Analysis

max time kernel: 189s
max time network: 199s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 21:04
Behavioral task: behavioral1
Sample: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe
Resource: win10v2004-20221111-en
General

Target: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe
Size: 255KB
MD5: 88f99e0e2d6e9ad1b8dc33e13eb4a974
SHA1: 64aacddbbd2f1ba54fb9a0604dff57a22e8c9d0f
SHA256: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8
SHA512: 20b50dc3d6aae3c603d427ba9e17858a6ccb99e978f3d582d3fda04c5fac97c22c67b7739847e397f2b39582927ebaa56f6135a64daf9b6253ad699a22073e71
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIc
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  [tthqweogpu.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [tthqweogpu.exe]
Windows security bypass (5 IoCs)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [tthqweogpu.exe]
Disables RegEdit via registry modification (1 IoC)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [tthqweogpu.exe]
Executes dropped EXE (5 IoCs)
Processes: tthqweogpu.exe, bdlmxuuqjhczlzx.exe, ukmyluld.exe, bsocdapwauxdg.exe, ukmyluld.exe
  PID 1272  tthqweogpu.exe
  PID 3532  bdlmxuuqjhczlzx.exe
  PID 2708  ukmyluld.exe
  PID 4928  bsocdapwauxdg.exe
  PID 4900  ukmyluld.exe
UPX-packed executable (yara rule: upx, 22 IoCs)
Resources matched:
  behavioral2/memory/2236-132-0x0000000000400000-0x00000000004A0000-memory.dmp
  C:\Windows\SysWOW64\tthqweogpu.exe (2 matches)
  C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe (2 matches)
  C:\Windows\SysWOW64\ukmyluld.exe (3 matches)
  C:\Windows\SysWOW64\bsocdapwauxdg.exe (2 matches)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  behavioral2/memory/1272-145-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/3532-147-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2708-149-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4928-150-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2236-152-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4900-153-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/3532-163-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/1272-164-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2708-165-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4928-166-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4900-167-0x0000000000400000-0x00000000004A0000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe
  Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  [504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe]
Windows security modification (6 IoCs)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [tthqweogpu.exe]
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: bdlmxuuqjhczlzx.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  [bdlmxuuqjhczlzx.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlxkaxmj = "tthqweogpu.exe"  [bdlmxuuqjhczlzx.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rkhdgppw = "bdlmxuuqjhczlzx.exe"  [bdlmxuuqjhczlzx.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bsocdapwauxdg.exe"  [bdlmxuuqjhczlzx.exe]
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tthqweogpu.exe, ukmyluld.exe, ukmyluld.exe
  tthqweogpu.exe: File opened (read-only) \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:  (23 opens; every letter except c:, d: and o:)
  ukmyluld.exe (both instances, which the table does not distinguish): File opened (read-only) on every letter from \??\a: to \??\z: except c: and d:  (41 opens; a: b: e: h: k: l: m: n: o: p: q: s: t: u: v: y: z: opened twice, f: g: i: j: r: w: x: once)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: tthqweogpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  [tthqweogpu.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  [tthqweogpu.exe]
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Resources matched (yara rule: autoit_exe):
  behavioral2/memory/1272-145-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/3532-147-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2708-149-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4928-150-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2236-152-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4900-153-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/3532-163-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/1272-164-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/2708-165-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4928-166-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral2/memory/4900-167-0x0000000000400000-0x00000000004A0000-memory.dmp
Drops file in System32 directory (9 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe
  504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe:
    File created C:\Windows\SysWOW64\tthqweogpu.exe
    File opened for modification C:\Windows\SysWOW64\tthqweogpu.exe
    File created C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe
    File opened for modification C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe
    File created C:\Windows\SysWOW64\ukmyluld.exe
    File opened for modification C:\Windows\SysWOW64\ukmyluld.exe
    File created C:\Windows\SysWOW64\bsocdapwauxdg.exe
    File opened for modification C:\Windows\SysWOW64\bsocdapwauxdg.exe
  tthqweogpu.exe:
    File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory (14 IoCs)
Processes: ukmyluld.exe, ukmyluld.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File created (1, as \??\c:\...), File opened for modification (4: twice as C:\..., twice as \??\c:\...)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal: File opened for modification (2)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File created (1, as \??\c:\...), File opened for modification (4: twice as C:\..., twice as \??\c:\...)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal: File opened for modification (2)
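ukmyluld.exe writes PROTTPLN.DOC.exe and PROTTPLV.DOC.exe into Office's template folder, next to a .nal file with the same stem, while tthqweogpu.exe has already set HideFileExt = "1", so Explorer shows the two executables as PROTTPLN.DOC and PROTTPLV.DOC. The script below is an added example, not part of the sandbox report or the sample: it walks a directory tree for that document-name-plus-executable-extension pattern, checks the MZ header, notes whether the original document still sits beside the executable, and lists same-stem siblings so companions such as the .nal file stand out. The fixture directory and its files are constructed for the demonstration, and the extension tables are assumptions to extend for your own estate.

```python
"""Hunt for document-named executables (PROTTPLV.DOC.exe and the like) under a directory tree."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed extension tables; extend to match the document types in your estate.
DOC_EXTS = {".doc", ".docx", ".dot", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_pe(path: Path) -> bool:
    """True if the file starts with the MZ DOS header (cheap PE check, no parsing)."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_double_extensions(root) -> List[Dict]:
    """Return every file named <stem><doc-ext><exec-ext>, with context for triage."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            parts = fn.lower().rsplit(".", 2)  # "prottplv.doc.exe" -> ["prottplv", "doc", "exe"]
            if len(parts) < 3:
                continue
            stem, inner, outer = parts[0], "." + parts[1], "." + parts[2]
            if inner not in DOC_EXTS or outer not in EXEC_EXTS:
                continue
            p = Path(dirpath) / fn
            # Files in the same folder sharing the stem: the shadowed document, companions.
            siblings = sorted(s for s in files if s != fn and s.lower().startswith(stem + "."))
            hits.append({
                "path": str(p),
                "is_pe": is_pe(p),
                "original_present": (p.parent / fn[: -len(outer)]).exists(),
                "siblings": siblings,
            })
    return sorted(hits, key=lambda h: h["path"])


def make_fixture() -> str:
    """Constructed directory mimicking the layout in the report; no real malware involved."""
    root = tempfile.mkdtemp(prefix="office_hunt_")
    tpl = Path(root) / "Microsoft Office" / "root" / "Office16" / "1033"
    tpl.mkdir(parents=True)
    (tpl / "PROTTPLV.DOC").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # OLE2-looking template
    (tpl / "PROTTPLV.DOC.exe").write_bytes(b"MZ" + b"\x90" * 62)            # companion executable
    (tpl / "PROTTPLV.nal").write_bytes(b"\x00" * 16)                        # same-stem companion
    (tpl / "PROTTPLN.DOC").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)  # untouched neighbour
    docs = Path(root) / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx").write_bytes(b"PK\x03\x04")
    (docs / "notes.doc.exe").write_bytes(b"not a pe")  # double extension but no MZ header
    return root


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else make_fixture()
    for hit in find_double_extensions(scan_root):
        print(hit)
```

Run it against a mounted image or a live volume root; a hit with is_pe true, original_present true and a same-stem sibling is the shape this sample leaves behind, whereas a hit without the MZ header is more likely a mis-named document.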
Drops file in Windows directory (3 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, WINWORD.EXE
  File opened for modification C:\Windows\mydoc.rtf  [504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe]
  File opened for modification C:\Windows\mydoc.rtf  [WINWORD.EXE]
  File created C:\Windows\~$mydoc.rtf  [WINWORD.EXE]
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WINWORD.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  [WINWORD.EXE]
Modifies registry class (20 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe
  504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe:
    Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings
    Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BB9FF6C21AAD208D1A68A749160"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67A1593DABFB8BA7FE4EC9E37CE"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7C9C2182276D4476D570522CD97C8E65DC"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB0F961F19484783A44819E3E90B0FC02FC43120233E1B945EA09A2"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12147E338EB53B9B9D73299D7BB"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FCFF482F8512913CD75F7E95BC95E1335842664F6343D7EA"
  tthqweogpu.exe:
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
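The registry writes listed in this report (Explorer visibility, the Security Center overrides, DisableRegistryTools, the Winlogon SFC values, the script extensions re-pointed at the "txtfile" ProgID, and the Run values) are the part that converts most directly into host checks. The Python below is an added example, not part of the sandbox report or of the sample: it parses IoC lines in the shape the report prints them, classifies each write, and records the value a hardened host should carry instead. The sample lines are copied from this report; the "expected" values and the stock ProgID table are assumptions to verify against your own clean image. Two caveats fall out of it. SFCDisable = 4294967197 is 0xFFFFFF9D, or -99 as a signed DWORD, the legacy Windows File Protection disable value; on Windows 10, where Windows Resource Protection replaced WFP, it is a fingerprint of this family rather than a working bypass. And because tthqweogpu.exe is a 32-bit process, its HKLM\SOFTWARE writes were redirected under WOW6432Node, so a hunt has to query both the WOW6432Node and the native keys (the Run key under WOW6432Node is processed at logon either way).

```python
"""Parse sandbox registry IoC lines and classify the tamper each one represents.

Added example for this report. Line shapes follow the report text; the expected
(hardened) values and stock ProgIDs are assumptions to check against a clean image.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: one line per registry signature shown in the report, as printed there.
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tthqweogpu.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tthqweogpu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tthqweogpu.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tthqweogpu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tthqweogpu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" tthqweogpu.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg tthqweogpu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlxkaxmj = "tthqweogpu.exe" bdlmxuuqjhczlzx.exe',
]

# "Set value (type) <key>\<name> = "<data>" <process>"; an empty <name> is the key's (Default) value.
SET_RE = re.compile(
    r'^Set value \((?P<vtype>int|str)\) '
    r'(?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\]*) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
# "Key created <key> <process>" and the query/open variants.
KEY_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried) (?P<key>\\REGISTRY\\.*) (?P<proc>\S+)$'
)


@dataclass
class RegEvent:
    op: str      # "Set value", "Key created", "Key opened", "Key value queried"
    vtype: str   # "int" / "str" for Set value, "" otherwise
    key: str     # key path exactly as printed (\REGISTRY\MACHINE\... or \REGISTRY\USER\...)
    name: str    # value name; "" means the key's (Default) value
    data: str    # value data as text (REG_DWORD arrives as decimal text)
    proc: str    # process that performed the operation


@dataclass
class Finding:
    category: str
    key: str
    name: str
    observed: str
    expected: str  # assumed hardened value, not necessarily the Windows default
    proc: str


def parse_line(line: str) -> Optional[RegEvent]:
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return RegEvent("Set value", m["vtype"], m["key"], m["name"], m["data"], m["proc"])
    m = KEY_RE.match(line)
    if m:
        return RegEvent(m["op"], "", m["key"], "", "", m["proc"])
    return None


def dword_to_signed(value: int) -> int:
    """Read a REG_DWORD as a signed 32-bit integer: 4294967197 -> -99 (0xFFFFFF9D)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


SECURITY_CENTER = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                   "FirewallDisableNotify", "UpdatesDisableNotify", "FirstRunDisabled"}
# Assumed stock ProgIDs for the script types this sample pointed at "txtfile" (verify on a clean image).
SCRIPT_PROGIDS = {".bat": "batfile", ".cmd": "cmdfile", ".reg": "regfile", ".vbs": "VBSFile",
                  ".js": "JSFile", ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


def classify(ev: RegEvent) -> Optional[Finding]:
    """Map one write to a tamper category; None for writes without a rule or already at baseline."""
    if ev.op != "Set value":
        return None
    key, name = ev.key.lower(), ev.name.lower()
    leaf = key.rsplit("\\", 1)[-1]  # last key component, e.g. ".bat"

    def mk(category, expected, observed=None):
        return Finding(category, ev.key, ev.name, ev.data if observed is None else observed, expected, ev.proc)

    if key.endswith(r"\explorer\advanced") and name in ("hidefileext", "showsuperhidden"):
        expected = "0" if name == "hidefileext" else "1"  # show extensions, show protected files
        return mk("explorer_visibility", expected) if ev.data != expected else None
    if key.endswith(r"\security center") and ev.name in SECURITY_CENTER:
        return mk("security_center_tamper", "0") if ev.data != "0" else None
    if key.endswith(r"\policies\system") and name == "disableregistrytools":
        return mk("regedit_disabled", "0") if ev.data != "0" else None
    if key.endswith(r"\winlogon") and name == "sfcdisable" and ev.vtype == "int":
        raw = int(ev.data)
        signed = dword_to_signed(raw)
        observed = f"{raw} (0x{raw & 0xFFFFFFFF:08X}, signed {signed})"
        return mk("wfp_sfcdisable_legacy", "0", observed) if signed != 0 else None
    if r"\classes\." in key and ev.name == "" and leaf in SCRIPT_PROGIDS:
        expected = SCRIPT_PROGIDS[leaf]
        return mk("script_association_hijack", expected) if ev.data.lower() != expected.lower() else None
    if key.endswith(r"\currentversion\run"):
        # Every Run write is reported. A bare file name (no directory) is the tell here: the
        # loader resolves it through the search path, which reaches SysWOW64 where the copies sit.
        return mk("run_key_persistence", "full path to a known-good binary")
    return None


def analyse(lines) -> List[Finding]:
    events = [ev for ev in map(parse_line, lines) if ev]
    return [f for f in map(classify, events) if f]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print(f"{f.category:28} {f.proc:20} {f.key}\\{f.name} = {f.observed!r} (expected {f.expected!r})")
```

The categories are deliberately coarse so the same table can drive remediation (set each key back to its expected value) and detection (alert on any write that produces a finding); keep the parser and the rule table separate so a report from a different sandbox only needs a new regex.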
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
  PID 2952  WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe, bdlmxuuqjhczlzx.exe, ukmyluld.exe, bsocdapwauxdg.exe, ukmyluld.exe
  PID 2236  504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe (16 events)
  PID 1272  tthqweogpu.exe (10 events)
  PID 3532  bdlmxuuqjhczlzx.exe (12 events)
  PID 2708  ukmyluld.exe (8 events)
  PID 4928  bsocdapwauxdg.exe (16 events)
  PID 4900  ukmyluld.exe (2 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe, bdlmxuuqjhczlzx.exe, ukmyluld.exe, bsocdapwauxdg.exe, ukmyluld.exe
  PID 2236  504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe (3 events)
  PID 1272  tthqweogpu.exe (3 events)
  PID 3532  bdlmxuuqjhczlzx.exe (3 events)
  PID 2708  ukmyluld.exe (3 events)
  PID 4928  bsocdapwauxdg.exe (3 events)
  PID 4900  ukmyluld.exe (3 events)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe, bdlmxuuqjhczlzx.exe, ukmyluld.exe, bsocdapwauxdg.exe, ukmyluld.exe
  PID 2236  504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe (3 events)
  PID 1272  tthqweogpu.exe (3 events)
  PID 3532  bdlmxuuqjhczlzx.exe (3 events)
  PID 2708  ukmyluld.exe (3 events)
  PID 4928  bsocdapwauxdg.exe (3 events)
  PID 4900  ukmyluld.exe (3 events)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
  PID 2952  WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe, tthqweogpu.exe
  PID 2236 (504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe) wrote to memory of 1272 (tthqweogpu.exe)  (3 events)
  PID 2236 (504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe) wrote to memory of 3532 (bdlmxuuqjhczlzx.exe)  (3 events)
  PID 2236 (504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe) wrote to memory of 2708 (ukmyluld.exe)  (3 events)
  PID 2236 (504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe) wrote to memory of 4928 (bsocdapwauxdg.exe)  (3 events)
  PID 1272 (tthqweogpu.exe) wrote to memory of 4900 (ukmyluld.exe)  (3 events)
  PID 2236 (504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe) wrote to memory of 2952 (WINWORD.EXE)  (2 events)
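The WriteProcessMemory rows record which process wrote into which newly started child, and the process list that follows shows the same parent/child pairs. As an added example that is not part of the report, the Python below rebuilds that tree from rows in the report's own format, collapses the repeated writes to one edge per pair, renders it with the depth markers the process list uses, and applies two parent/child heuristics of the kind that end up as EDR rules: a parent running from a user's Temp directory starting children in SysWOW64, and WINWORD.EXE launched by something other than explorer.exe. The rows and image paths are copied from this report; the heuristics themselves are assumptions.

```python
"""Rebuild a parent/child process tree from sandbox 'wrote to memory of' rows (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# "PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>"
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<pimg>\S+) (?P<cimg>\S+)$"
)

PARENT = "504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe"
# Constructed copy of the rows in the report, including the repeats the report shows.
SAMPLE_ROWS = (
    [f"PID 2236 wrote to memory of 1272 2236 {PARENT} tthqweogpu.exe"] * 3
    + [f"PID 2236 wrote to memory of 3532 2236 {PARENT} bdlmxuuqjhczlzx.exe"] * 3
    + [f"PID 2236 wrote to memory of 2708 2236 {PARENT} ukmyluld.exe"] * 3
    + [f"PID 2236 wrote to memory of 4928 2236 {PARENT} bsocdapwauxdg.exe"] * 3
    + ["PID 1272 wrote to memory of 4900 1272 tthqweogpu.exe ukmyluld.exe"] * 3
    + [f"PID 2236 wrote to memory of 2952 2236 {PARENT} WINWORD.EXE"] * 2
)
# Image paths from the report's process list (PID -> full path).
IMAGES = {
    2236: "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + PARENT,
    1272: r"C:\Windows\SysWOW64\tthqweogpu.exe",
    3532: r"C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe",
    2708: r"C:\Windows\SysWOW64\ukmyluld.exe",
    4928: r"C:\Windows\SysWOW64\bsocdapwauxdg.exe",
    4900: r"C:\Windows\SysWOW64\ukmyluld.exe",
    2952: r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
}


def parse_edges(rows) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs in first-seen order, repeated rows collapsed."""
    seen: "OrderedDict[Tuple[int, int], None]" = OrderedDict()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            seen.setdefault((int(m["ppid"]), int(m["pid"])), None)
    return list(seen)


def build_tree(edges):
    """Return (root pids, children map); a root is a parent that is nobody's child."""
    children: Dict[int, List[int]] = {}
    parent_of: Dict[int, int] = {}
    for ppid, pid in edges:
        children.setdefault(ppid, []).append(pid)
        parent_of[pid] = ppid
    roots = [p for p in children if p not in parent_of]
    return roots, children


def render(pids, children, images, depth=0) -> List[str]:
    """Indented lines with the [1]/[2]/[3] depth markers used by the process list above."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"[{depth + 1}] {images.get(pid, '?')} (PID {pid})")
        lines.extend(render(children.get(pid, []), children, images, depth + 1))
    return lines


def suspicious_pairs(edges, images) -> List[Tuple[int, int, str]]:
    """Assumed heuristics: Temp-dir parent -> SysWOW64 child; WINWORD not started by explorer.exe."""
    out = []
    for ppid, pid in edges:
        p, c = images.get(ppid, "").lower(), images.get(pid, "").lower()
        if "\\appdata\\local\\temp\\" in p and c.startswith("c:\\windows\\syswow64\\"):
            out.append((ppid, pid, "temp_parent_spawns_syswow64_child"))
        if c.endswith("\\winword.exe") and not p.endswith("\\explorer.exe"):
            out.append((ppid, pid, "office_spawned_by_non_shell_parent"))
    return out


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    roots, children = build_tree(edges)
    print("\n".join(render(roots, children, IMAGES)))
    for ppid, pid, why in suspicious_pairs(edges, IMAGES):
        print(f"{why}: {ppid} -> {pid}")
```

The second heuristic deserves a word of caution before it becomes a rule: Office is legitimately started by many non-shell parents (mail clients, browsers, document management software), so in production it should be narrowed, for example to parents that are themselves unsigned or running from Temp, as the parent here is.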
Processes

[1] C:\Users\Admin\AppData\Local\Temp\504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\504aa4e36446ba5adfcee7c611c0f17e9d002f15c52bed6a8b7602151f0b34e8.exe"
    PID: 2236
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\tthqweogpu.exe
      Command line: tthqweogpu.exe
      PID: 1272
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\ukmyluld.exe
        Command line: C:\Windows\system32\ukmyluld.exe
        PID: 4900
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

  [2] C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe
      Command line: bdlmxuuqjhczlzx.exe
      PID: 3532
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Windows\SysWOW64\ukmyluld.exe
      Command line: ukmyluld.exe
      PID: 2708
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Windows\SysWOW64\bsocdapwauxdg.exe
      Command line: bsocdapwauxdg.exe
      PID: 4928
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 2952
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6

Persistence
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion
  Disabling Security Tools (2)
  Hidden Files and Directories (2)
  Modify Registry (6)
Downloads

Every copy the sample writes (the four SysWOW64 executables and the Office companion) is 255KB like the submitted file, yet each carries a different hash from the parent and from the others, so blocking the parent's hashes does not cover the dropped copies; the paths, names and behaviour above are the durable indicators. Entries that the original report listed more than once with identical hashes are shown once here.

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 255KB
  MD5: 18d5360d5f00faa718e3477dda5ecc07
  SHA1: 68be2ef320d0bf876275a4558d5a03cc83c6612d
  SHA256: b0b69419e26afbaadfd7a565bfe22694b1b5ddc93fa3eb5b1df7283d7ef6fe45
  SHA512: eab1145b4b1f3ff55664af46b25f569ecd990a85f2483084eca28b1a02c48692dc542e4c06d3b939854312d706128481a453a74dd0de697c37a52c35f0d6df67

C:\Windows\SysWOW64\bdlmxuuqjhczlzx.exe (listed twice)
  Filesize: 255KB
  MD5: 964509325e0287226a3c96c89c193c68
  SHA1: 6c8d19d87ed76aed170909713eaca1c50409f87a
  SHA256: 288318ae9376d25e32b96fb3c39449b5b00e7bd482d1b2caa7352b76e58d54f7
  SHA512: 8e555038ea028b5f6238fd069ad35bc5a72ac4ade09a30cdb02549fe58df8849a8d1303c97100fcb21d1735d6d01626433703e8088625146ebcd61f5054637b7

C:\Windows\SysWOW64\bsocdapwauxdg.exe (listed twice)
  Filesize: 255KB
  MD5: 328f11b2b2c8b207818aa0fdb0f2b55c
  SHA1: 88f4f8d4ca5b3b27af6513699416c5d65f517ec9
  SHA256: 882e9d805a61c7e5c48058a990cb834a90b5244f0826c09920064a7b3bb4c9a5
  SHA512: 0e33651898b7e0f3a05d4c82c98d646517d11a108c01041a1cd3e4e3af22d4758e1dfea26109eec2188f03f6c541d0d5d8d1c870ffcb6db79d5980cf59888fa6

C:\Windows\SysWOW64\tthqweogpu.exe (listed twice)
  Filesize: 255KB
  MD5: 5e1b7c095a1f611e7be8c63ddb72b524
  SHA1: 622cfaa2efea6f274cd11771b3112c7969f84c37
  SHA256: 9ea43881b682fc39045d02a3e36a78434636538cb3fe6e92cf527ff394eaf21c
  SHA512: e50f21d34d78150b9ba0cc155c59e62d0eb33fbca49a046160a3e36c0559553d79175d360c7abeae18646c6e459e6396d99d9020ebe1a2e6f8194c4635b4a987

C:\Windows\SysWOW64\ukmyluld.exe (listed three times)
  Filesize: 255KB
  MD5: 57a9cdfe890405710b7535645a0f18b5
  SHA1: 24c6a828af9aebc63fb83398187ad4e07be4ef61
  SHA256: 693fab897fa105c28fc9fed82b4028ec122c22febbc9a057e4064a597acbf67b
  SHA512: 488fd46fc4b89ae8d0685a02c825ef691faeba05b462874487ed7c65a7a5c7dc969bb7e6935d58734ab8b075080388c8c13c7234c43bfbd5c224467a209bd9e6

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
Memory dumps (grouped by PID; mapping dumps have no size)

memory/1272-133-0x0000000000000000-mapping.dmp
memory/1272-145-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/1272-164-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB

memory/2236-132-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/2236-152-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB

memory/2708-139-0x0000000000000000-mapping.dmp
memory/2708-149-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/2708-165-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB

memory/2952-151-0x0000000000000000-mapping.dmp
memory/2952-155-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-156-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-157-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-158-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-159-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-160-0x00007FF7DD950000-0x00007FF7DD960000-memory.dmp: 64KB
memory/2952-161-0x00007FF7DD950000-0x00007FF7DD960000-memory.dmp: 64KB
memory/2952-169-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-170-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-171-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB
memory/2952-172-0x00007FF7E02B0000-0x00007FF7E02C0000-memory.dmp: 64KB

memory/3532-136-0x0000000000000000-mapping.dmp
memory/3532-147-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/3532-163-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB

memory/4900-146-0x0000000000000000-mapping.dmp
memory/4900-153-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/4900-167-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB

memory/4928-142-0x0000000000000000-mapping.dmp
memory/4928-150-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB
memory/4928-166-0x0000000000400000-0x00000000004A0000-memory.dmp: 640KB