Analysis

max time kernel: 173s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 21:05
Behavioral task: behavioral1
Sample: 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Resource: win10v2004-20221111-en
General

Target: 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Size: 255KB
MD5: 68abf81d82533a16dd859e2578d7be6c
SHA1: ae6fd12bbfdee685b31238af4632e0382d65e974
SHA256: 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7
SHA512: c1ef75829f31c4a23bdfaa4b22dda8e2c87c75eac46f8042c09066448f39854866fd6d046168ee1a357a9c3916965cbdb18fcc6b88e60e1ac33cda84d02fc590
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIt
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zvowgxlyjd.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zvowgxlyjd.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zvowgxlyjd.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zvowgxlyjd.exe
Executes dropped EXE (5 IoCs)
pid | Process
3168 | zvowgxlyjd.exe
392 | idepceytvcntnzw.exe
1908 | xipvqdwg.exe
1936 | koosakedtloik.exe
3340 | xipvqdwg.exe
resource | yara_rule
behavioral2/memory/4412-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e0c-135.dat | upx
behavioral2/files/0x0008000000022e0c-136.dat | upx
behavioral2/files/0x0006000000022e1a-139.dat | upx
behavioral2/files/0x0006000000022e1a-138.dat | upx
behavioral2/files/0x0006000000022e1b-142.dat | upx
behavioral2/files/0x0006000000022e1c-144.dat | upx
behavioral2/files/0x0006000000022e1c-145.dat | upx
behavioral2/files/0x0006000000022e1b-143.dat | upx
behavioral2/memory/3168-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/392-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1908-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4412-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e1b-153.dat | upx
behavioral2/memory/3340-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e21-163.dat | upx
behavioral2/memory/3168-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/392-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1908-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3340-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zvowgxlyjd.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | idepceytvcntnzw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndzuofoe = "zvowgxlyjd.exe" | idepceytvcntnzw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\egydkkzf = "idepceytvcntnzw.exe" | idepceytvcntnzw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "koosakedtloik.exe" | idepceytvcntnzw.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | xipvqdwg.exe
File opened (read-only) | \??\e: | zvowgxlyjd.exe
File opened (read-only) | \??\l: | zvowgxlyjd.exe
File opened (read-only) | \??\x: | xipvqdwg.exe
File opened (read-only) | \??\f: | zvowgxlyjd.exe
File opened (read-only) | \??\v: | zvowgxlyjd.exe
File opened (read-only) | \??\b: | xipvqdwg.exe
File opened (read-only) | \??\k: | xipvqdwg.exe
File opened (read-only) | \??\u: | xipvqdwg.exe
File opened (read-only) | \??\h: | zvowgxlyjd.exe
File opened (read-only) | \??\i: | xipvqdwg.exe
File opened (read-only) | \??\n: | xipvqdwg.exe
File opened (read-only) | \??\s: | xipvqdwg.exe
File opened (read-only) | \??\v: | xipvqdwg.exe
File opened (read-only) | \??\w: | xipvqdwg.exe
File opened (read-only) | \??\x: | xipvqdwg.exe
File opened (read-only) | \??\e: | xipvqdwg.exe
File opened (read-only) | \??\i: | xipvqdwg.exe
File opened (read-only) | \??\z: | xipvqdwg.exe
File opened (read-only) | \??\t: | zvowgxlyjd.exe
File opened (read-only) | \??\u: | zvowgxlyjd.exe
File opened (read-only) | \??\p: | xipvqdwg.exe
File opened (read-only) | \??\o: | xipvqdwg.exe
File opened (read-only) | \??\y: | xipvqdwg.exe
File opened (read-only) | \??\b: | zvowgxlyjd.exe
File opened (read-only) | \??\r: | zvowgxlyjd.exe
File opened (read-only) | \??\x: | zvowgxlyjd.exe
File opened (read-only) | \??\h: | xipvqdwg.exe
File opened (read-only) | \??\n: | zvowgxlyjd.exe
File opened (read-only) | \??\o: | xipvqdwg.exe
File opened (read-only) | \??\v: | xipvqdwg.exe
File opened (read-only) | \??\o: | zvowgxlyjd.exe
File opened (read-only) | \??\w: | zvowgxlyjd.exe
File opened (read-only) | \??\g: | xipvqdwg.exe
File opened (read-only) | \??\j: | xipvqdwg.exe
File opened (read-only) | \??\t: | xipvqdwg.exe
File opened (read-only) | \??\g: | xipvqdwg.exe
File opened (read-only) | \??\t: | xipvqdwg.exe
File opened (read-only) | \??\f: | xipvqdwg.exe
File opened (read-only) | \??\k: | xipvqdwg.exe
File opened (read-only) | \??\m: | xipvqdwg.exe
File opened (read-only) | \??\q: | xipvqdwg.exe
File opened (read-only) | \??\q: | xipvqdwg.exe
File opened (read-only) | \??\g: | zvowgxlyjd.exe
File opened (read-only) | \??\s: | zvowgxlyjd.exe
File opened (read-only) | \??\l: | xipvqdwg.exe
File opened (read-only) | \??\z: | xipvqdwg.exe
File opened (read-only) | \??\p: | xipvqdwg.exe
File opened (read-only) | \??\k: | zvowgxlyjd.exe
File opened (read-only) | \??\p: | zvowgxlyjd.exe
File opened (read-only) | \??\b: | xipvqdwg.exe
File opened (read-only) | \??\i: | zvowgxlyjd.exe
File opened (read-only) | \??\r: | xipvqdwg.exe
File opened (read-only) | \??\e: | xipvqdwg.exe
File opened (read-only) | \??\l: | xipvqdwg.exe
File opened (read-only) | \??\n: | xipvqdwg.exe
File opened (read-only) | \??\q: | zvowgxlyjd.exe
