Analysis
max time kernel: 170s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 21:06
Behavioral task: behavioral1
Sample: 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Resource: win7-20221111-en
General
Target: 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Size: 255KB
MD5: 890c6a7f31c5a3d6c62eda68b1f316e8
SHA1: 10330c54bf001d0ae9ce94d911cc154f02e97e0e
SHA256: 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1
SHA512: c9d527d3316d8a64f19c0d2b5ea2bb06776b3e31bdc9473e0d2d449a95c5756f4b4c63178da2ef5b573c5f3c0e715caa6c55a01295f46beeaa93afe5a0548338
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJU:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI7
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gtpfsbuxye.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gtpfsbuxye.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gtpfsbuxye.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gtpfsbuxye.exe
Executes dropped EXE 5 IoCs
pid | Process
480 | gtpfsbuxye.exe
3404 | xyjfqvvwvggscra.exe
1292 | jeppgnoi.exe
3856 | eafxvtjxgxqom.exe
4848 | jeppgnoi.exe
UPX packed file 28 IoCs
YARA rule upx matched on the sample's memory image and on the dropped files.
resource | yara_rule
behavioral2/memory/4740-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e13-135.dat | upx
behavioral2/files/0x0008000000022e13-134.dat | upx
behavioral2/files/0x0006000000022e18-137.dat | upx
behavioral2/files/0x0006000000022e18-138.dat | upx
behavioral2/files/0x0006000000022e19-140.dat | upx
behavioral2/files/0x0006000000022e19-141.dat | upx
behavioral2/files/0x0006000000022e1a-144.dat | upx
behavioral2/files/0x0006000000022e1a-143.dat | upx
behavioral2/files/0x0006000000022e19-146.dat | upx
behavioral2/memory/480-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3404-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3856-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1292-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4848-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4740-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0002000000009ded-157.dat | upx
behavioral2/files/0x0006000000022e1c-158.dat | upx
behavioral2/memory/480-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3404-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3856-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1292-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4848-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e6bd-169.dat | upx
behavioral2/files/0x000200000001e6be-170.dat | upx
behavioral2/files/0x000200000001e6be-171.dat | upx
behavioral2/files/0x0003000000000727-173.dat | upx
behavioral2/files/0x0003000000000727-174.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gtpfsbuxye.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | xyjfqvvwvggscra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdsaumun = "gtpfsbuxye.exe" | xyjfqvvwvggscra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wpzuhgdf = "xyjfqvvwvggscra.exe" | xyjfqvvwvggscra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "eafxvtjxgxqom.exe" | xyjfqvvwvggscra.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive. The 64 read-only opens are grouped by process below; the two jeppgnoi.exe instances (PIDs 1292 and 4848) open several letters more than once.
description | ioc | Process
File opened (read-only), 19 opens | \??\a: \??\e: \??\f: \??\h: \??\i: \??\j: \??\l: \??\m: \??\o: \??\p: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | gtpfsbuxye.exe
File opened (read-only), 45 opens | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | jeppgnoi.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gtpfsbuxye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gtpfsbuxye.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4740-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/480-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3404-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3856-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1292-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4848-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4740-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/480-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3404-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3856-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1292-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4848-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gtpfsbuxye.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jeppgnoi.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jeppgnoi.exe
File created | C:\Windows\SysWOW64\gtpfsbuxye.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | C:\Windows\SysWOW64\gtpfsbuxye.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created | C:\Windows\SysWOW64\xyjfqvvwvggscra.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | C:\Windows\SysWOW64\xyjfqvvwvggscra.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created | C:\Windows\SysWOW64\jeppgnoi.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | C:\Windows\SysWOW64\jeppgnoi.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created | C:\Windows\SysWOW64\eafxvtjxgxqom.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | C:\Windows\SysWOW64\eafxvtjxgxqom.exe | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jeppgnoi.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jeppgnoi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jeppgnoi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jeppgnoi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jeppgnoi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jeppgnoi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jeppgnoi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jeppgnoi.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB1FF6721D9D10CD0A38B7C9164" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gtpfsbuxye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9BDF967F1E4840E3A47819D3E96B38902884316023AE1CD459B08D2" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12F44EE38E253C9BADC329AD7CF" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gtpfsbuxye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gtpfsbuxye.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFF9482682199045D6587DE6BCE5E135583066466331D799" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gtpfsbuxye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gtpfsbuxye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gtpfsbuxye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D7C9D5083596D3F76D277232DD67C8764DC" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70E1491DBBEB8CC7CE3EDE534CF" | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
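The registry signatures above (Explorer HideFileExt/ShowSuperHidden, the Security Center *DisableNotify/*Override values, DisableRegistryTools, the Winlogon SFC values, the Run entries and the .bat/.vbs/.reg/.wsf/.wsc/.wsh ProgIDs remapped to txtfile) are all SetValue operations, so the same behaviour shows up on an endpoint as Sysmon Event ID 13 records. The Python below is an added example, not code from the sandbox report or its vendor: it normalises the key paths the way the report prints them and flags the exact value/data pairs listed above. The SAMPLE_EVENTS are constructed to mirror the report's IoCs, not exported from a real sensor; the field names (EventID, Image, TargetObject, Details) follow the Sysmon schema.

```python
"""Sysmon Event ID 13 (RegistryEvent: SetValue) matcher for the registry tampering
recorded in the report. Added example; SAMPLE_EVENTS are constructed, not real logs."""
import re
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    rule: str
    image: str
    key: str
    data: str


# Value/data pairs set by gtpfsbuxye.exe in the report, stored in the normalised form
# produced by _normalise_key (no hive prefix, no WOW6432Node, lower case).
EVASION_VALUES: Dict[str, str] = {
    "software\\microsoft\\windows\\currentversion\\explorer\\advanced\\hidefileext": "1",
    "software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden": "0",
    "software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools": "1",
    "software\\microsoft\\security center\\antivirusdisablenotify": "1",
    "software\\microsoft\\security center\\firewalldisablenotify": "1",
    "software\\microsoft\\security center\\updatesdisablenotify": "1",
    "software\\microsoft\\security center\\firstrundisabled": "1",
    "software\\microsoft\\security center\\antivirusoverride": "1",
    "software\\microsoft\\security center\\firewalloverride": "1",
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcscan": "0",
    "software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcdisable": "4294967197",
}
HIJACKED_EXTS = {".bat", ".vbs", ".reg", ".wsf", ".wsc", ".wsh"}  # ProgID pointed at txtfile
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run\\"

_HIVE_RE = re.compile(
    r"^(?:\\registry\\machine\\|\\registry\\user\\[^\\]+\\|hklm\\|hkcu\\|hku\\[^\\]+\\)",
    re.IGNORECASE,
)
_DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{1,8})\)$")


def _normalise_key(target: str) -> str:
    """Strip hive prefix and WOW6432Node, lower-case, and drop a trailing '(Default)'
    so a default value ends in a backslash exactly like the report's 'Classes\\.bat\\'."""
    key = _HIVE_RE.sub("", target).lower().replace("wow6432node\\", "")
    return key[: -len("(default)")] if key.endswith("(default)") else key


def _decode_details(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'. Return decimal text so that
    0xFFFFFF9D compares equal to the '4294967197' the report shows for SFCDisable."""
    m = _DWORD_RE.match(details.strip())
    return str(int(m.group(1), 16)) if m else details.strip()


def scan_events(events: Iterable[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        key = _normalise_key(ev["TargetObject"])
        data = _decode_details(ev["Details"])
        image = ev.get("Image", "?")
        if EVASION_VALUES.get(key) == data:
            findings.append(Finding("explorer/securitycenter/winlogon tamper", image, key, data))
        elif key.startswith("software\\classes\\") and key.endswith("\\"):
            ext = key[len("software\\classes\\"):-1]
            if ext in HIJACKED_EXTS and data.lower() == "txtfile":
                findings.append(Finding("script extension remapped to txtfile", image, key, data))
        elif key.startswith(RUN_KEY) and data.lower().endswith(".exe") and "\\" not in data:
            # Bare file name rather than a full path; the report shows the named
            # copies were dropped into SysWOW64 beforehand.
            findings.append(Finding("run key with unqualified exe name", image, key, data))
    return findings


def _ev(image: str, target: str, details: str) -> dict:
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}


_SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
_DROPPER = "C:\\Windows\\SysWOW64\\gtpfsbuxye.exe"
SAMPLE_EVENTS = [  # constructed to mirror the IoCs above
    _ev(_DROPPER, f"HKU\\{_SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "DWORD (0x00000001)"),
    _ev(_DROPPER, "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusOverride", "DWORD (0x00000001)"),
    _ev(_DROPPER, "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable", "DWORD (0xFFFFFF9D)"),
    _ev(_DROPPER, "HKLM\\SOFTWARE\\Classes\\.vbs\\(Default)", "txtfile"),
    _ev("C:\\Windows\\SysWOW64\\xyjfqvvwvggscra.exe", "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\sdsaumun", "gtpfsbuxye.exe"),
    # benign: a user re-enables extensions from Folder Options (must not fire)
    _ev("C:\\Windows\\explorer.exe", "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.key} = {f.data}")
```

Matching on the exact data value (not just the key) is what keeps the benign Explorer write out of the results; the SFCDisable comparison works only because both sides are reduced to the same decimal rendering of the unsigned DWORD.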
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
2264 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 16
480 | gtpfsbuxye.exe | 10
3404 | xyjfqvvwvggscra.exe | 12
1292 | jeppgnoi.exe | 8
3856 | eafxvtjxgxqom.exe | 12
4848 | jeppgnoi.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events
4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 3
480 | gtpfsbuxye.exe | 3
3404 | xyjfqvvwvggscra.exe | 3
1292 | jeppgnoi.exe | 3
3856 | eafxvtjxgxqom.exe | 3
4848 | jeppgnoi.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events
4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 3
480 | gtpfsbuxye.exe | 3
3404 | xyjfqvvwvggscra.exe | 3
1292 | jeppgnoi.exe | 3
3856 | eafxvtjxgxqom.exe | 3
4848 | jeppgnoi.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | events
2264 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | events
PID 4740 wrote to memory of 480 | 4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 80 | 3
PID 4740 wrote to memory of 3404 | 4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 81 | 3
PID 4740 wrote to memory of 1292 | 4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 82 | 3
PID 4740 wrote to memory of 3856 | 4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 83 | 3
PID 480 wrote to memory of 4848 | 480 | gtpfsbuxye.exe | 84 | 3
PID 4740 wrote to memory of 2264 | 4740 | 245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe | 85 | 2
Processes
C:\Users\Admin\AppData\Local\Temp\245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe (depth 1, PID 4740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\gtpfsbuxye.exe (depth 2, PID 480)
    Command line: gtpfsbuxye.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\jeppgnoi.exe (depth 3, PID 4848)
      Command line: C:\Windows\system32\jeppgnoi.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\xyjfqvvwvggscra.exe (depth 2, PID 3404)
    Command line: xyjfqvvwvggscra.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\jeppgnoi.exe (depth 2, PID 1292)
    Command line: jeppgnoi.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\eafxvtjxgxqom.exe (depth 2, PID 3856)
    Command line: eafxvtjxgxqom.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 2264)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (T1158): 2
- Registry Run Keys / Startup Folder (T1060): 1
- Winlogon Helper DLL (T1004): 1
Defense Evasion
- Disabling Security Tools (T1089): 2
- Hidden Files and Directories (T1158): 2
- Modify Registry (T1112): 6
Downloads
-
Filesize 255KB
MD5 2c911fc7bddd2bd63827af38773faa93
SHA1 7c94518884d5830cc0b999e7be8256b8fd0fccfe
SHA256 d5a4fdbab3e58211c0cd355eee0a77d03b2d05569d2758bde1d35f61f9a6c600
SHA512 61bf2a01ba8e42c70736ed5029806a42bb88dcf07afa8f2244bf8d994a31db22bc45c169853db675fe37ea570e1357046287bbb409798dc4ea6fed8d4da7e951
-
Filesize 255KB
MD5 01c55bab794d27e81f67c96b5cd4d561
SHA1 e3ef158453fcd85d8f0051e575113baeb474e960
SHA256 605a9d9ae575efc8f2c519234324b53cbaca281c08e255c0316a32a12b565451
SHA512 ae0e1e28c5e7bba81032ca9d226c28c06a005c9947ad9093edb9e7122c42c50b0adb5c8cc54566098b604b6e3578dd8d230f4ef64127fc12abf70ca274815446
-
Filesize 255KB
MD5 44c05e3605018c497efba5f6b9102e70
SHA1 d68c32b05048888cd4fcaf257a73b46d1ee60e13
SHA256 10e808020cac7311f84879f82579a26587bd11a5cb446c54f5d5316b3170f8ca
SHA512 ede2c7c1b6939b3fee57a14d8863872d6b6e4fea1401f0c378a31e5d6ddbfb814893edef0ac47215a57d4f3d7fa0daa310ec239cd86b088474e1912acef7060b
-
Filesize 255KB
MD5 685cca34f7b5cf65f2a3519b634b85dc
SHA1 268a8e8676f3b01ea1ddc528e87a8879a551d86a
SHA256 606013656998518a6efacb71edcd2bd7bf2fbd09c0b5268e4636c6edfadc5351
SHA512 69d65e9ea702381b30e1d073120a984b9fd84676b807df75c3c009f7e7d1c23cedc4b94b075b169e996673bf311d423f43ec62aac83b5c111caafd1c5ee44b52
-
Filesize 255KB
MD5 931974817e0bcfe050907a3e5e6a61e1
SHA1 41b11434a56ac3276ba560ba0335fa16cea0b1ee
SHA256 44f916f8dbe84ed3964858ce981e790f856185ca35074fa0464b7455c4375b84
SHA512 8c7368770a49cb796c090dda4bf8cbb34383edaca53c5d33317380be7d597b5c9edccf01c7c4c809ac9d0c9783fa6314749204d92220c34db883f5a87515abc1
-
Filesize 255KB
MD5 bef18912deb75c8edddbc76e788112bb
SHA1 80627f0d7939b380ea2bd74173ccbf16e207cba4
SHA256 e16a998e9d8b145bbc29366831ff766fabba61b5706643d16a691150300f2518
SHA512 e2c5fb6e05c52ec0b5292f0849c469f2a67655dc27c5598b6ccfb636f3f9b8a8e91313bff726ef61857f9f5a42151601617ea30257496d21c79ac6993e713866
-
Filesize 255KB
MD5 bef18912deb75c8edddbc76e788112bb
SHA1 80627f0d7939b380ea2bd74173ccbf16e207cba4
SHA256 e16a998e9d8b145bbc29366831ff766fabba61b5706643d16a691150300f2518
SHA512 e2c5fb6e05c52ec0b5292f0849c469f2a67655dc27c5598b6ccfb636f3f9b8a8e91313bff726ef61857f9f5a42151601617ea30257496d21c79ac6993e713866
-
Filesize 255KB
MD5 67118608b6079c241d23288cf2de80d6
SHA1 9a7e82ae8a1c872f28ee56fa4262c97f21dc7a31
SHA256 9d813e11ae440e544b6d605ad61c25b8c6e021497d00c0e7ff64d47dbda07032
SHA512 22f299d101f1db527a1e9708d8e905b73a5c40ae955229ccae149168ac31a7346d71e76f14bf9b12fc6b8fc5dd6098268e23c475a0e1a473ac06d3305112308b
-
Filesize 255KB
MD5 67118608b6079c241d23288cf2de80d6
SHA1 9a7e82ae8a1c872f28ee56fa4262c97f21dc7a31
SHA256 9d813e11ae440e544b6d605ad61c25b8c6e021497d00c0e7ff64d47dbda07032
SHA512 22f299d101f1db527a1e9708d8e905b73a5c40ae955229ccae149168ac31a7346d71e76f14bf9b12fc6b8fc5dd6098268e23c475a0e1a473ac06d3305112308b
-
Filesize 255KB
MD5 b0f7daa8cb88900a5739d8f7851a5f26
SHA1 5ef4dcca7ab6f7cfb416a19503a8e500fea428f3
SHA256 b422a4dec9c83e163a1335ae196f4c6aafc4fafd3aa15cb9a641a4bc6a9c5c46
SHA512 8d400a9afaeab9c38e805e1f6e3619fa6b9fe751da21f0b38008256ff8ff456f8f0df9e595ee945be4fac9dc42bb1607aeab55226ae0fccc3f396d416411646d
-
Filesize 255KB
MD5 b0f7daa8cb88900a5739d8f7851a5f26
SHA1 5ef4dcca7ab6f7cfb416a19503a8e500fea428f3
SHA256 b422a4dec9c83e163a1335ae196f4c6aafc4fafd3aa15cb9a641a4bc6a9c5c46
SHA512 8d400a9afaeab9c38e805e1f6e3619fa6b9fe751da21f0b38008256ff8ff456f8f0df9e595ee945be4fac9dc42bb1607aeab55226ae0fccc3f396d416411646d
-
Filesize 255KB
MD5 b0f7daa8cb88900a5739d8f7851a5f26
SHA1 5ef4dcca7ab6f7cfb416a19503a8e500fea428f3
SHA256 b422a4dec9c83e163a1335ae196f4c6aafc4fafd3aa15cb9a641a4bc6a9c5c46
SHA512 8d400a9afaeab9c38e805e1f6e3619fa6b9fe751da21f0b38008256ff8ff456f8f0df9e595ee945be4fac9dc42bb1607aeab55226ae0fccc3f396d416411646d
-
Filesize 255KB
MD5 ed002c63cc21a41f8c95cfec63e60022
SHA1 92860cb6412432367a8697b81065e1aef669898b
SHA256 8f6f34d3333cbb83ed642b121247e660efbcf72164ac5b6a7ff04c2437556493
SHA512 9d86dc73404843eb22b6aacddc826b34400e0100019e5fb90bca49a5ee18d8c1d0154ed029c2694268d0a1d123e64f3389f9b53662d0c88611682c214ae9cf22
-
Filesize 255KB
MD5 ed002c63cc21a41f8c95cfec63e60022
SHA1 92860cb6412432367a8697b81065e1aef669898b
SHA256 8f6f34d3333cbb83ed642b121247e660efbcf72164ac5b6a7ff04c2437556493
SHA512 9d86dc73404843eb22b6aacddc826b34400e0100019e5fb90bca49a5ee18d8c1d0154ed029c2694268d0a1d123e64f3389f9b53662d0c88611682c214ae9cf22
-
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 255KB
MD5 a6a4389dadf5a6f103ef644616a8f703
SHA1 983de5edb1896d0e09040cd87bf6fbeffcb09937
SHA256 44a0ff17084d2fd0dbfc36fb02a54520ddfc62918eb035fa2328847978418d8b
SHA512 557be09c1784673f69c4b2d92fe9dbcc056c8b122ef190865efb9d0a0dd7f9ef4b3b3983cc4a80002564e9f26cc5705c9219ea38f6d3e665a1921c64a2eb02a4
-
Filesize 255KB
MD5 a6d0d26c3547c8cac3763be0776d8af2
SHA1 55ae58759fe3a61efb01d26edb61e1b8c6896c6a
SHA256 50d214dfa046cdcfd2bddbdcf338f1f93f2cbffeba757f5de1d071bb34f10ccd
SHA512 9fc929331700503110f7e4722e866d876c4a9c6a15dd76bff4b97dc5f937d57fab05dcca65ae33ae2cbede148eda22990b9b61a79e1872753883613009c7f7a1
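Every dropped executable in the table above is 255KB, the same size as the submitted sample, yet the digests differ from drop to drop and none of them equals the submitted file's SHA-256. The Python below is an added example, not part of the report: it parses the flattened table as extracted (hash label fused to its value, e.g. "MD5<hex>", as well as the spaced form), validates each digest by hex length, groups the entries by SHA-256 and checks for exact copies of the submitted sample. DOWNLOADS is an excerpt of the table above (six of the seventeen entries, with the SHA-1 and SHA-512 lines left out to keep it short); the parser handles all four digests.

```python
"""Parser and de-duplicator for the report's flattened 'Downloads' table.
Added example; DOWNLOADS is an excerpt of the table above, not the full list."""
import re
from collections import Counter
from typing import Dict, List

SUBMITTED_SHA256 = "245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1"
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
_SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB)$")
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2}

DOWNLOADS = """\
-
Filesize
255KB
MD52c911fc7bddd2bd63827af38773faa93
SHA256d5a4fdbab3e58211c0cd355eee0a77d03b2d05569d2758bde1d35f61f9a6c600
-
Filesize
255KB
MD5bef18912deb75c8edddbc76e788112bb
SHA256e16a998e9d8b145bbc29366831ff766fabba61b5706643d16a691150300f2518
-
Filesize
255KB
MD5bef18912deb75c8edddbc76e788112bb
SHA256e16a998e9d8b145bbc29366831ff766fabba61b5706643d16a691150300f2518
-
Filesize
255KB
MD5b0f7daa8cb88900a5739d8f7851a5f26
SHA256b422a4dec9c83e163a1335ae196f4c6aafc4fafd3aa15cb9a641a4bc6a9c5c46
-
Filesize
255KB
MD5 b0f7daa8cb88900a5739d8f7851a5f26
SHA256 b422a4dec9c83e163a1335ae196f4c6aafc4fafd3aa15cb9a641a4bc6a9c5c46
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
"""


def _size_bytes(text: str) -> int:
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def parse_downloads(text: str) -> List[Dict[str, object]]:
    """One record per 'Filesize' block. The label regex works whether or not the
    extraction kept a space between label and digest; digests are checked by length."""
    records: List[Dict[str, object]] = []
    lines = iter(line.strip() for line in text.splitlines())
    current: Dict[str, object] = {}
    for line in lines:
        if line == "Filesize":
            current = {"size": _size_bytes(next(lines, ""))}
            records.append(current)
            continue
        m = _HASH_RE.match(line)
        if m and current:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest {digest!r} has {len(digest)} hex chars, expected {HEX_LEN[algo]}")
            current[algo] = digest
    return records


def unique_by_sha256(records: List[Dict[str, object]]) -> Dict[str, int]:
    """SHA-256 -> number of dropped files carrying it, in first-seen order."""
    return dict(Counter(str(r["sha256"]) for r in records if "sha256" in r))


def dropped_copies_of_sample(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Dropped files that are byte-identical to the submitted sample."""
    return [r for r in records if r.get("sha256") == SUBMITTED_SHA256]


if __name__ == "__main__":
    recs = parse_downloads(DOWNLOADS)
    for sha, n in unique_by_sha256(recs).items():
        print(f"{sha}  x{n}")
    print("exact copies of the submitted sample:", len(dropped_copies_of_sample(recs)))
```

Run over the full table above, the same functions give 12 distinct SHA-256 values across the 17 entries and no exact copy of the submitted sample, so a block list keyed on the submitted file's hashes would miss every dropped component; the upx and autoit_exe YARA hits and the SSDEEP value in the General section are the more durable handles for this family of drops.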