Analysis
max time kernel: 154s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 12:44
Behavioral task: behavioral1
Sample: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Resource: win7-20221111-en
General
Target: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Size: 255KB
MD5: 1d310fa4b8a7b86b36b057e1b72b2348
SHA1: 2ba03be83efc5626d21aeff9ae163337dc298506
SHA256: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78
SHA512: 3b616e2fc578f198e580187146d9675e66c4fdb399ccd01fcead42866084828d690d8bc235479d5019fdff1d921ce2c5bd5a80d42f5289280f44380e8ea5475b
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ2:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIp
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jmjipnuizl.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jmjipnuizl.exe
Windows security bypass (5 IoCs; signature title taken from the process tree below, where it is listed for jmjipnuizl.exe in this position)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jmjipnuizl.exe
Disables RegEdit via registry modification (1 IoC)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jmjipnuizl.exe
Executes dropped EXE (5 IoCs)
Processes: jmjipnuizl.exe, rlhwiztpqvyjrew.exe, topxayca.exe, pjqdlzrejpnss.exe, topxayca.exe
pid | process
3452 | jmjipnuizl.exe
4584 | rlhwiztpqvyjrew.exe
4220 | topxayca.exe
452 | pjqdlzrejpnss.exe
1604 | topxayca.exe
UPX yara rule matches (23 resources)
resource | yara_rule
behavioral2/memory/2204-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\jmjipnuizl.exe | upx
C:\Windows\SysWOW64\jmjipnuizl.exe | upx
C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe | upx
C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe | upx
C:\Windows\SysWOW64\topxayca.exe | upx
C:\Windows\SysWOW64\topxayca.exe | upx
C:\Windows\SysWOW64\pjqdlzrejpnss.exe | upx
C:\Windows\SysWOW64\pjqdlzrejpnss.exe | upx
behavioral2/memory/3452-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4584-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4220-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/452-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Windows\SysWOW64\topxayca.exe | upx
behavioral2/memory/1604-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2204-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3452-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4584-160-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4220-161-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/452-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | upx
behavioral2/memory/1604-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Users\Admin\Music\PopClose.doc.exe | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs; signature title taken from the process tree below, where it is listed for jmjipnuizl.exe in this position)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jmjipnuizl.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: rlhwiztpqvyjrew.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kulwanpo = "jmjipnuizl.exe" | rlhwiztpqvyjrew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\appiosbd = "rlhwiztpqvyjrew.exe" | rlhwiztpqvyjrew.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pjqdlzrejpnss.exe" | rlhwiztpqvyjrew.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | rlhwiztpqvyjrew.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: jmjipnuizl.exe, topxayca.exe, topxayca.exe
All 64 IoCs are "File opened (read-only)" on a drive root; they are grouped by process below, each in order of appearance in the report.
jmjipnuizl.exe (21 IoCs): \??\l:, \??\m:, \??\t:, \??\u:, \??\b:, \??\i:, \??\x:, \??\j:, \??\q:, \??\s:, \??\w:, \??\o:, \??\y:, \??\e:, \??\a:, \??\k:, \??\n:, \??\p:, \??\f:, \??\r:, \??\z:
topxayca.exe, both instances combined (43 IoCs): \??\x:, \??\y:, \??\h:, \??\r:, \??\q:, \??\f:, \??\j:, \??\u:, \??\f:, \??\u:, \??\k:, \??\i:, \??\n:, \??\o:, \??\n:, \??\b:, \??\e:, \??\z:, \??\g:, \??\a:, \??\h:, \??\s:, \??\w:, \??\b:, \??\m:, \??\o:, \??\t:, \??\j:, \??\t:, \??\g:, \??\i:, \??\p:, \??\a:, \??\m:, \??\w:, \??\z:, \??\l:, \??\q:, \??\x:, \??\e:, \??\k:, \??\p:, \??\r:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: jmjipnuizl.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jmjipnuizl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jmjipnuizl.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3452-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4584-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4220-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/452-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1604-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2204-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3452-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4584-160-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4220-161-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/452-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1604-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\jmjipnuizl.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File created | C:\Windows\SysWOW64\pjqdlzrejpnss.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File opened for modification | C:\Windows\SysWOW64\pjqdlzrejpnss.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jmjipnuizl.exe
