Analysis

max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 07:12
Behavioral task: behavioral1
Sample: d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Resource: win7-20220812-en
General

Target: d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Size: 255KB
MD5: 59619eb2018b4c5697abecdee044e63c
SHA1: d9da3d4c896093a02650a817af542f8fac3f9db3
SHA256: d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994
SHA512: ca6d0387341bc7b62d15612e0b9fa60af8b20c0160ad012f7ceff3e8829118ff34c5eb8fd0dd610f3161e165ff6ae4a0184b3fa9fd153a7f98dc577bd796fab7
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ4:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIv
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cruftsgopf.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cruftsgopf.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cruftsgopf.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cruftsgopf.exe
Executes dropped EXE (5 IoCs)
pid | Process
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
4536 | hsuacuyc.exe
3280 | wvntliihznioq.exe
4728 | hsuacuyc.exe
resource | yara_rule
behavioral2/files/0x0009000000022dbc-133.dat | upx
behavioral2/files/0x0009000000022dbc-134.dat | upx
behavioral2/files/0x0009000000022dd4-137.dat | upx
behavioral2/files/0x0009000000022dd4-136.dat | upx
behavioral2/memory/4232-138-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1096-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1556-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022de5-142.dat | upx
behavioral2/files/0x0007000000022de5-143.dat | upx
behavioral2/files/0x0007000000022de6-146.dat | upx
behavioral2/memory/4536-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022de6-145.dat | upx
behavioral2/memory/3280-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022de5-150.dat | upx
behavioral2/memory/4728-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4232-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022df5-154.dat | upx
behavioral2/files/0x0007000000022df8-155.dat | upx
behavioral2/memory/4536-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3280-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4728-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e6ba-167.dat | upx
behavioral2/files/0x000200000001e705-168.dat | upx
behavioral2/files/0x000200000001e705-169.dat | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cruftsgopf.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | xqebthogtjsxcqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bsublveb = "cruftsgopf.exe" | xqebthogtjsxcqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kcmyjfxi = "xqebthogtjsxcqd.exe" | xqebthogtjsxcqd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wvntliihznioq.exe" | xqebthogtjsxcqd.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | hsuacuyc.exe
File opened (read-only) | \??\z: | hsuacuyc.exe
File opened (read-only) | \??\f: | cruftsgopf.exe
File opened (read-only) | \??\m: | cruftsgopf.exe
File opened (read-only) | \??\u: | hsuacuyc.exe
File opened (read-only) | \??\w: | hsuacuyc.exe
File opened (read-only) | \??\y: | hsuacuyc.exe
File opened (read-only) | \??\j: | cruftsgopf.exe
File opened (read-only) | \??\l: | cruftsgopf.exe
File opened (read-only) | \??\v: | cruftsgopf.exe
File opened (read-only) | \??\z: | cruftsgopf.exe
File opened (read-only) | \??\n: | hsuacuyc.exe
File opened (read-only) | \??\o: | cruftsgopf.exe
File opened (read-only) | \??\r: | cruftsgopf.exe
File opened (read-only) | \??\a: | hsuacuyc.exe
File opened (read-only) | \??\j: | hsuacuyc.exe
File opened (read-only) | \??\k: | hsuacuyc.exe
File opened (read-only) | \??\y: | hsuacuyc.exe
File opened (read-only) | \??\f: | hsuacuyc.exe
File opened (read-only) | \??\u: | cruftsgopf.exe
File opened (read-only) | \??\h: | hsuacuyc.exe
File opened (read-only) | \??\m: | hsuacuyc.exe
File opened (read-only) | \??\u: | hsuacuyc.exe
File opened (read-only) | \??\z: | hsuacuyc.exe
File opened (read-only) | \??\i: | hsuacuyc.exe
File opened (read-only) | \??\p: | hsuacuyc.exe
File opened (read-only) | \??\s: | hsuacuyc.exe
File opened (read-only) | \??\g: | cruftsgopf.exe
File opened (read-only) | \??\h: | cruftsgopf.exe
File opened (read-only) | \??\i: | cruftsgopf.exe
File opened (read-only) | \??\o: | hsuacuyc.exe
File opened (read-only) | \??\v: | hsuacuyc.exe
File opened (read-only) | \??\q: | hsuacuyc.exe
File opened (read-only) | \??\s: | hsuacuyc.exe
File opened (read-only) | \??\m: | hsuacuyc.exe
File opened (read-only) | \??\q: | cruftsgopf.exe
File opened (read-only) | \??\t: | cruftsgopf.exe
File opened (read-only) | \??\x: | cruftsgopf.exe
File opened (read-only) | \??\y: | cruftsgopf.exe
File opened (read-only) | \??\a: | hsuacuyc.exe
File opened (read-only) | \??\b: | cruftsgopf.exe
File opened (read-only) | \??\f: | hsuacuyc.exe
File opened (read-only) | \??\i: | hsuacuyc.exe
File opened (read-only) | \??\k: | hsuacuyc.exe
File opened (read-only) | \??\g: | hsuacuyc.exe
File opened (read-only) | \??\h: | hsuacuyc.exe
File opened (read-only) | \??\j: | hsuacuyc.exe
File opened (read-only) | \??\l: | hsuacuyc.exe
File opened (read-only) | \??\t: | hsuacuyc.exe
File opened (read-only) | \??\r: | hsuacuyc.exe
File opened (read-only) | \??\v: | hsuacuyc.exe
File opened (read-only) | \??\s: | cruftsgopf.exe
File opened (read-only) | \??\b: | hsuacuyc.exe
File opened (read-only) | \??\e: | hsuacuyc.exe
File opened (read-only) | \??\n: | hsuacuyc.exe
File opened (read-only) | \??\g: | hsuacuyc.exe
File opened (read-only) | \??\p: | hsuacuyc.exe
File opened (read-only) | \??\w: | hsuacuyc.exe
File opened (read-only) | \??\k: | cruftsgopf.exe
File opened (read-only) | \??\n: | cruftsgopf.exe
File opened (read-only) | \??\o: | hsuacuyc.exe
File opened (read-only) | \??\x: | hsuacuyc.exe
File opened (read-only) | \??\e: | cruftsgopf.exe
