Analysis
- max time kernel: 205s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 21:07
Behavioral task behavioral1
- Sample: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
- Resource: win10v2004-20221111-en
General
-
Target
10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
-
Size
255KB
-
MD5
5824a9cd18620b9cc5c6886bc28cc1e5
-
SHA1
5fb227dedcd3e171b466da68487fb2606795547c
-
SHA256
10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5
-
SHA512
77780a7393eb5dab9fa9aa8a56b1711ee13e34ed396fad5b6c2b8ea961c4e3300ec7fa1b6d44d15ad42e095da826c6d8cfafabad531e399121c377ed3c755036
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIJ
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qgbxfsagel.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qgbxfsagel.exe
-
Windows security bypass 5 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qgbxfsagel.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qgbxfsagel.exe
-
Executes dropped EXE 5 IoCs
Processes: qgbxfsagel.exe, unjjgjuumigxnab.exe, zjexiyon.exe, adtwvlxztvwer.exe, zjexiyon.exe
pid | process
3724 | qgbxfsagel.exe
5020 | unjjgjuumigxnab.exe
4348 | zjexiyon.exe
2000 | adtwvlxztvwer.exe
3024 | zjexiyon.exe
-
Processes:
resource | yara_rule
behavioral2/memory/208-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\qgbxfsagel.exe | upx
C:\Windows\SysWOW64\unjjgjuumigxnab.exe | upx
C:\Windows\SysWOW64\unjjgjuumigxnab.exe | upx
C:\Windows\SysWOW64\qgbxfsagel.exe | upx
behavioral2/memory/3724-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\zjexiyon.exe | upx
C:\Windows\SysWOW64\zjexiyon.exe | upx
behavioral2/memory/5020-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\adtwvlxztvwer.exe | upx
C:\Windows\SysWOW64\adtwvlxztvwer.exe | upx
behavioral2/memory/4348-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2000-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\zjexiyon.exe | upx
behavioral2/memory/3024-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/208-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3724-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5020-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4348-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2000-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3024-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/208-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
-
Windows security modification 6 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qgbxfsagel.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: unjjgjuumigxnab.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | unjjgjuumigxnab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lkhohzvn = "qgbxfsagel.exe" | unjjgjuumigxnab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hgejlcmw = "unjjgjuumigxnab.exe" | unjjgjuumigxnab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "adtwvlxztvwer.exe" | unjjgjuumigxnab.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: zjexiyon.exe, qgbxfsagel.exe, zjexiyon.exe
description | ioc | process
File opened (read-only) | \??\k: | zjexiyon.exe
File opened (read-only) | \??\r: | zjexiyon.exe
File opened (read-only) | \??\y: | zjexiyon.exe
File opened (read-only) | \??\f: | qgbxfsagel.exe
File opened (read-only) | \??\i: | qgbxfsagel.exe
File opened (read-only) | \??\j: | qgbxfsagel.exe
File opened (read-only) | \??\y: | qgbxfsagel.exe
File opened (read-only) | \??\h: | zjexiyon.exe
File opened (read-only) | \??\m: | zjexiyon.exe
File opened (read-only) | \??\w: | zjexiyon.exe
File opened (read-only) | \??\i: | zjexiyon.exe
File opened (read-only) | \??\s: | zjexiyon.exe
File opened (read-only) | \??\n: | qgbxfsagel.exe
File opened (read-only) | \??\z: | zjexiyon.exe
File opened (read-only) | \??\s: | qgbxfsagel.exe
File opened (read-only) | \??\n: | zjexiyon.exe
File opened (read-only) | \??\l: | zjexiyon.exe
File opened (read-only) | \??\a: | qgbxfsagel.exe
File opened (read-only) | \??\b: | qgbxfsagel.exe
File opened (read-only) | \??\g: | qgbxfsagel.exe
File opened (read-only) | \??\x: | zjexiyon.exe
File opened (read-only) | \??\w: | zjexiyon.exe
File opened (read-only) | \??\o: | zjexiyon.exe
File opened (read-only) | \??\q: | zjexiyon.exe
File opened (read-only) | \??\v: | zjexiyon.exe
File opened (read-only) | \??\b: | zjexiyon.exe
File opened (read-only) | \??\b: | zjexiyon.exe
File opened (read-only) | \??\m: | zjexiyon.exe
File opened (read-only) | \??\x: | zjexiyon.exe
File opened (read-only) | \??\g: | zjexiyon.exe
File opened (read-only) | \??\i: | zjexiyon.exe
File opened (read-only) | \??\p: | zjexiyon.exe
File opened (read-only) | \??\r: | qgbxfsagel.exe
File opened (read-only) | \??\u: | qgbxfsagel.exe
File opened (read-only) | \??\h: | zjexiyon.exe
File opened (read-only) | \??\a: | zjexiyon.exe
File opened (read-only) | \??\e: | zjexiyon.exe
File opened (read-only) | \??\z: | qgbxfsagel.exe
File opened (read-only) | \??\q: | zjexiyon.exe
File opened (read-only) | \??\e: | qgbxfsagel.exe
File opened (read-only) | \??\k: | qgbxfsagel.exe
File opened (read-only) | \??\m: | qgbxfsagel.exe
File opened (read-only) | \??\o: | qgbxfsagel.exe
File opened (read-only) | \??\w: | qgbxfsagel.exe
File opened (read-only) | \??\f: | zjexiyon.exe
File opened (read-only) | \??\e: | zjexiyon.exe
File opened (read-only) | \??\y: | zjexiyon.exe
File opened (read-only) | \??\j: | zjexiyon.exe
File opened (read-only) | \??\t: | zjexiyon.exe
File opened (read-only) | \??\u: | zjexiyon.exe
File opened (read-only) | \??\h: | qgbxfsagel.exe
File opened (read-only) | \??\t: | qgbxfsagel.exe
File opened (read-only) | \??\g: | zjexiyon.exe
File opened (read-only) | \??\j: | zjexiyon.exe
File opened (read-only) | \??\f: | zjexiyon.exe
File opened (read-only) | \??\p: | zjexiyon.exe
File opened (read-only) | \??\t: | zjexiyon.exe
File opened (read-only) | \??\z: | zjexiyon.exe
File opened (read-only) | \??\l: | zjexiyon.exe
File opened (read-only) | \??\v: | qgbxfsagel.exe
File opened (read-only) | \??\k: | zjexiyon.exe
File opened (read-only) | \??\r: | zjexiyon.exe
File opened (read-only) | \??\o: | zjexiyon.exe
File opened (read-only) | \??\x: | qgbxfsagel.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
Processes: qgbxfsagel.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qgbxfsagel.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qgbxfsagel.exe
-
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral2/memory/208-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3724-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5020-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4348-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2000-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3024-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/208-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3724-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5020-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4348-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2000-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3024-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/208-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
-
Drops file in System32 directory 9 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, qgbxfsagel.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\qgbxfsagel.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created | C:\Windows\SysWOW64\unjjgjuumigxnab.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification | C:\Windows\SysWOW64\unjjgjuumigxnab.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification | C:\Windows\SysWOW64\zjexiyon.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created | C:\Windows\SysWOW64\adtwvlxztvwer.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification | C:\Windows\SysWOW64\adtwvlxztvwer.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created | C:\Windows\SysWOW64\qgbxfsagel.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created | C:\Windows\SysWOW64\zjexiyon.exe | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qgbxfsagel.exe
-
Drops file in Program Files directory 14 IoCs
Processes: zjexiyon.exe, zjexiyon.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjexiyon.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zjexiyon.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjexiyon.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjexiyon.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjexiyon.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zjexiyon.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjexiyon.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjexiyon.exe
-
Drops file in Windows directory 3 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Modifies registry class 20 IoCs
Processes: qgbxfsagel.exe, 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qgbxfsagel.exe
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF834F5F826F9045D72B7E9DBCE7E636584166406344D6ED" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qgbxfsagel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qgbxfsagel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qgbxfsagel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B120479238EA53BEB9A2329AD7C8" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BC5FE6C21AED278D1A48B7F9164" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qgbxfsagel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qgbxfsagel.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFABAF967F193830C3B4B819E3E94B0F902FD43160248E1BF429A08A8" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qgbxfsagel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C7F9C5282576A4377D370272CD97DF464AC" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C60F15E7DAB1B8C87CE7ED9337CE" | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes: WINWORD.EXE
pid | process (repeated rows collapsed with a count)
4024 | WINWORD.EXE ×2
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, qgbxfsagel.exe, unjjgjuumigxnab.exe, zjexiyon.exe, adtwvlxztvwer.exe, zjexiyon.exe
pid | process (repeated rows collapsed with a count, in the order reported)
208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe ×16
3724 | qgbxfsagel.exe ×6
5020 | unjjgjuumigxnab.exe ×2
3724 | qgbxfsagel.exe ×2
5020 | unjjgjuumigxnab.exe ×2
3724 | qgbxfsagel.exe ×2
5020 | unjjgjuumigxnab.exe ×4
4348 | zjexiyon.exe ×2
5020 | unjjgjuumigxnab.exe ×2
4348 | zjexiyon.exe ×6
2000 | adtwvlxztvwer.exe ×12
5020 | unjjgjuumigxnab.exe ×2
2000 | adtwvlxztvwer.exe ×4
3024 | zjexiyon.exe ×2
-
Suspicious use of FindShellTrayWindow 18 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, qgbxfsagel.exe, unjjgjuumigxnab.exe, zjexiyon.exe, adtwvlxztvwer.exe, zjexiyon.exe
pid | process (repeated rows collapsed with a count)
208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe ×3
3724 | qgbxfsagel.exe ×3
5020 | unjjgjuumigxnab.exe ×3
4348 | zjexiyon.exe ×3
2000 | adtwvlxztvwer.exe ×3
3024 | zjexiyon.exe ×3
-
Suspicious use of SendNotifyMessage 18 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, qgbxfsagel.exe, unjjgjuumigxnab.exe, zjexiyon.exe, adtwvlxztvwer.exe, zjexiyon.exe
pid | process (repeated rows collapsed with a count)
208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe ×3
3724 | qgbxfsagel.exe ×3
5020 | unjjgjuumigxnab.exe ×3
4348 | zjexiyon.exe ×3
2000 | adtwvlxztvwer.exe ×3
3024 | zjexiyon.exe ×3
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: WINWORD.EXE
pid | process (repeated rows collapsed with a count)
4024 | WINWORD.EXE ×7
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe, qgbxfsagel.exe
description | pid | process | target process (repeated rows collapsed with a count)
PID 208 wrote to memory of 3724 | 208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe | qgbxfsagel.exe ×3
PID 208 wrote to memory of 5020 | 208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe | unjjgjuumigxnab.exe ×3
PID 208 wrote to memory of 4348 | 208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe | zjexiyon.exe ×3
PID 208 wrote to memory of 2000 | 208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe | adtwvlxztvwer.exe ×3
PID 3724 wrote to memory of 3024 | 3724 | qgbxfsagel.exe | zjexiyon.exe ×3
PID 208 wrote to memory of 4024 | 208 | 10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe | WINWORD.EXE ×2
Processes
-
C:\Users\Admin\AppData\Local\Temp\10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qgbxfsagel.exe (level 2)
Command line: qgbxfsagel.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\zjexiyon.exe (level 3)
Command line: C:\Windows\system32\zjexiyon.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\unjjgjuumigxnab.exe (level 2)
Command line: unjjgjuumigxnab.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\zjexiyon.exe (level 2)
Command line: zjexiyon.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\adtwvlxztvwer.exe (level 2)
Command line: adtwvlxztvwer.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Hidden Files and Directories 2
- Modify Registry 6
- Disabling Security Tools 2
Downloads
-
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize 255KB
MD5 ee8b7e442c5874e9c5ea74ecb78ef75d
SHA1 3d1167a33a215a242b9a5480386de4411c8f8658
SHA256 59a2ed5010e44c264a4dc56fccb7fdb51d20eecddc52226982567a9133b252d3
SHA512 8a80e42f08b47e9fcd586550bf4ab50cbf6136f38aa5a4cfc9261dcd9a886dec1fb2a093278322a7f91cc7329f6222c73fc9483429289989d86a1cacc163cbec
-
C:\Windows\SysWOW64\adtwvlxztvwer.exe
Filesize 255KB
MD5 e5f4bcc7b0df58f581c43bd86b46aab7
SHA1 54506795b79938e0cacf3cec31573cfebbc74c58
SHA256 8c7ce65c1650122634e8ec234099b1caa4c7554c6b84dc6537290b30b26725bf
SHA512 6ca4b01c33120c9088f231c2e9cd67255ad3d969f6e59dca4b0f597c2466fa0360de0fd83e4703499a0c45c4a679cda71de8e650ad8d8274caf4be53deb9939a
-
C:\Windows\SysWOW64\qgbxfsagel.exe
Filesize 255KB
MD5 ca9b6a1eed7bf0ba0f546221411c7bc2
SHA1 f9b90997aa16945030a5f7d0bf9e1ee3e3eb1546
SHA256 d6de5ac19fbba294980183f1fd91378eef8c873fc2ae1397c62827aa56a9cbae
SHA512 709fea81532f97da2053a05b0783f90195635ade203c165e292d871d351e2da33033d33475d2cd979e4f72cef36fd564f262aed4be0c7d9c1fc29dbd668cea67
-
C:\Windows\SysWOW64\unjjgjuumigxnab.exe
Filesize 255KB
MD5 29a47a75f5496ea343e83d590b0f1630
SHA1 0fadd5eaca97014789376edb76494db8282e4ecb
SHA256 a2e664a5a6e866e7feabb247090a9376f17d7d11f3a3561474f08d089b2c1418
SHA512 cb6303879f624d9686f8426cceaf30a028e9efe78bfda96f02e59af3a6cef75b98a1efcbde34e9ea5d3a2f845770fd4603b985166bc1e13dbfea74dda7e80c3f
-
C:\Windows\SysWOW64\zjexiyon.exe
Filesize 255KB
MD5 193b9b88ee6b426e29f8dc835b4dabc0
SHA1 424d71f2d2b8494c2fe584ae7051e6a2ab45f3d3
SHA256 112f535d7798c0a9d5ec59570e9a4f8f6a8ecf464da9987495903c3774c573da
SHA512 171dbe46c0b34c7a8d2f75d005a050011f0255131b2b14c0408869ccb27df75b09ef008f4ea325c6fa8e0f8c9389811c31831111825a814d2dfc5210ee136a59
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7