Analysis
-
max time kernel
150s
-
max time network
148s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
24/11/2022, 08:11
Behavioral task
behavioral1
Sample
8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Resource
win7-20221111-en
General
-
Target
8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
-
Size
255KB
-
MD5
451609383df4e3e362d957df36beda1c
-
SHA1
e56a3f44d707977a98c9d20f011297e5fc008558
-
SHA256
8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5
-
SHA512
8c6b7f0d2696eb0308c4b5fca7e309844d2bfd1cc6b3b8c506d354140c4e067ca6cffc26b5bca6601930c0ae9d9522a2ff5040f9a1febf3f0be23a24737f20c4
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJt:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIw
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qooidkubgw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qooidkubgw.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qooidkubgw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qooidkubgw.exe
Executes dropped EXE 5 IoCs
pid | Process
920 | qooidkubgw.exe
3468 | arsslvotrrjrlpy.exe
4508 | qukwuyul.exe
5060 | cdgvvbtndtbkx.exe
5112 | qukwuyul.exe
upx (yara_rule) 28 IoCs
resource | yara_rule
behavioral2/memory/3060-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e07-134.dat | upx
behavioral2/files/0x0008000000022e07-135.dat | upx
behavioral2/files/0x0006000000022e39-140.dat | upx
behavioral2/files/0x0006000000022e3a-143.dat | upx
behavioral2/files/0x0006000000022e3a-144.dat | upx
behavioral2/files/0x0006000000022e39-141.dat | upx
behavioral2/files/0x0008000000022e24-138.dat | upx
behavioral2/files/0x0008000000022e24-137.dat | upx
behavioral2/files/0x0006000000022e39-146.dat | upx
behavioral2/memory/920-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3468-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4508-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5060-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5112-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3060-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0002000000009dee-159.dat | upx
behavioral2/files/0x0008000000022e27-160.dat | upx
behavioral2/files/0x0006000000022e3c-161.dat | upx
behavioral2/memory/920-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3468-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4508-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5060-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5112-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000400000001d9f5-170.dat | upx
behavioral2/files/0x000400000001d9f7-171.dat | upx
behavioral2/files/0x000a00000001696e-172.dat | upx
behavioral2/files/0x000a00000001696e-178.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qooidkubgw.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cdgvvbtndtbkx.exe" | arsslvotrrjrlpy.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | arsslvotrrjrlpy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ldhfslfc = "qooidkubgw.exe" | arsslvotrrjrlpy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ftaxyiay = "arsslvotrrjrlpy.exe" | arsslvotrrjrlpy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | qukwuyul.exe
File opened (read-only) | \??\z: | qukwuyul.exe
File opened (read-only) | \??\f: | qukwuyul.exe
File opened (read-only) | \??\r: | qooidkubgw.exe
File opened (read-only) | \??\e: | qukwuyul.exe
File opened (read-only) | \??\n: | qukwuyul.exe
File opened (read-only) | \??\u: | qukwuyul.exe
File opened (read-only) | \??\r: | qukwuyul.exe
File opened (read-only) | \??\q: | qooidkubgw.exe
File opened (read-only) | \??\i: | qukwuyul.exe
File opened (read-only) | \??\k: | qukwuyul.exe
File opened (read-only) | \??\j: | qooidkubgw.exe
File opened (read-only) | \??\l: | qooidkubgw.exe
File opened (read-only) | \??\u: | qooidkubgw.exe
File opened (read-only) | \??\x: | qooidkubgw.exe
File opened (read-only) | \??\b: | qukwuyul.exe
File opened (read-only) | \??\h: | qukwuyul.exe
File opened (read-only) | \??\v: | qukwuyul.exe
File opened (read-only) | \??\w: | qukwuyul.exe
File opened (read-only) | \??\h: | qooidkubgw.exe
File opened (read-only) | \??\v: | qukwuyul.exe
File opened (read-only) | \??\y: | qukwuyul.exe
File opened (read-only) | \??\s: | qooidkubgw.exe
File opened (read-only) | \??\v: | qooidkubgw.exe
File opened (read-only) | \??\a: | qukwuyul.exe
File opened (read-only) | \??\g: | qukwuyul.exe
File opened (read-only) | \??\p: | qukwuyul.exe
File opened (read-only) | \??\s: | qukwuyul.exe
File opened (read-only) | \??\a: | qukwuyul.exe
File opened (read-only) | \??\b: | qukwuyul.exe
File opened (read-only) | \??\e: | qukwuyul.exe
File opened (read-only) | \??\j: | qukwuyul.exe
File opened (read-only) | \??\s: | qukwuyul.exe
File opened (read-only) | \??\n: | qooidkubgw.exe
File opened (read-only) | \??\y: | qooidkubgw.exe
File opened (read-only) | \??\f: | qukwuyul.exe
File opened (read-only) | \??\g: | qukwuyul.exe
File opened (read-only) | \??\l: | qukwuyul.exe
File opened (read-only) | \??\p: | qukwuyul.exe
File opened (read-only) | \??\q: | qukwuyul.exe
File opened (read-only) | \??\u: | qukwuyul.exe
File opened (read-only) | \??\z: | qooidkubgw.exe
File opened (read-only) | \??\n: | qukwuyul.exe
File opened (read-only) | \??\o: | qukwuyul.exe
File opened (read-only) | \??\q: | qukwuyul.exe
File opened (read-only) | \??\r: | qukwuyul.exe
File opened (read-only) | \??\x: | qukwuyul.exe
File opened (read-only) | \??\z: | qukwuyul.exe
File opened (read-only) | \??\e: | qooidkubgw.exe
File opened (read-only) | \??\t: | qukwuyul.exe
File opened (read-only) | \??\x: | qukwuyul.exe
File opened (read-only) | \??\k: | qukwuyul.exe
File opened (read-only) | \??\w: | qukwuyul.exe
File opened (read-only) | \??\h: | qukwuyul.exe
File opened (read-only) | \??\t: | qukwuyul.exe
File opened (read-only) | \??\m: | qooidkubgw.exe
File opened (read-only) | \??\w: | qooidkubgw.exe
File opened (read-only) | \??\m: | qukwuyul.exe
File opened (read-only) | \??\i: | qukwuyul.exe
File opened (read-only) | \??\b: | qooidkubgw.exe
File opened (read-only) | \??\f: | qooidkubgw.exe
File opened (read-only) | \??\o: | qooidkubgw.exe
File opened (read-only) | \??\p: | qooidkubgw.exe
File opened (read-only) | \??\m: | qukwuyul.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qooidkubgw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qooidkubgw.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3060-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/920-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3468-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4508-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5060-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5112-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3060-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/920-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3468-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4508-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5060-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5112-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qukwuyul.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qukwuyul.exe
File opened for modification | C:\Windows\SysWOW64\qooidkubgw.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File created | C:\Windows\SysWOW64\qukwuyul.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File opened for modification | C:\Windows\SysWOW64\cdgvvbtndtbkx.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File opened for modification | C:\Windows\SysWOW64\qukwuyul.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File created | C:\Windows\SysWOW64\cdgvvbtndtbkx.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qooidkubgw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qukwuyul.exe
File created | C:\Windows\SysWOW64\qooidkubgw.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File created | C:\Windows\SysWOW64\arsslvotrrjrlpy.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File opened for modification | C:\Windows\SysWOW64\arsslvotrrjrlpy.exe | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\RedoCheckpoint.nal | qukwuyul.exe
File opened for modification | \??\c:\Program Files\RedoCheckpoint.doc.exe | qukwuyul.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qukwuyul.exe
File created | \??\c:\Program Files\RedoCheckpoint.doc.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qukwuyul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qukwuyul.exe
File opened for modification | \??\c:\Program Files\RedoCheckpoint.doc.exe | qukwuyul.exe
File opened for modification | C:\Program Files\RedoCheckpoint.doc.exe | qukwuyul.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qukwuyul.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qukwuyul.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qukwuyul.exe
File opened for modification | C:\Program Files\RedoCheckpoint.doc.exe | qukwuyul.exe
File opened for modification | C:\Program Files\RedoCheckpoint.nal | qukwuyul.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9CDFE11F2E3837C3A4786ED3E95B38D038F4362023BE1B9459909A3" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF83482782689045D75A7E91BDE3E136584367456335D69C" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qooidkubgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C779C2683566A4176A277232CDC7DF265DE" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qooidkubgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qooidkubgw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB02F47E5389E52CBB9A233E9D7CA" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB1FE6C21DED173D0A28A7F9110" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qooidkubgw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qooidkubgw.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC77515E3DBB3B9CD7C92ED9F37B9" | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qooidkubgw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qooidkubgw.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | occurrences
3320 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive occurrences (64 rows in total, runs collapsed in original order)
3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 16
3468 | arsslvotrrjrlpy.exe | 5
920 | qooidkubgw.exe | 1
3468 | arsslvotrrjrlpy.exe | 1
920 | qooidkubgw.exe | 1
3468 | arsslvotrrjrlpy.exe | 2
920 | qooidkubgw.exe | 8
3468 | arsslvotrrjrlpy.exe | 2
5060 | cdgvvbtndtbkx.exe | 12
4508 | qukwuyul.exe | 8
5112 | qukwuyul.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences
3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 3
920 | qooidkubgw.exe | 3
3468 | arsslvotrrjrlpy.exe | 3
5060 | cdgvvbtndtbkx.exe | 3
4508 | qukwuyul.exe | 3
5112 | qukwuyul.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences
3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 3
920 | qooidkubgw.exe | 3
3468 | arsslvotrrjrlpy.exe | 3
5060 | cdgvvbtndtbkx.exe | 3
4508 | qukwuyul.exe | 3
5112 | qukwuyul.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | occurrences
3320 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | occurrences
PID 3060 wrote to memory of 920 | 3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 78 | 3
PID 3060 wrote to memory of 3468 | 3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 79 | 3
PID 3060 wrote to memory of 4508 | 3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 80 | 3
PID 3060 wrote to memory of 5060 | 3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 81 | 3
PID 920 wrote to memory of 5112 | 920 | qooidkubgw.exe | 82 | 3
PID 3060 wrote to memory of 3320 | 3060 | 8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe | 83 | 2
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8e7a2998080ef3ddcb5e95484fb402ae65bcfc81ced65d8073b1fa46d8f125a5.exe"
PID: 3060
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  Level 2: C:\Windows\SysWOW64\qooidkubgw.exe
  Command line: qooidkubgw.exe
  PID: 920
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  -
    Level 3: C:\Windows\SysWOW64\qukwuyul.exe
    Command line: C:\Windows\system32\qukwuyul.exe
    PID: 5112
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
  Level 2: C:\Windows\SysWOW64\arsslvotrrjrlpy.exe
  Command line: arsslvotrrjrlpy.exe
  PID: 3468
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
  Level 2: C:\Windows\SysWOW64\qukwuyul.exe
  Command line: qukwuyul.exe
  PID: 4508
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
  Level 2: C:\Windows\SysWOW64\cdgvvbtndtbkx.exe
  Command line: cdgvvbtndtbkx.exe
  PID: 5060
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
-
  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 3320
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Disabling Security Tools 2
- Hidden Files and Directories 2
- Modify Registry 6
Downloads
-
Filesize
255KB
MD5 68af8282653d0889f3b4f17dc94bd99d
SHA1 a734cbc75667b6c38406f81f5eb118b799f65bb0
SHA256 8427e7e2a945bcc90d1af816290208eb4a14e696ac1e7f478ef965c34eec6b98
SHA512 432c8325bf0ce13296111a24c9f2e36e762d4448e1483f82e739bb76c0183bae49e16d9110f691581915fc0874fe4acb6274e8fd235ac148a0ec08dfe852c112
-
Filesize
255KB
MD5 ffcf037c400016743c69041310866e88
SHA1 5d4999175f6aebe86f014b0ebe65116563a56f54
SHA256 b60d28062e38c21cc889e3df3cf4c90d4073d83ed7960c50f0b7c0809dbcef4f
SHA512 49b1e6ddf461b6b65d0685dbb28b94ebf19de8a6076b363bea63c83a9785b59aafef3db092712d2cbaec783a24f7955ee72bd589d73865fc6f184a95d43168b7
-
Filesize
255KB
MD5 824533c479967bcdb766530e690db366
SHA1 77d07c5da5f416fa1a2b88aa9245940c25db2690
SHA256 4d4ccd3fde0bd062d699383812030e54a090ad3cbbac212b099acadedcfa8dd9
SHA512 4496d11291032887c40b3545838d6ce1a253cafc796c047182e44cf4eb5c3ecf87604bdbda9748c4e354f9b54241c36ef835935df1cfe42886050f8ed38b37af
-
Filesize
255KB
MD5 875ce2322e807bf8602927f08de7722b
SHA1 02d5d5f5da17228a7e1dd50eeaa422cbef4f4ba6
SHA256 0d4b6b482a333d37d92269b86f1745bdc15817038c5ef191bcdf1afc41cb4586
SHA512 11a00b61334126eefb55d45a51ca78f3aa613d13e131692436103b52b773dac1aafad4e1f87c8a1647562c6d7a4e27738d695e1c29bb58cdab909099caaa1126
-
Filesize
255KB
MD5 d6a91d7616c4117fee460948f6281911
SHA1 26870aa806d99e020bf3b6d628642ffc34103dd0
SHA256 c31aaa7dd28293ab3cb37c6cc63d117f3c8dffbf1d254ea37c4f541801d21720
SHA512 d3ff528357f8c924aef31efc1aafd7045e0aa696f4a52f3161c5c83a65f5f64d16941e2d71b1f76a652e7cc654a4b63c5da1912f5b0515e5467de5d18b866bdf
-
Filesize
255KB
Listed 2 times
MD5 3a208bb1ba7093f6312a7c17dd5cdb3d
SHA1 f716e8438a170e1da8841cba55a78de8d8122746
SHA256 803fbb5100a525caa2bccc54a5b420142c5ebdcd19261c268939ace385afb924
SHA512 52b1f5b872a25f029f3d91ec7f64e46a2c39a258112a5963fba09421d8af96b1da05c2af3bcae6ef9970234cddf8ca8d4bd842c74164d7a377ea08b2f98cb5f3
-
Filesize
255KB
Listed 2 times
MD5 6c880b08ba669a3d2cf89c9084677d2e
SHA1 01bc42beaf363e3e05ed0753fb4be9165f8fc137
SHA256 b702af43cfe29aa53e6e942cd890b3d8c017c433fc8e3f682b090395c5fc84c3
SHA512 ec206f602e36c121484a513811b2b9fe04f2523ee4ffde567a9c873931e896bd6a998f8e48b4302ae74fd4d78359ce82c87f55fd8f7946bbd8056e79d8e02b0f
-
Filesize
255KB
Listed 2 times
MD5 8e33978f1a0abd98da63259670a2191e
SHA1 bc852a79f367106dc76243cfdde6cbef47b231b8
SHA256 fcd1d9cf230270b83e35d5bcee68b45b9cb19b370b1f4ed1aa6d50b7371a40c2
SHA512 92f99e3611c7dc90d41f0f7589c66aae3488b1678a4a838a40e9c2996e6a858197b631e8117bc7c79386d7e0dffe210fed642866afc9975f547af858eb044594
-
Filesize
255KB
Listed 3 times
MD5 db964d2f45a3a75593a5de73e81d5224
SHA1 3d3a757082c65281bc0dd85cbaaaef73e314c807
SHA256 04081c99777b0e66f8024d8801b120cbea9a39af5f86eefda2cf8a310e4f74ab
SHA512 e7eb89adfd1102c24280a093694264ff46dd1bdeb90fe081782afd27e9b29bf68aad18e40b97cbcb3998b381481b3ce96cdc7c4650089e4bf40572454d2f2833
-
Filesize
223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
255KB
MD5 35d37578a4bc227f25dc08ffb5e0c226
SHA1 424107569e7ffb34f2a9e8a8261ec83f95b06906
SHA256 af42676a95c568392af11509af6e43ba664f83a793e138598c65b87a8aad33ba
SHA512 ef9b9628c4b0c1d1374faad5f98454a32c027fafeb7c858cdc49e220f22cf3fa4b41f38fe10e86492fd6a76d08ffbb98825a220ecba07bc45b7586086cb87c11
-
Filesize
255KB
MD5 e24ae7a6f80d69f7b69418034c72abe0
SHA1 d43a703140b13a10c4b7757fc95f7bf8efc9df30
SHA256 4328a5ebf2f86342a12ae1f095dfaba36ade41fc6778fa1a23601fff39dc3508
SHA512 b9692a17de9e8ceb98286e99eb7c08677af9d8e1fce33b19c1ead78234f8fd73f1829fc4ed4d509c4b443faebc6f86036a6925471640e0f286ed476ecd63ccc7