File opened (read-only) | \??\y: | zvowgxlyjd.exe
File opened (read-only) | \??\z: | zvowgxlyjd.exe
File opened (read-only) | \??\a: | xipvqdwg.exe
File opened (read-only) | \??\r: | xipvqdwg.exe
File opened (read-only) | \??\j: | zvowgxlyjd.exe
File opened (read-only) | \??\u: | xipvqdwg.exe
File opened (read-only) | \??\a: | xipvqdwg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zvowgxlyjd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zvowgxlyjd.exe
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4412-133-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3168-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/392-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1908-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4412-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3340-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3168-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/392-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1908-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3340-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\xipvqdwg.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\SysWOW64\xipvqdwg.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\SysWOW64\koosakedtloik.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zvowgxlyjd.exe
File created | C:\Windows\SysWOW64\zvowgxlyjd.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File created | C:\Windows\SysWOW64\idepceytvcntnzw.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\SysWOW64\idepceytvcntnzw.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File created | C:\Windows\SysWOW64\koosakedtloik.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\SysWOW64\zvowgxlyjd.exe | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xipvqdwg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xipvqdwg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xipvqdwg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xipvqdwg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xipvqdwg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xipvqdwg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xipvqdwg.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zvowgxlyjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zvowgxlyjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF88482F82129140D72C7D90BD90E636594B67316337D79F" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C60F1490DABFB8CF7C94EC9434CF" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zvowgxlyjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zvowgxlyjd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7E9C2682586A4477A770532DD77D8464DD" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAB0F913F29983083B4481EB3E95B389028C4366023DE1BF45EA09D4" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB1FF6E22DDD27FD0A88A0F9116" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B15844EE389D52CFBAD63392D7BE" | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zvowgxlyjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zvowgxlyjd.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4132 | WINWORD.EXE
4132 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
392 | idepceytvcntnzw.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
3168 | zvowgxlyjd.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
392 | idepceytvcntnzw.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1908 | xipvqdwg.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
1936 | koosakedtloik.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
3340 | xipvqdwg.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4132 | WINWORD.EXE
4132 | WINWORD.EXE
4132 | WINWORD.EXE
4132 | WINWORD.EXE
4132 | WINWORD.EXE
4132 | WINWORD.EXE
4132 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4412 wrote to memory of 3168 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 83
PID 4412 wrote to memory of 3168 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 83
PID 4412 wrote to memory of 3168 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 83
PID 4412 wrote to memory of 392 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 84
PID 4412 wrote to memory of 392 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 84
PID 4412 wrote to memory of 392 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 84
PID 4412 wrote to memory of 1908 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 85
PID 4412 wrote to memory of 1908 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 85
PID 4412 wrote to memory of 1908 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 85
PID 4412 wrote to memory of 1936 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 86
PID 4412 wrote to memory of 1936 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 86
PID 4412 wrote to memory of 1936 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 86
PID 4412 wrote to memory of 4132 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 87
PID 4412 wrote to memory of 4132 | 4412 | 4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe | 87
PID 3168 wrote to memory of 3340 | 3168 | zvowgxlyjd.exe | 89
PID 3168 wrote to memory of 3340 | 3168 | zvowgxlyjd.exe | 89
PID 3168 wrote to memory of 3340 | 3168 | zvowgxlyjd.exe | 89
Processes

Child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4dd62906a903e885eb8831bb2fb890059d139e93aee6cf4e3fe2a615b374b4a7.exe"
  PID: 4412
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\zvowgxlyjd.exe
    Command line: zvowgxlyjd.exe
    PID: 3168
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xipvqdwg.exe
      Command line: C:\Windows\system32\xipvqdwg.exe
      PID: 3340
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\idepceytvcntnzw.exe
    Command line: idepceytvcntnzw.exe
    PID: 392
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xipvqdwg.exe
    Command line: xipvqdwg.exe
    PID: 1908
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\koosakedtloik.exe
    Command line: koosakedtloik.exe
    PID: 1936
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4132
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6

Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads

Filesize: 255KB
MD5: a51854ef56d4a572902cc5b6848baf7c
SHA1: 1a758abfc0a8496c1e5552d25a8a496c9dfe5688
SHA256: 85169170e25fe66c3e40dd2d15cbbb3bdf5c8bff9c9acf6b7fbec951fba56a07
SHA512: bcca67e41e1d98911ade4d0f68973e0d143d8e661123b59f06c0467ea94dec157f56bfc44293d1ad43aa7b879b92ad631606d93f01438550188ed04d376cdd90

Filesize: 255KB
MD5: f312d8503717ccb05496434dc0bdb83c
SHA1: eb490ac01c97819b368d5e56636303fa4c156e02
SHA256: 49ba5c2e1f42b7d4985fb6e1cd0604f4999def51b0da0ed520e30c929b5dd408
SHA512: 1f640d29b76029d07b13ea38d331f849a1747d683182b7f998c0a33ded66c7a2cc32b4f753c53c3ce4783818784e2b838be1a74a12cc360426aa8568eebff47b

Filesize: 255KB
MD5: f312d8503717ccb05496434dc0bdb83c
SHA1: eb490ac01c97819b368d5e56636303fa4c156e02
SHA256: 49ba5c2e1f42b7d4985fb6e1cd0604f4999def51b0da0ed520e30c929b5dd408
SHA512: 1f640d29b76029d07b13ea38d331f849a1747d683182b7f998c0a33ded66c7a2cc32b4f753c53c3ce4783818784e2b838be1a74a12cc360426aa8568eebff47b

Filesize: 255KB
MD5: 2263ab19f211220d2c4d367119dc4744
SHA1: 9bc79a79cbdc7ee3e4ce5590fd3d012e2fc5d745
SHA256: b5fcc8c2fd6641400150fc06ae0cf678f0b73a823f07b278990b2062a7652629
SHA512: 988eb469ed0bea06de555f70ebfe616eb2eb5798c00b7f3e0aeee31f3cea97d95558ed33df9b022875b31ff2c4d702738e9d5f6cfe6750b2c01520b28b0ddae7

Filesize: 255KB
MD5: 2263ab19f211220d2c4d367119dc4744
SHA1: 9bc79a79cbdc7ee3e4ce5590fd3d012e2fc5d745
SHA256: b5fcc8c2fd6641400150fc06ae0cf678f0b73a823f07b278990b2062a7652629
SHA512: 988eb469ed0bea06de555f70ebfe616eb2eb5798c00b7f3e0aeee31f3cea97d95558ed33df9b022875b31ff2c4d702738e9d5f6cfe6750b2c01520b28b0ddae7

Filesize: 255KB
MD5: 84d07028567802ba16489e0d95f1b989
SHA1: 9f2598097dc637e11b8fa39edec0c18a07d2c72b
SHA256: 91b6e98eb1b3c6e82c987e45bcdd47dbfd85edd4644aa45028a2904af81c1751
SHA512: 2f27d5a966434a0f5dbc753129114d5e2777ec40c0fb6ddb5b60e84c2c82d0826d4fff251397a40045c8a53829794f968eece4f58b901fde9eaa856f8a4c7e7a

Filesize: 255KB
MD5: 84d07028567802ba16489e0d95f1b989
SHA1: 9f2598097dc637e11b8fa39edec0c18a07d2c72b
SHA256: 91b6e98eb1b3c6e82c987e45bcdd47dbfd85edd4644aa45028a2904af81c1751
SHA512: 2f27d5a966434a0f5dbc753129114d5e2777ec40c0fb6ddb5b60e84c2c82d0826d4fff251397a40045c8a53829794f968eece4f58b901fde9eaa856f8a4c7e7a

Filesize: 255KB
MD5: 84d07028567802ba16489e0d95f1b989
SHA1: 9f2598097dc637e11b8fa39edec0c18a07d2c72b
SHA256: 91b6e98eb1b3c6e82c987e45bcdd47dbfd85edd4644aa45028a2904af81c1751
SHA512: 2f27d5a966434a0f5dbc753129114d5e2777ec40c0fb6ddb5b60e84c2c82d0826d4fff251397a40045c8a53829794f968eece4f58b901fde9eaa856f8a4c7e7a

Filesize: 255KB
MD5: 3056d4faad561d5a4b91caf1b3389b0d
SHA1: 6a066f69d70ace13ee91b1945501e83d2df3e496
SHA256: 28426c45236b53c8ddabddb57ad7d57a93b18d6c7b1b1ad36fe2f63e1e041ad0
SHA512: d6db223fcc8f73353109d4d5b6806761e2aff15b6761cf29397c1878a3c68b41dabe4010b9e61d9ae55332555f9f5419b20b3cbc3ba1d8661d3471069b1c07cc

Filesize: 255KB
MD5: 3056d4faad561d5a4b91caf1b3389b0d
SHA1: 6a066f69d70ace13ee91b1945501e83d2df3e496
SHA256: 28426c45236b53c8ddabddb57ad7d57a93b18d6c7b1b1ad36fe2f63e1e041ad0
SHA512: d6db223fcc8f73353109d4d5b6806761e2aff15b6761cf29397c1878a3c68b41dabe4010b9e61d9ae55332555f9f5419b20b3cbc3ba1d8661d3471069b1c07cc

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7