File created | C:\Windows\SysWOW64\jmjipnuizl.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File created | C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File opened for modification | C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File created | C:\Windows\SysWOW64\topxayca.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File opened for modification | C:\Windows\SysWOW64\topxayca.exe | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Drops file in Program Files directory (14 IoCs)
Processes: topxayca.exe, topxayca.exe
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | topxayca.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | topxayca.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | topxayca.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | topxayca.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | topxayca.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | topxayca.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | topxayca.exe
Drops file in Windows directory (3 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B0FE6822DFD208D0A08B799165" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | jmjipnuizl.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jmjipnuizl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | jmjipnuizl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | jmjipnuizl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFAB8F965F2E783793A4B819F3E91B38E038B42610333E2CC429E09D4" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8D4F58856E9134D62D7E97BD93E141584767326246D6EE" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C70E14E2DAB2B8CB7FE7EDE734CD" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jmjipnuizl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jmjipnuizl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | jmjipnuizl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C0C9C2383566D4576A577232CD77C8464AC" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B15A44EE38EA53CFB9A232EFD7BC" | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
pid | process
2272 | WINWORD.EXE (2 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe, rlhwiztpqvyjrew.exe, topxayca.exe, pjqdlzrejpnss.exe
pid | process | consecutive IoCs, in report order (64 in total)
2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | 14
3452 | jmjipnuizl.exe | 10
2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | 2
4584 | rlhwiztpqvyjrew.exe | 10
4220 | topxayca.exe | 8
452 | pjqdlzrejpnss.exe | 12
4584 | rlhwiztpqvyjrew.exe | 2
452 | pjqdlzrejpnss.exe | 4
4584 | rlhwiztpqvyjrew.exe | 2
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe, rlhwiztpqvyjrew.exe, topxayca.exe, pjqdlzrejpnss.exe, topxayca.exe
pid | process | IoCs
2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | 3
3452 | jmjipnuizl.exe | 3
4584 | rlhwiztpqvyjrew.exe | 3
4220 | topxayca.exe | 3
452 | pjqdlzrejpnss.exe | 3
1604 | topxayca.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe, rlhwiztpqvyjrew.exe, topxayca.exe, pjqdlzrejpnss.exe, topxayca.exe
pid | process | IoCs
2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | 3
3452 | jmjipnuizl.exe | 3
4584 | rlhwiztpqvyjrew.exe | 3
4220 | topxayca.exe | 3
452 | pjqdlzrejpnss.exe | 3
1604 | topxayca.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
pid | process | IoCs
2272 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe, jmjipnuizl.exe
description | pid | process | target process | IoCs
PID 2204 wrote to memory of 3452 | 2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | jmjipnuizl.exe | 3
PID 2204 wrote to memory of 4584 | 2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | rlhwiztpqvyjrew.exe | 3
PID 2204 wrote to memory of 4220 | 2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | topxayca.exe | 3
PID 2204 wrote to memory of 452 | 2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | pjqdlzrejpnss.exe | 3
PID 3452 wrote to memory of 1604 | 3452 | jmjipnuizl.exe | topxayca.exe | 3
PID 2204 wrote to memory of 2272 | 2204 | f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe | WINWORD.EXE | 2
Processes (tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe (PID 2204, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\f9f66daa84d33386130dd163d8040c77f884dd5c1f55fe02d0b429684ecd7f78.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\jmjipnuizl.exe (PID 3452, depth 2)
      command line: jmjipnuizl.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\topxayca.exe (PID 1604, depth 3)
          command line: C:\Windows\system32\topxayca.exe
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe (PID 4584, depth 2)
      command line: rlhwiztpqvyjrew.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\topxayca.exe (PID 4220, depth 2)
      command line: topxayca.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\pjqdlzrejpnss.exe (PID 452, depth 2)
      command line: pjqdlzrejpnss.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2272, depth 2)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 255KB
  MD5: fe140a7585dce8a5e406241810b65b3c
  SHA1: de68a924a9c8e604cfd39c13e0a23a40112d9986
  SHA256: 51a0ca4483635de3b67c914971dfdb6423a3e4c260178a0877d927147613cce2
  SHA512: 45d1921142ba37454c88c340d0ab37745a06b07b3709f855e67ec5303a39641d6cc4cbbacceff3fb89b91180ada4913b4aab197019a93ed81708a7da25973e77
C:\Users\Admin\Music\PopClose.doc.exe
  Filesize: 255KB
  MD5: 4e3c5f05689ffc29fe40fda51e6fe9da
  SHA1: 38504edaa9d1cf5f4863f7aeb6695c1e24316acf
  SHA256: cde4897a9af11f651b99ddba3ed173f9ef4404bc104a68ada2d1d05e10da9822
  SHA512: 742e01fc4b9db3d976d35782a94ca4e56a023db36296e2a4bab5578dfe9e57f99717dc22c40ece9b08b7f102fde8acf6c7ea49ce757658b437ca0c2af158da37
C:\Windows\SysWOW64\jmjipnuizl.exe (listed twice in the report with identical hashes)
  Filesize: 255KB
  MD5: 7ba4f1f99387477e7ba80e445c88f04b
  SHA1: c1e03a8a8f9378de3ca2c1e121a6b119ac3ab648
  SHA256: 6fe1b9e6818219f70b7977ea53e2638eef64258d60cf42425f200b3a210e7a2d
  SHA512: f6bfb56319bba6c0101054acde27f90ade8332df6b82b0879c2eb3b36540f803531ccae9ea971712ebabee390c1f672ae4b418ee354a79e9ae09daf9c4d764e2
C:\Windows\SysWOW64\pjqdlzrejpnss.exe (listed twice in the report with identical hashes)
  Filesize: 255KB
  MD5: 26429596f913221cd3c08aad8e56bae6
  SHA1: ebb2eb3e56de523903efe2dc0e2bbf5b8a69cac0
  SHA256: 1e69af69a65e5808a88c42d9be70e332552b981a819fac4580f4ee99c8dec9de
  SHA512: 772778a18623e7d76adbc6c4d86118745ba3aa8545bd60b7df7cf032d9fbbd542d551446162983ed7f21493803aaddc955c07cb7b402af147c2349f536ddd53d
C:\Windows\SysWOW64\rlhwiztpqvyjrew.exe (listed twice in the report with identical hashes)
  Filesize: 255KB
  MD5: 34d97f614cd8e580b4b8a0828af55fe2
  SHA1: b5c03ea835225384477e917a7e388d1e6a23ef92
  SHA256: 8488100c870a14fdb787f586ef442e4360dc9097c233bda07c4c2c9bd6cf3b15
  SHA512: b420859e348f2f682248d4080b2f6873db48c8622d4526bf921eb27b4929972f8a601081ea0644967009baf15eb963f0903c22cd43a1f28a9c8a66d237ba1f7e
C:\Windows\SysWOW64\topxayca.exe (listed three times in the report with identical hashes)
  Filesize: 255KB
  MD5: 74758c751f1f5d023ef62fc6c3fdeada
  SHA1: 2ca82c8931ec2c50db8b75bc24038d21ef10bd96
  SHA256: 214654094c1d93f20c68971140bc7a178319c35c0f66d3e9d84263408e97ca21
  SHA512: dafc3eb9edad3cd4bcf9a7b5819567baf3780bc70978535282d05011726582ff9af8578c580cb8621ed13e9105755bae9259b44bf0f513d2e205a7003acf9fe6
C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
Memory dumps (resource | Filesize)
memory/452-162-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/452-148-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/452-142-0x0000000000000000-mapping.dmp | (no size reported)
memory/1604-164-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/1604-149-0x0000000000000000-mapping.dmp | (no size reported)
memory/1604-151-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/2204-153-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/2204-132-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/2272-166-0x00007FF83A260000-0x00007FF83A270000-memory.dmp | 64KB
memory/2272-165-0x00007FF83A260000-0x00007FF83A270000-memory.dmp | 64KB
memory/2272-154-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-155-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-156-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-157-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-158-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-173-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-172-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-171-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-170-0x00007FF83C790000-0x00007FF83C7A0000-memory.dmp | 64KB
memory/2272-152-0x0000000000000000-mapping.dmp | (no size reported)
memory/3452-133-0x0000000000000000-mapping.dmp | (no size reported)
memory/3452-145-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/3452-159-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/4220-139-0x0000000000000000-mapping.dmp | (no size reported)
memory/4220-147-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/4220-161-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/4584-146-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB
memory/4584-136-0x0000000000000000-mapping.dmp | (no size reported)
memory/4584-160-0x0000000000400000-0x00000000004A0000-memory.dmp | 640KB