Analysis
max time kernel: 157s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 21:07
Behavioral task: behavioral1
Sample: 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Resource: win7-20221111-en
General
Target: 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Size: 255KB
MD5: bfecbf7c49b0f539d5dc5b6b6b9ff798
SHA1: 05fc7e9506066eecd932daf754c2245c7ba95c92
SHA256: 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1
SHA512: dd955147d18fdc09dd76dc7e00a0ae8092f2a0703e598e7d304ed252956eef4225fe9aa4c976641c9358e4186bb51108ec30fc0d64bdfbd161e95b84841cd306
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJF:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI8
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rsctjpulom.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rsctjpulom.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rsctjpulom.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rsctjpulom.exe
Executes dropped EXE (5 IoCs)
pid | Process
5020 | rsctjpulom.exe
2256 | ovlnxvwpjwurwab.exe
4588 | zpuinooh.exe
4324 | fjuqnojoihikh.exe
4128 | zpuinooh.exe

Yara rule matches (upx)
resource | yara_rule
behavioral2/memory/4364-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4364-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000c000000022f5a-135.dat | upx
behavioral2/files/0x000c000000022f5a-136.dat | upx
behavioral2/memory/5020-137-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022f5e-139.dat | upx
behavioral2/files/0x0008000000022f5e-140.dat | upx
behavioral2/files/0x0006000000022f64-142.dat | upx
behavioral2/files/0x0006000000022f64-143.dat | upx
behavioral2/files/0x0006000000022f65-145.dat | upx
behavioral2/files/0x0006000000022f65-146.dat | upx
behavioral2/memory/2256-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4588-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f64-150.dat | upx
behavioral2/memory/4128-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5020-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2256-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4588-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4324-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4364-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4128-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022f72-161.dat | upx
behavioral2/files/0x0006000000022f72-159.dat | upx
behavioral2/files/0x0006000000022f72-160.dat | upx
behavioral2/files/0x0006000000022f73-162.dat | upx
behavioral2/files/0x000700000001d9f8-171.dat | upx
behavioral2/files/0x000300000001da29-172.dat | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rsctjpulom.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ovlnxvwpjwurwab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lncndyoz = "rsctjpulom.exe" | ovlnxvwpjwurwab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aetepvez = "ovlnxvwpjwurwab.exe" | ovlnxvwpjwurwab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fjuqnojoihikh.exe" | ovlnxvwpjwurwab.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a:, \??\b:, and \??\e: through \??\z: (44 entries; all letters except a, g, q and s opened twice) | zpuinooh.exe
File opened (read-only) | \??\a:, \??\e:, \??\f:, \??\g:, \??\h:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\t:, \??\u:, \??\w:, \??\x:, \??\y:, \??\z: (20 entries) | rsctjpulom.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rsctjpulom.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rsctjpulom.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/5020-137-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2256-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4588-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4128-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5020-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2256-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4588-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4324-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4364-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4128-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\rsctjpulom.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File created | C:\Windows\SysWOW64\ovlnxvwpjwurwab.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\SysWOW64\zpuinooh.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File created | C:\Windows\SysWOW64\fjuqnojoihikh.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\SysWOW64\rsctjpulom.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\SysWOW64\ovlnxvwpjwurwab.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File created | C:\Windows\SysWOW64\zpuinooh.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\SysWOW64\fjuqnojoihikh.exe | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rsctjpulom.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zpuinooh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zpuinooh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zpuinooh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zpuinooh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zpuinooh.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rsctjpulom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rsctjpulom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7B9C5182206A3677D077232CAB7D8164AF" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67414E6DABEB9BB7FE2EDE237BC" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rsctjpulom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9C9F961F19784783A47819C3E91B0FC03884214023BE2C9429A08A8" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02A449239EB53BFBADD329AD7CE" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BC2FE6721ADD20FD1A78A0F9060" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rsctjpulom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rsctjpulom.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rsctjpulom.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8D4F5C82699136D7287DE6BDE2E1405930674E6335D79C" | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4424 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
5020 | rsctjpulom.exe
2256 | ovlnxvwpjwurwab.exe
4588 | zpuinooh.exe
4324 | fjuqnojoihikh.exe
Suspicious use of FindShellTrayWindow (19 IoCs)
pid | Process
4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
5020 | rsctjpulom.exe
2256 | ovlnxvwpjwurwab.exe
4588 | zpuinooh.exe
4324 | fjuqnojoihikh.exe
4128 | zpuinooh.exe
Suspicious use of SendNotifyMessage (19 IoCs)
pid | Process
4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
5020 | rsctjpulom.exe
2256 | ovlnxvwpjwurwab.exe
4588 | zpuinooh.exe
4324 | fjuqnojoihikh.exe
4128 | zpuinooh.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4424 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4364 wrote to memory of 5020 | 4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe | 78
PID 4364 wrote to memory of 2256 | 4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe | 79
PID 4364 wrote to memory of 4588 | 4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe | 80
PID 4364 wrote to memory of 4324 | 4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe | 81
PID 5020 wrote to memory of 4128 | 5020 | rsctjpulom.exe | 84
PID 4364 wrote to memory of 4424 | 4364 | 09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09d184bbb93da3e1e152fe48189f882863ad49b06e617f81010f4e23ee1f9bb1.exe"
  PID: 4364
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rsctjpulom.exe
    Command line: rsctjpulom.exe
    PID: 5020
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\zpuinooh.exe
      Command line: C:\Windows\system32\zpuinooh.exe
      PID: 4128
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ovlnxvwpjwurwab.exe
    Command line: ovlnxvwpjwurwab.exe
    PID: 2256
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\zpuinooh.exe
    Command line: zpuinooh.exe
    PID: 4588
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\fjuqnojoihikh.exe
    Command line: fjuqnojoihikh.exe
    PID: 4324
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4424
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads