Analysis
- max time kernel: 185s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-11-2022 21:03
Behavioral task: behavioral1
- Sample: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
- Resource: win10v2004-20221111-en
General
- Target: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
- Size: 255KB
- MD5: 8f1e3fe00745836a1d9446e7c5bccd1d
- SHA1: fdf9d4553100bc347287d3a187c8277a5c04b2d3
- SHA256: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb
- SHA512: 7ba041ad463153089d1d3690be6a015e8210c29bdfc8ac913f4ed7457f4bb89b544c0f93b12b73da1e2231150f0f3a8fbaff2e030ed1a2f4664bde28117d35d0
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJS:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI3
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vkaubqonkd.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vkaubqonkd.exe
-
Windows security bypass
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vkaubqonkd.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vkaubqonkd.exe
-
Executes dropped EXE 5 IoCs
Processes: vkaubqonkd.exe, zlxpkfgejnskcok.exe, guznipwz.exe, rixnkiyvxakex.exe, guznipwz.exe
pid | process
2120 | vkaubqonkd.exe
3104 | zlxpkfgejnskcok.exe
400 | guznipwz.exe
3652 | rixnkiyvxakex.exe
3672 | guznipwz.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3496-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3496-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\vkaubqonkd.exe | upx
C:\Windows\SysWOW64\vkaubqonkd.exe | upx
C:\Windows\SysWOW64\zlxpkfgejnskcok.exe | upx
C:\Windows\SysWOW64\zlxpkfgejnskcok.exe | upx
C:\Windows\SysWOW64\guznipwz.exe | upx
C:\Windows\SysWOW64\guznipwz.exe | upx
C:\Windows\SysWOW64\rixnkiyvxakex.exe | upx
C:\Windows\SysWOW64\rixnkiyvxakex.exe | upx
behavioral2/memory/2120-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3104-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/400-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3652-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\guznipwz.exe | upx
behavioral2/memory/3672-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3496-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | upx
behavioral2/memory/2120-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3104-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/400-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3652-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3672-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
-
Windows security modification
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vkaubqonkd.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: zlxpkfgejnskcok.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | zlxpkfgejnskcok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzajgoxz = "vkaubqonkd.exe" | zlxpkfgejnskcok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pmcssaqd = "zlxpkfgejnskcok.exe" | zlxpkfgejnskcok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rixnkiyvxakex.exe" | zlxpkfgejnskcok.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: guznipwz.exe, vkaubqonkd.exe, guznipwz.exe
description | ioc | process
File opened (read-only) | \??\u: | guznipwz.exe
File opened (read-only) | \??\z: | guznipwz.exe
File opened (read-only) | \??\e: | vkaubqonkd.exe
File opened (read-only) | \??\y: | vkaubqonkd.exe
File opened (read-only) | \??\y: | guznipwz.exe
File opened (read-only) | \??\g: | vkaubqonkd.exe
File opened (read-only) | \??\x: | vkaubqonkd.exe
File opened (read-only) | \??\s: | guznipwz.exe
File opened (read-only) | \??\l: | guznipwz.exe
File opened (read-only) | \??\j: | guznipwz.exe
File opened (read-only) | \??\b: | vkaubqonkd.exe
File opened (read-only) | \??\n: | vkaubqonkd.exe
File opened (read-only) | \??\o: | vkaubqonkd.exe
File opened (read-only) | \??\g: | guznipwz.exe
File opened (read-only) | \??\t: | guznipwz.exe
File opened (read-only) | \??\o: | guznipwz.exe
File opened (read-only) | \??\l: | vkaubqonkd.exe
File opened (read-only) | \??\t: | vkaubqonkd.exe
File opened (read-only) | \??\f: | guznipwz.exe
File opened (read-only) | \??\h: | guznipwz.exe
File opened (read-only) | \??\z: | guznipwz.exe
File opened (read-only) | \??\b: | guznipwz.exe
File opened (read-only) | \??\e: | guznipwz.exe
File opened (read-only) | \??\j: | vkaubqonkd.exe
File opened (read-only) | \??\r: | guznipwz.exe
File opened (read-only) | \??\v: | guznipwz.exe
File opened (read-only) | \??\i: | guznipwz.exe
File opened (read-only) | \??\g: | guznipwz.exe
File opened (read-only) | \??\p: | guznipwz.exe
File opened (read-only) | \??\f: | vkaubqonkd.exe
File opened (read-only) | \??\u: | guznipwz.exe
File opened (read-only) | \??\f: | guznipwz.exe
File opened (read-only) | \??\h: | guznipwz.exe
File opened (read-only) | \??\s: | vkaubqonkd.exe
File opened (read-only) | \??\u: | vkaubqonkd.exe
File opened (read-only) | \??\a: | guznipwz.exe
File opened (read-only) | \??\m: | guznipwz.exe
File opened (read-only) | \??\l: | guznipwz.exe
File opened (read-only) | \??\t: | guznipwz.exe
File opened (read-only) | \??\i: | vkaubqonkd.exe
File opened (read-only) | \??\m: | vkaubqonkd.exe
File opened (read-only) | \??\q: | vkaubqonkd.exe
File opened (read-only) | \??\v: | vkaubqonkd.exe
File opened (read-only) | \??\v: | guznipwz.exe
File opened (read-only) | \??\r: | guznipwz.exe
File opened (read-only) | \??\y: | guznipwz.exe
File opened (read-only) | \??\h: | vkaubqonkd.exe
File opened (read-only) | \??\n: | guznipwz.exe
