Analysis
max time kernel: 152s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 21:04
Behavioral task: behavioral1
Sample: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Resource: win10v2004-20220812-en
General
Target: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Size: 255KB
MD5: 7ca629734460580e992499971725c64b
SHA1: 742a6823b9366ae5f38526161f034c4da2cf63ea
SHA256: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4
SHA512: 9dc80fcb22aabc231f9bf835503cf548b150d676c3782dfc99104cdcd34de63e80d713353182230fd10fb6cb4ebdacda3dcf2f4de9ad998b15b920ff63b11ef0
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJx:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nmwtrzmvvf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nmwtrzmvvf.exe
Windows security bypass
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nmwtrzmvvf.exe
Disables RegEdit via registry modification 1 IoCs
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nmwtrzmvvf.exe
Executes dropped EXE 5 IoCs
Processes: nmwtrzmvvf.exe, bitcmyjpnflsbku.exe, vdhgllrz.exe, sufucrsvalexm.exe, vdhgllrz.exe
pid | process
4804 | nmwtrzmvvf.exe
3200 | bitcmyjpnflsbku.exe
1408 | vdhgllrz.exe
3060 | sufucrsvalexm.exe
3368 | vdhgllrz.exe
UPX-packed executable (yara rule: upx)
Processes:
resource | yara_rule
behavioral2/memory/2492-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\nmwtrzmvvf.exe | upx
C:\Windows\SysWOW64\nmwtrzmvvf.exe | upx
behavioral2/memory/4804-136-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\bitcmyjpnflsbku.exe | upx
C:\Windows\SysWOW64\bitcmyjpnflsbku.exe | upx
C:\Windows\SysWOW64\vdhgllrz.exe | upx
C:\Windows\SysWOW64\vdhgllrz.exe | upx
behavioral2/memory/3200-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1408-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\sufucrsvalexm.exe | upx
C:\Windows\SysWOW64\sufucrsvalexm.exe | upx
behavioral2/memory/3060-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1408-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3060-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\vdhgllrz.exe | upx
behavioral2/memory/3368-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2492-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3368-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Windows security modification
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nmwtrzmvvf.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: bitcmyjpnflsbku.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ilrlrxlz = "nmwtrzmvvf.exe" | bitcmyjpnflsbku.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uwtrexot = "bitcmyjpnflsbku.exe" | bitcmyjpnflsbku.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sufucrsvalexm.exe" | bitcmyjpnflsbku.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | bitcmyjpnflsbku.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: vdhgllrz.exe, vdhgllrz.exe, nmwtrzmvvf.exe (two vdhgllrz.exe instances)
description | ioc | process (64 entries, grouped by process name in the order reported)
File opened (read-only) | \??\j:, \??\x:, \??\t:, \??\v:, \??\h:, \??\r:, \??\l:, \??\k:, \??\a:, \??\g:, \??\z:, \??\i:, \??\m:, \??\n:, \??\w:, \??\y:, \??\p:, \??\e:, \??\f:, \??\q:, \??\u: | nmwtrzmvvf.exe (21 entries)
File opened (read-only) | \??\f:, \??\b:, \??\m:, \??\f:, \??\k:, \??\g:, \??\i:, \??\u:, \??\x:, \??\b:, \??\z:, \??\t:, \??\a:, \??\w:, \??\x:, \??\y:, \??\p:, \??\m:, \??\v:, \??\a:, \??\o:, \??\q:, \??\e:, \??\j:, \??\n:, \??\j:, \??\n:, \??\p:, \??\r:, \??\s:, \??\v:, \??\w:, \??\g:, \??\i:, \??\o:, \??\y:, \??\s:, \??\r:, \??\z:, \??\k:, \??\h:, \??\t:, \??\h: | vdhgllrz.exe (43 entries across both instances)
Modifies WinLogon 2 TTPs 2 IoCs
Processes: nmwtrzmvvf.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nmwtrzmvvf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nmwtrzmvvf.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/4804-136-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3200-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1408-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1408-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3060-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3368-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2492-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3368-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe, nmwtrzmvvf.exe
description | ioc | process
File created | C:\Windows\SysWOW64\nmwtrzmvvf.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\SysWOW64\nmwtrzmvvf.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\SysWOW64\bitcmyjpnflsbku.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File created | C:\Windows\SysWOW64\vdhgllrz.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nmwtrzmvvf.exe
File created | C:\Windows\SysWOW64\bitcmyjpnflsbku.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\SysWOW64\vdhgllrz.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File created | C:\Windows\SysWOW64\sufucrsvalexm.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\SysWOW64\sufucrsvalexm.exe | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Drops file in Program Files directory 15 IoCs
Processes: vdhgllrz.exe, vdhgllrz.exe (two instances)
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdhgllrz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vdhgllrz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdhgllrz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdhgllrz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdhgllrz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vdhgllrz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vdhgllrz.exe
Drops file in Windows directory 3 IoCs
Processes: WINWORD.EXE, 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Processes: nmwtrzmvvf.exe, 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | nmwtrzmvvf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | nmwtrzmvvf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABDFE10F1E3837D3A3186EA3E91B081028B4364023AE1CC42EB09D6" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nmwtrzmvvf.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12E47E6399E53B9BAA533E8D4CC" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BB9FF6621ABD172D1A68A759060" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70F14E6DBC0B8C17F95ED9137CD" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | nmwtrzmvvf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nmwtrzmvvf.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C0C9D5582206D3E77A170542DD87CF164DF" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFC824826826D9142D65A7E96BC92E133594B67426236D799" | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process
2308 | WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe, nmwtrzmvvf.exe, bitcmyjpnflsbku.exe, vdhgllrz.exe, sufucrsvalexm.exe
pid | process (the 64 hits are repeated entries for these five processes)
2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
4804 | nmwtrzmvvf.exe
3200 | bitcmyjpnflsbku.exe
1408 | vdhgllrz.exe
3060 | sufucrsvalexm.exe
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe, nmwtrzmvvf.exe, bitcmyjpnflsbku.exe, vdhgllrz.exe, sufucrsvalexm.exe, vdhgllrz.exe
pid | process (3 hits each)
2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
4804 | nmwtrzmvvf.exe
3200 | bitcmyjpnflsbku.exe
1408 | vdhgllrz.exe
3060 | sufucrsvalexm.exe
3368 | vdhgllrz.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe, nmwtrzmvvf.exe, bitcmyjpnflsbku.exe, vdhgllrz.exe, sufucrsvalexm.exe, vdhgllrz.exe
pid | process (3 hits each)
2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
4804 | nmwtrzmvvf.exe
3200 | bitcmyjpnflsbku.exe
1408 | vdhgllrz.exe
3060 | sufucrsvalexm.exe
3368 | vdhgllrz.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process
2308 | WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe, bitcmyjpnflsbku.exe, nmwtrzmvvf.exe
description | pid | process | target process (hits)
PID 2492 wrote to memory of 4804 | 2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe | nmwtrzmvvf.exe (3)
PID 2492 wrote to memory of 3200 | 2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe | bitcmyjpnflsbku.exe (3)
PID 2492 wrote to memory of 1408 | 2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe | vdhgllrz.exe (3)
PID 2492 wrote to memory of 3060 | 2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe | sufucrsvalexm.exe (3)
PID 3200 wrote to memory of 4840 | 3200 | bitcmyjpnflsbku.exe | cmd.exe (3)
PID 4804 wrote to memory of 3368 | 4804 | nmwtrzmvvf.exe | vdhgllrz.exe (3)
PID 2492 wrote to memory of 2308 | 2492 | 650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe | WINWORD.EXE (2)
Processes (process tree; the bracketed number is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\650383ffc7e7bf7e8de53661c1cf32b240d0411fa2d9b2e14bfeaed523f7bff4.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\nmwtrzmvvf.exe
      command line: nmwtrzmvvf.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\vdhgllrz.exe
        command line: C:\Windows\system32\vdhgllrz.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

  [2] C:\Windows\SysWOW64\bitcmyjpnflsbku.exe
      command line: bitcmyjpnflsbku.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c sufucrsvalexm.exe

  [2] C:\Windows\SysWOW64\vdhgllrz.exe
      command line: vdhgllrz.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Windows\SysWOW64\sufucrsvalexm.exe
      command line: sufucrsvalexm.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Persistence:
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion:
  Hidden Files and Directories (2)
  Modify Registry (6)
  Disabling Security Tools (2)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 255KB
MD5: a7bc8a7b1f6cc0829caa87be4cb6ce4b
SHA1: 64987062702105f36d9d611d5811740c23f8d4ad
SHA256: 51b9ebbf576c057a45594ac028a3061af1a440eaa39a545f8b0af1bb21353165
SHA512: f35676968f33e465aa5fd21e7b0738d1ac924d555fd6b7e55788a1ddd7ff6a4d80fbe7c074795c1a275ec36304ab5e60c74023ef3c271cf6dc33d7c46e0c372e

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 255KB
MD5: 999704f1ecd881540e94acfc0bdeb000
SHA1: 33f76a21a0b5d3feb106640e4a62f746ed5ec13d
SHA256: c2750d496ee69376edf3754f53f51a3890a6bf7b9f151c03711042ac98ae3768
SHA512: befec3763784da808180a3b514f89b20c294a158817198a3175adfc8d2fb16842f2e1096d8a99191445a9bcb1a16a15ca97f18859768593303ff7912f95d2e31

C:\Windows\SysWOW64\bitcmyjpnflsbku.exe
Filesize: 255KB
MD5: 667ba9a2949abfc58693fe605176775f
SHA1: 7e9487e7f0d53fbb63698ff7209de565c74e2c00
SHA256: b5c5842ae95ee23685cb1f3fc20f07d0224f1417fba76d665dd0be96cecb5020
SHA512: ba789dccf2389986fe0d6003c22ba169b6f74eae1865b3f2f5ea72bdce674eda5b8fd74936d840bf0f68503d1de1e37a12b157b9b620132b96adb3db975322ba
C:\Windows\SysWOW64\nmwtrzmvvf.exe
Filesize: 255KB
MD5: 314c029721697648dd6ddcd51736a09a
SHA1: 4afe17f150f862299d5d2eacadf436e5db65e588
SHA256: 306dc49ff724adc8374e47c2b2a36f28467d9b335a3a9c993ae013d2ec6e0295
SHA512: 43e1976633e183e88810301263141d218e8acef79ee70286583fd4375e7b3c5a8bae89e63a9200493fa810fe2919d1685a63de49692dfd56fc35d27c0f420f70
C:\Windows\SysWOW64\sufucrsvalexm.exe
Filesize: 255KB
MD5: 020323622711288879663f248a3c0ad4
SHA1: 0dcf54a257bdcdec88d4bcbedd9b4b834d71a639
SHA256: d5d120ff6a7d80c101511fca322f59345b38076ff9e44e4733147b3f961dc4e8
SHA512: fbc09d508364a02e0815e03576e9d5e0060461a5963a2fd113e0bfc038d5d9821d873158027558cbff1a22b961fd0acec4e3541709812563446ffbdb92141b96
C:\Windows\SysWOW64\vdhgllrz.exe
Filesize: 255KB
MD5: 83bce8ff8c82da0e97097fff4a9d3932
SHA1: dd4d9f3ecf9b4f161fadaa99e8deb58f85c42654
SHA256: d17f3af532e5cc0a8ee7c52236ee8b35c24b86229e1149e55ece6acefc26d8b3
SHA512: 225c92d5a708748e59b40a7972c155a3b4a127fc39ecd735662512413654fc522dab6c2ad4f52a2404c0421f7672fcad09377bc44d8caf318bb995ca9804adb1
C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7