Analysis
max time kernel: 155s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 21:04
Behavioral task: behavioral1
Sample: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Resource: win7-20220812-en
General
Target: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Size: 255KB
MD5: 7d5dc99d15d0b9b3b86665c091fad166
SHA1: c50b78c1dd46fb4a283f1532268390454a7181cf
SHA256: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be
SHA512: bd0370c6e297c3ed120e1299fb13591b757d563310b6a2a78b97ed4617eebb5c14702a194d76a9840299ca117d1bab6b14ebf44922b776afb567a36ee383d7e3
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ1:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fthnlolboq.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fthnlolboq.exe
Modifies Windows Security Center notification and override settings (5 IoCs)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fthnlolboq.exe
Disables RegEdit via registry modification (1 IoC)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fthnlolboq.exe
Executes dropped EXE (5 IoCs)
Processes: fthnlolboq.exe, wzghqusirrviimh.exe, lxrvdblg.exe, azfvcptbxuspr.exe, lxrvdblg.exe
pid | process
2032 | fthnlolboq.exe
1760 | wzghqusirrviimh.exe
1636 | lxrvdblg.exe
1676 | azfvcptbxuspr.exe
1864 | lxrvdblg.exe
UPX-packed executables (yara rule upx; 30 IoCs)
resource | yara_rule
behavioral1/memory/1508-55-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
\Windows\SysWOW64\fthnlolboq.exe | upx
behavioral1/memory/1508-57-0x00000000032F0000-0x0000000003390000-memory.dmp | upx
C:\Windows\SysWOW64\fthnlolboq.exe (x2) | upx
\Windows\SysWOW64\wzghqusirrviimh.exe | upx
C:\Windows\SysWOW64\wzghqusirrviimh.exe (x2) | upx
\Windows\SysWOW64\lxrvdblg.exe (x2) | upx
C:\Windows\SysWOW64\lxrvdblg.exe (x3) | upx
\Windows\SysWOW64\azfvcptbxuspr.exe | upx
C:\Windows\SysWOW64\azfvcptbxuspr.exe (x2) | upx
behavioral1/memory/2032-77-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1760-79-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1676-81-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1636-80-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1864-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1508-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2032-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1760-92-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1636-93-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1676-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1864-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | upx
C:\Users\Admin\Downloads\ReceiveEnable.doc.exe | upx
Loads dropped DLL (5 IoCs)
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, fthnlolboq.exe
pid | process
1508 | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe (x4)
2032 | fthnlolboq.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Disables Security Center notifications and overrides antivirus/firewall status (6 IoCs)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fthnlolboq.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wzghqusirrviimh.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wzghqusirrviimh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qgicvokk = "fthnlolboq.exe" | wzghqusirrviimh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hhkjrano = "wzghqusirrviimh.exe" | wzghqusirrviimh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "azfvcptbxuspr.exe" | wzghqusirrviimh.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: fthnlolboq.exe, lxrvdblg.exe, lxrvdblg.exe
description | ioc | process
File opened (read-only) | \??\a: b: e: f: g: i: j: l: m: n: o: p: r: s: t: u: v: w: x: y: z: (21 entries, one per letter) | fthnlolboq.exe
File opened (read-only) | \??\a: b: e: f: g: i: j: l: m: n: o: q: r: s: t: u: v: w: z: (twice each) and \??\h: k: p: x: y: (once each); 43 entries | lxrvdblg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: fthnlolboq.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fthnlolboq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fthnlolboq.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2032-77-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1760-79-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1676-81-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1636-80-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1864-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1508-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2032-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1760-92-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1636-93-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1676-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1864-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
Processes: fthnlolboq.exe, 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fthnlolboq.exe
File created | C:\Windows\SysWOW64\wzghqusirrviimh.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File created | C:\Windows\SysWOW64\azfvcptbxuspr.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File opened for modification | C:\Windows\SysWOW64\wzghqusirrviimh.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File created | C:\Windows\SysWOW64\lxrvdblg.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File opened for modification | C:\Windows\SysWOW64\lxrvdblg.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File opened for modification | C:\Windows\SysWOW64\azfvcptbxuspr.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File created | C:\Windows\SysWOW64\fthnlolboq.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File opened for modification | C:\Windows\SysWOW64\fthnlolboq.exe | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Drops file in Program Files directory (14 IoCs)
Processes: lxrvdblg.exe, lxrvdblg.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lxrvdblg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lxrvdblg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lxrvdblg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lxrvdblg.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lxrvdblg.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lxrvdblg.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lxrvdblg.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lxrvdblg.exe
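The Program Files entries above show the dropped lxrvdblg.exe creating PROTTPLN.DOC.exe and PROTTPLV.DOC.exe and opening a PROTTPLN.nal / PROTTPLV.nal sibling for modification next to each, and the UPX table also lists C:\Users\Admin\Downloads\ReceiveEnable.doc.exe. Because the same sample sets HideFileExt to 1, Explorer shows "PROTTPLN.DOC.exe" as "PROTTPLN.DOC". The PowerShell below is an added example, not code from the report or from the sample, that hunts a host for that file shape; the function names are the example's own, and the extension list beyond ".doc" is an assumption that generalises the cases the report shows.

```powershell
<#
  Added example, not part of the Triage report or the sample: hunt a host for a
  document name with ".exe" appended (PROTTPLN.DOC.exe, ReceiveEnable.doc.exe)
  and report any ".nal" sibling with the same stem (PROTTPLN.nal). Read-only.
  The extension list generalises the ".doc" cases in the report (assumption);
  function names are this example's own.
#>
function Get-ScanRoots {
  # Mirrors the sample's own a: .. z: probing, but only for drives that are ready.
  [System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.IsReady -and ($_.DriveType -eq 'Fixed' -or $_.DriveType -eq 'Removable') } |
    ForEach-Object { $_.RootDirectory.FullName }
}

function Find-DocExeFiles {
  param([string[]]$Roots = (Get-ScanRoots))
  # A document extension immediately followed by .exe, e.g. "report.doc.exe".
  $pattern = '(?i)\.(doc|docx|dot|rtf|xls|xlsx|ppt|pptx|pdf)\.exe$'
  foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -match $pattern } |
      ForEach-Object {
        $docName = $_.Name.Substring(0, $_.Name.Length - 4)                # PROTTPLN.DOC
        $stem    = [System.IO.Path]::GetFileNameWithoutExtension($docName)  # PROTTPLN
        $nal     = Join-Path $_.DirectoryName ($stem + '.nal')
        $nalHit  = Test-Path -LiteralPath $nal
        [pscustomobject]@{
          Path       = $_.FullName
          SizeKB     = [math]::Round($_.Length / 1KB, 1)
          Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
          NalSibling = $(if ($nalHit) { $nal } else { '' })
          Hidden     = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
          LastWrite  = $_.LastWriteTimeUtc
        }
      }
  }
}

# Whole host, or a narrower first pass over the locations the report names:
#   Find-DocExeFiles -Roots "${env:ProgramFiles(x86)}", "$env:USERPROFILE\Downloads"
Find-DocExeFiles | Sort-Object Path | Format-Table -AutoSize
```

Compare each hit's SHA256 against the dropped copies rather than only against the submitted sample: the SysWOW64 copies are UPX-packed AutoIt builds and need not hash-match the parent. A hit whose NalSibling column is populated matches the pairing the report shows in Office14\1033.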
Drops file in Windows directory (5 IoCs)
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer editor and menu-extension settings (31 IoCs)
All entries are written by WINWORD.EXE, which was launched to open the dropped C:\Windows\mydoc.rtf; they register Office's own HTML/MHTML editor and context-menu handlers and are sandbox environment activity rather than sample behaviour.
Processes: WINWORD.EXE
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE, fthnlolboq.exe, 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Six entries belong to the sample and its dropped fthnlolboq.exe: the .vbs and .WSF extensions are pointed at the "txtfile" ProgID (so such scripts open in Notepad instead of running), a .wsc class key is created, and two marker values are written under Classes\CLV.Classes. The remaining 58 entries are WINWORD.EXE registering Office's own .htm/.mht editing handlers when it is launched to open the dropped C:\Windows\mydoc.rtf; treat those as sandbox environment activity, not sample behaviour.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | fthnlolboq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | fthnlolboq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | fthnlolboq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | fthnlolboq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C6791596DAB1B9BD7CE5ED9034C6" | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC8D482682689142D65C7E91BDEFE64358426644623ED6ED" | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
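Taken together, the registry signatures above are the host-side footprint a responder would check for: the Explorer HideFileExt / ShowSuperHidden values, the Security Center notification and override values, DisableRegistryTools, the Winlogon SFCScan / SFCDisable pair (the report's 4294967197 is DWORD 0xFFFFFF9D, i.e. -99 as a signed value), the .vbs / .WSF remap to "txtfile", and the bare-filename Run values written by wzghqusirrviimh.exe. The PowerShell below is an added example, not part of the report or of the sample, that audits a host for exactly those values and, with -Remediate, undoes them. Its function and variable names are the example's own. Two caveats are built in: HideFileExt = 1 and ShowSuperHidden = 0 are also Windows defaults, so on their own they corroborate rather than prove infection, and the sandbox wrote the per-user values under HKU\<SID>, so the script checks HKCU for the interactive user only.

```powershell
<#
  Added example, not part of the Triage report or the sample: audit a Windows host
  for the registry indicators the report attributes to fthnlolboq.exe and
  wzghqusirrviimh.exe, and optionally undo them. Run elevated. Read-only unless
  -Remediate is given. Function and variable names are this example's own.
#>
[CmdletBinding()]
param([switch]$Remediate)

# Per-user values were written under HKU\<SID> in the sandbox; HKCU covers the
# interactive user here (load other profiles' hives to check them). Machine-wide
# values were written under Wow6432Node because the sample is 32-bit; both views are checked.
$ExplorerAdv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$checks = @(
  # HideFileExt=1 / ShowSuperHidden=0 are also Windows defaults: corroborating only.
  @{ Path = $ExplorerAdv; Name = 'HideFileExt';     Bad = 1; Restore = 0 }   # "x.DOC.exe" shows as "x.DOC"
  @{ Path = $ExplorerAdv; Name = 'ShowSuperHidden'; Bad = 0; Restore = 1 }
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1; Restore = $null }
  @{ Path = $Winlogon; Name = 'SFCScan';    Bad = 0; Restore = $null }
  # Report shows SFCDisable = 4294967197, which is DWORD 0xFFFFFF9D (-99 signed).
  @{ Path = $Winlogon; Name = 'SFCDisable'; Bad = 4294967197; Restore = 0 }
  # .vbs/.WSF -> "txtfile" makes scripts open in Notepad instead of running.
  @{ Path = 'HKLM:\SOFTWARE\Classes\.vbs'; Name = '(default)'; Bad = 'txtfile'; Restore = 'VBSFile' }
  @{ Path = 'HKLM:\SOFTWARE\Classes\.WSF'; Name = '(default)'; Bad = 'txtfile'; Restore = 'WSFFile' }
)
foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Security Center') {
  foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                 'FirstRunDisabled', 'AntiVirusOverride', 'FirewallOverride') {
    $checks += @{ Path = $sc; Name = $n; Bad = 1; Restore = $null }   # Restore=$null: delete the value
  }
}

function ConvertTo-Comparable ($v) {
  # REG_DWORD comes back as Int32, so 0xFFFFFF9D reads as -99; compare unsigned.
  if ($v -is [int]) { return ([int64]$v) -band ([int64]4294967295) }
  return $v
}
function Get-RegValue ([string]$Path, [string]$Name) {
  if (-not (Test-Path -LiteralPath $Path)) { return $null }
  $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { return $null }
  return $item.$Name
}

$findings = @(foreach ($c in $checks) {
  $cur = Get-RegValue $c.Path $c.Name
  if ($null -eq $cur) { continue }
  if ((ConvertTo-Comparable $cur) -ne (ConvertTo-Comparable $c.Bad)) { continue }
  [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Data = $cur; Restore = $c.Restore }
  if ($Remediate) {
    if ($null -eq $c.Restore) { Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction Stop }
    else { Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Restore -ErrorAction Stop }
  }
})

# Run-key persistence: the sample wrote bare file names (qgicvokk = "fthnlolboq.exe",
# hhkjrano = "wzghqusirrviimh.exe") and even the key's (default) value, relying on
# the copies it dropped into SysWOW64. Flag that shape as well as the known names.
$dropped = 'fthnlolboq.exe', 'wzghqusirrviimh.exe', 'lxrvdblg.exe', 'azfvcptbxuspr.exe'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
  if (-not (Test-Path -LiteralPath $run)) { continue }
  foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
    if ($psProps -contains $p.Name) { continue }
    $data = ([string]$p.Value).Trim().Trim('"')
    if (($dropped -contains $data) -or ($p.Name -eq '(default)') -or ($data -ne '' -and $data -notmatch '[\\/:]')) {
      $findings += [pscustomobject]@{ Path = $run; Name = $p.Name; Data = $p.Value; Restore = $null }
      if ($Remediate) { Remove-ItemProperty -LiteralPath $run -Name $p.Name -ErrorAction Stop }
    }
  }
}

# Dropped files named in the report. The SysWOW64 copies are UPX-packed AutoIt
# builds, so their hashes need not match the submitted parent sample.
foreach ($f in @($dropped | ForEach-Object { Join-Path $env:SystemRoot "SysWOW64\$_" }) +
               @(Join-Path $env:SystemRoot 'mydoc.rtf')) {
  if (Test-Path -LiteralPath $f) {
    $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
    $findings += [pscustomobject]@{ Path = $f; Name = '(file)'; Data = $hash; Restore = $null }
  }
}

$findings | Format-Table -AutoSize
```

Run it once without -Remediate and keep the table as evidence before changing anything; the Restore column records what the remediation pass will write (or delete, where Restore is empty). Kill the running copies listed under "Executes dropped EXE" before remediating, otherwise they can re-apply the values.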
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
pid | process
1524 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, fthnlolboq.exe, wzghqusirrviimh.exe, lxrvdblg.exe, azfvcptbxuspr.exe, lxrvdblg.exe
pid | process | entries
1508 | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe | 8
2032 | fthnlolboq.exe | 5
1760 | wzghqusirrviimh.exe | 18
1636 | lxrvdblg.exe | 4
1676 | azfvcptbxuspr.exe | 25
1864 | lxrvdblg.exe | 4
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, fthnlolboq.exe, wzghqusirrviimh.exe, lxrvdblg.exe, azfvcptbxuspr.exe, lxrvdblg.exe
pid | process | entries
1508 | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe | 3
2032 | fthnlolboq.exe | 3
1760 | wzghqusirrviimh.exe | 3
1636 | lxrvdblg.exe | 3
1676 | azfvcptbxuspr.exe | 3
1864 | lxrvdblg.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, fthnlolboq.exe, wzghqusirrviimh.exe, lxrvdblg.exe, azfvcptbxuspr.exe, lxrvdblg.exe
pid | process | entries
1508 | 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe | 3
2032 | fthnlolboq.exe | 3
1760 | wzghqusirrviimh.exe | 3
1636 | lxrvdblg.exe | 3
1676 | azfvcptbxuspr.exe | 3
1864 | lxrvdblg.exe | 3
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: WINWORD.EXE
pid | process
1524 | WINWORD.EXE (x2)
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe, fthnlolboq.exe, WINWORD.EXE
Each parent/child pair below is logged four times (28 entries in total):
- PID 1508 (6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe) wrote to memory of PID 2032 (fthnlolboq.exe)
- PID 1508 (6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe) wrote to memory of PID 1760 (wzghqusirrviimh.exe)
- PID 1508 (6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe) wrote to memory of PID 1636 (lxrvdblg.exe)
- PID 1508 (6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe) wrote to memory of PID 1676 (azfvcptbxuspr.exe)
- PID 2032 (fthnlolboq.exe) wrote to memory of PID 1864 (lxrvdblg.exe)
- PID 1508 (6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe) wrote to memory of PID 1524 (WINWORD.EXE)
- PID 1524 (WINWORD.EXE) wrote to memory of PID 1648 (splwow64.exe)
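The WriteProcessMemory entries above are the raw material for the process tree: every parent that spawns a child via CreateProcess shows up here writing into it. The script below is an added example (not part of this sandbox report or its tooling) that parses entries in exactly this "PID X wrote to memory of Y X parent.exe child.exe" shape, collapses the repeats, rebuilds the tree, and computes the lineage an incident responder would scope for containment. The input is constructed from the seven pairs listed in this report, each repeated four times as the report logs them.

```python
"""Rebuild a process tree from a sandbox report's flat WriteProcessMemory
entries ("PID <parent> wrote to memory of <child> <parent> <parent.exe> <child.exe>").
Added example for this report; not part of the sandbox's own tooling."""
import re
from collections import Counter, defaultdict

SAMPLE = "6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe"

# Constructed input: the seven parent/child pairs this report logs under
# "Suspicious use of WriteProcessMemory", each repeated four times as in the report.
_PAIRS = [
    (1508, SAMPLE, 2032, "fthnlolboq.exe"),
    (1508, SAMPLE, 1760, "wzghqusirrviimh.exe"),
    (1508, SAMPLE, 1636, "lxrvdblg.exe"),
    (1508, SAMPLE, 1676, "azfvcptbxuspr.exe"),
    (2032, "fthnlolboq.exe", 1864, "lxrvdblg.exe"),
    (1508, SAMPLE, 1524, "WINWORD.EXE"),
    (1524, "WINWORD.EXE", 1648, "splwow64.exe"),
]
WPM_LOG = "\n".join(
    f"PID {ppid} wrote to memory of {cpid} {ppid} {pimg} {cimg}"
    for ppid, pimg, cpid, cimg in _PAIRS
    for _ in range(4)
)

# Groups: parent pid, child pid, parent image, child image
# (the report repeats the parent pid before the image names; it is skipped).
ENTRY = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_wpm(text):
    """Collapse the log into distinct (parent_pid, parent_img, child_pid, child_img)
    edges, counting how many times each was logged."""
    edges = Counter()
    for m in ENTRY.finditer(text):
        ppid, cpid, pimg, cimg = m.groups()
        edges[(int(ppid), pimg, int(cpid), cimg)] += 1
    return edges


def build_tree(edges):
    """Return (children-by-parent-pid, pid->image name) from the distinct edges."""
    children = defaultdict(list)
    names = {}
    for ppid, pimg, cpid, cimg in edges:
        names[ppid] = pimg
        names[cpid] = cimg
        children[ppid].append(cpid)
    return children, names


def roots(children):
    """Pids that spawn others but are never spawned themselves: the tree's origin."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in spawned)


def lineage(children, pid):
    """Every pid reachable from pid: the set an IR playbook would scope for
    termination, memory capture and file collection."""
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(children.get(cur, []))
    return seen


def render(children, names, pid, depth=0):
    """Indented text tree, one line per process, two spaces per level."""
    lines = [f"{'  ' * depth}{pid} {names[pid]}"]
    for c in children.get(pid, []):
        lines.extend(render(children, names, c, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_wpm(WPM_LOG)
    kids, names = build_tree(edges)
    for root in roots(kids):
        print("\n".join(render(kids, names, root)))
```

Running it prints the same tree the report draws under "Processes", with 1508 as the single root and splwow64.exe two levels below it via WINWORD.EXE. The lineage set is what you would feed to a kill/collect step; the edge counter is a cheap sanity check that the 28 IoCs really are seven pairs logged four times rather than 28 distinct injections.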
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe (PID 1508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c827141d04dd86281be55e369b256d2ecbc2071ee257a3f78753729b36bf3be.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\fthnlolboq.exe (PID 2032)
    Command line: fthnlolboq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\lxrvdblg.exe (PID 1864)
      Command line: C:\Windows\system32\lxrvdblg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - Level 2: C:\Windows\SysWOW64\wzghqusirrviimh.exe (PID 1760)
    Command line: wzghqusirrviimh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Level 2: C:\Windows\SysWOW64\lxrvdblg.exe (PID 1636)
    Command line: lxrvdblg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Level 2: C:\Windows\SysWOW64\azfvcptbxuspr.exe (PID 1676)
    Command line: azfvcptbxuspr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1524)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\splwow64.exe (PID 1648)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6 (technique, number of matching signatures)
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
Downloads
Dropped files: 18 entries covering 8 distinct contents. Entries with identical hashes are collapsed below, with the number of report entries that share them; the report gives hashes and sizes only, not paths.
- 255KB (1 entry)
  MD5 9f7f29a2b40a4282a4d9859c113ccc26
  SHA1 b3b52d3451d2334faf5cda2cf0688386dff06210
  SHA256 cd544bc88153ad02edd29f228313c4253a77539780feb6dda4023f18e059c4c0
  SHA512 97e9454df1ecc65aa182aae7a99255c22a193ea3e143ede69c59e77225896a8b294424915dbd42b5255c486bffa9680bb9b2d836d64e45679abfe7a2a874c491
- 255KB (1 entry)
  MD5 8506c8ad1b70a06d7643abda25c9590a
  SHA1 1a7120f3dd90eb9123916b7af2921e07f6f9a12e
  SHA256 f95ff37a13da1bd7bb425ff5073d06ba5ed630d661081867eb8b058b0ce57e3c
  SHA512 2bd43dacfd2371210cfbfff3b37d4a641af322c6887cc7c9a0635d71be4b8bb1e5db10d29dcfb9162a00fada49780d833ed5238dbe9c42f090d679ee7a903b69
- 255KB (1 entry)
  MD5 86dba3571efd3e1e20abde592138ab49
  SHA1 dec105c7198f6dc6363829467a2f32599b8374a0
  SHA256 02ac6c5fbf3fae6e168382aef698ebadd7bef9c4b1b113f0e0699bb3e084633d
  SHA512 a3b1ff70c6eec9d2e93c7fd1984f6e771714b644139dfdb6aa1338c0240593531894f798ff5c35ea0a4137492bdd00ce008dc9c50f1f09f969d7064514c03ebb
- 255KB (3 entries)
  MD5 fac53a8b70c424b5c256cbca64716254
  SHA1 5dcd6ab7f08987ab5f227bca70f2972c4d34a637
  SHA256 fe6709da3e47b3c88955df26c873fb0d1bb5a39ec026a1f83f6aaaa955aa083b
  SHA512 defa963d2ecd8c82dfb7fd6960ae407f8be2394a75002b353e3c291b8aa8920396bd5a987091048bd1ffc1134c60b2db44b875c94e6330c9ee21f343c5959421
- 255KB (3 entries)
  MD5 893f0e19d518843b5336e65fdd7c983b
  SHA1 7ca41ecabf62aeb1dd4f15b1e08ae9ab686bf65b
  SHA256 ee1e4f70a21b8184534f356c28c9463ef7b56b1ef2e23b404313b8358016fa63
  SHA512 452234b3407c8008b473286348cd6ab769d2fa427c3f23ac695489cb2ebd4235deb39be5b6ae7f6f63d7bb7abfb0945c262f9665b5ffbd50c32f39ca2c6314f0
- 255KB (5 entries)
  MD5 5ec6d8a2e922f5ade655ece1e12df490
  SHA1 4882c57060e5860cf17839da375b7b61ffa8c9a1
  SHA256 eeec854378cc5befb6efd19148915b9d141ceb736235ed33cdc14fec78328adf
  SHA512 d48c2547af8e99c65085052fcb3687ef8a9680919991ed6ba199ec12ac5a4cf579bc92cc5fe4c00043badbef38e63405f053e0d89d71a61ab6c7079112891141
- 255KB (3 entries)
  MD5 8add0a237a18d698731781025a72b950
  SHA1 314c814ce2bd1cff26204bd31cac753fbb32105c
  SHA256 43f1a1b88c7d1ac2dde297f69f1087063bf591408a8af3245d39a1df1b3e5daa
  SHA512 9f71c2fb8df4663c466d7a43eccadaed4a00f58da67869af62914a88e7474640c2322bc4fb73fbb4da29f315768377b50d619cf65c539bef87f8202477d18d75
- 223B (1 entry)
  MD5 06604e5941c126e2e7be02c5cd9f62ec
  SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7