Analysis
- max time kernel: 153s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/11/2022, 01:02
Behavioral task: behavioral1
- Sample: 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
- Resource: win7-20220812-en
General
- Target: 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
- Size: 255KB
- MD5: 1f5799971cddf63c9e08588aef21e1c1
- SHA1: 4cb0609159d7479b77db22d74671bfc9019b67f5
- SHA256: 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5
- SHA512: a07fa8470ec56f35241c83796fbb05735ffc07cb2787aaea439f8f13f31f632e03023261341cfce5f73e38de1db82b837f5a969fa14ee7a90ac3d17ed2ae52a8
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJP:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIY
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dasznvsqhk.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dasznvsqhk.exe

Windows security bypass (5 IoCs; signature name taken from the process tree below, the heading is missing from the extracted page)
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dasznvsqhk.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dasznvsqhk.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  - 4204 | dasznvsqhk.exe
  - 4560 | qgwboajgjpcbhdg.exe
  - 4164 | uwruolgt.exe
  - 3592 | beqsieqpcubyo.exe
  - 2032 | uwruolgt.exe

upx (27 IoCs; yara rule match, the signature heading is missing from the extracted page)
  resource | yara_rule
  - behavioral2/files/0x0007000000022e2f-133.dat | upx
  - behavioral2/files/0x0007000000022e2f-134.dat | upx
  - behavioral2/files/0x0007000000022e32-136.dat | upx
  - behavioral2/files/0x0007000000022e32-137.dat | upx
  - behavioral2/files/0x0006000000022e38-142.dat | upx
  - behavioral2/files/0x0006000000022e38-143.dat | upx
  - behavioral2/files/0x0006000000022e37-140.dat | upx
  - behavioral2/files/0x0006000000022e37-139.dat | upx
  - behavioral2/memory/4172-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/4560-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/4204-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/4164-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/3592-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/files/0x0006000000022e37-150.dat | upx
  - behavioral2/memory/4172-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/2032-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/files/0x0002000000009ded-159.dat | upx
  - behavioral2/files/0x0006000000022e3c-160.dat | upx
  - behavioral2/files/0x0006000000022e3c-161.dat | upx
  - behavioral2/memory/4204-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/4560-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/4164-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/3592-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/memory/2032-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  - behavioral2/files/0x000300000000072d-175.dat | upx
  - behavioral2/files/0x000200000001e59d-176.dat | upx
  - behavioral2/files/0x000200000001e59d-177.dat | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs; signature name taken from the process tree below, the heading is missing from the extracted page)
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dasznvsqhk.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | qgwboajgjpcbhdg.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\okvihvgq = "dasznvsqhk.exe" | qgwboajgjpcbhdg.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\efyqsial = "qgwboajgjpcbhdg.exe" | qgwboajgjpcbhdg.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "beqsieqpcubyo.exe" | qgwboajgjpcbhdg.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  - File opened (read-only) | \??\s: | uwruolgt.exe
  - File opened (read-only) | \??\w: | uwruolgt.exe
  - File opened (read-only) | \??\z: | uwruolgt.exe
  - File opened (read-only) | \??\l: | dasznvsqhk.exe
  - File opened (read-only) | \??\n: | dasznvsqhk.exe
  - File opened (read-only) | \??\q: | uwruolgt.exe
  - File opened (read-only) | \??\p: | dasznvsqhk.exe
  - File opened (read-only) | \??\j: | uwruolgt.exe
  - File opened (read-only) | \??\o: | uwruolgt.exe
  - File opened (read-only) | \??\b: | uwruolgt.exe
  - File opened (read-only) | \??\n: | uwruolgt.exe
  - File opened (read-only) | \??\b: | dasznvsqhk.exe
  - File opened (read-only) | \??\g: | dasznvsqhk.exe
  - File opened (read-only) | \??\l: | uwruolgt.exe
  - File opened (read-only) | \??\q: | uwruolgt.exe
  - File opened (read-only) | \??\r: | uwruolgt.exe
  - File opened (read-only) | \??\w: | uwruolgt.exe
  - File opened (read-only) | \??\v: | dasznvsqhk.exe
