Analysis
-
max time kernel
154s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23/11/2022, 21:03
Behavioral task
behavioral1
Sample
80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe
Resource
win7-20221111-en
windows7-x64
25 signatures
150 seconds
General
-
Target
80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe
-
Size
255KB
-
MD5
9fb988c0d598b2a2cd32cedbcc3bde6b
-
SHA1
d5bb6cb805c3edb68e32298e78440779d3b89263
-
SHA256
80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90
-
SHA512
941f7e08b41d1b1fafdb5246e3c03385923909937fcc0008de3ca341afbbe39071fe55496b236888282bd4b88f4b19ee36b8e8b8cbb9d79501cc29229971de1e
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIu
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qbizsqzrkh.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qbizsqzrkh.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qbizsqzrkh.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qbizsqzrkh.exe -
Executes dropped EXE 5 IoCs
pid Process 3036 qbizsqzrkh.exe 2576 sseqzjrnewxknze.exe 5028 myzsowox.exe 5004 wiyodkjyjdvkv.exe 4092 myzsowox.exe -
resource yara_rule behavioral2/memory/1584-132-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0006000000022e2e-134.dat upx behavioral2/files/0x0006000000022e2e-135.dat upx behavioral2/files/0x0006000000022e2f-138.dat upx behavioral2/files/0x0006000000022e2f-137.dat upx behavioral2/files/0x0006000000022e30-140.dat upx behavioral2/files/0x0006000000022e30-141.dat upx behavioral2/files/0x0006000000022e31-144.dat upx behavioral2/files/0x0006000000022e31-143.dat upx behavioral2/files/0x0006000000022e30-146.dat upx behavioral2/memory/3036-147-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2576-148-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5028-149-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4092-151-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5004-150-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/1584-153-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0006000000022e34-154.dat upx behavioral2/files/0x0006000000022e35-155.dat upx behavioral2/memory/3036-156-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5028-158-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/2576-157-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5004-159-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4092-160-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0004000000000723-169.dat upx behavioral2/files/0x000400000000072d-170.dat upx behavioral2/files/0x000300000000072f-171.dat upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qbizsqzrkh.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run sseqzjrnewxknze.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eswbuhpt = "qbizsqzrkh.exe" sseqzjrnewxknze.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uwqpsrlm = "sseqzjrnewxknze.exe" sseqzjrnewxknze.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wiyodkjyjdvkv.exe" sseqzjrnewxknze.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: myzsowox.exe File opened (read-only) \??\i: myzsowox.exe File opened (read-only) \??\l: qbizsqzrkh.exe File opened (read-only) \??\p: qbizsqzrkh.exe File opened (read-only) \??\z: qbizsqzrkh.exe File opened (read-only) \??\y: myzsowox.exe File opened (read-only) \??\t: myzsowox.exe File opened (read-only) \??\g: myzsowox.exe File opened (read-only) \??\z: myzsowox.exe File opened (read-only) \??\x: qbizsqzrkh.exe File opened (read-only) \??\m: myzsowox.exe File opened (read-only) \??\f: qbizsqzrkh.exe File opened (read-only) \??\o: qbizsqzrkh.exe File opened (read-only) \??\b: myzsowox.exe File opened (read-only) \??\m: myzsowox.exe File opened (read-only) \??\r: myzsowox.exe File opened (read-only) \??\u: myzsowox.exe File opened (read-only) \??\v: myzsowox.exe File opened (read-only) \??\i: qbizsqzrkh.exe File opened (read-only) \??\r: qbizsqzrkh.exe File opened (read-only) \??\u: myzsowox.exe File opened (read-only) \??\y: myzsowox.exe File opened (read-only) \??\v: qbizsqzrkh.exe File opened (read-only) \??\i: myzsowox.exe File opened (read-only) \??\j: myzsowox.exe File opened (read-only) \??\k: myzsowox.exe File opened (read-only) \??\a: qbizsqzrkh.exe File opened (read-only) \??\j: qbizsqzrkh.exe File opened (read-only) \??\w: myzsowox.exe File opened (read-only) \??\p: myzsowox.exe File opened (read-only) \??\k: qbizsqzrkh.exe File opened (read-only) \??\e: myzsowox.exe File opened (read-only) \??\r: myzsowox.exe File opened (read-only) \??\f: myzsowox.exe File opened (read-only) \??\n: myzsowox.exe File opened (read-only) \??\z: myzsowox.exe File opened (read-only) \??\o: myzsowox.exe File opened (read-only) \??\j: myzsowox.exe File opened (read-only) \??\l: myzsowox.exe File opened (read-only) \??\a: myzsowox.exe File opened (read-only) \??\b: myzsowox.exe File opened (read-only) \??\g: qbizsqzrkh.exe File opened (read-only) \??\n: qbizsqzrkh.exe File opened (read-only) \??\y: qbizsqzrkh.exe File opened (read-only) \??\k: myzsowox.exe File opened (read-only) \??\s: myzsowox.exe File opened (read-only) \??\t: myzsowox.exe File opened (read-only) \??\q: qbizsqzrkh.exe File opened (read-only) \??\u: qbizsqzrkh.exe File opened (read-only) \??\g: myzsowox.exe File opened (read-only) \??\b: qbizsqzrkh.exe File opened (read-only) \??\s: qbizsqzrkh.exe File opened (read-only) \??\t: qbizsqzrkh.exe File opened (read-only) \??\a: myzsowox.exe File opened (read-only) \??\s: myzsowox.exe File opened (read-only) \??\x: myzsowox.exe File opened (read-only) \??\x: myzsowox.exe File opened (read-only) \??\e: qbizsqzrkh.exe File opened (read-only) \??\f: myzsowox.exe File opened (read-only) \??\h: myzsowox.exe File opened (read-only) \??\m: qbizsqzrkh.exe File opened (read-only) \??\w: qbizsqzrkh.exe File opened (read-only) \??\q: myzsowox.exe File opened (read-only) \??\h: qbizsqzrkh.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qbizsqzrkh.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qbizsqzrkh.exe -
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1584-132-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3036-147-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2576-148-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5028-149-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4092-151-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5004-150-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/1584-153-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3036-156-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5028-158-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/2576-157-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5004-159-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4092-160-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\sseqzjrnewxknze.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File created C:\Windows\SysWOW64\wiyodkjyjdvkv.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File created C:\Windows\SysWOW64\qbizsqzrkh.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\SysWOW64\qbizsqzrkh.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\SysWOW64\sseqzjrnewxknze.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File created C:\Windows\SysWOW64\myzsowox.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\SysWOW64\myzsowox.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\SysWOW64\wiyodkjyjdvkv.exe 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qbizsqzrkh.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal myzsowox.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe myzsowox.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe myzsowox.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal myzsowox.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal myzsowox.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe myzsowox.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B05844E4389A53B8B9D5329AD4CE" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" qbizsqzrkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf qbizsqzrkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg qbizsqzrkh.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CEF913F298847A3B4B819939E6B08A038842600332E1BF45EA08D6" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh qbizsqzrkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" qbizsqzrkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C7A9C2082556D3F77D177552DDC7D8564A8" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF8E4F29851E913CD72C7DE6BCE4E141594366416335D6E9" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FF1A21DAD10CD0A68B799011" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70F14E3DBC2B9BE7FE6ED9234BD" 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" qbizsqzrkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs qbizsqzrkh.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2240 WINWORD.EXE 2240 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 3036 qbizsqzrkh.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 2576 sseqzjrnewxknze.exe 5028 myzsowox.exe 5028 myzsowox.exe 5028 myzsowox.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 5004 wiyodkjyjdvkv.exe 4092 myzsowox.exe 4092 myzsowox.exe 4092 myzsowox.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2240 WINWORD.EXE 2240 WINWORD.EXE 2240 WINWORD.EXE 2240 WINWORD.EXE 2240 WINWORD.EXE 2240 WINWORD.EXE 2240 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 1584 wrote to memory of 3036 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 82 PID 1584 wrote to memory of 3036 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 82 PID 1584 wrote to memory of 3036 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 82 PID 1584 wrote to memory of 2576 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 83 PID 1584 wrote to memory of 2576 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 83 PID 1584 wrote to memory of 2576 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 83 PID 1584 wrote to memory of 5028 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 84 PID 1584 wrote to memory of 5028 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 84 PID 1584 wrote to memory of 5028 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 84 PID 1584 wrote to memory of 5004 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 85 PID 1584 wrote to memory of 5004 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 85 PID 1584 wrote to memory of 5004 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 85 PID 3036 wrote to memory of 4092 3036 qbizsqzrkh.exe 86 PID 3036 wrote to memory of 4092 3036 qbizsqzrkh.exe 86 PID 3036 wrote to memory of 4092 3036 qbizsqzrkh.exe 86 PID 1584 wrote to memory of 2240 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 87 PID 1584 wrote to memory of 2240 1584 80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe"C:\Users\Admin\AppData\Local\Temp\80e6879c65ddc99979b659f90f47ebff9a7f248b550b2a789e4228490fcc7d90.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\qbizsqzrkh.exeqbizsqzrkh.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\myzsowox.exeC:\Windows\system32\myzsowox.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4092
-
-
-
C:\Windows\SysWOW64\sseqzjrnewxknze.exesseqzjrnewxknze.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576
-
-
C:\Windows\SysWOW64\myzsowox.exemyzsowox.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5028
-
-
C:\Windows\SysWOW64\wiyodkjyjdvkv.exewiyodkjyjdvkv.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5004
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2240
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD5868a896726ed8a3e06800133ef72ce82
SHA1bd9aba9bc92bb83d5355a33db64098ac97c1183b
SHA256f2bbb3c5af2f5434549aa87eced8816c842a9a571188fcbb788ff2c48aaef5b5
SHA5128182caa3d0dc80ac728eaf0d434cb29b6a4e36c14965a6d60efb847748cadd42e33fde9f69d9bd6c1c6cfe48aa2c9555d5a8a159499112f7ad3025031a8cbba8
-
Filesize
255KB
MD580b9d250f995a580af3037e5f6673aee
SHA1d80eb783ef18bc94d997f3049148e817c4480d31
SHA2569c09d8157fa540548c52c47e3163aae71a8e0fe9ed11a9b51d50f024eb18030a
SHA5128dbda8ed2c26dfa0448abe269cb7afb2914d775c9b31fa77bc441385bf3b68e427d1365587069fd0dfc704d214c524f41dc1909d694565029c79ae76d3da5943
-
Filesize
255KB
MD544e5ccf3718af3027b7e0a34636c2828
SHA1c2856dfb0a468729873feace78c60a05df456e2f
SHA256fb04a7597b3da39ac01081f0ff506ed044e056b501fed417ddaa079e16b640a8
SHA51246067479e09d0f1e18db0d5d7751de9b6309c0433e006a44ea4a1ca4a5cd242f26abae44c5d603e6c6cdd889e641f8634442daefd9fbe2061fdcb75ea3244554
-
Filesize
255KB
MD5f37dea72caf32bea75d158fa79b8d1d4
SHA1f20cda09a20ef7b20b89e1a53511596bb31e8350
SHA256a2d97578d0827dec35a50dd05c62b17527626b8d680629a67b53c7a7401ca313
SHA51250c6832acce8645fdf71e833652fcd514c67bc442bffa5fec2a7e0cbd150b6329b9fe4bbc43c68de3ca59f135786dfbf46b9b13722bb50f924b8a93e21683099
-
Filesize
255KB
MD5cc5a7a87654769653094206e4b182349
SHA156267a563567a41ff32d0b51a10cb997498045dd
SHA25652dba3953210a1e5a5239f1cbe0fc971c2c539fe3fe154e7fcfda8ef10c1b692
SHA51269927e8f8a6581d30c1a2b0c9468d0f09c120a40514aed954bb1fc438b21ceb2e29f6e0cd7e1501cc62255866a428377b4406e4db3f9bb0d9c4cd3241f598b54
-
Filesize
255KB
MD5da1bafb65b72c6abbf696522a2e38375
SHA1b2e5076b489a16ed313940e3270912749acb5a0c
SHA256389a3e285e7503f76df5252e519d34d2f9fe30127011d87f24bdb95ad812597c
SHA512d7b85c18215a050b10a621b2844208f35c946fad1905904ae77a9a76d33120f34e82eead4d300795dc4b8d6881f8a83684c305f8e009a30f72bc4e261e6b791c
-
Filesize
255KB
MD5da1bafb65b72c6abbf696522a2e38375
SHA1b2e5076b489a16ed313940e3270912749acb5a0c
SHA256389a3e285e7503f76df5252e519d34d2f9fe30127011d87f24bdb95ad812597c
SHA512d7b85c18215a050b10a621b2844208f35c946fad1905904ae77a9a76d33120f34e82eead4d300795dc4b8d6881f8a83684c305f8e009a30f72bc4e261e6b791c
-
Filesize
255KB
MD5da1bafb65b72c6abbf696522a2e38375
SHA1b2e5076b489a16ed313940e3270912749acb5a0c
SHA256389a3e285e7503f76df5252e519d34d2f9fe30127011d87f24bdb95ad812597c
SHA512d7b85c18215a050b10a621b2844208f35c946fad1905904ae77a9a76d33120f34e82eead4d300795dc4b8d6881f8a83684c305f8e009a30f72bc4e261e6b791c
-
Filesize
255KB
MD5fec71a629022ee9f346bd3e691149ac8
SHA1bf85497e489171097511eab4bd4a675f8b574a15
SHA256e6ec5521be23c815c15e1f6011fe736d421f4cfc4793afcf32fb68f17d13faab
SHA5120d5c8e7d4f184eb9b791ecedc7ea1b2c0aab8239ba2eda2dd8bde0628d490ce5a68794c3a7a7636615ed7a70b13a6195d4e494d27799a6773dd6cf5ecd9074d8
-
Filesize
255KB
MD5fec71a629022ee9f346bd3e691149ac8
SHA1bf85497e489171097511eab4bd4a675f8b574a15
SHA256e6ec5521be23c815c15e1f6011fe736d421f4cfc4793afcf32fb68f17d13faab
SHA5120d5c8e7d4f184eb9b791ecedc7ea1b2c0aab8239ba2eda2dd8bde0628d490ce5a68794c3a7a7636615ed7a70b13a6195d4e494d27799a6773dd6cf5ecd9074d8
-
Filesize
255KB
MD557707cb21454a1411dda5efab00d3197
SHA1f17a7540ec5c2d096db4dc8018e290a02f1c62d9
SHA2564d92379e5ef51d7f4bbc4813bd466cb6f49c7b818d53de6ec249ea6fc03e0ce6
SHA512455d5f4b39eea55cb61738368cf93d1bbfc045c0f3b51800c711d6bbdc5df6ac3d3ada29ed3d8f6d096ab9c9e5445911d55aa76efd5c35526ccf5a3afd48dbc6
-
Filesize
255KB
MD557707cb21454a1411dda5efab00d3197
SHA1f17a7540ec5c2d096db4dc8018e290a02f1c62d9
SHA2564d92379e5ef51d7f4bbc4813bd466cb6f49c7b818d53de6ec249ea6fc03e0ce6
SHA512455d5f4b39eea55cb61738368cf93d1bbfc045c0f3b51800c711d6bbdc5df6ac3d3ada29ed3d8f6d096ab9c9e5445911d55aa76efd5c35526ccf5a3afd48dbc6
-
Filesize
255KB
MD5638aa8fc0aa32aaa45696d24ec01d1e9
SHA1f047697266e0f09c4002bfc4619297d10fd07c55
SHA2564a7f968a2dd84c9739776cd7145f9a18ff2c66f7a73b5c35ca86153339bcd559
SHA51291b07e1c3a7fea839bd4679554a30e162e4bc2d43318f9576e455e913d15ad0a76eeb0560c68d3647195f484e0815ece2bff389d8e41945c57b99ea3963d357b
-
Filesize
255KB
MD5638aa8fc0aa32aaa45696d24ec01d1e9
SHA1f047697266e0f09c4002bfc4619297d10fd07c55
SHA2564a7f968a2dd84c9739776cd7145f9a18ff2c66f7a73b5c35ca86153339bcd559
SHA51291b07e1c3a7fea839bd4679554a30e162e4bc2d43318f9576e455e913d15ad0a76eeb0560c68d3647195f484e0815ece2bff389d8e41945c57b99ea3963d357b
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7