Analysis
-
max time kernel
158s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2022 21:05
Behavioral task
behavioral1
Sample
31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe
Resource
win7-20220812-en
windows7-x64
28 signatures
150 seconds
General
-
Target
31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe
-
Size
255KB
-
MD5
73b57a0fdf7d693364f5fc306b50ed49
-
SHA1
7157889ea3ff68fa4d84587cbb568b78081954c4
-
SHA256
31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461
-
SHA512
55393a46823acff8bf3924e8383048172cd17ca813b51f5da4a1e9b4d85833aac91841b8117b5f6ac86e9fa001c96421ed685aa0ddb347dec5fbc2bc86da1674
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJE:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIp
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" cgijxpqshx.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" cgijxpqshx.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cgijxpqshx.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cgijxpqshx.exe -
Executes dropped EXE 5 IoCs
pid Process 3784 cgijxpqshx.exe 5080 qkntrgtblvfgpvj.exe 3112 leetnulu.exe 920 rsardotdsdhdo.exe 3364 leetnulu.exe -
resource yara_rule behavioral2/memory/4060-132-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4060-133-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x000e000000022f5a-135.dat upx behavioral2/files/0x000e000000022f5a-136.dat upx behavioral2/files/0x0009000000022f6f-138.dat upx behavioral2/files/0x0009000000022f6f-139.dat upx behavioral2/files/0x0006000000022f77-141.dat upx behavioral2/files/0x0006000000022f77-142.dat upx behavioral2/files/0x0006000000022f78-144.dat upx behavioral2/files/0x0006000000022f78-145.dat upx behavioral2/memory/3784-146-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5080-147-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3112-148-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/920-149-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0006000000022f77-151.dat upx behavioral2/memory/3364-152-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/4060-154-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3784-160-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/5080-161-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3112-162-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/920-163-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/memory/3364-164-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral2/files/0x0007000000022f82-165.dat upx behavioral2/files/0x0007000000022f83-166.dat upx behavioral2/files/0x000a00000001e463-170.dat upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" cgijxpqshx.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run qkntrgtblvfgpvj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pyltxbpz = "cgijxpqshx.exe" qkntrgtblvfgpvj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\suajqukf = "qkntrgtblvfgpvj.exe" qkntrgtblvfgpvj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rsardotdsdhdo.exe" qkntrgtblvfgpvj.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: leetnulu.exe File opened (read-only) \??\q: cgijxpqshx.exe File opened (read-only) \??\e: leetnulu.exe File opened (read-only) \??\h: leetnulu.exe File opened (read-only) \??\l: leetnulu.exe File opened (read-only) \??\r: leetnulu.exe File opened (read-only) \??\o: cgijxpqshx.exe File opened (read-only) \??\b: leetnulu.exe File opened (read-only) \??\q: leetnulu.exe File opened (read-only) \??\b: cgijxpqshx.exe File opened (read-only) \??\y: cgijxpqshx.exe File opened (read-only) \??\z: cgijxpqshx.exe File opened (read-only) \??\g: leetnulu.exe File opened (read-only) \??\w: leetnulu.exe File opened (read-only) \??\i: leetnulu.exe File opened (read-only) \??\v: leetnulu.exe File opened (read-only) \??\u: leetnulu.exe File opened (read-only) \??\x: leetnulu.exe File opened (read-only) \??\s: leetnulu.exe File opened (read-only) \??\y: leetnulu.exe File opened (read-only) \??\o: leetnulu.exe File opened (read-only) \??\p: leetnulu.exe File opened (read-only) \??\u: leetnulu.exe File opened (read-only) \??\a: leetnulu.exe File opened (read-only) \??\p: leetnulu.exe File opened (read-only) \??\z: leetnulu.exe File opened (read-only) \??\a: cgijxpqshx.exe File opened (read-only) \??\f: leetnulu.exe File opened (read-only) \??\i: leetnulu.exe File opened (read-only) \??\q: leetnulu.exe File opened (read-only) \??\z: leetnulu.exe File opened (read-only) \??\f: leetnulu.exe File opened (read-only) \??\j: leetnulu.exe File opened (read-only) \??\v: cgijxpqshx.exe File opened (read-only) \??\g: cgijxpqshx.exe File opened (read-only) \??\l: cgijxpqshx.exe File opened (read-only) \??\v: leetnulu.exe File opened (read-only) \??\y: leetnulu.exe File opened (read-only) \??\e: leetnulu.exe File opened (read-only) \??\k: cgijxpqshx.exe File opened (read-only) \??\m: cgijxpqshx.exe File opened (read-only) \??\p: cgijxpqshx.exe File opened (read-only) \??\x: cgijxpqshx.exe File opened (read-only) \??\m: leetnulu.exe File opened (read-only) \??\i: cgijxpqshx.exe File opened (read-only) \??\s: cgijxpqshx.exe File opened (read-only) \??\n: leetnulu.exe File opened (read-only) \??\l: leetnulu.exe File opened (read-only) \??\w: leetnulu.exe File opened (read-only) \??\a: leetnulu.exe File opened (read-only) \??\k: leetnulu.exe File opened (read-only) \??\b: leetnulu.exe File opened (read-only) \??\g: leetnulu.exe File opened (read-only) \??\e: cgijxpqshx.exe File opened (read-only) \??\f: cgijxpqshx.exe File opened (read-only) \??\h: cgijxpqshx.exe File opened (read-only) \??\w: cgijxpqshx.exe File opened (read-only) \??\s: leetnulu.exe File opened (read-only) \??\o: leetnulu.exe File opened (read-only) \??\t: leetnulu.exe File opened (read-only) \??\j: cgijxpqshx.exe File opened (read-only) \??\r: cgijxpqshx.exe File opened (read-only) \??\u: cgijxpqshx.exe File opened (read-only) \??\j: leetnulu.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" cgijxpqshx.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" cgijxpqshx.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3784-146-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5080-147-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3112-148-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/920-149-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3364-152-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/4060-154-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3784-160-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/5080-161-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3112-162-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/920-163-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral2/memory/3364-164-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\cgijxpqshx.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File created C:\Windows\SysWOW64\leetnulu.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File opened for modification C:\Windows\SysWOW64\leetnulu.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File created C:\Windows\SysWOW64\cgijxpqshx.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File created C:\Windows\SysWOW64\qkntrgtblvfgpvj.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File opened for modification C:\Windows\SysWOW64\qkntrgtblvfgpvj.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File created C:\Windows\SysWOW64\rsardotdsdhdo.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File opened for modification C:\Windows\SysWOW64\rsardotdsdhdo.exe 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll cgijxpqshx.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe leetnulu.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe leetnulu.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe leetnulu.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe leetnulu.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal leetnulu.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe leetnulu.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" cgijxpqshx.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C7F9C2083556D3477D077272DDD7D8665A8" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat cgijxpqshx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" cgijxpqshx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf cgijxpqshx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" cgijxpqshx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168C3FE6822DCD178D0D38B799060" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" cgijxpqshx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc cgijxpqshx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs cgijxpqshx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" cgijxpqshx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" cgijxpqshx.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg cgijxpqshx.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FABFF963F2E2840B3B46819F3993B0FA038B4315033EE2CE45E608A0" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12F4792389F53BFB9D73299D4B8" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FCFF48588213913CD7287E91BD90E6315943674F6343D79B" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC77415E3DAB1B9BC7FE1ED9534CF" 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh cgijxpqshx.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 5100 WINWORD.EXE 5100 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 3364 leetnulu.exe 3364 leetnulu.exe 3364 leetnulu.exe 3364 leetnulu.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 3364 leetnulu.exe 3364 leetnulu.exe 3364 leetnulu.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 3784 cgijxpqshx.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 5080 qkntrgtblvfgpvj.exe 3112 leetnulu.exe 3112 leetnulu.exe 3112 leetnulu.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 920 rsardotdsdhdo.exe 3364 leetnulu.exe 3364 leetnulu.exe 3364 leetnulu.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE 5100 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4060 wrote to memory of 3784 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 78 PID 4060 wrote to memory of 3784 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 78 PID 4060 wrote to memory of 3784 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 78 PID 4060 wrote to memory of 5080 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 79 PID 4060 wrote to memory of 5080 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 79 PID 4060 wrote to memory of 5080 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 79 PID 4060 wrote to memory of 3112 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 80 PID 4060 wrote to memory of 3112 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 80 PID 4060 wrote to memory of 3112 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 80 PID 4060 wrote to memory of 920 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 81 PID 4060 wrote to memory of 920 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 81 PID 4060 wrote to memory of 920 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 81 PID 3784 wrote to memory of 3364 3784 cgijxpqshx.exe 82 PID 3784 wrote to memory of 3364 3784 cgijxpqshx.exe 82 PID 3784 wrote to memory of 3364 3784 cgijxpqshx.exe 82 PID 4060 wrote to memory of 5100 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 83 PID 4060 wrote to memory of 5100 4060 31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe"C:\Users\Admin\AppData\Local\Temp\31968b19e0a9eac84639489471ba5d98c3c7d145035ee9bccee49d94bf391461.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\cgijxpqshx.execgijxpqshx.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3784 -
C:\Windows\SysWOW64\leetnulu.exeC:\Windows\system32\leetnulu.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3364
-
-
-
C:\Windows\SysWOW64\qkntrgtblvfgpvj.exeqkntrgtblvfgpvj.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5080
-
-
