36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd

Analysis

max time kernel
225s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
Size

255KB
MD5

9166a8f9f0b8d5655ccd437bf6edbc98
SHA1

efc27cb3a6158409c9c9bdfb113049690e8d8687
SHA256

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd
SHA512

152dcfb08b943f63ffb2d92d29c6c660bbc56ddc51e148d711e14be54b164238302c1a36efcb581a239c20fb5a8f013ab425d16509e694ab90b96d13d0737be6
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ/:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI4

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lteepqnuts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lteepqnuts.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lteepqnuts.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lteepqnuts.exe

Executes dropped EXE 5 IoCs

Processes:

lteepqnuts.exewqckrowrzazlcvf.exexdauoqqn.exehjsxtxbodaxhl.exexdauoqqn.exe

pid process

1172 lteepqnuts.exe
1008 wqckrowrzazlcvf.exe
1808 xdauoqqn.exe
1668 hjsxtxbodaxhl.exe
596 xdauoqqn.exe

pid	process
1172	lteepqnuts.exe
1008	wqckrowrzazlcvf.exe
1808	xdauoqqn.exe
1668	hjsxtxbodaxhl.exe
596	xdauoqqn.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1516-54-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1516-56-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\lteepqnuts.exe	upx
\Windows\SysWOW64\wqckrowrzazlcvf.exe	upx
C:\Windows\SysWOW64\lteepqnuts.exe	upx
C:\Windows\SysWOW64\lteepqnuts.exe	upx
C:\Windows\SysWOW64\wqckrowrzazlcvf.exe	upx
\Windows\SysWOW64\xdauoqqn.exe	upx
C:\Windows\SysWOW64\wqckrowrzazlcvf.exe	upx
C:\Windows\SysWOW64\xdauoqqn.exe	upx
\Windows\SysWOW64\hjsxtxbodaxhl.exe	upx
C:\Windows\SysWOW64\xdauoqqn.exe	upx
C:\Windows\SysWOW64\hjsxtxbodaxhl.exe	upx
\Windows\SysWOW64\xdauoqqn.exe	upx
C:\Windows\SysWOW64\xdauoqqn.exe	upx
behavioral1/memory/1172-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1008-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1808-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/596-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1516-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1172-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1008-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1808-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/596-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exe

pid	process
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1172	lteepqnuts.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lteepqnuts.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wqckrowrzazlcvf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wqckrowrzazlcvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ygydtmkc = "lteepqnuts.exe"	wqckrowrzazlcvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gcfwrpnc = "wqckrowrzazlcvf.exe"	wqckrowrzazlcvf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hjsxtxbodaxhl.exe"	wqckrowrzazlcvf.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

