Analysis
max time kernel: 158s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/11/2022, 21:07
Behavioral task: behavioral1
Sample: 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe
Resource: win7-20220901-en
(The task selector shows the Windows 7 run, but the analysis header above and the yara hits further down, which are all tagged behavioral2, belong to the Windows 10 2004 x64 run. Read the signatures as results from that second task.)
General
Target: 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe
Size: 255KB
MD5: 49874467754c225319c6c50cc23fc6bd
SHA1: 7f4def809ff27b8266ff6c5bbf65e2c46f130d94
SHA256: 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b
SHA512: 121fdb9bbdc4e70dd7d9425060ea954e003c07eabdf101938b8c35c71cfd281b81bd34b145033f4472577cc5ae096585abdf6225b60136b7cf0196dc2dfc329f
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ9:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6
Malware Config: none extracted
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (by ckqzcyrllx.exe)
With HideFileExt = 1 Explorer displays a file named PROTTPLN.DOC.exe as "PROTTPLN.DOC"; the double-extension executables in the "Drops file" sections below depend on this setting.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (by ckqzcyrllx.exe)

Windows security bypass (5 IoCs; this heading is missing from the report's signature list and is taken from the process tree, where it appears at this position)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (by ckqzcyrllx.exe)
The values land under WOW6432Node because ckqzcyrllx.exe is a 32-bit process running from SysWOW64; a 64-bit hunting tool has to query that path explicitly (or use the 32-bit registry view) or it will report the values as absent.

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (by ckqzcyrllx.exe)

Executes dropped EXE (5 IoCs)
- PID 5072 ckqzcyrllx.exe
- PID 5056 wclmuuhzutjhcld.exe
- PID 4972 lrwbxxfr.exe
- PID 5052 pbnkgcbzaqbxy.exe
- PID 2332 lrwbxxfr.exe

UPX packed file (yara rule upx, 25 IoCs; this heading is missing from the report's list and is taken from the rule name)
- memory: the 0x00400000-0x004A0000 image of every process in the tree, each dumped twice: PID 2200 (dumps 132, 153), 5072 (145, 161), 5056 (146, 162), 4972 (147, 163), 5052 (148, 165), 2332 (151, 166)
- files: 0x0004000000022dd3 (134, 135), 0x0002000000022df3 (137, 138), 0x0002000000022df4 (140, 141, 150), 0x0002000000022df5 (143, 144), 0x0003000000022dfa (154), 0x000d00000001e5b1 (168, 169, 170)
All of these are behavioral2 resources. The upx and autoit_exe rules (see "AutoIT Executable" below) hit the same memory ranges, so the payload is a UPX-packed compiled AutoIt program; a stock `upx -d` on the dropped files is the first thing to try before recovering the script.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (by 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report records no IoC rows under this signature, so treat it as a heuristic hit rather than an observed read of browser files.

Windows security modification (6 IoCs; this heading is missing from the report's signature list and is taken from the process tree, where it appears at this position)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (by ckqzcyrllx.exe)
The same five Security Center values as "Windows security bypass" above, plus FirstRunDisabled.

Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (by wclmuuhzutjhcld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lruzukkt = "ckqzcyrllx.exe" (by wclmuuhzutjhcld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aukkuadt = "wclmuuhzutjhcld.exe" (by wclmuuhzutjhcld.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (the key's default value) = "pbnkgcbzaqbxy.exe" (by wclmuuhzutjhcld.exe)
The value names are random and the data are bare file names with no path; a Run value without a path separator is rare in legitimate software and is a usable hunting condition on its own. Note that the persistence is written by wclmuuhzutjhcld.exe, not by the submitted sample, so removing only the first-stage binary leaves it in place.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- lrwbxxfr.exe (two instances, PIDs 4972 and 2332): File opened (read-only) on \??\a:, \??\b: and \??\e: through \??\z:, 45 opens in total; every letter except j, k and z appears twice, consistent with each instance sweeping the drive letters once
- ckqzcyrllx.exe: File opened (read-only) on \??\a:, b:, e:, f:, g:, h:, i:, j:, l:, o:, q:, r:, s:, t:, u:, v:, w:, x: and y:, 19 opens
c: is excluded by the signature itself and d: does not appear in the list. Opening every drive root in turn, on a host that has only the system drive, is the probe a worm uses to find removable and network drives to copy itself to.

Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (by ckqzcyrllx.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (by ckqzcyrllx.exe)
4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000/XP. Windows Vista and later replaced WFP with Windows Resource Protection, which does not read SFCDisable, so on this Windows 10 target the write has no effect; it is still a high-fidelity indicator because nothing legitimate sets it.
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
- yara rule autoit_exe matched the 0x00400000-0x004A0000 image of every process in the tree: PID 5072 (dumps 145, 161), 5056 (146, 162), 4972 (147, 163), 5052 (148, 165), 2332 (151, 166) and 2200 (153)

Drops file in System32 directory (13 IoCs)
- C:\Windows\SysWOW64\ckqzcyrllx.exe: created and opened for modification (by 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe)
- C:\Windows\SysWOW64\wclmuuhzutjhcld.exe: created and opened for modification (by the sample)
- C:\Windows\SysWOW64\lrwbxxfr.exe: created and opened for modification (by the sample)
- C:\Windows\SysWOW64\pbnkgcbzaqbxy.exe: created and opened for modification (by the sample)
- C:\Windows\SysWOW64\msvbvm60.dll: opened for modification (by ckqzcyrllx.exe); this is the VB6 runtime, an unusual file for anything to open for writing
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe: created (2 rows) and opened for modification (2 rows) (by lrwbxxfr.exe)
The drops land in SysWOW64 because the sample is 32-bit: when its child lrwbxxfr.exe (PID 2332) is started with the command line C:\Windows\system32\lrwbxxfr.exe, file-system redirection resolves that to the SysWOW64 copy.

Drops file in Program Files directory (14 IoCs)
All by lrwbxxfr.exe, all under C:\Program Files\Microsoft Office\root\Office16\1033\:
- PROTTPLN.nal: opened for modification (2 rows)
- PROTTPLN.DOC.exe: created (1 row, as \??\c:\...) and opened for modification (4 rows, two as C:\... and two as \??\c:\...)
- PROTTPLV.nal: opened for modification (2 rows)
- PROTTPLV.DOC.exe: created (1 row, as \??\c:\...) and opened for modification (4 rows)
The stems match Office's own PROTTPLN.DOC and PROTTPLV.DOC in that folder. The .nal entries next to newly created .DOC.exe files suggest the original document is renamed and an executable takes over its displayed name (with HideFileExt = 1, "PROTTPLN.DOC.exe" shows as "PROTTPLN.DOC"); the rename itself is not in the report, so the .nal relationship is an inference from the paths.

Drops file in Windows directory (11 IoCs)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: created (2 rows) and opened for modification (2 rows) (by lrwbxxfr.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: created (2 rows) and opened for modification (2 rows) (by lrwbxxfr.exe)
- C:\Windows\mydoc.rtf: opened for modification by 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe and then by WINWORD.EXE
- C:\Windows\~$mydoc.rtf: created by WINWORD.EXE (Word's owner-lock file for an open document)
MsoIrmProtector.doc is a Windows component (the rights-management Office protector) whose real extension is .doc, so a "find every *.doc and drop a .doc.exe beside it" sweep hits it in both WinSxS component stores and in SysWOW64\MSDRM. mydoc.rtf is written by the sample and then opened in Word (see the process tree), which is the behaviour of a decoy document.
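The three "Drops file" sections above share one pattern: lrwbxxfr.exe writes a PE named <stem>.DOC.exe (or .doc.exe) into a directory that already holds a .DOC file of the same stem, and with HideFileExt = 1 the new file is displayed under the document's name. The Python below is an added example, not code from the report or from the malware. It sweeps a directory tree for PE files whose name ends in a document extension followed by .exe and reports same-stem siblings (PROTTPLN.nal beside PROTTPLN.DOC.exe) as candidates for the displaced original. The sibling relationship, the document extensions beyond .doc, and the fixture tree are my assumptions built from the paths on this page; nothing is deleted, the output is a list for a responder.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a user would trust as "a document". Only .doc occurs in this report; the
# others generalise the same check and are an assumption.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}


def is_pe(path: Path) -> bool:
    """A PE image starts with the DOS stub signature 'MZ'."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_masqueraded_docs(root: str) -> List[Dict[str, object]]:
    """Find PE files named <stem>.<docext>.exe and the same-stem files sitting next to them."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath, name)
            suffixes = path.suffixes                      # PROTTPLN.DOC.exe -> ['.DOC', '.exe']
            if len(suffixes) < 2 or suffixes[-1].lower() != ".exe":
                continue
            if suffixes[-2].lower() not in DOC_EXTS or not is_pe(path):
                continue  # a non-PE with a double extension is odd, but it is not this pattern
            display_name = name[: -len(suffixes[-1])]    # what Explorer shows with HideFileExt = 1
            stem = display_name[: -len(suffixes[-2])]     # 'PROTTPLN' for PROTTPLN.DOC.exe
            siblings = sorted(
                n for n in files if n != name and n.lower().startswith(stem.lower() + ".")
            )
            findings.append({
                "file": str(path),
                "display_name": display_name,
                "siblings": siblings,  # e.g. PROTTPLN.nal: where the original content may have gone
            })
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture mirroring paths from this report; file contents are fake."""
    def put(rel: str, body: bytes) -> None:
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)

    pe = b"MZ" + b"\0" * 62                                      # enough DOS header to pass is_pe()
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24       # OLE2 compound-file magic, a real .doc body
    office = "Program Files/Microsoft Office/root/Office16/1033/"
    put(office + "PROTTPLN.DOC.exe", pe)      # dropped executable named in the report
    put(office + "PROTTPLN.nal", ole)         # same-stem sibling the report shows being modified
    put(office + "PROTTPLV.DOC", ole)         # untouched document: must not be reported
    put("Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe", pe)
    put("Users/Admin/Documents/notes.doc.exe", b"just text with a silly name")  # not a PE


def run_demo() -> List[Dict[str, object]]:
    """Build the fixture in a temp directory and return what the sweep finds in it."""
    root = tempfile.mkdtemp(prefix="docexe-hunt-")
    build_sample_tree(root)
    return find_masqueraded_docs(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}  shown as {f['display_name']!r}  siblings: {f['siblings']}")
```

Run it against a mounted image or a live volume root instead of the fixture by calling find_masqueraded_docs("D:\\") and so on; the PE check is what keeps an oddly named real document (notes.doc.exe in the fixture) out of the result.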
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC rows are recorded under this signature and the description is the sandbox's generic text: nothing in this report shows file encryption or a ransom note. The drive-letter sweep by lrwbxxfr.exe and the .DOC.exe drops are more consistent with a worm that replaces documents with executables than with ransomware.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (by WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (by WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (by WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (by WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (by WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (by WINWORD.EXE)
Both of these signatures fired on WINWORD.EXE, which the sample launched on the decoy C:\Windows\mydoc.rtf, not on any of the dropped binaries; they are Word's normal start-up reads and carry no weight here.

Modifies registry class (20 IoCs)
Written by ckqzcyrllx.exe (script file types re-pointed at the plain-text handler):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, \.vbs, \.wsf, \.wsh, \.wsc and \.reg
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"; likewise \.vbs\, \.WSF\, \.WSH\, \.wsc\ and \.reg\
Written by 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B7FF1822A9D10CD0A58A0B9011"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C7741596DAB0B9C17CE5EDE537CD"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C0A9D5782556A3F77A077242CAB7D8265A8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FACEF961F19484753A4486EC3EE2B38A03F043620348E1CD42EC08D5"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B0284490399952BDB9A13293D4C4"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFFFC482E851A9146D75D7D97BCE7E133584667456236D69D"
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings
Effect of the first group: the (Default) value of an extension key names its ProgID, and Windows ships .bat, .vbs, .reg, .wsf, .wsh and .wsc as batfile, VBSFile, regfile, WSFFile, WSHFile and scriptletfile. Pointing all six at txtfile makes a double-clicked cleanup .bat or .reg file open in Notepad instead of running or importing, which together with DisableRegistryTools = 1 removes the two easiest manual remediation paths; restore the six ProgIDs before anything else. The CLV.Classes values are opaque hex strings written by the sample; nothing on this page says what they encode, but the key and value names are usable host-side indicators.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 1840 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2200 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe (16)
- PID 5072 ckqzcyrllx.exe (10)
- PID 5056 wclmuuhzutjhcld.exe (14)
- PID 4972 lrwbxxfr.exe (8)
- PID 5052 pbnkgcbzaqbxy.exe (16)

Suspicious use of FindShellTrayWindow (18 IoCs)
- 3 each for PIDs 2200 (the sample), 5072 ckqzcyrllx.exe, 5056 wclmuuhzutjhcld.exe, 4972 lrwbxxfr.exe, 5052 pbnkgcbzaqbxy.exe and 2332 lrwbxxfr.exe

Suspicious use of SendNotifyMessage (18 IoCs)
- same distribution as FindShellTrayWindow: 3 each for PIDs 2200, 5072, 5056, 4972, 5052 and 2332
Both of these are typical of compiled AutoIt programs and add little on their own.

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 1840 WINWORD.EXE (7)

Suspicious use of WriteProcessMemory (17 IoCs)
source PID / process -> target PID / process (sandbox process index): number of writes
- 2200 02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe -> 5072 ckqzcyrllx.exe (80): 3
- 2200 (the sample) -> 5056 wclmuuhzutjhcld.exe (81): 3
- 2200 (the sample) -> 4972 lrwbxxfr.exe (82): 3
- 2200 (the sample) -> 5052 pbnkgcbzaqbxy.exe (83): 3
- 5072 ckqzcyrllx.exe -> 2332 lrwbxxfr.exe (84): 3
- 2200 (the sample) -> 1840 WINWORD.EXE (85): 2
Every pair is a parent writing into a child it has just created, which is consistent with the writes CreateProcess itself performs while setting up the new process; the process tree below shows the same parent/child pairs. Nothing here indicates injection into a process the sample did not start.
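The registry signatures in the list above (Explorer settings, Security Center overrides, the RegEdit policy, Winlogon, the Run values and the file-class remaps) are what a responder will want to check on other hosts. The Python below is an added example, not code from the report or from the malware: it parses IoC rows in the exact shape this page prints them, normalizes the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to the HKLM/HKU names hunting tools use, compares them against a registry dump from a host, and emits reg.exe queries for manual checks. The IoC rows and the host snapshot are constructed from values on this page; the snapshot format (one "hive\key\valuename" string per entry, DWORDs possibly printed signed) is an assumption about how your dump tool writes its output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Union

# Registry IoC rows copied verbatim from this report's signature list (constructed subset).
REPORT_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ckqzcyrllx.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ckqzcyrllx.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ckqzcyrllx.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ckqzcyrllx.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ckqzcyrllx.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lruzukkt = "ckqzcyrllx.exe" wclmuuhzutjhcld.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pbnkgcbzaqbxy.exe" wclmuuhzutjhcld.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ckqzcyrllx.exe',
]

# Row shape: Set value (kind) <key>\<name> = "<data>" <process>; <name> is empty for a key's default value.
IOC_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) '
    r'(?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]*) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)(?=\\)')


@dataclass(frozen=True)
class RegIoc:
    key: str               # hive-style key, e.g. HKLM\SOFTWARE\...\Run
    name: str              # value name; '' is the key's (Default) value
    data: Union[int, str]  # int for (int) rows, str for (str) rows
    writer: str            # process that set the value in the sandbox

    @property
    def full_path(self) -> str:
        return f"{self.key}\\{self.name}"


def normalize_key(key: str) -> str:
    """Map the kernel object path the sandbox logs to the hive name a hunting tool uses."""
    m = SID_RE.match(key)
    if m:
        # Per-user hive: HKU\<SID> when read from another session, HKCU when run as that user.
        return "HKU\\" + m.group(1) + key[m.end():]
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        # WOW6432Node is kept on purpose: the writers are 32-bit (SysWOW64) processes, so the
        # values live in the 32-bit view and a 64-bit tool must name that path explicitly.
        return "HKLM" + key[len("\\REGISTRY\\MACHINE"):]
    raise ValueError(f"unexpected hive in {key!r}")


def parse_ioc(line: str) -> RegIoc:
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f"not a registry IoC row: {line!r}")
    data: Union[int, str] = int(m["data"]) if m["kind"] == "int" else m["data"]
    return RegIoc(normalize_key(m["key"]), m["name"], data, m["proc"])


def as_dword(value: int) -> int:
    """Registry DWORDs are unsigned 32-bit; a dump that prints them signed shows 0xFFFFFF9D as -99."""
    return value & 0xFFFFFFFF


def match_snapshot(iocs: List[RegIoc], snapshot: Dict[str, Union[int, str]]) -> List[RegIoc]:
    """Return the IoCs whose exact value is present in a host's registry dump.

    snapshot maps "HKLM\\key\\valuename" (compared case-insensitively) to the stored data.
    """
    index = {path.casefold(): data for path, data in snapshot.items()}
    hits: List[RegIoc] = []
    for ioc in iocs:
        observed = index.get(ioc.full_path.casefold())
        if observed is None:
            continue
        if isinstance(ioc.data, int):
            same = isinstance(observed, int) and as_dword(observed) == ioc.data
        else:
            same = isinstance(observed, str) and observed.casefold() == ioc.data.casefold()
        if same:
            hits.append(ioc)
    return hits


def reg_query_commands(iocs: List[RegIoc]) -> List[str]:
    """reg.exe one-liners to check each value by hand; /ve selects the (Default) value."""
    return [f'reg query "{i.key}" ' + (f'/v "{i.name}"' if i.name else "/ve") for i in iocs]


# Constructed host dump: three infected-looking values and one clean Windows default.
SAMPLE_HOST: Dict[str, Union[int, str]] = {
    r"HKU\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt": 1,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable": -99,  # signed print of 0xFFFFFF9D
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lruzukkt": "ckqzcyrllx.exe",
    "HKLM\\SOFTWARE\\Classes\\.bat\\": "batfile",  # the shipped default, so no hit
}


def hunt(snapshot: Dict[str, Union[int, str]] = SAMPLE_HOST) -> List[RegIoc]:
    return match_snapshot([parse_ioc(row) for row in REPORT_IOCS], snapshot)


if __name__ == "__main__":
    for ioc in hunt():
        print(f"HIT  {ioc.full_path} = {ioc.data!r}  (set by {ioc.writer} in the sandbox)")
    print("\n".join(reg_query_commands([parse_ioc(r) for r in REPORT_IOCS])))
```

Matching on the exact value matters for the (int) rows: HideFileExt = 1 is a legitimate user preference on many machines, so a single hit is weak, while SFCDisable = 0xFFFFFF9D or the Security Center overrides have no benign explanation. Report hits as a set per host and weight them accordingly.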
Processes

1. C:\Users\Admin\AppData\Local\Temp\02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe (PID 2200)
   command line: "C:\Users\Admin\AppData\Local\Temp\02f383fb419a9561ae021131f4aa474e21abdf346435a2d7cc7f1b7ef39b190b.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\ckqzcyrllx.exe (PID 5072, child of 2200)
      command line: ckqzcyrllx.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\lrwbxxfr.exe (PID 2332, child of 5072)
         command line: C:\Windows\system32\lrwbxxfr.exe (the System32 path is redirected to SysWOW64 for this 32-bit process)
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\wclmuuhzutjhcld.exe (PID 5056, child of 2200)
      command line: wclmuuhzutjhcld.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\lrwbxxfr.exe (PID 4972, child of 2200)
      command line: lrwbxxfr.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\pbnkgcbzaqbxy.exe (PID 5052, child of 2200)
      command line: pbnkgcbzaqbxy.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1840, child of 2200)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

Reading the tree: the sample stages four randomly named copies in SysWOW64, starts each of them, and opens C:\Windows\mydoc.rtf in Word as a decoy. ckqzcyrllx.exe does the defence-evasion registry work and starts a second lrwbxxfr.exe, wclmuuhzutjhcld.exe writes the Run values, and lrwbxxfr.exe performs the drive sweep and the .DOC.exe drops. The signatures attributed to WINWORD.EXE are Word's own behaviour on the decoy.
Network
No network indicators are listed in the report.

MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Files the sandbox collected from the run. Every executable is 255KB, the same size as the submitted sample, yet each one has a different hash, so blocking on the parent's hash will not catch the copies; use the path and registry indicators above instead. Entries the report repeats (one per drop location) are shown once with a count.

File 1 (255KB, listed once)
MD5: c67f0b951273db163a46f982e776a4f0
SHA1: 5864bae5db4473db69ad878b23af98a1681c37c2
SHA256: cf92db4e5389bb4fca94e144f0796c29d2874d2e3b8bd23254c76256ff7229d6
SHA512: 8f0a0afab7f10a3470274b77c759a90a37361ade723650010c65eec4a913ed9842cd32c41cd3474bd9586a87e53dc96a0636e3a8b8a9c13284d12bb389761a5b

File 2 (255KB, listed twice)
MD5: 3271b8811ff20836c49de49958a5d4c5
SHA1: f79f99e0c38840c693d474507d8da54169e2e457
SHA256: 0b1bfccd633a760a01f68fdea3dad6e4767471f6ba7425cce1c7801a0c1803e4
SHA512: ccdfbf21b8a16bf57e82be00237442f35a5cb2a6d6a062b0b2b1ec69549ef9ff0e18cab57e752556bae6420798a2dc549a70772fdefccf696444cce298a29e85

File 3 (255KB, listed three times)
MD5: 6a07cf39212377929694d8175d3bfb3d
SHA1: 784a2bbf2ff82a1a1d3d4c51cdc32704a853b316
SHA256: 5a08f809b6c071290986b916cf997b1c792bdcf26620059182b628987bfb428a
SHA512: 742455b864a99caaedbdd21e746fe46b48a8b734c148191218ca063d891588bb8064a67171a00429a6b87414e1e5ff2a19de70b70ba1427635651e6c82b2469c

File 4 (255KB, listed twice)
MD5: 8d66f1efa30d0bdd14f193742d93df2a
SHA1: 270093661f73ba422a9cb4e52b569ede6556ae79
SHA256: 25609b9ece891b7df9c3f417b07d2e57867792a5b2cc27327df8ef13d265cfd7
SHA512: 49f43eb70d4c3067facaba97e9ff4d8c249a78747f7c474e4b5c012f9eae115c1092cc1e2a3bd51dde123c13ddc511158c1641c8271b6aa8411ee06a3aa47ad5

File 5 (255KB, listed twice)
MD5: 97368e96fcfd79bb0eca986e58ae8767
SHA1: 15e29aeafc883d343e0c002d3160cd5f798d0230
SHA256: a601894f0c17f4ba4566073688fe73aa5550ccc9af190547056f13c8a26830b2
SHA512: b5b2b5264fb505bbb36fa4a278bfe84bf504f6378c580904793940e95f4a75351761f59184ba27ea832ebee8051a842bbf1512b3338936db4957e986a1906040

File 6 (223B, listed once; the only entry that is not a 255KB executable)
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

File 7 (255KB, listed once)
MD5: 2d408889ed70a67615ae7b68d06b4083
SHA1: 56d427a20b8745ccb8b31332be0628648961cdf8
SHA256: 2b2fb6ba6f26efd16ca0df3fd05371960deb6ebe376e9c908ef11bb807fb057c
SHA512: c469eff7f97eeff207350914c5df2790a0895291cdc9e31e29c1316251c795d4c07c909a3a5d2e295ef45cb6c055ec0eef05e8aa95583b7161e3cd0f8f613235

File 8 (255KB, listed twice)
MD5: 8fc6b86efc5f35512558b064b309b2fa
SHA1: 30456afe5d3706eff11746e7a92cd6e63a827c26
SHA256: ba4b001c87d58b5d5c0abab2ff3b67fcf8aae8b4a18faab98b9c747df0185c10
SHA512: 0647d2fa70bf6c9829891065e4b4db06a5398cf7889ec6e17e5c3afe8e931d68226b0cd573a242dfaf4d4162482e6e85c1d9017532e82f33e32a316107c90afc