File opened (read-only) | \??\x: | guznipwz.exe
File opened (read-only) | \??\k: | guznipwz.exe
File opened (read-only) | \??\n: | guznipwz.exe
File opened (read-only) | \??\z: | vkaubqonkd.exe
File opened (read-only) | \??\e: | guznipwz.exe
File opened (read-only) | \??\w: | guznipwz.exe
File opened (read-only) | \??\m: | guznipwz.exe
File opened (read-only) | \??\s: | guznipwz.exe
File opened (read-only) | \??\a: | vkaubqonkd.exe
File opened (read-only) | \??\w: | vkaubqonkd.exe
File opened (read-only) | \??\q: | guznipwz.exe
File opened (read-only) | \??\a: | guznipwz.exe
File opened (read-only) | \??\p: | vkaubqonkd.exe
File opened (read-only) | \??\o: | guznipwz.exe
File opened (read-only) | \??\i: | guznipwz.exe
File opened (read-only) | \??\q: | guznipwz.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: vkaubqonkd.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vkaubqonkd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vkaubqonkd.exe
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/3496-133-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2120-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3104-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/400-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3652-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3672-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3496-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2120-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3104-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/400-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3652-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3672-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
-
Drops file in System32 directory 9 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, vkaubqonkd.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\guznipwz.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File created | C:\Windows\SysWOW64\rixnkiyvxakex.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File created | C:\Windows\SysWOW64\vkaubqonkd.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File created | C:\Windows\SysWOW64\guznipwz.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File opened for modification | C:\Windows\SysWOW64\zlxpkfgejnskcok.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File opened for modification | C:\Windows\SysWOW64\rixnkiyvxakex.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vkaubqonkd.exe
File opened for modification | C:\Windows\SysWOW64\vkaubqonkd.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File created | C:\Windows\SysWOW64\zlxpkfgejnskcok.exe | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
-
Drops file in Program Files directory 14 IoCs
Processes: guznipwz.exe, guznipwz.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | guznipwz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | guznipwz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | guznipwz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | guznipwz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | guznipwz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | guznipwz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | guznipwz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | guznipwz.exe
-
Drops file in Windows directory 3 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: vkaubqonkd.exe, 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vkaubqonkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vkaubqonkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C0A9C5782236A3E77D170522CA97D8564DD" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFAB8FE65F299837B3B47869C3994B0FC02FA42120332E1CD42EF08A1" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068C6FE1C21A9D20ED0A18B0E9060" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67C15E1DBC3B9BE7CE5EC9F34CD" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vkaubqonkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vkaubqonkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vkaubqonkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vkaubqonkd.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FF8E4F28851F9133D72E7E9CBC92E643594667356344D69C" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vkaubqonkd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vkaubqonkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vkaubqonkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02F44E439EC53BEB9D23392D4CC" | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vkaubqonkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vkaubqonkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vkaubqonkd.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
1880 | WINWORD.EXE
1880 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, vkaubqonkd.exe, zlxpkfgejnskcok.exe, guznipwz.exe, rixnkiyvxakex.exe, guznipwz.exe
pid | process
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
400 | guznipwz.exe
400 | guznipwz.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3672 | guznipwz.exe
3672 | guznipwz.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, vkaubqonkd.exe, zlxpkfgejnskcok.exe, guznipwz.exe, rixnkiyvxakex.exe, guznipwz.exe
pid | process
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3672 | guznipwz.exe
3672 | guznipwz.exe
3672 | guznipwz.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, vkaubqonkd.exe, zlxpkfgejnskcok.exe, guznipwz.exe, rixnkiyvxakex.exe, guznipwz.exe
pid | process
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
2120 | vkaubqonkd.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
3104 | zlxpkfgejnskcok.exe
400 | guznipwz.exe
400 | guznipwz.exe
400 | guznipwz.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3652 | rixnkiyvxakex.exe
3672 | guznipwz.exe
3672 | guznipwz.exe
3672 | guznipwz.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
1880 | WINWORD.EXE
1880 | WINWORD.EXE
1880 | WINWORD.EXE
1880 | WINWORD.EXE
1880 | WINWORD.EXE
1880 | WINWORD.EXE
1880 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe, vkaubqonkd.exe
description | pid | process | target process
PID 3496 wrote to memory of 2120 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | vkaubqonkd.exe
PID 3496 wrote to memory of 2120 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | vkaubqonkd.exe
PID 3496 wrote to memory of 2120 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | vkaubqonkd.exe
PID 3496 wrote to memory of 3104 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | zlxpkfgejnskcok.exe
PID 3496 wrote to memory of 3104 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | zlxpkfgejnskcok.exe
PID 3496 wrote to memory of 3104 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | zlxpkfgejnskcok.exe
PID 3496 wrote to memory of 400 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | guznipwz.exe
PID 3496 wrote to memory of 400 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | guznipwz.exe
PID 3496 wrote to memory of 400 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | guznipwz.exe
PID 3496 wrote to memory of 3652 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | rixnkiyvxakex.exe
PID 3496 wrote to memory of 3652 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | rixnkiyvxakex.exe
PID 3496 wrote to memory of 3652 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | rixnkiyvxakex.exe
PID 2120 wrote to memory of 3672 | 2120 | vkaubqonkd.exe | guznipwz.exe
PID 2120 wrote to memory of 3672 | 2120 | vkaubqonkd.exe | guznipwz.exe
PID 2120 wrote to memory of 3672 | 2120 | vkaubqonkd.exe | guznipwz.exe
PID 3496 wrote to memory of 1880 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | WINWORD.EXE
PID 3496 wrote to memory of 1880 | 3496 | 87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe | WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\87baaf5877a36d0833ad455ec1f129826a71f747176fe3b3480eafa647c289cb.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3496
  C:\Windows\SysWOW64\vkaubqonkd.exe (level 2)
  Command line: vkaubqonkd.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2120
    C:\Windows\SysWOW64\guznipwz.exe (level 3)
    Command line: C:\Windows\system32\guznipwz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3672
  C:\Windows\SysWOW64\zlxpkfgejnskcok.exe (level 2)
  Command line: zlxpkfgejnskcok.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3104
  C:\Windows\SysWOW64\guznipwz.exe (level 2)
  Command line: guznipwz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 400
  C:\Windows\SysWOW64\rixnkiyvxakex.exe (level 2)
  Command line: rixnkiyvxakex.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3652
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1880
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 255KB
MD5: e87e69b068ca9e3b6e9c63b15294669c
SHA1: 4d0f4c9d0948d81d5074ca5de84468bd502f69f7
SHA256: a49433f1bd29a64c07ac5f441faaa148d92561beb9bc36e7628fee94ae67aee7
SHA512: 6d6c14b98cdd5b924b2dfa14badea4ae9001ac671e625dd4a99df3f6c6b30a18c5da8bbb6bdc4bebd58c61d326a748da23384574ffd9f73f4d4d02413bfbed2b
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 255KB
MD5: 90a0672aadb37c5954c5deaa4cdb3868
SHA1: 5c2605a013cb2a0bd4500f1790d3a35f5500e0b4
SHA256: 0e2c3f3d401d74eeff7ed0724bd3c39f8e8253a6735e87e4895fca363e762ad3
SHA512: 54f19458738860d9f5fcd6819b25c0846a8d27ba35e4ed556c172805797b57bcd7ced4b961a490ad23ec98ffc2a870f03b5fb002699b911b9614c19e69077ae6
-
C:\Windows\SysWOW64\guznipwz.exe
Filesize: 255KB
MD5: fb6958628d7cf5a60e5a0f864aa21c93
SHA1: 5085cbafb202ffc5f77cf48f2f07cb30efdb4908
SHA256: 297427d45c4182df30eba7bce6132ad9766ea8ef107ff1c45e7a514e9fbf6ccd
SHA512: 40a08f6214c0f9d3157edb360e56c0b753a7694655468e9dd3add5f9d6d1d8f5b2475a081f4d84793be1bf041c386ac9788ca05dd57e379b79a4af5f9f00dd1b
-
C:\Windows\SysWOW64\rixnkiyvxakex.exe
Filesize: 255KB
MD5: c3745d7b47bca00f0585f07bed72e2e4
SHA1: ad6e4bbb6db0fd37bb427d79f4c127c00a1ae1e9
SHA256: f1bc12d3be56d1db135d63813417ea189f78c267467a3407587a9db7a537eecc
SHA512: 148733071f52687e8871b1b43420fe9dd7b8c6594310f55999afdaa9b00898eddd4e4a5bccc71e3aba09cdf3a1bab7605feb48c7ee063693657a7be4b27fa969
-
C:\Windows\SysWOW64\vkaubqonkd.exe
Filesize: 255KB
MD5: 458227e6d82edee894b78ee00a3b12f2
SHA1: 9a8eb8dab1e92a56876d1e6eb35f30f41378ba5a
SHA256: b7f8bfdcda83661be2b6beb987ed7588db97dec392ad916461dcd9cbc837f948
SHA512: b462fd68df5a74076903e6252a9eb50304772f503bf5c1ec2a4a78e0ef4aa24784251e25272567870d69bd8a00666b919d789c660c9a37e31172b6a78c371807
-
C:\Windows\SysWOW64\zlxpkfgejnskcok.exe
Filesize: 255KB
MD5: e6eb31293b0c64883137073de9430756
SHA1: faf1f7a600a2ad024bf03719b9e7c294a32b81ba
SHA256: f1c3c2abf90492e5b13a3fa3c0f40f94dd8fd58c4839e692786d2c79c1e9bf1c
SHA512: e0d4f1eb2a66d560a2187ddf2a655e199604f2e108514ad251786574e9784831e73274a5ec7ba73581b9f54d47ed81b28cc36e7278094c875feec843901522bb
-
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7