: lxkwsepbsywyg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID: 2784)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Defense Evasion
  Disabling Security Tools: 2
  Hidden Files and Directories: 2
  Modify Registry: 6
Downloads