lteepqnuts.exexdauoqqn.exexdauoqqn.exe

description	ioc	process
File opened (read-only)	\??\q:	lteepqnuts.exe
File opened (read-only)	\??\s:	xdauoqqn.exe
File opened (read-only)	\??\e:	xdauoqqn.exe
File opened (read-only)	\??\p:	xdauoqqn.exe
File opened (read-only)	\??\z:	xdauoqqn.exe
File opened (read-only)	\??\u:	lteepqnuts.exe
File opened (read-only)	\??\w:	lteepqnuts.exe
File opened (read-only)	\??\m:	xdauoqqn.exe
File opened (read-only)	\??\w:	xdauoqqn.exe
File opened (read-only)	\??\y:	xdauoqqn.exe
File opened (read-only)	\??\h:	xdauoqqn.exe
File opened (read-only)	\??\q:	xdauoqqn.exe
File opened (read-only)	\??\b:	lteepqnuts.exe
File opened (read-only)	\??\z:	lteepqnuts.exe
File opened (read-only)	\??\g:	xdauoqqn.exe
File opened (read-only)	\??\r:	xdauoqqn.exe
File opened (read-only)	\??\y:	xdauoqqn.exe
File opened (read-only)	\??\g:	xdauoqqn.exe
File opened (read-only)	\??\v:	lteepqnuts.exe
File opened (read-only)	\??\i:	xdauoqqn.exe
File opened (read-only)	\??\l:	xdauoqqn.exe
File opened (read-only)	\??\l:	lteepqnuts.exe
File opened (read-only)	\??\n:	xdauoqqn.exe
File opened (read-only)	\??\p:	xdauoqqn.exe
File opened (read-only)	\??\x:	xdauoqqn.exe
File opened (read-only)	\??\z:	xdauoqqn.exe
File opened (read-only)	\??\f:	xdauoqqn.exe
File opened (read-only)	\??\a:	xdauoqqn.exe
File opened (read-only)	\??\j:	xdauoqqn.exe
File opened (read-only)	\??\b:	xdauoqqn.exe
File opened (read-only)	\??\a:	lteepqnuts.exe
File opened (read-only)	\??\e:	lteepqnuts.exe
File opened (read-only)	\??\t:	lteepqnuts.exe
File opened (read-only)	\??\u:	xdauoqqn.exe
File opened (read-only)	\??\w:	xdauoqqn.exe
File opened (read-only)	\??\k:	lteepqnuts.exe
File opened (read-only)	\??\s:	lteepqnuts.exe
File opened (read-only)	\??\x:	lteepqnuts.exe
File opened (read-only)	\??\y:	lteepqnuts.exe
File opened (read-only)	\??\r:	xdauoqqn.exe
File opened (read-only)	\??\j:	lteepqnuts.exe
File opened (read-only)	\??\o:	lteepqnuts.exe
File opened (read-only)	\??\t:	xdauoqqn.exe
File opened (read-only)	\??\t:	xdauoqqn.exe
File opened (read-only)	\??\i:	lteepqnuts.exe
File opened (read-only)	\??\q:	xdauoqqn.exe
File opened (read-only)	\??\v:	xdauoqqn.exe
File opened (read-only)	\??\l:	xdauoqqn.exe
File opened (read-only)	\??\m:	xdauoqqn.exe
File opened (read-only)	\??\f:	lteepqnuts.exe
File opened (read-only)	\??\o:	xdauoqqn.exe
File opened (read-only)	\??\g:	lteepqnuts.exe
File opened (read-only)	\??\a:	xdauoqqn.exe
File opened (read-only)	\??\i:	xdauoqqn.exe
File opened (read-only)	\??\n:	xdauoqqn.exe
File opened (read-only)	\??\s:	xdauoqqn.exe
File opened (read-only)	\??\v:	xdauoqqn.exe
File opened (read-only)	\??\h:	lteepqnuts.exe
File opened (read-only)	\??\p:	lteepqnuts.exe
File opened (read-only)	\??\r:	lteepqnuts.exe
File opened (read-only)	\??\b:	xdauoqqn.exe
File opened (read-only)	\??\u:	xdauoqqn.exe
File opened (read-only)	\??\x:	xdauoqqn.exe
File opened (read-only)	\??\m:	lteepqnuts.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

lteepqnuts.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	lteepqnuts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	lteepqnuts.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1516-56-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1172-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1008-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1808-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/596-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1516-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1172-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1008-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1808-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/596-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exe

description	ioc	process
File created	C:\Windows\SysWOW64\lteepqnuts.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File created	C:\Windows\SysWOW64\wqckrowrzazlcvf.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File created	C:\Windows\SysWOW64\hjsxtxbodaxhl.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File opened for modification	C:\Windows\SysWOW64\hjsxtxbodaxhl.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lteepqnuts.exe
File opened for modification	C:\Windows\SysWOW64\lteepqnuts.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File opened for modification	C:\Windows\SysWOW64\wqckrowrzazlcvf.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File created	C:\Windows\SysWOW64\xdauoqqn.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File opened for modification	C:\Windows\SysWOW64\xdauoqqn.exe	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe

description	ioc	process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXElteepqnuts.exe36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	lteepqnuts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	lteepqnuts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	lteepqnuts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	lteepqnuts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	lteepqnuts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

856 WINWORD.EXE

pid	process
856	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exewqckrowrzazlcvf.exexdauoqqn.exexdauoqqn.exe

pid	process
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
1008	wqckrowrzazlcvf.exe
596	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exewqckrowrzazlcvf.exexdauoqqn.exexdauoqqn.exe

pid	process
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exewqckrowrzazlcvf.exexdauoqqn.exexdauoqqn.exe

pid	process
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1172	lteepqnuts.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1008	wqckrowrzazlcvf.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
1808	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe
596	xdauoqqn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

856 WINWORD.EXE
856 WINWORD.EXE

pid	process
856	WINWORD.EXE
856	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exelteepqnuts.exeWINWORD.EXE

description	pid	process	target process
PID 1516 wrote to memory of 1172	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	lteepqnuts.exe
PID 1516 wrote to memory of 1172	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	lteepqnuts.exe
PID 1516 wrote to memory of 1172	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	lteepqnuts.exe
PID 1516 wrote to memory of 1172	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	lteepqnuts.exe
PID 1516 wrote to memory of 1008	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	wqckrowrzazlcvf.exe
PID 1516 wrote to memory of 1008	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	wqckrowrzazlcvf.exe
PID 1516 wrote to memory of 1008	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	wqckrowrzazlcvf.exe
PID 1516 wrote to memory of 1008	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	wqckrowrzazlcvf.exe
PID 1516 wrote to memory of 1808	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	xdauoqqn.exe
PID 1516 wrote to memory of 1808	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	xdauoqqn.exe
PID 1516 wrote to memory of 1808	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	xdauoqqn.exe
PID 1516 wrote to memory of 1808	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	xdauoqqn.exe
PID 1516 wrote to memory of 1668	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	hjsxtxbodaxhl.exe
PID 1516 wrote to memory of 1668	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	hjsxtxbodaxhl.exe
PID 1516 wrote to memory of 1668	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	hjsxtxbodaxhl.exe
PID 1516 wrote to memory of 1668	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	hjsxtxbodaxhl.exe
PID 1172 wrote to memory of 596	1172	lteepqnuts.exe	xdauoqqn.exe
PID 1172 wrote to memory of 596	1172	lteepqnuts.exe	xdauoqqn.exe
PID 1172 wrote to memory of 596	1172	lteepqnuts.exe	xdauoqqn.exe
PID 1172 wrote to memory of 596	1172	lteepqnuts.exe	xdauoqqn.exe
PID 1516 wrote to memory of 856	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	WINWORD.EXE
PID 1516 wrote to memory of 856	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	WINWORD.EXE
PID 1516 wrote to memory of 856	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	WINWORD.EXE
PID 1516 wrote to memory of 856	1516	36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe	WINWORD.EXE
PID 856 wrote to memory of 576	856	WINWORD.EXE	splwow64.exe
PID 856 wrote to memory of 576	856	WINWORD.EXE	splwow64.exe
PID 856 wrote to memory of 576	856	WINWORD.EXE	splwow64.exe
PID 856 wrote to memory of 576	856	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe
"C:\Users\Admin\AppData\Local\Temp\36576b591ec239f59a93342e9c6e4b0390abbca28e5044a3a51e5ad1028a94fd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\lteepqnuts.exe
lteepqnuts.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\xdauoqqn.exe
C:\Windows\system32\xdauoqqn.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:596

C:\Windows\SysWOW64\wqckrowrzazlcvf.exe
wqckrowrzazlcvf.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1008

C:\Windows\SysWOW64\xdauoqqn.exe
xdauoqqn.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808

C:\Windows\SysWOW64\hjsxtxbodaxhl.exe
hjsxtxbodaxhl.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hjsxtxbodaxhl.exe

Filesize
255KB

MD5
ca1f52d0ce28896cb9780cdcb7397ad4

SHA1
313bdf42a20c0e5d492054df9989cf0968c6b0d5

SHA256
ff030158fa5d12a168d10048b225443713e81fee36edcfac6338eefd3e7c409e

SHA512
b3380a08c31fff32913d602699f622a677867dd065f5aa3ee53d24842fa98b848000be8a2e87cd7b67ca2fde3fe48053e93eb2ff31bf03abdb216450657a238c

Download Submit
C:\Windows\SysWOW64\lteepqnuts.exe

Filesize
255KB

MD5
fa507b8fabf285f60c25ad0a6dd05932

SHA1
7fff2db8188127a7d593976391193a67ddd30b32

SHA256
90de05835f473a5306b4bd0ec8c519b4e554c63d44f90d39805c6d8b56a120d0

SHA512
792174e4f49484f80496b71980ab80e208da60172e0a15ef2ef433d8ceeb6aa459c6697bcbf47158e62807e043c95c1204769fedeb5f889b4b3916c053b6687a

Download Submit
C:\Windows\SysWOW64\lteepqnuts.exe

Filesize
255KB

MD5
fa507b8fabf285f60c25ad0a6dd05932

SHA1
7fff2db8188127a7d593976391193a67ddd30b32

SHA256
90de05835f473a5306b4bd0ec8c519b4e554c63d44f90d39805c6d8b56a120d0

SHA512
792174e4f49484f80496b71980ab80e208da60172e0a15ef2ef433d8ceeb6aa459c6697bcbf47158e62807e043c95c1204769fedeb5f889b4b3916c053b6687a

Download Submit
C:\Windows\SysWOW64\wqckrowrzazlcvf.exe

Filesize
255KB

MD5
3594b66bae1f298891520fba61cfa559

SHA1
077eecc14ff39fe3c51694b0f46a2af1fca7b7f5

SHA256
4afef0ce33d02c8c9355f4e0cc1e616fd6a4835e53f7603732d19a235a8d0b0c

SHA512
69ace7333663cf778f433e22d69e1b2a47d67c71818607fe929cd2d0854ae7745e9bb2043ab85ff1ba7fbd10209656c8ba219230bd915b6cb9d6cd88ffead887

Download Submit
C:\Windows\SysWOW64\wqckrowrzazlcvf.exe

Filesize
255KB

MD5
3594b66bae1f298891520fba61cfa559

SHA1
077eecc14ff39fe3c51694b0f46a2af1fca7b7f5

SHA256
4afef0ce33d02c8c9355f4e0cc1e616fd6a4835e53f7603732d19a235a8d0b0c

SHA512
69ace7333663cf778f433e22d69e1b2a47d67c71818607fe929cd2d0854ae7745e9bb2043ab85ff1ba7fbd10209656c8ba219230bd915b6cb9d6cd88ffead887

Download Submit
C:\Windows\SysWOW64\xdauoqqn.exe

Filesize
255KB

MD5
c8e07d1663dc8fd4bdd04c210807af27

SHA1
9e6163d57842d90aa9c77e22539043d036ecc77f

SHA256
b1f6a33c17006e683fd3c7dcb813104ea1ad7380697f3a87e0ee8872a341c5ae

SHA512
57aa68c1ce6e0b7ab11e88a37687ee0a737be977488877300529470f747e3b3f94820817c822a1770366f820150b80e4abcd311c0ecf50d9d905ec02a7ab1c45

Download Submit
C:\Windows\SysWOW64\xdauoqqn.exe

Filesize
255KB

MD5
c8e07d1663dc8fd4bdd04c210807af27

SHA1
9e6163d57842d90aa9c77e22539043d036ecc77f

SHA256
b1f6a33c17006e683fd3c7dcb813104ea1ad7380697f3a87e0ee8872a341c5ae

SHA512
57aa68c1ce6e0b7ab11e88a37687ee0a737be977488877300529470f747e3b3f94820817c822a1770366f820150b80e4abcd311c0ecf50d9d905ec02a7ab1c45

Download Submit
C:\Windows\SysWOW64\xdauoqqn.exe

Filesize
255KB

MD5
c8e07d1663dc8fd4bdd04c210807af27

SHA1
9e6163d57842d90aa9c77e22539043d036ecc77f

SHA256
b1f6a33c17006e683fd3c7dcb813104ea1ad7380697f3a87e0ee8872a341c5ae

SHA512
57aa68c1ce6e0b7ab11e88a37687ee0a737be977488877300529470f747e3b3f94820817c822a1770366f820150b80e4abcd311c0ecf50d9d905ec02a7ab1c45

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\hjsxtxbodaxhl.exe

Filesize
255KB

MD5
ca1f52d0ce28896cb9780cdcb7397ad4

SHA1
313bdf42a20c0e5d492054df9989cf0968c6b0d5

SHA256
ff030158fa5d12a168d10048b225443713e81fee36edcfac6338eefd3e7c409e

SHA512
b3380a08c31fff32913d602699f622a677867dd065f5aa3ee53d24842fa98b848000be8a2e87cd7b67ca2fde3fe48053e93eb2ff31bf03abdb216450657a238c

Download Submit
\Windows\SysWOW64\lteepqnuts.exe

Filesize
255KB

MD5
fa507b8fabf285f60c25ad0a6dd05932

SHA1
7fff2db8188127a7d593976391193a67ddd30b32

SHA256
90de05835f473a5306b4bd0ec8c519b4e554c63d44f90d39805c6d8b56a120d0

SHA512
792174e4f49484f80496b71980ab80e208da60172e0a15ef2ef433d8ceeb6aa459c6697bcbf47158e62807e043c95c1204769fedeb5f889b4b3916c053b6687a

Download Submit
\Windows\SysWOW64\wqckrowrzazlcvf.exe

Filesize
255KB

MD5
3594b66bae1f298891520fba61cfa559

SHA1
077eecc14ff39fe3c51694b0f46a2af1fca7b7f5

SHA256
4afef0ce33d02c8c9355f4e0cc1e616fd6a4835e53f7603732d19a235a8d0b0c

SHA512
69ace7333663cf778f433e22d69e1b2a47d67c71818607fe929cd2d0854ae7745e9bb2043ab85ff1ba7fbd10209656c8ba219230bd915b6cb9d6cd88ffead887

Download Submit
\Windows\SysWOW64\xdauoqqn.exe

Filesize
255KB

MD5
c8e07d1663dc8fd4bdd04c210807af27

SHA1
9e6163d57842d90aa9c77e22539043d036ecc77f

SHA256
b1f6a33c17006e683fd3c7dcb813104ea1ad7380697f3a87e0ee8872a341c5ae

SHA512
57aa68c1ce6e0b7ab11e88a37687ee0a737be977488877300529470f747e3b3f94820817c822a1770366f820150b80e4abcd311c0ecf50d9d905ec02a7ab1c45

Download Submit
\Windows\SysWOW64\xdauoqqn.exe

Filesize
255KB

MD5
c8e07d1663dc8fd4bdd04c210807af27

SHA1
9e6163d57842d90aa9c77e22539043d036ecc77f

SHA256
b1f6a33c17006e683fd3c7dcb813104ea1ad7380697f3a87e0ee8872a341c5ae

SHA512
57aa68c1ce6e0b7ab11e88a37687ee0a737be977488877300529470f747e3b3f94820817c822a1770366f820150b80e4abcd311c0ecf50d9d905ec02a7ab1c45

Download Submit
memory/576-101-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download
memory/576-100-0x0000000000000000-mapping.dmp

Download
memory/596-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/596-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/596-77-0x0000000000000000-mapping.dmp

Download
memory/856-99-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/856-94-0x000000007160D000-0x0000000071618000-memory.dmp

Filesize
44KB

Download
memory/856-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/856-90-0x0000000070621000-0x0000000070623000-memory.dmp

Filesize
8KB

Download
memory/856-87-0x0000000000000000-mapping.dmp

Download
memory/856-89-0x0000000072BA1000-0x0000000072BA4000-memory.dmp

Filesize
12KB

Download
memory/1008-62-0x0000000000000000-mapping.dmp

Download
memory/1008-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1008-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1172-85-0x0000000003890000-0x0000000003930000-memory.dmp

Filesize
640KB

Download
memory/1172-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1172-58-0x0000000000000000-mapping.dmp

Download
memory/1172-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1516-82-0x0000000003750000-0x00000000037F0000-memory.dmp

Filesize
640KB

Download
memory/1516-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1516-80-0x0000000003750000-0x00000000037F0000-memory.dmp

Filesize
640KB

Download
memory/1516-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1516-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1516-54-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1668-72-0x0000000000000000-mapping.dmp

Download
memory/1808-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1808-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1808-68-0x0000000000000000-mapping.dmp

Download