Analysis
max time kernel: 166s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 21:04
Behavioral task: behavioral1
Sample: 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Resource: win10v2004-20221111-en
General
Target: 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Size: 255KB
MD5: 8ce2789d98142a308fa12d7eafe6b1bd
SHA1: 19f6b7421fb6bdcf60b14fe7392ee760437edd06
SHA256: 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e
SHA512: 03e29a2c2ea4a6f17857153447c7c4ded3eb0a3c8f8ca3c781bc864e37c9c3cdf71a0d512d0f8b289936bf65bbdeb533e4160736092238c0acc33b0a7e0994d5
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJx:1xlZam+akqx6YQJXcNlEHUIQeE3mmBII
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ogtjhcfdrd.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ogtjhcfdrd.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ogtjhcfdrd.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ogtjhcfdrd.exe
Executes dropped EXE 5 IoCs
pid | Process
4252 | ogtjhcfdrd.exe
4056 | tndwsjhmdsqtyxx.exe
4632 | llcxlnut.exe
1836 | lwsfvvsososnr.exe
2672 | llcxlnut.exe
UPX packed file (yara rule upx) 23 IoCs
resource | yara_rule
behavioral2/memory/660-135-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/660-136-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022dff-138.dat | upx
behavioral2/files/0x0008000000022dff-139.dat | upx
behavioral2/files/0x0008000000022e04-144.dat | upx
behavioral2/files/0x0006000000022e05-147.dat | upx
behavioral2/files/0x0006000000022e05-148.dat | upx
behavioral2/files/0x0008000000022e04-145.dat | upx
behavioral2/files/0x0009000000022e00-142.dat | upx
behavioral2/files/0x0009000000022e00-141.dat | upx
behavioral2/memory/4252-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4056-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4632-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1836-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e04-154.dat | upx
behavioral2/memory/2672-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4252-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4056-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4632-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1836-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2672-160-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/660-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e09-168.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ogtjhcfdrd.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tndwsjhmdsqtyxx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqhpoydb = "ogtjhcfdrd.exe" | tndwsjhmdsqtyxx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgmogysn = "tndwsjhmdsqtyxx.exe" | tndwsjhmdsqtyxx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lwsfvvsososnr.exe" | tndwsjhmdsqtyxx.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Every IoC is "File opened (read-only) \??\<letter>:" by the named process; the 64 entries are grouped by process below, drive letters listed in the order reported (repeats kept).
Process | Drive roots opened (read-only) | Entries
llcxlnut.exe | a, l, i, o, f, r, z, y, q, v, x, f, g, h, n, z, q, v, u, b, m, u, t, l, m, p, t, b, g, i, o, s, e, r, s, w, j, k, p, x, e, n | 42
ogtjhcfdrd.exe | m, q, k, h, w, e, a, j, z, r, f, s, x, l, b, v, n, t, i, p, u, y | 22
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ogtjhcfdrd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ogtjhcfdrd.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/660-136-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4252-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4056-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4632-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1836-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2672-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4252-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4056-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4632-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1836-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2672-160-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/660-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\lwsfvvsososnr.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ogtjhcfdrd.exe
File created | C:\Windows\SysWOW64\tndwsjhmdsqtyxx.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File opened for modification | C:\Windows\SysWOW64\llcxlnut.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File opened for modification | C:\Windows\SysWOW64\tndwsjhmdsqtyxx.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File created | C:\Windows\SysWOW64\llcxlnut.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File created | C:\Windows\SysWOW64\lwsfvvsososnr.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File created | C:\Windows\SysWOW64\ogtjhcfdrd.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File opened for modification | C:\Windows\SysWOW64\ogtjhcfdrd.exe | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | llcxlnut.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | llcxlnut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | llcxlnut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | llcxlnut.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | llcxlnut.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | llcxlnut.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | llcxlnut.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B15F479438EA53B9BADC33E9D4BB" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ogtjhcfdrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FABAF910F2E784083B4B86EC39E3B08B038C4269023DE2BE45E809A2" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ogtjhcfdrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ogtjhcfdrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ogtjhcfdrd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ogtjhcfdrd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ogtjhcfdrd.exe
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C7F9D2D83556A3476D370202CDA7CF564DD" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFCFB4F5A85689045D6217E96BDE2E631593166446330D6ED" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B4FE6C22D8D27FD1A78A7D9113" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60F1594DAB4B8BA7F92ECE434C7" | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ogtjhcfdrd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3424 | WINWORD.EXE
3424 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
The 64 pid/Process entries collapsed to one row per process, with the number of times each was reported:
pid | Process | Entries
660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 16
4252 | ogtjhcfdrd.exe | 10
4056 | tndwsjhmdsqtyxx.exe | 14
4632 | llcxlnut.exe | 8
1836 | lwsfvvsososnr.exe | 16
Suspicious use of FindShellTrayWindow 19 IoCs
pid | Process | Entries
660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 4
4252 | ogtjhcfdrd.exe | 3
4056 | tndwsjhmdsqtyxx.exe | 3
4632 | llcxlnut.exe | 3
1836 | lwsfvvsososnr.exe | 3
2672 | llcxlnut.exe | 3
Suspicious use of SendNotifyMessage 19 IoCs
pid | Process | Entries
660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 4
4252 | ogtjhcfdrd.exe | 3
4056 | tndwsjhmdsqtyxx.exe | 3
4632 | llcxlnut.exe | 3
1836 | lwsfvvsososnr.exe | 3
2672 | llcxlnut.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | Entries
3424 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | Entries
PID 660 wrote to memory of 4252 | 660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 82 | 3
PID 660 wrote to memory of 4056 | 660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 83 | 3
PID 660 wrote to memory of 4632 | 660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 84 | 3
PID 660 wrote to memory of 1836 | 660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 85 | 3
PID 4252 wrote to memory of 2672 | 4252 | ogtjhcfdrd.exe | 87 | 3
PID 660 wrote to memory of 3424 | 660 | 5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe | 88 | 2
Processes
(tree depth shown by indentation; the number after each image path is the depth marker from the report)

C:\Users\Admin\AppData\Local\Temp\5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5b957c2cca9566a4a1a7e05dca913d85a8c519421e1866fafee0cffe25c7c41e.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 660

  C:\Windows\SysWOW64\ogtjhcfdrd.exe (2)
    Command line: ogtjhcfdrd.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4252

    C:\Windows\SysWOW64\llcxlnut.exe (3)
      Command line: C:\Windows\system32\llcxlnut.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2672

  C:\Windows\SysWOW64\tndwsjhmdsqtyxx.exe (2)
    Command line: tndwsjhmdsqtyxx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4056

  C:\Windows\SysWOW64\llcxlnut.exe (2)
    Command line: llcxlnut.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4632

  C:\Windows\SysWOW64\lwsfvvsososnr.exe (2)
    Command line: lwsfvvsososnr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1836

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3424
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads