Analysis
max time kernel: 154s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/11/2022, 11:55
Behavioral task behavioral1
Sample: 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Resource: win7-20220901-en
Behavioral task behavioral2
Sample: 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Resource: win10v2004-20221111-en
General
Target: 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Size: 255KB
MD5: a27d02e5127a4a66fde6511641a6bac8
SHA1: 367825ffb5f069257237d3d145453a5d7265bd80
SHA256: 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c
SHA512: 491b954ec6c9d6f27c24a5ba9e44d04540c603740676d0184cf47dd40be49c76a0c434c4f3d00b3bcb0ee6d529d23440622a440ced95310ae34bca98842a3ef9
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ+:1xlZam+akqx6YQJXcNlEHUIQeE3mmBId
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ugolyuvovs.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ugolyuvovs.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ugolyuvovs.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ugolyuvovs.exe
Executes dropped EXE 5 IoCs
pid | Process
2000 | ugolyuvovs.exe
3364 | paqmklhlcroabvg.exe
3732 | ltnluzfu.exe
3388 | zfxesrftmaffh.exe
4668 | ltnluzfu.exe
UPX packed file 24 IoCs
resource | yara_rule
behavioral2/memory/4840-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4840-133-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000e000000022dd3-135.dat | upx
behavioral2/files/0x0007000000022dea-138.dat | upx
behavioral2/files/0x0007000000022dfa-141.dat | upx
behavioral2/files/0x0006000000022dfb-144.dat | upx
behavioral2/files/0x0007000000022dfa-142.dat | upx
behavioral2/files/0x0007000000022dea-139.dat | upx
behavioral2/files/0x000e000000022dd3-136.dat | upx
behavioral2/memory/2000-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3732-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3364-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022dfb-148.dat | upx
behavioral2/memory/3388-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022dfa-151.dat | upx
behavioral2/memory/4840-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4668-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2000-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3364-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3732-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3388-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022dfd-164.dat | upx
behavioral2/files/0x0008000000022dfe-165.dat | upx
behavioral2/files/0x0008000000022dfe-166.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ugolyuvovs.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zyiapmma = "paqmklhlcroabvg.exe" | paqmklhlcroabvg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zfxesrftmaffh.exe" | paqmklhlcroabvg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | paqmklhlcroabvg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cnkmtplt = "ugolyuvovs.exe" | paqmklhlcroabvg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | ltnluzfu.exe
File opened (read-only) | \??\x: | ltnluzfu.exe
File opened (read-only) | \??\f: | ltnluzfu.exe
File opened (read-only) | \??\t: | ltnluzfu.exe
File opened (read-only) | \??\n: | ugolyuvovs.exe
File opened (read-only) | \??\x: | ugolyuvovs.exe
File opened (read-only) | \??\a: | ltnluzfu.exe
File opened (read-only) | \??\g: | ltnluzfu.exe
File opened (read-only) | \??\k: | ltnluzfu.exe
File opened (read-only) | \??\a: | ugolyuvovs.exe
File opened (read-only) | \??\k: | ugolyuvovs.exe
File opened (read-only) | \??\k: | ltnluzfu.exe
File opened (read-only) | \??\n: | ltnluzfu.exe
File opened (read-only) | \??\r: | ltnluzfu.exe
File opened (read-only) | \??\j: | ugolyuvovs.exe
File opened (read-only) | \??\u: | ugolyuvovs.exe
File opened (read-only) | \??\z: | ugolyuvovs.exe
File opened (read-only) | \??\g: | ltnluzfu.exe
File opened (read-only) | \??\w: | ltnluzfu.exe
File opened (read-only) | \??\h: | ugolyuvovs.exe
File opened (read-only) | \??\t: | ugolyuvovs.exe
File opened (read-only) | \??\r: | ltnluzfu.exe
File opened (read-only) | \??\q: | ltnluzfu.exe
File opened (read-only) | \??\w: | ltnluzfu.exe
File opened (read-only) | \??\p: | ugolyuvovs.exe
File opened (read-only) | \??\i: | ltnluzfu.exe
File opened (read-only) | \??\q: | ltnluzfu.exe
File opened (read-only) | \??\x: | ltnluzfu.exe
File opened (read-only) | \??\o: | ltnluzfu.exe
File opened (read-only) | \??\q: | ugolyuvovs.exe
File opened (read-only) | \??\p: | ltnluzfu.exe
File opened (read-only) | \??\z: | ltnluzfu.exe
File opened (read-only) | \??\n: | ltnluzfu.exe
File opened (read-only) | \??\s: | ltnluzfu.exe
File opened (read-only) | \??\z: | ltnluzfu.exe
File opened (read-only) | \??\v: | ltnluzfu.exe
File opened (read-only) | \??\o: | ugolyuvovs.exe
File opened (read-only) | \??\a: | ltnluzfu.exe
File opened (read-only) | \??\u: | ltnluzfu.exe
File opened (read-only) | \??\e: | ugolyuvovs.exe
File opened (read-only) | \??\s: | ugolyuvovs.exe
File opened (read-only) | \??\f: | ltnluzfu.exe
File opened (read-only) | \??\y: | ltnluzfu.exe
File opened (read-only) | \??\r: | ugolyuvovs.exe
File opened (read-only) | \??\y: | ltnluzfu.exe
File opened (read-only) | \??\b: | ltnluzfu.exe
File opened (read-only) | \??\g: | ugolyuvovs.exe
File opened (read-only) | \??\h: | ltnluzfu.exe
File opened (read-only) | \??\j: | ltnluzfu.exe
File opened (read-only) | \??\m: | ltnluzfu.exe
File opened (read-only) | \??\o: | ltnluzfu.exe
File opened (read-only) | \??\v: | ltnluzfu.exe
File opened (read-only) | \??\i: | ltnluzfu.exe
File opened (read-only) | \??\s: | ltnluzfu.exe
File opened (read-only) | \??\i: | ugolyuvovs.exe
File opened (read-only) | \??\m: | ugolyuvovs.exe
File opened (read-only) | \??\t: | ltnluzfu.exe
File opened (read-only) | \??\b: | ltnluzfu.exe
File opened (read-only) | \??\l: | ltnluzfu.exe
File opened (read-only) | \??\u: | ltnluzfu.exe
File opened (read-only) | \??\j: | ltnluzfu.exe
File opened (read-only) | \??\m: | ltnluzfu.exe
File opened (read-only) | \??\p: | ltnluzfu.exe
File opened (read-only) | \??\b: | ugolyuvovs.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ugolyuvovs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ugolyuvovs.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4840-133-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2000-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3732-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3364-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3388-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4840-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4668-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2000-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3364-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3732-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3388-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ugolyuvovs.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File opened for modification | C:\Windows\SysWOW64\ugolyuvovs.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File created | C:\Windows\SysWOW64\paqmklhlcroabvg.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File created | C:\Windows\SysWOW64\ltnluzfu.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File opened for modification | C:\Windows\SysWOW64\ltnluzfu.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File created | C:\Windows\SysWOW64\zfxesrftmaffh.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File opened for modification | C:\Windows\SysWOW64\paqmklhlcroabvg.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File opened for modification | C:\Windows\SysWOW64\zfxesrftmaffh.exe | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ugolyuvovs.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltnluzfu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltnluzfu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltnluzfu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ltnluzfu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltnluzfu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltnluzfu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ltnluzfu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltnluzfu.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC7781590DAC5B9BB7CE9ED9334C8" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ugolyuvovs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ugolyuvovs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ugolyuvovs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ugolyuvovs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ugolyuvovs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ugolyuvovs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ugolyuvovs.exe
Key created | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000_Classes\Local Settings | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C7F9C2683536D3577D577202CAA7CF165DA" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02E47E039EE52CBB9A73293D4B8" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFFF84F28856D9042D65A7D93BC90E144594667416341D79C" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BC2FE6F21ACD10FD1D58A759011" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ugolyuvovs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ugolyuvovs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACCFE17F194837B3B3686EC39E4B08C038F43670338E1CC45E608D4" | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ugolyuvovs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ugolyuvovs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ugolyuvovs.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3060 | WINWORD.EXE
3060 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
2000 | ugolyuvovs.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3364 | paqmklhlcroabvg.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3732 | ltnluzfu.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
3388 | zfxesrftmaffh.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
4668 | ltnluzfu.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3060 | WINWORD.EXE
3060 | WINWORD.EXE
3060 | WINWORD.EXE
3060 | WINWORD.EXE
3060 | WINWORD.EXE
3060 | WINWORD.EXE
3060 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4840 wrote to memory of 2000 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 84
PID 4840 wrote to memory of 2000 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 84
PID 4840 wrote to memory of 2000 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 84
PID 4840 wrote to memory of 3364 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 85
PID 4840 wrote to memory of 3364 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 85
PID 4840 wrote to memory of 3364 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 85
PID 4840 wrote to memory of 3732 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 86
PID 4840 wrote to memory of 3732 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 86
PID 4840 wrote to memory of 3732 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 86
PID 4840 wrote to memory of 3388 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 87
PID 4840 wrote to memory of 3388 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 87
PID 4840 wrote to memory of 3388 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 87
PID 2000 wrote to memory of 4668 | 2000 | ugolyuvovs.exe | 88
PID 2000 wrote to memory of 4668 | 2000 | ugolyuvovs.exe | 88
PID 2000 wrote to memory of 4668 | 2000 | ugolyuvovs.exe | 88
PID 4840 wrote to memory of 3060 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 89
PID 4840 wrote to memory of 3060 | 4840 | 3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe | 89
Processes
C:\Users\Admin\AppData\Local\Temp\3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe
"C:\Users\Admin\AppData\Local\Temp\3c69c77b9857d74e42720a1f2907afcf18066c3a6e3a36f5d0c6258e36c7dd6c.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4840
    C:\Windows\SysWOW64\ugolyuvovs.exe
    ugolyuvovs.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2000
        C:\Windows\SysWOW64\ltnluzfu.exe
        C:\Windows\system32\ltnluzfu.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID:4668
    C:\Windows\SysWOW64\paqmklhlcroabvg.exe
    paqmklhlcroabvg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3364
    C:\Windows\SysWOW64\ltnluzfu.exe
    ltnluzfu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3732
    C:\Windows\SysWOW64\zfxesrftmaffh.exe
    zfxesrftmaffh.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3388
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3060
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Disabling Security Tools 2
Hidden Files and Directories 2
Modify Registry 6
Downloads