C:\Windows\SysWOW64\leetnulu.exeleetnulu.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112
-
-
C:\Windows\SysWOW64\rsardotdsdhdo.exersardotdsdhdo.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:920
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5100
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD5fd2b4eb26db7efdd234b395ab8ab69ca
SHA18542dca4c575d45e5ba80099a78ee552ba3105d8
SHA2564441a87954169e16d2920e3ea43c5b4af1faf6a16c93cfb891d03d916de7110b
SHA512af8eb8e0b6791d705cd8c6ad147042549b3a49f3a36417faaba44b4653b5843001169336b99c7a69beb9c9f5adf20518b73875a964de865fee5e4033d0a7eb3e
-
Filesize
255KB
MD52eee16b60927cc921a8a83f2e151c6af
SHA1f690d8c2ac48242e2571e91bfe1657b44baa7de2
SHA256166f7bef1b43963a39cff6151b04db1aa5898a7781972efc143414846124ea8e
SHA512c8cf7fc417ccf2e1ecff1e955a47082e380fc686e427975b0c59150a09bf5cfee3c54cbe3bac0ce42dd183ef9ccb3acee885e309f381b2edb7c750ac0415e417
-
Filesize
255KB
MD526ca4af6707b938c8c1c8c3f3ccf69c7
SHA18ccfd79f6b852b5ebfeb34b101988a736639659a
SHA256271d21645d6b0f79a81e7dde938b2bec6b22cb55c805943a8008f70500cc834c
SHA512f1cec422d47fed61086d031faf8772b9363d1d05dfc53b263ea42027e29969a2cc0eeff12969a170d21f2eb0c1afc3f68dbe9a5e1e1dfd4f3a3579370faa6b5c
-
Filesize
255KB
MD54f91868c3798b7e8ba8542cbd1ccb506
SHA14b0e1912c6a6cc96c5aa062197a839d9ea1a8834
SHA2562a7b79f4f9ba9acf20713eca63cfa74ea271d022417b5650fdee2d7f512516e7
SHA512ee2959ecd00c91c6e664cb69f76729bc2c80ce528e6cf5efe15350a138be7e15fb0aac563038899741a4bb4881948562d3a56f689e843886fed5a7c9665527d1
-
Filesize
255KB
MD54f91868c3798b7e8ba8542cbd1ccb506
SHA14b0e1912c6a6cc96c5aa062197a839d9ea1a8834
SHA2562a7b79f4f9ba9acf20713eca63cfa74ea271d022417b5650fdee2d7f512516e7
SHA512ee2959ecd00c91c6e664cb69f76729bc2c80ce528e6cf5efe15350a138be7e15fb0aac563038899741a4bb4881948562d3a56f689e843886fed5a7c9665527d1
-
Filesize
255KB
MD5d8e6cbedaec964be64b17bbf064a6058
SHA154e3561697ae4993ee36294a91fc17671b248086
SHA256ee435589455439734aed46b8b194c822a0215cbcdaf5f2cc73ed78327b052adb
SHA5127ae4e9ff5e00885f5982b36171bec17d8f602e06a493e3057e3f7d7fe8be9930957362a25f0896501e7f2c33e87267976b10e6058eddfc96cae689129e685241
-
Filesize
255KB
MD5d8e6cbedaec964be64b17bbf064a6058
SHA154e3561697ae4993ee36294a91fc17671b248086
SHA256ee435589455439734aed46b8b194c822a0215cbcdaf5f2cc73ed78327b052adb
SHA5127ae4e9ff5e00885f5982b36171bec17d8f602e06a493e3057e3f7d7fe8be9930957362a25f0896501e7f2c33e87267976b10e6058eddfc96cae689129e685241
-
Filesize
255KB
MD5d8e6cbedaec964be64b17bbf064a6058
SHA154e3561697ae4993ee36294a91fc17671b248086
SHA256ee435589455439734aed46b8b194c822a0215cbcdaf5f2cc73ed78327b052adb
SHA5127ae4e9ff5e00885f5982b36171bec17d8f602e06a493e3057e3f7d7fe8be9930957362a25f0896501e7f2c33e87267976b10e6058eddfc96cae689129e685241
-
Filesize
255KB
MD556ffa2f985c0443a5ea9b1288b49428b
SHA192994065e901d9d6ed7e82a9651e67efdaacf19f
SHA2568f9898e24250c3df520083bce7ea0c011eede52c3d22e0d338ab6c650de3e7dd
SHA51235333a8d80f610511c1e249b32d156c7c2c52718c173b3515369ad66d59dc854183a3411631989c4dc82765061fcea11383c37c9d880c2142264b115184e981b
-
Filesize
255KB
MD556ffa2f985c0443a5ea9b1288b49428b
SHA192994065e901d9d6ed7e82a9651e67efdaacf19f
SHA2568f9898e24250c3df520083bce7ea0c011eede52c3d22e0d338ab6c650de3e7dd
SHA51235333a8d80f610511c1e249b32d156c7c2c52718c173b3515369ad66d59dc854183a3411631989c4dc82765061fcea11383c37c9d880c2142264b115184e981b
-
Filesize
255KB
MD59e24756d080c526c677dc3e868a668a5
SHA173d954812758cf2268585146de9c1a9a206a1dc3
SHA25697ed61be5a8cfbe4129455fce6bca8039e3b3db830a49391c7c0950b7bc171c9
SHA512a9b29ea23ed8da7ad64bea652711bc1602235aff847f0bef3499dad9c2b196a4ca351127042576ea3f005687449e690e9420affa56facf48ea3d9cfc705de222
-
Filesize
255KB
MD59e24756d080c526c677dc3e868a668a5
SHA173d954812758cf2268585146de9c1a9a206a1dc3
SHA25697ed61be5a8cfbe4129455fce6bca8039e3b3db830a49391c7c0950b7bc171c9
SHA512a9b29ea23ed8da7ad64bea652711bc1602235aff847f0bef3499dad9c2b196a4ca351127042576ea3f005687449e690e9420affa56facf48ea3d9cfc705de222
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7