  - File opened (read-only) | \??\g: | uwruolgt.exe
  - File opened (read-only) | \??\h: | uwruolgt.exe
  - File opened (read-only) | \??\s: | uwruolgt.exe
  - File opened (read-only) | \??\t: | dasznvsqhk.exe
  - File opened (read-only) | \??\y: | dasznvsqhk.exe
  - File opened (read-only) | \??\e: | uwruolgt.exe
  - File opened (read-only) | \??\a: | uwruolgt.exe
  - File opened (read-only) | \??\j: | uwruolgt.exe
  - File opened (read-only) | \??\k: | dasznvsqhk.exe
  - File opened (read-only) | \??\f: | uwruolgt.exe
  - File opened (read-only) | \??\m: | uwruolgt.exe
  - File opened (read-only) | \??\x: | dasznvsqhk.exe
  - File opened (read-only) | \??\t: | uwruolgt.exe
  - File opened (read-only) | \??\u: | uwruolgt.exe
  - File opened (read-only) | \??\v: | uwruolgt.exe
  - File opened (read-only) | \??\s: | dasznvsqhk.exe
  - File opened (read-only) | \??\w: | dasznvsqhk.exe
  - File opened (read-only) | \??\b: | uwruolgt.exe
  - File opened (read-only) | \??\g: | uwruolgt.exe
  - File opened (read-only) | \??\l: | uwruolgt.exe
  - File opened (read-only) | \??\j: | dasznvsqhk.exe
  - File opened (read-only) | \??\q: | dasznvsqhk.exe
  - File opened (read-only) | \??\e: | uwruolgt.exe
  - File opened (read-only) | \??\f: | uwruolgt.exe
  - File opened (read-only) | \??\v: | uwruolgt.exe
  - File opened (read-only) | \??\a: | uwruolgt.exe
  - File opened (read-only) | \??\p: | uwruolgt.exe
  - File opened (read-only) | \??\r: | uwruolgt.exe
  - File opened (read-only) | \??\m: | dasznvsqhk.exe
  - File opened (read-only) | \??\o: | dasznvsqhk.exe
  - File opened (read-only) | \??\n: | uwruolgt.exe
  - File opened (read-only) | \??\z: | uwruolgt.exe
  - File opened (read-only) | \??\i: | uwruolgt.exe
  - File opened (read-only) | \??\y: | uwruolgt.exe
  - File opened (read-only) | \??\a: | dasznvsqhk.exe
  - File opened (read-only) | \??\h: | dasznvsqhk.exe
  - File opened (read-only) | \??\x: | uwruolgt.exe
  - File opened (read-only) | \??\r: | dasznvsqhk.exe
  - File opened (read-only) | \??\t: | uwruolgt.exe
  - File opened (read-only) | \??\m: | uwruolgt.exe
  - File opened (read-only) | \??\u: | uwruolgt.exe
  - File opened (read-only) | \??\y: | uwruolgt.exe
  - File opened (read-only) | \??\h: | uwruolgt.exe
  - File opened (read-only) | \??\o: | uwruolgt.exe
  - File opened (read-only) | \??\u: | dasznvsqhk.exe
  - File opened (read-only) | \??\z: | dasznvsqhk.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dasznvsqhk.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dasznvsqhk.exe
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  - behavioral2/memory/4172-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4560-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4204-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4164-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/3592-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4172-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/2032-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4204-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4560-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/4164-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/3592-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  - behavioral2/memory/2032-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe

Drops file in System32 directory (12 IoCs)
  description | ioc | Process
  - File created | C:\Windows\SysWOW64\dasznvsqhk.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File created | C:\Windows\SysWOW64\qgwboajgjpcbhdg.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File created | C:\Windows\SysWOW64\uwruolgt.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File opened for modification | C:\Windows\SysWOW64\uwruolgt.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dasznvsqhk.exe
  - File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uwruolgt.exe
  - File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uwruolgt.exe
  - File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uwruolgt.exe
  - File opened for modification | C:\Windows\SysWOW64\dasznvsqhk.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File opened for modification | C:\Windows\SysWOW64\qgwboajgjpcbhdg.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File created | C:\Windows\SysWOW64\beqsieqpcubyo.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File opened for modification | C:\Windows\SysWOW64\beqsieqpcubyo.exe | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe

Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uwruolgt.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uwruolgt.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uwruolgt.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uwruolgt.exe
  - File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uwruolgt.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uwruolgt.exe
  - File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uwruolgt.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  - File opened for modification | C:\Windows\mydoc.rtf | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  - File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
  description | ioc | Process
  - Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B02D4497389853B8BAA53292D4BB" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dasznvsqhk.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dasznvsqhk.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dasznvsqhk.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FACAFE6AF1E0837F3B4086EA3996B0FC038D4312033BE1BD429D08D4" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF824F5882129131D75B7E94BC94E131584267456237D79B" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BC5FF1D21D1D278D1A88A7E906B" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dasznvsqhk.exe
  - Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C799D5182556A3277D677252DDF7D8664AD" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dasznvsqhk.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C60C1490DBC5B9BE7C92ED9F34BE" | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dasznvsqhk.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dasznvsqhk.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  - 3192 | WINWORD.EXE (2 identical rows)

Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed with their count)
  pid | Process
  - 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe (16 rows)
  - 4204 | dasznvsqhk.exe (10 rows)
  - 4560 | qgwboajgjpcbhdg.exe (10 rows)
  - 4164 | uwruolgt.exe (8 rows)
  - 3592 | beqsieqpcubyo.exe (12 rows)
  - 2032 | uwruolgt.exe (8 rows)

Suspicious use of FindShellTrayWindow (18 IoCs; identical rows collapsed with their count)
  pid | Process
  - 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe (3 rows)
  - 4560 | qgwboajgjpcbhdg.exe (3 rows)
  - 4204 | dasznvsqhk.exe (3 rows)
  - 4164 | uwruolgt.exe (3 rows)
  - 3592 | beqsieqpcubyo.exe (3 rows)
  - 2032 | uwruolgt.exe (3 rows)

Suspicious use of SendNotifyMessage (18 IoCs; identical rows collapsed with their count)
  pid | Process
  - 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe (3 rows)
  - 4560 | qgwboajgjpcbhdg.exe (3 rows)
  - 4204 | dasznvsqhk.exe (3 rows)
  - 4164 | uwruolgt.exe (3 rows)
  - 3592 | beqsieqpcubyo.exe (3 rows)
  - 2032 | uwruolgt.exe (3 rows)

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  - 3192 | WINWORD.EXE (7 identical rows)

Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed with their count)
  description | pid | Process | procid_target
  - PID 4172 wrote to memory of 4204 | 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe | 81 (3 rows)
  - PID 4172 wrote to memory of 4560 | 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe | 82 (3 rows)
  - PID 4172 wrote to memory of 4164 | 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe | 83 (3 rows)
  - PID 4172 wrote to memory of 3592 | 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe | 84 (3 rows)
  - PID 4172 wrote to memory of 3192 | 4172 | 3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe | 85 (2 rows)
  - PID 4204 wrote to memory of 2032 | 4204 | dasznvsqhk.exe | 86 (3 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3625f77630daaca4b1b2a846bf0b7245eae152992b0299f311e1cde75d4793f5.exe"
  PID: 4172
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dasznvsqhk.exe
    Command line: dasznvsqhk.exe
    PID: 4204
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\uwruolgt.exe
      Command line: C:\Windows\system32\uwruolgt.exe
      PID: 2032
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\qgwboajgjpcbhdg.exe
    Command line: qgwboajgjpcbhdg.exe
    PID: 4560
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\uwruolgt.exe
    Command line: uwruolgt.exe
    PID: 4164
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\beqsieqpcubyo.exe
    Command line: beqsieqpcubyo.exe
    PID: 3592
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3192
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
- Filesize: 255KB
  MD5: ac7b1eadf664a7f26f9eff80f1426797
  SHA1: 7a140ce60d60f89a01ff4d8b7fc19f4fc51a9e0d
  SHA256: 851848d59cfcf5f1cc2693c17b697670000f607d4ee0182d54c2608324350a35
  SHA512: 3e81d827571b855e39c4997a6a7fa2d48a245dd58eccb25f9399083a977ef4d7eb3ae74fa4a140134b9d1f9f85528df7142ec15579e15daf8edbeaf2220d6201
- Filesize: 255KB
  MD5: 78cb5f4a8d3c3947c2e6e1e921bf9d3c
  SHA1: 9025046207f32564504a96961994e9c729fd0bed
  SHA256: af3da1cd0dc48010c6f27d3b4c3cb9667d48bda22cec71234ae78242db9bff54
  SHA512: 2252061fb8b4b2ecd56ad06b66d2823c570971a2f0d5ab0531494eb97ca605113e6f39c34008d46dc26d2b239363515bb03ccbfb5bf12f003e95d0d8225f27f1
- Filesize: 255KB
  MD5: 83d9ebb90fbe3a572a27468f4f39808b
  SHA1: 9ddb52915075d9f43ad7c42752a5f6bc3b0126a8
  SHA256: 0dbcd3d64cba1afa21aa23445c0ae693c96e1d3faa29a3a27428cfd46f6d58ef
  SHA512: 817f23a92657235b635b35accc5509daf5b17fc11e375d6d1ef77abf9f4de5af22f6d55e7b1ca7f3734e94447a31cfe2fcbe1dee0ca50945e69a11b2c99e5178
- Filesize: 255KB
  MD5: 7913650fdce2ac0fbc6c0917b8286f93
  SHA1: 4b3ffea6c3c559a94c3133f3718c56fa4b662940
  SHA256: 020444cebf3ce25eea0b23c5bb5c2e30cbeb81d3d147f1499d2e905c3f14b0de
  SHA512: a3f7cb5996fb29ad46e8d0e0c463ec5eef48e07596652fb83fa6f6ccfc1c8f5b7e8acdba4d4939001f2d6604d5c8883b2a957501f9b3ecb8647fcdb194299d2b
- Filesize: 255KB
  MD5: 7913650fdce2ac0fbc6c0917b8286f93
  SHA1: 4b3ffea6c3c559a94c3133f3718c56fa4b662940
  SHA256: 020444cebf3ce25eea0b23c5bb5c2e30cbeb81d3d147f1499d2e905c3f14b0de
  SHA512: a3f7cb5996fb29ad46e8d0e0c463ec5eef48e07596652fb83fa6f6ccfc1c8f5b7e8acdba4d4939001f2d6604d5c8883b2a957501f9b3ecb8647fcdb194299d2b
- Filesize: 255KB
  MD5: e4aa840ad2c5611ec438c703fe336cd6
  SHA1: 5e12dc0a04a03c2380c2d54e43e3bb3ac5e9b34d
  SHA256: 879ca579ad1dd57d5b3530efc4bd7a0c668916114b6ee1b3d39e6a0c99a7fd5d
  SHA512: f78b68043bed8e6e60b9b279d3f2994938c4f33b0bd64432d5bbfd75c886632a3e2e2d5c8bc21aabb0d9db2a46f81694da4a4a4504b0495b9726c5284d712b1d
- Filesize: 255KB
  MD5: e4aa840ad2c5611ec438c703fe336cd6
  SHA1: 5e12dc0a04a03c2380c2d54e43e3bb3ac5e9b34d
  SHA256: 879ca579ad1dd57d5b3530efc4bd7a0c668916114b6ee1b3d39e6a0c99a7fd5d
  SHA512: f78b68043bed8e6e60b9b279d3f2994938c4f33b0bd64432d5bbfd75c886632a3e2e2d5c8bc21aabb0d9db2a46f81694da4a4a4504b0495b9726c5284d712b1d
- Filesize: 255KB
  MD5: a2609168d381baaee2a7beb3bf9d39a4
  SHA1: 07322ef5df4456f1cb89ef2364788fac88911d37
  SHA256: 542fa99d6c179e8d5dfe5fcc4e63df9a8c419837ea41b9e61a7a0e684cf5c3cd
  SHA512: c774397ce91fd4560dafcd46f9dd3a3a17a1e439d27a0c0fc30b1491db985dc76817632ec8ee65958b5f3862454764c54ef930d691f7611485813368d3224285
- Filesize: 255KB
  MD5: a2609168d381baaee2a7beb3bf9d39a4
  SHA1: 07322ef5df4456f1cb89ef2364788fac88911d37
  SHA256: 542fa99d6c179e8d5dfe5fcc4e63df9a8c419837ea41b9e61a7a0e684cf5c3cd
  SHA512: c774397ce91fd4560dafcd46f9dd3a3a17a1e439d27a0c0fc30b1491db985dc76817632ec8ee65958b5f3862454764c54ef930d691f7611485813368d3224285
- Filesize: 255KB
  MD5: 14329fcf90df33f8178155e032b77cd8
  SHA1: 0b29866563a1a5d5690b7cae87a6f9dde7dfbf37
  SHA256: c7083420bcf8dbadde98e3e239c127aff8daa173de50f4bc38693a2ced203538
  SHA512: fc19af17fb92e5e72ed2e080a013a03c244887fdb8960bd2804aa7b7f81baeabbfc7776b7b4bfa99c09b11abfb0699d34b69a3e0afdfd101de41a1227832b430
- Filesize: 255KB
  MD5: 14329fcf90df33f8178155e032b77cd8
  SHA1: 0b29866563a1a5d5690b7cae87a6f9dde7dfbf37
  SHA256: c7083420bcf8dbadde98e3e239c127aff8daa173de50f4bc38693a2ced203538
  SHA512: fc19af17fb92e5e72ed2e080a013a03c244887fdb8960bd2804aa7b7f81baeabbfc7776b7b4bfa99c09b11abfb0699d34b69a3e0afdfd101de41a1227832b430
- Filesize: 255KB
  MD5: 14329fcf90df33f8178155e032b77cd8
  SHA1: 0b29866563a1a5d5690b7cae87a6f9dde7dfbf37
  SHA256: c7083420bcf8dbadde98e3e239c127aff8daa173de50f4bc38693a2ced203538
  SHA512: fc19af17fb92e5e72ed2e080a013a03c244887fdb8960bd2804aa7b7f81baeabbfc7776b7b4bfa99c09b11abfb0699d34b69a3e0afdfd101de41a1227832b430
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 255KB
  MD5: 78cb5f4a8d3c3947c2e6e1e921bf9d3c
  SHA1: 9025046207f32564504a96961994e9c729fd0bed
  SHA256: af3da1cd0dc48010c6f27d3b4c3cb9667d48bda22cec71234ae78242db9bff54
  SHA512: 2252061fb8b4b2ecd56ad06b66d2823c570971a2f0d5ab0531494eb97ca605113e6f39c34008d46dc26d2b239363515bb03ccbfb5bf12f003e95d0d8225f27f1
- Filesize: 255KB
  MD5: 026108103f4f5b87b86d5e9f141e2318
  SHA1: c5ff61c9a2b61e81a255b4da81046151e03128bd
  SHA256: f14d8cf690414c22fdd416b412680372b66f7fa5c6611cc5b1d37ebf74282f19
  SHA512: 1233c51614afd3aa316db915abf46b72ab27d387c4979c0136835351e0b2f1896f6eea2cb2eb41db83e6dd8d24fa845dbb3e43a910c46cb4c95891932de8fa81
- Filesize: 255KB
  MD5: d782ed8190d2e7d15a0edd438d9a8a4f
  SHA1: 64d7aff01cdd546b0a07fedb19b0710587a23dc5
  SHA256: 48ace9fd64decedb1797974bc0fbdb7f4f9d88e3e7cfd986420cb8c169ef40a9
  SHA512: e7fa0b3470b9d9969d077d8753c0deddbaec991435bc7e88bfa02c42466fbc09d1c04f3bcf32c5de64ebeae63b86be2fdb27976be9012f62b8984e8b1cfbfaee