66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427

Analysis

max time kernel
38s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Size

255KB
MD5

1fa7e55e39dd7012d1666556f8012011
SHA1

2d9b7187430db4f4651b28d5ece54079a28beef9
SHA256

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427
SHA512

1251ffbdd6d519fbd9fbd34affecb86f641758365c308a0910fc2e9dbe5241b6bba78c08b8addcfa2843aaf583cb6722cc5bbf1162d457a2c1023474cc061f53
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJk:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI3

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aynfcjzfiv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aynfcjzfiv.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	aynfcjzfiv.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aynfcjzfiv.exe

Executes dropped EXE 5 IoCs

Processes:

aynfcjzfiv.exexttispdvkwawaxd.exeeqkirqpw.exeexsiuqzlftgtl.exeeqkirqpw.exe

pid process

1956 aynfcjzfiv.exe
1236 xttispdvkwawaxd.exe
1848 eqkirqpw.exe
468 exsiuqzlftgtl.exe
1812 eqkirqpw.exe

pid	process
1956	aynfcjzfiv.exe
1236	xttispdvkwawaxd.exe
1848	eqkirqpw.exe
468	exsiuqzlftgtl.exe
1812	eqkirqpw.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\aynfcjzfiv.exe	upx
behavioral1/memory/1944-56-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1944-57-0x0000000003320000-0x00000000033C0000-memory.dmp	upx
\Windows\SysWOW64\xttispdvkwawaxd.exe	upx
C:\Windows\SysWOW64\aynfcjzfiv.exe	upx
C:\Windows\SysWOW64\xttispdvkwawaxd.exe	upx
C:\Windows\SysWOW64\aynfcjzfiv.exe	upx
\Windows\SysWOW64\eqkirqpw.exe	upx
C:\Windows\SysWOW64\eqkirqpw.exe	upx
C:\Windows\SysWOW64\exsiuqzlftgtl.exe	upx
\Windows\SysWOW64\exsiuqzlftgtl.exe	upx
C:\Windows\SysWOW64\exsiuqzlftgtl.exe	upx
behavioral1/memory/1236-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/468-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\eqkirqpw.exe	upx
C:\Windows\SysWOW64\eqkirqpw.exe	upx
\Windows\SysWOW64\eqkirqpw.exe	upx
behavioral1/memory/1956-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1812-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1944-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/468-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1956-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1812-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exe

pid	process
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1956	aynfcjzfiv.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	aynfcjzfiv.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

eqkirqpw.exeaynfcjzfiv.exe

description	ioc	process
File opened (read-only)	\??\y:	eqkirqpw.exe
File opened (read-only)	\??\w:	eqkirqpw.exe
File opened (read-only)	\??\m:	aynfcjzfiv.exe
File opened (read-only)	\??\p:	aynfcjzfiv.exe
File opened (read-only)	\??\q:	aynfcjzfiv.exe
File opened (read-only)	\??\t:	aynfcjzfiv.exe
File opened (read-only)	\??\y:	aynfcjzfiv.exe
File opened (read-only)	\??\z:	aynfcjzfiv.exe
File opened (read-only)	\??\n:	eqkirqpw.exe
File opened (read-only)	\??\j:	aynfcjzfiv.exe
File opened (read-only)	\??\q:	eqkirqpw.exe
File opened (read-only)	\??\r:	eqkirqpw.exe
File opened (read-only)	\??\s:	eqkirqpw.exe
File opened (read-only)	\??\u:	eqkirqpw.exe
File opened (read-only)	\??\x:	eqkirqpw.exe
File opened (read-only)	\??\p:	eqkirqpw.exe
File opened (read-only)	\??\x:	aynfcjzfiv.exe
File opened (read-only)	\??\g:	eqkirqpw.exe
File opened (read-only)	\??\j:	eqkirqpw.exe
File opened (read-only)	\??\m:	eqkirqpw.exe
File opened (read-only)	\??\z:	eqkirqpw.exe
File opened (read-only)	\??\s:	aynfcjzfiv.exe
File opened (read-only)	\??\l:	aynfcjzfiv.exe
File opened (read-only)	\??\n:	aynfcjzfiv.exe
File opened (read-only)	\??\t:	eqkirqpw.exe
File opened (read-only)	\??\g:	aynfcjzfiv.exe
File opened (read-only)	\??\r:	aynfcjzfiv.exe
File opened (read-only)	\??\e:	eqkirqpw.exe
File opened (read-only)	\??\f:	eqkirqpw.exe
File opened (read-only)	\??\h:	aynfcjzfiv.exe
File opened (read-only)	\??\l:	eqkirqpw.exe
File opened (read-only)	\??\e:	aynfcjzfiv.exe
File opened (read-only)	\??\i:	aynfcjzfiv.exe
File opened (read-only)	\??\k:	aynfcjzfiv.exe
File opened (read-only)	\??\u:	aynfcjzfiv.exe
File opened (read-only)	\??\i:	eqkirqpw.exe
File opened (read-only)	\??\k:	eqkirqpw.exe
File opened (read-only)	\??\o:	eqkirqpw.exe
File opened (read-only)	\??\v:	eqkirqpw.exe
File opened (read-only)	\??\f:	aynfcjzfiv.exe
File opened (read-only)	\??\b:	aynfcjzfiv.exe
File opened (read-only)	\??\o:	aynfcjzfiv.exe
File opened (read-only)	\??\v:	aynfcjzfiv.exe
File opened (read-only)	\??\w:	aynfcjzfiv.exe
File opened (read-only)	\??\a:	eqkirqpw.exe
File opened (read-only)	\??\b:	eqkirqpw.exe
File opened (read-only)	\??\h:	eqkirqpw.exe
File opened (read-only)	\??\a:	aynfcjzfiv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

aynfcjzfiv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	aynfcjzfiv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	aynfcjzfiv.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1944-56-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/468-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1956-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1812-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1944-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/468-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1956-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1812-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\aynfcjzfiv.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File created	C:\Windows\SysWOW64\xttispdvkwawaxd.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File opened for modification	C:\Windows\SysWOW64\exsiuqzlftgtl.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	aynfcjzfiv.exe
File created	C:\Windows\SysWOW64\aynfcjzfiv.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File opened for modification	C:\Windows\SysWOW64\xttispdvkwawaxd.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File created	C:\Windows\SysWOW64\eqkirqpw.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File opened for modification	C:\Windows\SysWOW64\eqkirqpw.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
File created	C:\Windows\SysWOW64\exsiuqzlftgtl.exe	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe

Drops file in Windows directory 1 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe

description ioc process

File opened for modification C:\Windows\mydoc.rtf 66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe

Modifies registry class 19 IoCs

Processes:

aynfcjzfiv.exe66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D089C2783596A3F76A177552CD87D8765DF"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC8F4F5A8518903DD65F7EE6BDE1E134584367406243D798"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	aynfcjzfiv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	aynfcjzfiv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	aynfcjzfiv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	aynfcjzfiv.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70C15E6DBBEB8CA7C94ED9737B9"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9B0FE10F19084083A41869F3E97B0FB03884369023EE1CF45E808D5"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02B47E539EB52CCB9D333EED4BE"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB6FF6721ACD20FD0A88A7D906B"	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	aynfcjzfiv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	aynfcjzfiv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	aynfcjzfiv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exeexsiuqzlftgtl.exeeqkirqpw.exe

pid	process
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
1812	eqkirqpw.exe
468	exsiuqzlftgtl.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exeexsiuqzlftgtl.exeeqkirqpw.exe

pid	process
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exeexsiuqzlftgtl.exeeqkirqpw.exe

pid	process
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
1956	aynfcjzfiv.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
468	exsiuqzlftgtl.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe
1812	eqkirqpw.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exeaynfcjzfiv.exe

description	pid	process	target process
PID 1944 wrote to memory of 1956	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	aynfcjzfiv.exe
PID 1944 wrote to memory of 1956	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	aynfcjzfiv.exe
PID 1944 wrote to memory of 1956	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	aynfcjzfiv.exe
PID 1944 wrote to memory of 1956	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	aynfcjzfiv.exe
PID 1944 wrote to memory of 1236	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	xttispdvkwawaxd.exe
PID 1944 wrote to memory of 1236	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	xttispdvkwawaxd.exe
PID 1944 wrote to memory of 1236	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	xttispdvkwawaxd.exe
PID 1944 wrote to memory of 1236	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	xttispdvkwawaxd.exe
PID 1944 wrote to memory of 1848	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	eqkirqpw.exe
PID 1944 wrote to memory of 1848	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	eqkirqpw.exe
PID 1944 wrote to memory of 1848	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	eqkirqpw.exe
PID 1944 wrote to memory of 1848	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	eqkirqpw.exe
PID 1944 wrote to memory of 468	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	exsiuqzlftgtl.exe
PID 1944 wrote to memory of 468	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	exsiuqzlftgtl.exe
PID 1944 wrote to memory of 468	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	exsiuqzlftgtl.exe
PID 1944 wrote to memory of 468	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	exsiuqzlftgtl.exe
PID 1956 wrote to memory of 1812	1956	aynfcjzfiv.exe	eqkirqpw.exe
PID 1956 wrote to memory of 1812	1956	aynfcjzfiv.exe	eqkirqpw.exe
PID 1956 wrote to memory of 1812	1956	aynfcjzfiv.exe	eqkirqpw.exe
PID 1956 wrote to memory of 1812	1956	aynfcjzfiv.exe	eqkirqpw.exe
PID 1944 wrote to memory of 1364	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	WINWORD.EXE
PID 1944 wrote to memory of 1364	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	WINWORD.EXE
PID 1944 wrote to memory of 1364	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	WINWORD.EXE
PID 1944 wrote to memory of 1364	1944	66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe
"C:\Users\Admin\AppData\Local\Temp\66271b42deb125207e99f414b2f573f4a94f394cf70b02e7650c1a3359efb427.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\aynfcjzfiv.exe
aynfcjzfiv.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\eqkirqpw.exe
C:\Windows\system32\eqkirqpw.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812

C:\Windows\SysWOW64\xttispdvkwawaxd.exe
xttispdvkwawaxd.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Windows\SysWOW64\eqkirqpw.exe
eqkirqpw.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWOW64\exsiuqzlftgtl.exe
exsiuqzlftgtl.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:468

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aynfcjzfiv.exe

Filesize
255KB

MD5
99ffaed1f0677caa6f450bab40950984

SHA1
cdeb20cff4f3e5c5fc6e4c9ca160cb0f2e6439c2

SHA256
f4249a530f58f67e402fbbb029d056d3cfdc1fb007c3d538c8120a49475f764c

SHA512
404ee46933f41eff8690b16ce05b6730b28f2f499d2e18977d3a70ba122e8aa1481178abdfadf8e7f04c6005ad4f200ca9c022a45389be2123b53ace954a6c30

Download Submit
C:\Windows\SysWOW64\aynfcjzfiv.exe

Filesize
255KB

MD5
99ffaed1f0677caa6f450bab40950984

SHA1
cdeb20cff4f3e5c5fc6e4c9ca160cb0f2e6439c2

SHA256
f4249a530f58f67e402fbbb029d056d3cfdc1fb007c3d538c8120a49475f764c

SHA512
404ee46933f41eff8690b16ce05b6730b28f2f499d2e18977d3a70ba122e8aa1481178abdfadf8e7f04c6005ad4f200ca9c022a45389be2123b53ace954a6c30

Download Submit
C:\Windows\SysWOW64\eqkirqpw.exe

Filesize
255KB

MD5
f89ce91c3c0427519229469dda5f04ff

SHA1
d8140ea61f07c003ffb18b9214684c7742ce8682

SHA256
a0b7471fb57d37ba868a93870680c8c155265aff92900f8271cea8d722eae596

SHA512
5a4b3029e0a140a70025881b3e01728019b6e6f54a4925c0d175b73b842bc9d949bcf0c7636f7ea1da57dc137ae5ed123fdc2f1221a4097e6319f8a27b92c882

Download Submit
C:\Windows\SysWOW64\eqkirqpw.exe

Filesize
255KB

MD5
f89ce91c3c0427519229469dda5f04ff

SHA1
d8140ea61f07c003ffb18b9214684c7742ce8682

SHA256
a0b7471fb57d37ba868a93870680c8c155265aff92900f8271cea8d722eae596

SHA512
5a4b3029e0a140a70025881b3e01728019b6e6f54a4925c0d175b73b842bc9d949bcf0c7636f7ea1da57dc137ae5ed123fdc2f1221a4097e6319f8a27b92c882

Download Submit
C:\Windows\SysWOW64\eqkirqpw.exe

Filesize
255KB

MD5
f89ce91c3c0427519229469dda5f04ff

SHA1
d8140ea61f07c003ffb18b9214684c7742ce8682

SHA256
a0b7471fb57d37ba868a93870680c8c155265aff92900f8271cea8d722eae596

SHA512
5a4b3029e0a140a70025881b3e01728019b6e6f54a4925c0d175b73b842bc9d949bcf0c7636f7ea1da57dc137ae5ed123fdc2f1221a4097e6319f8a27b92c882

Download Submit
C:\Windows\SysWOW64\exsiuqzlftgtl.exe

Filesize
255KB

MD5
0c994a0fc08ee190d292e6d772d5c286

SHA1
69c6db59fdaa180d5f6762ffeb4c947debfb690b

SHA256
d7a7a3082fbbff7671c9fe51f2e2f6a1937915094ba8c5d0d9282a2f8ed19c7c

SHA512
fa8255af2c0572d1b6fa210d70767d59977831b6cdc5e0b3ab704325b905cbc067d6001df616d525f147968763839681043c8d1efc9aacec9818c10968111ca4

Download Submit
C:\Windows\SysWOW64\exsiuqzlftgtl.exe

Filesize
255KB

MD5
0c994a0fc08ee190d292e6d772d5c286

SHA1
69c6db59fdaa180d5f6762ffeb4c947debfb690b

SHA256
d7a7a3082fbbff7671c9fe51f2e2f6a1937915094ba8c5d0d9282a2f8ed19c7c

SHA512
fa8255af2c0572d1b6fa210d70767d59977831b6cdc5e0b3ab704325b905cbc067d6001df616d525f147968763839681043c8d1efc9aacec9818c10968111ca4

Download Submit
C:\Windows\SysWOW64\xttispdvkwawaxd.exe

Filesize
255KB

MD5
74687bcb0054628d2adf5887c92a4791

SHA1
f0117fa3bfcc17d272c626e099ab31b84845f10e

SHA256
63c6d5dc92e6afc41d94ee91f60d653b9196d3c08acec70cf6de992a8d2ea3f7

SHA512
bc3c52391e1bdf32bc96ee2389d1ca84a6a7731ba07b8106e5c50c9d9ef453ee4f4b6910b0fc3766813b6f964b2cc42cd9fc4813731a0bf30a5061d594bdca50

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\aynfcjzfiv.exe

Filesize
255KB

MD5
99ffaed1f0677caa6f450bab40950984

SHA1
cdeb20cff4f3e5c5fc6e4c9ca160cb0f2e6439c2

SHA256
f4249a530f58f67e402fbbb029d056d3cfdc1fb007c3d538c8120a49475f764c

SHA512
404ee46933f41eff8690b16ce05b6730b28f2f499d2e18977d3a70ba122e8aa1481178abdfadf8e7f04c6005ad4f200ca9c022a45389be2123b53ace954a6c30

Download Submit
\Windows\SysWOW64\eqkirqpw.exe

Filesize
255KB

MD5
f89ce91c3c0427519229469dda5f04ff

SHA1
d8140ea61f07c003ffb18b9214684c7742ce8682

SHA256
a0b7471fb57d37ba868a93870680c8c155265aff92900f8271cea8d722eae596

SHA512
5a4b3029e0a140a70025881b3e01728019b6e6f54a4925c0d175b73b842bc9d949bcf0c7636f7ea1da57dc137ae5ed123fdc2f1221a4097e6319f8a27b92c882

Download Submit
\Windows\SysWOW64\eqkirqpw.exe

Filesize
255KB

MD5
f89ce91c3c0427519229469dda5f04ff

SHA1
d8140ea61f07c003ffb18b9214684c7742ce8682

SHA256
a0b7471fb57d37ba868a93870680c8c155265aff92900f8271cea8d722eae596

SHA512
5a4b3029e0a140a70025881b3e01728019b6e6f54a4925c0d175b73b842bc9d949bcf0c7636f7ea1da57dc137ae5ed123fdc2f1221a4097e6319f8a27b92c882

Download Submit
\Windows\SysWOW64\exsiuqzlftgtl.exe

Filesize
255KB

MD5
0c994a0fc08ee190d292e6d772d5c286

SHA1
69c6db59fdaa180d5f6762ffeb4c947debfb690b

SHA256
d7a7a3082fbbff7671c9fe51f2e2f6a1937915094ba8c5d0d9282a2f8ed19c7c

SHA512
fa8255af2c0572d1b6fa210d70767d59977831b6cdc5e0b3ab704325b905cbc067d6001df616d525f147968763839681043c8d1efc9aacec9818c10968111ca4

Download Submit
\Windows\SysWOW64\xttispdvkwawaxd.exe

Filesize
255KB

MD5
74687bcb0054628d2adf5887c92a4791

SHA1
f0117fa3bfcc17d272c626e099ab31b84845f10e

SHA256
63c6d5dc92e6afc41d94ee91f60d653b9196d3c08acec70cf6de992a8d2ea3f7

SHA512
bc3c52391e1bdf32bc96ee2389d1ca84a6a7731ba07b8106e5c50c9d9ef453ee4f4b6910b0fc3766813b6f964b2cc42cd9fc4813731a0bf30a5061d594bdca50

Download Submit
memory/468-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/468-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/468-69-0x0000000000000000-mapping.dmp

Download
memory/1236-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1236-62-0x0000000000000000-mapping.dmp

Download
memory/1364-85-0x0000000000000000-mapping.dmp

Download
memory/1364-97-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/1364-94-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/1364-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1364-88-0x00000000700D1000-0x00000000700D3000-memory.dmp

Filesize
8KB

Download
memory/1364-87-0x0000000072651000-0x0000000072654000-memory.dmp

Filesize
12KB

Download
memory/1812-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1812-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1812-80-0x0000000000000000-mapping.dmp

Download
memory/1848-67-0x0000000000000000-mapping.dmp

Download
memory/1944-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1944-57-0x0000000003320000-0x00000000033C0000-memory.dmp

Filesize
640KB

Download
memory/1944-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1944-76-0x0000000003320000-0x00000000033C0000-memory.dmp

Filesize
640KB

Download
memory/1944-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1956-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1956-58-0x0000000000000000-mapping.dmp

Download
memory/1956-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1956-91-0x0000000003850000-0x00000000038F0000-memory.dmp

Filesize
640KB

Download