Analysis
max time kernel
158s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted
24/11/2022, 10:06
Behavioral task
behavioral1
Sample
7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Resource
win7-20221111-en
General
Target
7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Size
255KB
MD5
964a168c893fe207dec50a2da24452b2
SHA1
80eb130632534a88a5101a446b4d561a45387572
SHA256
7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10
SHA512
33afd96b603100dbe871b4950f7074647583652a64e890800056aa33b1c9620c3d8de18065fc4cf5591bddbe8a675046027760759baf73e63a622e45d446f85b
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ1:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIa
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | udlnmlvlfn.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | udlnmlvlfn.exe
Windows security bypass 2 TTPs 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | udlnmlvlfn.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | udlnmlvlfn.exe
Executes dropped EXE 5 IoCs
pid | Process
3776 | udlnmlvlfn.exe
3872 | mdqkoegyuxyywrq.exe
3668 | mcrhckzh.exe
3980 | rpowolkyqoegt.exe
664 | mcrhckzh.exe
UPX packed file 26 IoCs
resource | yara_rule
behavioral2/memory/1492-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e30-134.dat | upx
behavioral2/files/0x0006000000022e30-135.dat | upx
behavioral2/files/0x0006000000022e31-137.dat | upx
behavioral2/files/0x0006000000022e33-143.dat | upx
behavioral2/files/0x0006000000022e32-141.dat | upx
behavioral2/files/0x0006000000022e32-140.dat | upx
behavioral2/files/0x0006000000022e31-138.dat | upx
behavioral2/files/0x0006000000022e33-144.dat | upx
behavioral2/files/0x0006000000022e32-146.dat | upx
behavioral2/memory/3776-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3872-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3668-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3980-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/664-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1492-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3776-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3872-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3668-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3980-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/664-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e3a-165.dat | upx
behavioral2/files/0x000200000001e5aa-169.dat | upx
behavioral2/files/0x000200000001e6b9-170.dat | upx
behavioral2/files/0x000200000001e6b9-171.dat | upx
behavioral2/files/0x000200000001e6b9-172.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | udlnmlvlfn.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tbhtjnjn = "mdqkoegyuxyywrq.exe" | mdqkoegyuxyywrq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rpowolkyqoegt.exe" | mdqkoegyuxyywrq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mdqkoegyuxyywrq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mrmrolxp = "udlnmlvlfn.exe" | mdqkoegyuxyywrq.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only), 19 events | \??\o: \??\u: \??\k: \??\n: \??\v: \??\a: \??\j: \??\y: \??\z: \??\m: \??\t: \??\w: \??\x: \??\s: \??\l: \??\p: \??\b: \??\f: \??\e: | udlnmlvlfn.exe
File opened (read-only), 45 events (two instances, PIDs 3668 and 664, so letters repeat) | \??\s: \??\z: \??\x: \??\e: \??\f: \??\p: \??\i: \??\y: \??\z: \??\m: \??\o: \??\b: \??\i: \??\j: \??\l: \??\r: \??\t: \??\v: \??\y: \??\k: \??\f: \??\x: \??\a: \??\h: \??\j: \??\o: \??\s: \??\u: \??\g: \??\b: \??\p: \??\u: \??\k: \??\e: \??\h: \??\w: \??\w: \??\t: \??\q: \??\m: \??\n: \??\q: \??\g: \??\l: \??\v: | mcrhckzh.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | udlnmlvlfn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | udlnmlvlfn.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1492-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3776-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3872-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3668-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3980-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/664-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1492-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3776-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3872-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3668-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3980-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/664-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mdqkoegyuxyywrq.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\SysWOW64\mdqkoegyuxyywrq.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\SysWOW64\mcrhckzh.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File created | C:\Windows\SysWOW64\rpowolkyqoegt.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mcrhckzh.exe
File created | C:\Windows\SysWOW64\udlnmlvlfn.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\SysWOW64\udlnmlvlfn.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File created | C:\Windows\SysWOW64\mcrhckzh.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\SysWOW64\rpowolkyqoegt.exe | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | udlnmlvlfn.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mcrhckzh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mcrhckzh.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mcrhckzh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mcrhckzh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mcrhckzh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mcrhckzh.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mcrhckzh.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mcrhckzh.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FAB0FE17F192837F3B44869C3E98B38A03FC4261024BE2C9459B09D2" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FCFE482F826F9137D72B7DE5BCE4E633593167426342D690" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B7FE6922DAD27FD0A28B0E906A" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | udlnmlvlfn.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C7C9C2583516A3176DC77202CAB7DF164D7" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C6081593DBBFB8CE7C93ED9434C7" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | udlnmlvlfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B129449739EA53CDBAA0339FD7CE" | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | udlnmlvlfn.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | udlnmlvlfn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | udlnmlvlfn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | udlnmlvlfn.exe
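The registry signatures above (Explorer visibility, Windows security bypass/modification, Disables RegEdit, Adds Run key, Modifies WinLogon, and the .bat/.vbs/.reg/.wsf/.wsh/.wsc ProgIDs pointed at "txtfile" under Modifies registry class) are the rows a detection engineer would lift out of this report. The script below is an added example, not part of the sandbox output: it transcribes those IoCs, normalises paths so that the report's native-format hive names, the per-user SID, and the WOW6432Node redirection (present only because the sample is a 32-bit process on the x64 VM) do not matter, and matches them against a handful of constructed records shaped like Sysmon Event ID 13 SetValue fields. The SFCDisable data 4294967197 is 0xFFFFFF9D, the value historically used to switch off Windows File Protection; modern Windows does not honour it, but it is still a strong indicator. Event records, PIDs and the second SID are constructed for the example.

```python
"""Registry-write triage against the IoCs listed in this report.

Added example, not part of the sandbox report. Event records are constructed
in the shape of Sysmon Event ID 13 (RegistryEvent SetValue) fields; the IoC
list is transcribed from the signatures above. Nothing here touches a live
registry.
"""
import re
from typing import Dict, List, Tuple

_HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU",
          "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")


def normalize(path: str) -> str:
    """Canonical key path: short hive name, user SID replaced by <SID>, the
    WOW6432Node redirection stripped (the sample is 32-bit, so its HKLM
    writes land there on the x64 VM; a 64-bit build would hit the native
    key), and case folded so the report's mixed case does not matter."""
    p = path
    for native, short in _HIVES.items():
        if p.upper().startswith(native.upper()):
            p = short + p[len(native):]
            break
    p = _SID_RE.sub("<SID>", p)
    p = re.sub(r"\\WOW6432Node", "", p, flags=re.IGNORECASE)
    return p.lower()


def parse_details(details: str) -> str:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return them in the
    decimal form the report uses ('1', '4294967197') and strings unquoted."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)", details.strip())
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


# (value path, expected data, signature name) transcribed from this report.
_U = r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion"
_M = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
IOCS: List[Tuple[str, str, str]] = [
    (_U + r"\Explorer\Advanced\HideFileExt", "1", "Modifies visibility of file extensions in Explorer"),
    (_U + r"\Explorer\Advanced\ShowSuperHidden", "0", "Modifies visibility of hidden/system files in Explorer"),
    (_U + r"\Policies\System\DisableRegistryTools", "1", "Disables RegEdit via registry modification"),
    (_M + r"\Security Center\AntiVirusDisableNotify", "1", "Windows security bypass"),
    (_M + r"\Security Center\FirewallDisableNotify", "1", "Windows security bypass"),
    (_M + r"\Security Center\UpdatesDisableNotify", "1", "Windows security bypass"),
    (_M + r"\Security Center\AntiVirusOverride", "1", "Windows security bypass"),
    (_M + r"\Security Center\FirewallOverride", "1", "Windows security bypass"),
    (_M + r"\Security Center\FirstRunDisabled", "1", "Windows security modification"),
    (_M + r"\Windows NT\CurrentVersion\Winlogon\SFCScan", "0", "Modifies WinLogon"),
    (_M + r"\Windows NT\CurrentVersion\Winlogon\SFCDisable", "4294967197", "Modifies WinLogon"),
]
HIJACKED_EXTS = {".bat", ".vbs", ".reg", ".wsc", ".wsf", ".wsh"}
DROPPED = {"udlnmlvlfn.exe", "mdqkoegyuxyywrq.exe", "rpowolkyqoegt.exe", "mcrhckzh.exe"}
_INDEX: Dict[str, Tuple[str, str]] = {normalize(p): (d, s) for p, d, s in IOCS}


def classify(event: Dict[str, str]) -> List[str]:
    """Signature names a single SetValue event matches (empty list if none)."""
    target, data = normalize(event["TargetObject"]), parse_details(event["Details"])
    hits: List[str] = []
    if target in _INDEX and data == _INDEX[target][0]:
        hits.append(_INDEX[target][1])
    # HKLM\Software\Classes\<ext> default value -> "txtfile": the script
    # extension now opens in Notepad instead of executing (rows above).
    m = re.match(r"hklm\\software\\classes\\(\.[a-z]+)\\\(default\)$", target)
    if m and m.group(1) in HIJACKED_EXTS and data.lower() == "txtfile":
        hits.append("Modifies registry class (script extension -> txtfile)")
    if "\\microsoft\\windows\\currentversion\\run\\" in target and data.lower() in DROPPED:
        hits.append("Adds Run key to start application")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(writing image, signature) for every match across a batch of events."""
    return [(e["Image"], sig) for e in events for sig in classify(e)]


# Constructed events (not from the report): a different user SID than the VM's,
# Sysmon-style hive names, and one benign write that must NOT match.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\SysWOW64\udlnmlvlfn.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\SysWOW64\udlnmlvlfn.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable",
     "Details": "DWORD (0xFFFFFF9D)"},
    {"Image": r"C:\Windows\SysWOW64\udlnmlvlfn.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\SysWOW64\udlnmlvlfn.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\.bat\(Default)", "Details": "txtfile"},
    {"Image": r"C:\Windows\SysWOW64\mdqkoegyuxyywrq.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mrmrolxp",
     "Details": "udlnmlvlfn.exe"},
    {"Image": r"C:\Windows\explorer.exe",  # user turning extensions back on
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for image, sig in scan(SAMPLE_EVENTS):
        print(f"{sig:60s} <- {image}")
```

Matching on value data as well as path is what keeps the last constructed event quiet: a user re-enabling file extensions writes the same HideFileExt value the sample writes, only with data 0.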
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
3440 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 16
3776 | udlnmlvlfn.exe | 10
3872 | mdqkoegyuxyywrq.exe | 10
3668 | mcrhckzh.exe | 8
3980 | rpowolkyqoegt.exe | 12
664 | mcrhckzh.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events
1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 3
3776 | udlnmlvlfn.exe | 3
3668 | mcrhckzh.exe | 3
3872 | mdqkoegyuxyywrq.exe | 3
3980 | rpowolkyqoegt.exe | 3
664 | mcrhckzh.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events
1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 3
3776 | udlnmlvlfn.exe | 3
3668 | mcrhckzh.exe | 3
3872 | mdqkoegyuxyywrq.exe | 3
3980 | rpowolkyqoegt.exe | 3
664 | mcrhckzh.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | events
3440 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1492 wrote to memory of 3776 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 77
PID 1492 wrote to memory of 3776 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 77
PID 1492 wrote to memory of 3776 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 77
PID 1492 wrote to memory of 3872 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 78
PID 1492 wrote to memory of 3872 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 78
PID 1492 wrote to memory of 3872 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 78
PID 1492 wrote to memory of 3668 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 80
PID 1492 wrote to memory of 3668 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 80
PID 1492 wrote to memory of 3668 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 80
PID 1492 wrote to memory of 3980 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 79
PID 1492 wrote to memory of 3980 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 79
PID 1492 wrote to memory of 3980 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 79
PID 3776 wrote to memory of 664 | 3776 | udlnmlvlfn.exe | 81
PID 3776 wrote to memory of 664 | 3776 | udlnmlvlfn.exe | 81
PID 3776 wrote to memory of 664 | 3776 | udlnmlvlfn.exe | 81
PID 1492 wrote to memory of 3440 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 82
PID 1492 wrote to memory of 3440 | 1492 | 7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe | 82
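The WriteProcessMemory table is the raw material for the process tree that follows it: every parent/child pair appears as a few identical rows (three per spawn here, two for the WINWORD.EXE launch), each target is written to by exactly one process, and every target later shows up as a running dropped executable or Word, which is consistent with ordinary process creation being logged as parent-to-child memory writes rather than with injection into a pre-existing process. The script below is an added example, not part of the report: it parses rows in the flattened text form used on this page, counts repeats instead of duplicating edges, rebuilds the tree, and flags any target with more than one writer, which is the case that would deserve a closer look. PID-to-image mapping is transcribed from the page; the parser and the rendering are assumptions of this example.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.

Added example, not part of the report. ROWS reproduces the 17 rows of the
'Suspicious use of WriteProcessMemory' table (description, pid, Process,
procid_target) in the flattened text form the page uses; IMAGES maps each
PID to the image named for it elsewhere on the page.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE = "7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe"
# (parent pid, child pid, parent image, procid_target, times the row repeats)
_TABLE = [(1492, 3776, SAMPLE, 77, 3), (1492, 3872, SAMPLE, 78, 3),
          (1492, 3668, SAMPLE, 80, 3), (1492, 3980, SAMPLE, 79, 3),
          (3776, 664, "udlnmlvlfn.exe", 81, 3), (1492, 3440, SAMPLE, 82, 2)]
ROWS = [f"PID {p} wrote to memory of {c} {p} {img} {t}"
        for p, c, img, t, n in _TABLE for _ in range(n)]
IMAGES = {1492: SAMPLE, 3776: "udlnmlvlfn.exe", 3872: "mdqkoegyuxyywrq.exe",
          3668: "mcrhckzh.exe", 3980: "rpowolkyqoegt.exe", 664: "mcrhckzh.exe",
          3440: "WINWORD.EXE"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
Edge = Tuple[int, int]


def parse_rows(rows: List[str]) -> Dict[Edge, Tuple[str, int]]:
    """{(writer pid, target pid): (writer image, number of write rows)}.
    Repeated rows for one pair are counted rather than kept; a row whose two
    pid columns disagree is rejected rather than silently mis-attributed."""
    edges: Dict[Edge, Tuple[str, int]] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        pid, target, pid2, image, _procid = m.groups()
        if pid != pid2:
            raise ValueError(f"pid columns disagree: {row!r}")
        key = (int(pid), int(target))
        edges[key] = (image, edges.get(key, (image, 0))[1] + 1)
    return edges


def build_tree(edges: Dict[Edge, Tuple[str, int]]) -> Tuple[List[int], Dict[int, List[int]]]:
    """Roots (pids never written to) and parent -> children, in row order."""
    children: Dict[int, List[int]] = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {c for _, c in edges}
    roots = sorted({p for p, _ in edges} - targets)
    return roots, dict(children)


def render(roots: List[int], children: Dict[int, List[int]], images: Dict[int, str]) -> List[str]:
    """Indented one-line-per-process view, two spaces per level."""
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return out


def injection_candidates(edges: Dict[Edge, Tuple[str, int]]) -> List[Edge]:
    """Edges whose target is written to by more than one process. In this
    report every target has a single writer (its parent); a second writer
    would be the pattern to investigate as possible injection."""
    writers: Dict[int, Set[int]] = defaultdict(set)
    for p, c in edges:
        writers[c].add(p)
    return [(p, c) for p, c in edges if len(writers[c]) > 1]


if __name__ == "__main__":
    e = parse_rows(ROWS)
    print("\n".join(render(*build_tree(e), IMAGES)))
```

The rendering reproduces the Processes section below from the table alone; on a report where the tree view is missing or truncated, this is how to recover it.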
Processes
C:\Users\Admin\AppData\Local\Temp\7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe (level 1)
  cmd: "C:\Users\Admin\AppData\Local\Temp\7736f41492f050d6b78b6df77e19afd563ec540bac58a8f3e653381797c01e10.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1492
  C:\Windows\SysWOW64\udlnmlvlfn.exe (level 2)
    cmd: udlnmlvlfn.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3776
    C:\Windows\SysWOW64\mcrhckzh.exe (level 3)
      cmd: C:\Windows\system32\mcrhckzh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:664
  C:\Windows\SysWOW64\mdqkoegyuxyywrq.exe (level 2)
    cmd: mdqkoegyuxyywrq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3872
  C:\Windows\SysWOW64\rpowolkyqoegt.exe (level 2)
    cmd: rpowolkyqoegt.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3980
  C:\Windows\SysWOW64\mcrhckzh.exe (level 2)
    cmd: mcrhckzh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3668
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
    cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3440
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Filesize 255KB
MD5 cb729fc8e83ab5485710535a74030f66
SHA1 b0e461eeb86b85a89c9fa28464a2724d97879be4
SHA256 06a532741b9fb090cd7984970657850c35371a944f4ccb31a7cdd5b7060d1487
SHA512 4af33f14d36c433560d1bb49a03b573bb8ea380a8130bd19029b40472c0eef166ba65202c91d1a73c1a9110563646f79c7dba3d55965ce25f79ae8ec44cc82f8

Filesize 255KB
MD5 69c6f771c7fa4a189daac946d6d11d0d
SHA1 0b91278aa8d8127e17a4d813ce63ac4f2c395c21
SHA256 2a7efad8dd8e754a733b8d5d4f7ab874de7c097f1dffef65791430b119145d99
SHA512 051d26b881d1a841e974b95648cbbe0ad62de34223e9cbf57b78149a97a33c686637762f458b802f720ac71beb51de02fe0c54403de3cedb6397b0cfc694987f

Filesize 255KB
MD5 3e16efbf50f16c46123c647ec201a3b6
SHA1 7ddb39e4fef4987bb7768f7a0e974dc9608a6315
SHA256 25cb594d69884c2aae31859159beed690d5542d6b963b5172169256b76ccff86
SHA512 486d417b4521f74b279ad88bf5cc9bb751880e3ff79e20855b424f807c7c98e6a23ada24dcd0e294fc26ee1dd02f455f829a419a884d3aaedf64a62e996b23a1

Filesize 255KB
MD5 3e16efbf50f16c46123c647ec201a3b6
SHA1 7ddb39e4fef4987bb7768f7a0e974dc9608a6315
SHA256 25cb594d69884c2aae31859159beed690d5542d6b963b5172169256b76ccff86
SHA512 486d417b4521f74b279ad88bf5cc9bb751880e3ff79e20855b424f807c7c98e6a23ada24dcd0e294fc26ee1dd02f455f829a419a884d3aaedf64a62e996b23a1

Filesize 255KB
MD5 3e16efbf50f16c46123c647ec201a3b6
SHA1 7ddb39e4fef4987bb7768f7a0e974dc9608a6315
SHA256 25cb594d69884c2aae31859159beed690d5542d6b963b5172169256b76ccff86
SHA512 486d417b4521f74b279ad88bf5cc9bb751880e3ff79e20855b424f807c7c98e6a23ada24dcd0e294fc26ee1dd02f455f829a419a884d3aaedf64a62e996b23a1

Filesize 255KB
MD5 e77259a469a31147a6412c4613a1b81d
SHA1 dc5bcea092b3684c9069496c279ad113b64f5896
SHA256 332b74a17cf71a95b552f927380c862dbb975d50744fccd260eb1540a1db7e5d
SHA512 5f258f383b20dd234170dc209e92f7542d9430ef290b331b706e8fe0cdf20af946a45989517e6ba8dd5a539042e9a5befa09e0ff34cb937343356f5d3c96ac12

Filesize 255KB
MD5 e77259a469a31147a6412c4613a1b81d
SHA1 dc5bcea092b3684c9069496c279ad113b64f5896
SHA256 332b74a17cf71a95b552f927380c862dbb975d50744fccd260eb1540a1db7e5d
SHA512 5f258f383b20dd234170dc209e92f7542d9430ef290b331b706e8fe0cdf20af946a45989517e6ba8dd5a539042e9a5befa09e0ff34cb937343356f5d3c96ac12

Filesize 255KB
MD5 1a6b4005c9448932d3ec0c942fae6a5b
SHA1 3369475c7f5b58f1800bba1b6cde08fc11e532e7
SHA256 3ae0cc3f337759fff4a05aeb16d60c4737012ca3b1506909974a9ce625ae007a
SHA512 5887a1d498f2ef79ede0da58eb53e313c069acfb9f0b9180c01de7320e49a26bd6ba4b2d4b4b1e6cbb44ac5031d26b3b0063c119121763bd350bb24172169e74

Filesize 255KB
MD5 1a6b4005c9448932d3ec0c942fae6a5b
SHA1 3369475c7f5b58f1800bba1b6cde08fc11e532e7
SHA256 3ae0cc3f337759fff4a05aeb16d60c4737012ca3b1506909974a9ce625ae007a
SHA512 5887a1d498f2ef79ede0da58eb53e313c069acfb9f0b9180c01de7320e49a26bd6ba4b2d4b4b1e6cbb44ac5031d26b3b0063c119121763bd350bb24172169e74

Filesize 255KB
MD5 861e95852fbf87026b3ed1bf44fce0e3
SHA1 16fec2c732c829e027108cd796a05a610a7fe554
SHA256 401d55443f82c771deca3a89b8d026624728b23066c402f0d7367a3c173da132
SHA512 5ea2c01d14e5efcd8fb80e14e23aade8f6af924ce0589732aab08fe0e174ce20736c7651639b5f711b90371cd47d7985e0f713cc52b36c5d48b97d9be7779326

Filesize 255KB
MD5 861e95852fbf87026b3ed1bf44fce0e3
SHA1 16fec2c732c829e027108cd796a05a610a7fe554
SHA256 401d55443f82c771deca3a89b8d026624728b23066c402f0d7367a3c173da132
SHA512 5ea2c01d14e5efcd8fb80e14e23aade8f6af924ce0589732aab08fe0e174ce20736c7651639b5f711b90371cd47d7985e0f713cc52b36c5d48b97d9be7779326

Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize 255KB
MD5 2fe7835251086b9022b35e0c677281bf
SHA1 8659da377b0f027bbf036f7493293b27f5ede079
SHA256 3e73bc01ce23fe6a17da2ec17ecb8c23f858755d4b8cd93e8c06ebdf4e4cd13f
SHA512 29d26bcb2af72c46f9e559aed17d89796c04194884a3ea836b98b468efe29083919c727a7d61dc9cb7ac87e67d32eec8f1500f53178888bbb60c5fd12a8a929b

Filesize 255KB
MD5 81cf22f71d1b7831db19a17894c00c93
SHA1 a73d21a44b8899bdbdb26a23573b03de5300683a
SHA256 5abf6eb6792812b6352dd78a6e6a35850301cbc0c640aac56732170fdc6737df
SHA512 28025d36f5a85856ab86543859d69de649536a1cbe4926ba1b3a93e8c2f696f7c61da9198770cff64e187289c8086af45da69cc463dd71802b93868ace2eadc2

Filesize 255KB
MD5 81cf22f71d1b7831db19a17894c00c93
SHA1 a73d21a44b8899bdbdb26a23573b03de5300683a
SHA256 5abf6eb6792812b6352dd78a6e6a35850301cbc0c640aac56732170fdc6737df
SHA512 28025d36f5a85856ab86543859d69de649536a1cbe4926ba1b3a93e8c2f696f7c61da9198770cff64e187289c8086af45da69cc463dd71802b93868ace2eadc2