File opened (read-only) | \??\l: | hsuacuyc.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cruftsgopf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cruftsgopf.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4232-138-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1096-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3280-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4728-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4232-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4536-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3280-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4728-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xqebthogtjsxcqd.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File created | C:\Windows\SysWOW64\hsuacuyc.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File created | C:\Windows\SysWOW64\wvntliihznioq.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File opened for modification | C:\Windows\SysWOW64\wvntliihznioq.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cruftsgopf.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hsuacuyc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hsuacuyc.exe
File created | C:\Windows\SysWOW64\xqebthogtjsxcqd.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hsuacuyc.exe
File opened for modification | C:\Windows\SysWOW64\cruftsgopf.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File opened for modification | C:\Windows\SysWOW64\hsuacuyc.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hsuacuyc.exe
File created | C:\Windows\SysWOW64\cruftsgopf.exe | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hsuacuyc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hsuacuyc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hsuacuyc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hsuacuyc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hsuacuyc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hsuacuyc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hsuacuyc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hsuacuyc.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7A9D2C83596D4177D370212CAA7C8E64DF" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B029449239E353CDB9D7339CD7C5" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cruftsgopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9CCF913F1E084743B3286ED3996B38B02FE42120248E1CD459A08D5" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cruftsgopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cruftsgopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cruftsgopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cruftsgopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60B1594DBB2B8CE7CE2EC9634B9" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cruftsgopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cruftsgopf.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCF8482E826E9134D72E7D9CBDE5E6415932674E6331D6EC" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B6FF1821DAD27CD1A88A7C9113" | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cruftsgopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cruftsgopf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cruftsgopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cruftsgopf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cruftsgopf.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1160 | WINWORD.EXE
1160 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
Suspicious use of FindShellTrayWindow (19 IoCs)
pid | Process
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4728 | hsuacuyc.exe
4728 | hsuacuyc.exe
4728 | hsuacuyc.exe
Suspicious use of SendNotifyMessage (19 IoCs)
pid | Process
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1096 | cruftsgopf.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
1556 | xqebthogtjsxcqd.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
3280 | wvntliihznioq.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4536 | hsuacuyc.exe
4728 | hsuacuyc.exe
4728 | hsuacuyc.exe
4728 | hsuacuyc.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1160 | WINWORD.EXE
1160 | WINWORD.EXE
1160 | WINWORD.EXE
1160 | WINWORD.EXE
1160 | WINWORD.EXE
1160 | WINWORD.EXE
1160 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4232 wrote to memory of 1096 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 76
PID 4232 wrote to memory of 1096 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 76
PID 4232 wrote to memory of 1096 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 76
PID 4232 wrote to memory of 1556 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 77
PID 4232 wrote to memory of 1556 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 77
PID 4232 wrote to memory of 1556 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 77
PID 4232 wrote to memory of 4536 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 78
PID 4232 wrote to memory of 4536 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 78
PID 4232 wrote to memory of 4536 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 78
PID 4232 wrote to memory of 3280 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 79
PID 4232 wrote to memory of 3280 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 79
PID 4232 wrote to memory of 3280 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 79
PID 1096 wrote to memory of 4728 | 1096 | cruftsgopf.exe | 80
PID 1096 wrote to memory of 4728 | 1096 | cruftsgopf.exe | 80
PID 1096 wrote to memory of 4728 | 1096 | cruftsgopf.exe | 80
PID 4232 wrote to memory of 1160 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 81
PID 4232 wrote to memory of 1160 | 4232 | d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe | 81
Processes

C:\Users\Admin\AppData\Local\Temp\d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9988c27dcc0b39787eb4fe71999cafc048a7c92d5c4580f0af0952d1e4d3994.exe"
  PID: 4232
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cruftsgopf.exe
    Command line: cruftsgopf.exe
    PID: 1096
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\hsuacuyc.exe
      Command line: C:\Windows\system32\hsuacuyc.exe
      PID: 4728
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xqebthogtjsxcqd.exe
    Command line: xqebthogtjsxcqd.exe
    PID: 1556
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hsuacuyc.exe
    Command line: hsuacuyc.exe
    PID: 4536
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wvntliihznioq.exe
    Command line: wvntliihznioq.exe
    PID: 3280
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1160
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6

Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads