9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed

General

Target

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Size

255KB
MD5

0ec85e34d65790f28bac1b62486e3c2a
SHA1

a2db6beb471c7001d0dd005fe0e1563e25f844e9
SHA256

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed
SHA512

2c1caef4daf4a82c4c1ed93a1de4186e5a3d978fdc235318bc665a75c0bd3ea0003b569b3c635b9ded86ba5db79a8eec75c473ceac0f84577ab4ba8a0a5a8141
SSDEEP

6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6Z:Plf5j6zCNa0xeE3mo

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	xdvofevigj.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xdvofevigj.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xdvofevigj.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xdvofevigj.exe

Executes dropped EXE 4 IoCs

Processes:

xdvofevigj.exekypkxfmpjmdfgee.exeklnvswir.exedymgckyfjiefc.exe

pid process

2444 xdvofevigj.exe
4560 kypkxfmpjmdfgee.exe
3988 klnvswir.exe
1644 dymgckyfjiefc.exe

pid	process
2444	xdvofevigj.exe
4560	kypkxfmpjmdfgee.exe
3988	klnvswir.exe
1644	dymgckyfjiefc.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3472-132-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/3472-133-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\xdvofevigj.exe	upx
C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe	upx
C:\Windows\SysWOW64\xdvofevigj.exe	upx
C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe	upx
behavioral2/memory/2444-141-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\klnvswir.exe	upx
C:\Windows\SysWOW64\dymgckyfjiefc.exe	upx
C:\Windows\SysWOW64\klnvswir.exe	upx
behavioral2/memory/4560-142-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\dymgckyfjiefc.exe	upx
behavioral2/memory/3988-149-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/1644-150-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/2444-151-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/4560-152-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/1644-153-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral2/memory/3472-154-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xdvofevigj.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kypkxfmpjmdfgee.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dymgckyfjiefc.exe"	kypkxfmpjmdfgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	kypkxfmpjmdfgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ainwxsxn = "xdvofevigj.exe"	kypkxfmpjmdfgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndcjvkcg = "kypkxfmpjmdfgee.exe"	kypkxfmpjmdfgee.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

klnvswir.exe

description	ioc	process
File opened (read-only)	\??\a:	klnvswir.exe
File opened (read-only)	\??\b:	klnvswir.exe
File opened (read-only)	\??\f:	klnvswir.exe
File opened (read-only)	\??\m:	klnvswir.exe
File opened (read-only)	\??\o:	klnvswir.exe
File opened (read-only)	\??\s:	klnvswir.exe
File opened (read-only)	\??\w:	klnvswir.exe
File opened (read-only)	\??\z:	klnvswir.exe
File opened (read-only)	\??\j:	klnvswir.exe
File opened (read-only)	\??\e:	klnvswir.exe
File opened (read-only)	\??\i:	klnvswir.exe
File opened (read-only)	\??\l:	klnvswir.exe
File opened (read-only)	\??\n:	klnvswir.exe
File opened (read-only)	\??\q:	klnvswir.exe
File opened (read-only)	\??\t:	klnvswir.exe
File opened (read-only)	\??\u:	klnvswir.exe
File opened (read-only)	\??\v:	klnvswir.exe
File opened (read-only)	\??\g:	klnvswir.exe
File opened (read-only)	\??\h:	klnvswir.exe
File opened (read-only)	\??\k:	klnvswir.exe
File opened (read-only)	\??\p:	klnvswir.exe
File opened (read-only)	\??\r:	klnvswir.exe
File opened (read-only)	\??\x:	klnvswir.exe
File opened (read-only)	\??\y:	klnvswir.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

xdvofevigj.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	xdvofevigj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	xdvofevigj.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/3472-133-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/2444-141-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/4560-142-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/3988-149-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/1644-150-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/2444-151-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/4560-152-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/1644-153-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral2/memory/3472-154-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 8 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

description	ioc	process
File created	C:\Windows\SysWOW64\xdvofevigj.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File opened for modification	C:\Windows\SysWOW64\xdvofevigj.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File created	C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File opened for modification	C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File created	C:\Windows\SysWOW64\klnvswir.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File opened for modification	C:\Windows\SysWOW64\klnvswir.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File created	C:\Windows\SysWOW64\dymgckyfjiefc.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
File opened for modification	C:\Windows\SysWOW64\dymgckyfjiefc.exe	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

Drops file in Windows directory 1 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

description ioc process

File opened for modification C:\Windows\mydoc.rtf 9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

Modifies registry class 20 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exexdvofevigj.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC3FE6A22DFD178D1D48B0E9164"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67515E1DAB1B9B97C94EDE434CE"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	xdvofevigj.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7C9D5683506A4376D577202CD77DF264AA"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9BDFE14F19284783B4786963E91B0FC02F94313033FE1C9429E08D6"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FC8E482D856F9142D72C7E9CBD92E141593767426341D7EE"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	xdvofevigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B15F47E0389D52CDB9D5329CD4C4"	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	xdvofevigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	xdvofevigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	xdvofevigj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	xdvofevigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	xdvofevigj.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exexdvofevigj.exedymgckyfjiefc.exekypkxfmpjmdfgee.exeklnvswir.exe

pid	process
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
3988	klnvswir.exe
3988	klnvswir.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
3988	klnvswir.exe
3988	klnvswir.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
3988	klnvswir.exe
3988	klnvswir.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
3988	klnvswir.exe
3988	klnvswir.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exexdvofevigj.exekypkxfmpjmdfgee.exedymgckyfjiefc.exeklnvswir.exe

pid	process
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
3988	klnvswir.exe
3988	klnvswir.exe
3988	klnvswir.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exexdvofevigj.exekypkxfmpjmdfgee.exedymgckyfjiefc.exeklnvswir.exe

pid	process
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
2444	xdvofevigj.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
4560	kypkxfmpjmdfgee.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
1644	dymgckyfjiefc.exe
3988	klnvswir.exe
3988	klnvswir.exe
3988	klnvswir.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe

description	pid	process	target process
PID 3472 wrote to memory of 2444	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	xdvofevigj.exe
PID 3472 wrote to memory of 2444	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	xdvofevigj.exe
PID 3472 wrote to memory of 2444	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	xdvofevigj.exe
PID 3472 wrote to memory of 4560	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	kypkxfmpjmdfgee.exe
PID 3472 wrote to memory of 4560	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	kypkxfmpjmdfgee.exe
PID 3472 wrote to memory of 4560	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	kypkxfmpjmdfgee.exe
PID 3472 wrote to memory of 3988	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	klnvswir.exe
PID 3472 wrote to memory of 3988	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	klnvswir.exe
PID 3472 wrote to memory of 3988	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	klnvswir.exe
PID 3472 wrote to memory of 1644	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	dymgckyfjiefc.exe
PID 3472 wrote to memory of 1644	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	dymgckyfjiefc.exe
PID 3472 wrote to memory of 1644	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	dymgckyfjiefc.exe
PID 3472 wrote to memory of 3772	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	WINWORD.EXE
PID 3472 wrote to memory of 3772	3472	9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe
"C:\Users\Admin\AppData\Local\Temp\9897be71d0d6b67c8a592a4406938378045a05995b38ba2eba163dd669a331ed.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\xdvofevigj.exe
xdvofevigj.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2444

C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe
kypkxfmpjmdfgee.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4560

C:\Windows\SysWOW64\klnvswir.exe
klnvswir.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3988

C:\Windows\SysWOW64\dymgckyfjiefc.exe
dymgckyfjiefc.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
2⤵
PID:3772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dymgckyfjiefc.exe

Filesize
255KB

MD5
d6594ab6b7b81aa9a52d6e3cb7b01093

SHA1
caab19b90b085049e1ed817b755edd98c172b9d6

SHA256
de7e236bf0a39a74545de1c3fdc17c09a164963af7e8ccedf7cdbbb565ee9b6d

SHA512
88b366be51a6b6e6e5da20f550722941321b5ac5781b6d8df2fd5cee5e9255898cff2e89a17b912f1b40cd2592d34449e1f22471a6b2dbb897872dd2bdba52fb

Download Submit
C:\Windows\SysWOW64\dymgckyfjiefc.exe

Filesize
255KB

MD5
d6594ab6b7b81aa9a52d6e3cb7b01093

SHA1
caab19b90b085049e1ed817b755edd98c172b9d6

SHA256
de7e236bf0a39a74545de1c3fdc17c09a164963af7e8ccedf7cdbbb565ee9b6d

SHA512
88b366be51a6b6e6e5da20f550722941321b5ac5781b6d8df2fd5cee5e9255898cff2e89a17b912f1b40cd2592d34449e1f22471a6b2dbb897872dd2bdba52fb

Download Submit
C:\Windows\SysWOW64\klnvswir.exe

Filesize
255KB

MD5
b394ade6ff5eefc195889ef346173375

SHA1
1505a43e02b89b4a857f14747a82072866ffea32

SHA256
0a647f2c82819353547e1007b9cd96190698e43dda0cade60aff7a288fe84e02

SHA512
27d86bf4fedc723cca5c73ad04f7db1d1132bffcabccd47fd2d13c4a2cf87da56d17a7f47aaceea1aea90b0d45ad464b71b29f803bda98ec6f943ca5a4d0eca3

Download Submit
C:\Windows\SysWOW64\klnvswir.exe

Filesize
255KB

MD5
b394ade6ff5eefc195889ef346173375

SHA1
1505a43e02b89b4a857f14747a82072866ffea32

SHA256
0a647f2c82819353547e1007b9cd96190698e43dda0cade60aff7a288fe84e02

SHA512
27d86bf4fedc723cca5c73ad04f7db1d1132bffcabccd47fd2d13c4a2cf87da56d17a7f47aaceea1aea90b0d45ad464b71b29f803bda98ec6f943ca5a4d0eca3

Download Submit
C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe

Filesize
255KB

MD5
0a9da544faf7254b9220aecf1e5c0a47

SHA1
733485dcd8a1d995e83c3edf03a8c8733cd84d68

SHA256
946d710657ddade841655472a5426ba8893771e6d7f5ae4557e7b2fc04ded449

SHA512
e4229d18f17b23faf6560c67a3ea80ff919c2efa91b3a6fd1b35610a6df4cc73c1dee5f078eb404a463ba28ab146f830e76251c273973cff8d5fc4f59b5eb08e

Download Submit
C:\Windows\SysWOW64\kypkxfmpjmdfgee.exe

Filesize
255KB

MD5
0a9da544faf7254b9220aecf1e5c0a47

SHA1
733485dcd8a1d995e83c3edf03a8c8733cd84d68

SHA256
946d710657ddade841655472a5426ba8893771e6d7f5ae4557e7b2fc04ded449

SHA512
e4229d18f17b23faf6560c67a3ea80ff919c2efa91b3a6fd1b35610a6df4cc73c1dee5f078eb404a463ba28ab146f830e76251c273973cff8d5fc4f59b5eb08e

Download Submit
C:\Windows\SysWOW64\xdvofevigj.exe

Filesize
255KB

MD5
40e306881849a92c4f048fd66f9c882f

SHA1
96fc7fe70ccfb4e8acb284dea26005dc8623bbba

SHA256
1c3f79b646c33fb87f2da42991d92cdd05e5de4192cfec8481228f204236fae9

SHA512
340ac47fd13d926b71e5d5eb22605b1b63b9689906240fb6dcfe918f80980a4ec38ddc67cf8347748b40588e216717a072616534142a5381e00a5b942e67d0d0

Download Submit
C:\Windows\SysWOW64\xdvofevigj.exe

Filesize
255KB

MD5
40e306881849a92c4f048fd66f9c882f

SHA1
96fc7fe70ccfb4e8acb284dea26005dc8623bbba

SHA256
1c3f79b646c33fb87f2da42991d92cdd05e5de4192cfec8481228f204236fae9

SHA512
340ac47fd13d926b71e5d5eb22605b1b63b9689906240fb6dcfe918f80980a4ec38ddc67cf8347748b40588e216717a072616534142a5381e00a5b942e67d0d0

Download Submit
memory/1644-150-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1644-145-0x0000000000000000-mapping.dmp

Download
memory/1644-153-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2444-134-0x0000000000000000-mapping.dmp

Download
memory/2444-141-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2444-151-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3472-133-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3472-154-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3472-132-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/3772-148-0x0000000000000000-mapping.dmp

Download
memory/3988-140-0x0000000000000000-mapping.dmp

Download
memory/3988-149-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4560-152-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4560-137-0x0000000000000000-mapping.dmp

Download
memory/4560-142-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads