Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 22:44
Behavioral task: behavioral1
- Sample: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
- Resource: win7-20220812-en
General
- Target: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
- Size: 255KB
- MD5: ea63f6e9fe4e4d4ee9d2bdc72034443d
- SHA1: 57056e636450ead2c8aa711678a264d4894aeb2f
- SHA256: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7
- SHA512: 3294facc56e8936dcc2ffba4605088f553bca1531f64a15f7a1ea2247a01959a0f2222bb006836048bfdc55f614b5d7a47081bb08fe43148354155223e7d155f
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJT:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yrnbrcqtjz.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" yrnbrcqtjz.exe

Windows security bypass (5 IoCs)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yrnbrcqtjz.exe
All five values landed under WOW6432Node: yrnbrcqtjz.exe is a 32-bit process running from SysWOW64, so its HKLM\SOFTWARE writes are subject to registry redirection.

Disables RegEdit via registry modification (1 IoC)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yrnbrcqtjz.exe
Executes dropped EXE (5 IoCs)
  PID 2008 yrnbrcqtjz.exe
  PID 3468 wxxxpmeymwdmfcw.exe
  PID 4580 totpcgxh.exe
  PID 864 vljjcakagpngu.exe
  PID 1028 totpcgxh.exe
UPX packed file (yara rule upx, 23 IoCs)
Files:
  C:\Windows\SysWOW64\yrnbrcqtjz.exe (2 matches)
  C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exe (2 matches)
  C:\Windows\SysWOW64\totpcgxh.exe (3 matches)
  C:\Windows\SysWOW64\vljjcakagpngu.exe (2 matches)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Memory (the 0x0000000000400000-0x00000000004A0000 image region of each process, two dumps per PID):
  behavioral2/memory/4076-132 and 4076-151 (0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe)
  behavioral2/memory/2008-142 and 2008-165 (yrnbrcqtjz.exe)
  behavioral2/memory/3468-144 and 3468-164 (wxxxpmeymwdmfcw.exe)
  behavioral2/memory/4580-147 and 4580-166 (totpcgxh.exe)
  behavioral2/memory/864-152 and 864-167 (vljjcakagpngu.exe)
  behavioral2/memory/1028-153 and 1028-168 (totpcgxh.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Process: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoCs are attached to this signature in the report.

Windows security modification (6 IoCs)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" yrnbrcqtjz.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Process: wxxxpmeymwdmfcw.exe
  Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run wxxxpmeymwdmfcw.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\igvflcuf = "wxxxpmeymwdmfcw.exe" wxxxpmeymwdmfcw.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzvtlzjn = "yrnbrcqtjz.exe" wxxxpmeymwdmfcw.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vljjcakagpngu.exe" wxxxpmeymwdmfcw.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: totpcgxh.exe (both instances), yrnbrcqtjz.exe
  totpcgxh.exe: File opened (read-only) \??\a: through \??\z:, every letter except c: and d:, 44 opens in total (each letter once or twice across the two instances)
  yrnbrcqtjz.exe: File opened (read-only) \??\a: \??\b: \??\e: \??\f: \??\g: \??\i: \??\j: \??\k: \??\l: \??\m: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: (20 opens)
Modifies WinLogon (2 TTPs, 2 IoCs)
Process: yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" yrnbrcqtjz.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yrnbrcqtjz.exe
The decimal 4294967197 is the DWORD 0xFFFFFF9D, the value historically used to switch off Windows File Protection on Windows 2000/XP. WFP was replaced by Windows Resource Protection in Vista, so the value is inert on this Windows 10 target, and the write landed under WOW6432Node in any case.
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
yara rule autoit_exe matched the 0x0000000000400000-0x00000000004A0000 image region in:
  behavioral2/memory/4076-151 (0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe)
  behavioral2/memory/2008-142 and 2008-165 (yrnbrcqtjz.exe)
  behavioral2/memory/3468-144 and 3468-164 (wxxxpmeymwdmfcw.exe)
  behavioral2/memory/4580-147 and 4580-166 (totpcgxh.exe)
  behavioral2/memory/864-152 and 864-167 (vljjcakagpngu.exe)
  behavioral2/memory/1028-153 and 1028-168 (totpcgxh.exe)
Drops file in System32 directory (9 IoCs)
Process: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  File created C:\Windows\SysWOW64\yrnbrcqtjz.exe
  File opened for modification C:\Windows\SysWOW64\yrnbrcqtjz.exe
  File created C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exe
  File opened for modification C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exe
  File created C:\Windows\SysWOW64\totpcgxh.exe
  File opened for modification C:\Windows\SysWOW64\totpcgxh.exe
  File created C:\Windows\SysWOW64\vljjcakagpngu.exe
  File opened for modification C:\Windows\SysWOW64\vljjcakagpngu.exe
Process: yrnbrcqtjz.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory (15 IoCs)
Processes: totpcgxh.exe (PIDs 4580 and 1028; the report does not attribute individual events to a PID)
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 events)
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (1 event)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (4 events, two via the \??\c: form)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (4 events, two via the \??\c: form)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 events)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 events)
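The PROTTPLN.DOC.exe and PROTTPLV.DOC.exe drops above, combined with the HideFileExt = 1 write earlier in the report, mean Explorer shows a user "PROTTPLN.DOC" for what is a UPX-packed executable. The script below is an added example for this report (not sandbox output) of hunting for both indicators on a host: a document extension immediately followed by an executable one, and UPX's leftover UPX0/UPX1 section names or "UPX!" header magic, read straight from the PE headers. The DOC_EXTS and EXE_EXTS sets are this example's own assumptions, and build_pe() is a constructed header-only PE so the scanner can be exercised offline.

```python
"""Hunt for the two file-level indicators in this report: document names with an
appended executable extension (PROTTPLN.DOC.exe) and UPX-packed PE files.
Added example, not sandbox output. The extension sets are assumptions; build_pe()
exists only to give the scanner a constructed PE to parse offline."""
import os
import struct
from pathlib import PureWindowsPath

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}


def is_double_extension(path: str) -> bool:
    """True for names like PROTTPLN.DOC.exe: a document extension directly followed by an executable one."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXE_EXTS and suffixes[-2] in DOC_EXTS


def pe_section_names(data: bytes) -> list[str]:
    """Section names from the COFF section table; ValueError if the bytes are not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER (40 bytes each)
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Stock UPX leaves UPX0/UPX1 section names and a 'UPX!' header magic; either is enough to flag."""
    try:
        names = pe_section_names(data)
    except (ValueError, struct.error):
        return False
    return any(n.upper().startswith("UPX") for n in names) or b"UPX!" in data


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return (path, reason) hits; files that are not PEs are skipped quietly."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if is_double_extension(p):
                hits.append((p, "document name with executable extension"))
            try:
                with open(p, "rb") as fh:
                    head = fh.read(4096)   # DOS/PE headers and the section table sit in the first pages
            except OSError:
                continue
            if looks_upx_packed(head):
                hits.append((p, "UPX packed"))
    return hits


def build_pe(section_names: list[str]) -> bytes:
    """Constructed header-only PE32 with the given section names (for offline testing; not runnable)."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew: PE signature at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, remaining fields zeroed
    secs = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    # Constructed paths mirroring the report's drops; on a host call scan_tree(r"C:\Program Files\Microsoft Office").
    for p in (r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
              r"C:\Windows\SysWOW64\totpcgxh.exe", r"C:\Windows\mydoc.rtf"):
        print(p, "->", "double extension" if is_double_extension(p) else "ok")
    packed = build_pe(["UPX0", "UPX1", ".rsrc"])
    print(pe_section_names(packed), looks_upx_packed(packed))
```

scan_tree() reads only the first 4KB of each file, which covers the DOS header, PE header and section table. A packer that renames its sections defeats the name check, which is why the "UPX!" magic is checked as well and why the yara match on the memory dumps in this report remains the more robust signal than anything read from disk.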
Drops file in Windows directory (3 IoCs)
Process: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  File opened for modification C:\Windows\mydoc.rtf
Process: WINWORD.EXE
  File opened for modification C:\Windows\mydoc.rtf
  File created C:\Windows\~$mydoc.rtf
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour; treat that as a heuristic rather than a verdict here, since no IoCs are attached to this signature and the file writes recorded in the report are the SysWOW64 copies, the Office .DOC.exe and .nal files, and C:\Windows\mydoc.rtf.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. The process here is WINWORD.EXE, launched by the sample to open C:\Windows\mydoc.rtf, so these reads are Word's own start-up behaviour rather than evidence of sandbox detection in the sample.
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Same caveat: the reading process is WINWORD.EXE, not one of the dropped executables.
Process: WINWORD.EXE
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class (20 IoCs)
Process: yrnbrcqtjz.exe (12 IoCs: six script extensions re-pointed at the txtfile ProgID, so .bat, .reg, .vbs, .wsf, .wsh and .wsc files open in the text editor instead of executing)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" yrnbrcqtjz.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" yrnbrcqtjz.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" yrnbrcqtjz.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" yrnbrcqtjz.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" yrnbrcqtjz.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs yrnbrcqtjz.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yrnbrcqtjz.exe
Process: 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe (8 IoCs: a CLV.Classes key holding hex-character strings, not decoded in this report)
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168C6FF1D22DCD27CD1A48A089164" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C60F14E4DAC4B8C87CE7ECE234CF" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D7A9C2783226D3E76D377272DDA7D8465AA" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9BCFE65F29184093B35869E3E98B0F903884313034FE1C8429C09D4" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B15A449538E253CDBAD5339DD7CE" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8B482A851B9142D75F7DE5BD97E135584767326342D691" 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
  Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe
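The registry writes listed under the Explorer, Security Center, RegEdit, Run key, Winlogon and registry class signatures all arrive in the same `Set value (type) <path> = "<data>" <process>` form. As an added example for this report (not part of the sandbox output), the script below parses those lines, normalises the \REGISTRY\MACHINE and \REGISTRY\USER prefixes to HKLM and HKU, flags the known-bad settings by the ATT&CK names this report uses, and emits `reg` commands that undo them. The input lines are copied verbatim from the report; the policy table, the restore values and the DEFAULT_PROGID map are this example's own assumptions.

```python
"""Parse the registry IoC lines of this report into findings and `reg` fixes.
Added example for this report, not sandbox output: input lines are copied verbatim from the
report; the policy table, restore values and DEFAULT_PROGID map are this example's assumptions."""
import re
from collections import namedtuple
from typing import Optional

# Constructed input: IoC lines copied verbatim from the report's signatures.
IOC_LINES = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" yrnbrcqtjz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" yrnbrcqtjz.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yrnbrcqtjz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzvtlzjn = "yrnbrcqtjz.exe" wxxxpmeymwdmfcw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vljjcakagpngu.exe" wxxxpmeymwdmfcw.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" yrnbrcqtjz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" yrnbrcqtjz.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg yrnbrcqtjz.exe
"""

# <op> <path>[ = "<data>"] <process>; the process name is the last token without spaces.
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*?)")? (?P<proc>\S+)$'
)
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
# key: normalised key path; name: value name ("" is the (Default) value, None for key-only ops)
Record = namedtuple("Record", "op key name data proc")


def parse_lines(text: str) -> list:
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m["path"]
        for raw, short in HIVES.items():
            if path.upper().startswith(raw):
                path = short + path[len(raw):]
        if m["op"].startswith("Set value") or m["op"] == "Key value queried":
            key, _, name = path.rpartition("\\")  # last component is the value name
        else:
            key, name = path, None
        records.append(Record(m["op"], key, name, m["data"], m["proc"]))
    return records


# (key suffix, value name, observed data) -> (finding, value to restore). Assumed policy.
DWORD_POLICY = {
    ("explorer\\advanced", "hidefileext", "1"): ("Hidden Files and Directories: extensions hidden, so X.DOC.exe displays as X.DOC", "0"),
    ("explorer\\advanced", "showsuperhidden", "0"): ("Hidden Files and Directories: protected operating system files hidden", "1"),
    ("policies\\system", "disableregistrytools", "1"): ("Disabling Security Tools: regedit blocked for this user", "0"),
    ("winlogon", "sfcdisable", "4294967197"): ("Modify Registry: SFCDisable set to the legacy Windows File Protection off value", "0"),
}
SECURITY_CENTER = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
                   "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}
# Stock ProgIDs for the hijacked script classes; confirm against a clean host of the same build.
DEFAULT_PROGID = {".bat": "batfile", ".reg": "regfile", ".vbs": "VBSFile", ".wsf": "WSFFile", ".wsh": "WSHFile"}


def dword_hex(data: str) -> str:
    """Decimal REG_DWORD as unsigned 32-bit hex: "4294967197" -> "0xFFFFFF9D"."""
    return f"0x{int(data) & 0xFFFFFFFF:08X}"


def classify(rec: Record) -> Optional[str]:
    """Finding text for a known-bad write, else None."""
    if not rec.op.startswith("Set value"):
        return None
    key, name = rec.key.lower(), (rec.name or "").lower()
    for (suffix, vname, bad), (finding, _) in DWORD_POLICY.items():
        if key.endswith(suffix) and name == vname and rec.data == bad:
            return f"{finding} (value {rec.data} = {dword_hex(rec.data)})"
    if key.endswith("security center") and name in SECURITY_CENTER and rec.data == "1":
        return f"Disabling Security Tools: Security Center {rec.name}=1"
    if key.endswith("currentversion\\run"):
        return f"Registry Run Keys / Startup Folder: {rec.data} autostarts via value {rec.name or '(Default)'}"
    ext = key.rpartition("\\")[2]
    if ext.startswith(".") and name == "" and (rec.data or "").lower() == "txtfile":
        return f"Modify Registry: {ext} opens as text, so a {ext} cleanup script no longer runs on double-click"
    return None


def remediation(rec: Record) -> Optional[str]:
    """`reg` command that reverses a flagged write (run elevated; HKU\\<SID> needs that user's hive loaded)."""
    if classify(rec) is None:
        return None
    key, name = rec.key.lower(), (rec.name or "").lower()
    if key.endswith("currentversion\\run"):
        target = "/ve" if not rec.name else f"/v {rec.name}"
        return f'reg delete "{rec.key}" {target} /f'
    if key.endswith("security center"):
        return f'reg add "{rec.key}" /v {rec.name} /t REG_DWORD /d 0 /f'
    ext = key.rpartition("\\")[2]
    if ext in DEFAULT_PROGID:
        return f'reg add "{rec.key}" /ve /d {DEFAULT_PROGID[ext]} /f'
    for (suffix, vname, _), (_, good) in DWORD_POLICY.items():
        if key.endswith(suffix) and name == vname:
            return f'reg add "{rec.key}" /v {rec.name} /t REG_DWORD /d {good} /f'
    return f"REM no stock value known for {rec.key}; compare with a clean host"


if __name__ == "__main__":
    for rec in parse_lines(IOC_LINES):
        print(rec.proc, classify(rec), remediation(rec), sep=" | ")
```

Note where the HKLM writes landed: yrnbrcqtjz.exe is a 32-bit process living in SysWOW64, so its HKLM\SOFTWARE writes were redirected to WOW6432Node. Explorer does process the WOW6432Node Run key, so that persistence is real; whether the 64-bit Security Center service honours the redirected Security Center values should be verified on the target build rather than assumed. The HKU writes (HideFileExt, DisableRegistryTools) are not redirected and take effect for that user.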
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 2368 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4076 0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe (16), PID 2008 yrnbrcqtjz.exe (10), PID 3468 wxxxpmeymwdmfcw.exe (12), PID 4580 totpcgxh.exe (8), PID 864 vljjcakagpngu.exe (12), PID 1028 totpcgxh.exe (6)

Suspicious use of FindShellTrayWindow (18 IoCs)
  3 each for PID 4076 (0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe), PID 2008 (yrnbrcqtjz.exe), PID 3468 (wxxxpmeymwdmfcw.exe), PID 4580 (totpcgxh.exe), PID 864 (vljjcakagpngu.exe), PID 1028 (totpcgxh.exe)

Suspicious use of SendNotifyMessage (18 IoCs)
  3 each for the same six PIDs as FindShellTrayWindow

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 2368 WINWORD.EXE (7)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4076 (0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe) wrote to memory of: PID 2008 yrnbrcqtjz.exe (3), PID 3468 wxxxpmeymwdmfcw.exe (3), PID 4580 totpcgxh.exe (3), PID 864 vljjcakagpngu.exe (3), PID 2368 WINWORD.EXE (2)
  PID 2008 (yrnbrcqtjz.exe) wrote to memory of: PID 1028 totpcgxh.exe (3)
  Every target is a child the writer had just created. A small number of writes into a freshly created child is what CreateProcess itself produces (it writes the process parameters into the new process), so on its own this is process creation, not evidence of injection.
Processes
(PIDs taken from the Executes dropped EXE and WriteProcessMemory sections; depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe (PID 4076)
    command line: "C:\Users\Admin\AppData\Local\Temp\0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\yrnbrcqtjz.exe (PID 2008)
      command line: yrnbrcqtjz.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\totpcgxh.exe (PID 1028)
        command line: C:\Windows\system32\totpcgxh.exe (the 32-bit parent's system32 reference is redirected to SysWOW64 by file system redirection)
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exe (PID 3468)
      command line: wxxxpmeymwdmfcw.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\totpcgxh.exe (PID 4580)
      command line: totpcgxh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Windows\SysWOW64\vljjcakagpngu.exe (PID 864)
      command line: vljjcakagpngu.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2368)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hidden Files and Directories (2)
- Modify Registry (6)
- Disabling Security Tools (2)
Downloads
Every dropped executable is 255KB, the same size as the submitted sample, yet no two share a hash, so blocking one copy's hash does not cover the others.

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  Filesize: 255KB
  MD5: e2d38c3dc5940b3f9992423332639866
  SHA1: 428279d27b2f76f60f81680c927fd4d0fc0a9b71
  SHA256: 1ed6e7ede1c37c691e669e7da9a80d276b7e41b66053b83e38ffb243e4eacedb
  SHA512: 3ff13c1e0c9a856c0e750fec1f5471d0d6766bab49e6ef69a61a6bba99105b7a9a68db5ecfc7e23e06c4dedf3acc615aab5935b40f90060aee2314e66bbacced

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  Filesize: 255KB
  MD5: cfce3066d90fb5ccc1d4fddf9cefe324
  SHA1: c38f0a4b9cfe0bca109ae18577cf9c5eb91e714f
  SHA256: 14c6af38ceb1ab8abc6e3e4c2988f2868673f77f1a05c1edc344f682c06f574c
  SHA512: d1a9a3c8e97f03475ab4be3de6223ae330659d8f1334e0f2ebf82c177a53a1a65a92eeae7ec88a82f6a5886e1b4c8963080280c387c1fb471faae14a5690e472

C:\Windows\SysWOW64\totpcgxh.exe (3 entries, identical hashes)
  Filesize: 255KB
  MD5: 29309104646f7cfa52569e152675b29c
  SHA1: 27329d494ea863f75ded7e933180fbab9d508594
  SHA256: b30e2e05070e4a21552375b80f4d071b0ec3bcef73c293e58cc9745469c68f53
  SHA512: b59845ea6582259b8d5e610bc77fc6fd75d1d7698167a800b41eddf5559c217cdaaff3546b68d4c195586a11008e62c366bddbfbab95885d3ae69bde3a51ba4f

C:\Windows\SysWOW64\vljjcakagpngu.exe (2 entries, identical hashes)
  Filesize: 255KB
  MD5: 0243309849ee7ff2f6de0f1f77aa8f9f
  SHA1: ed4d1e74a6fccfcae87077d808d20d23377cba84
  SHA256: 029debc1c08be0d1bc279ae240cd78c62c2c0ec741d9d812d172faeb30fb8730
  SHA512: f75b2bba582fc436cdd4e8b05994131e4f67c3ee44a1cdef92c409eaa1e93ddc79bb4cc5242dff5a7b53e0fd27edd933f1ed0289f4e88e5e7d2169e18526257e

C:\Windows\SysWOW64\wxxxpmeymwdmfcw.exe (2 entries, identical hashes)
  Filesize: 255KB
  MD5: e21148e3dfd583244856ac176f4ba928
  SHA1: 21d653541777fc1299c5b7f67e282a24eaae7025
  SHA256: 81ef63429ec9281659475cad5cebbd587ae5ed86bd380187dd16346200236848
  SHA512: 381c9008bb1bd6c11aeaeac6be2101aa9e26af1c19ccf370730b3a0d2a41b73bbeda0c7e0bd0a76a75bd9f888b66c80a868cb2410907963ebd39571d23dfd64d

C:\Windows\SysWOW64\yrnbrcqtjz.exe (2 entries, identical hashes)
  Filesize: 255KB
  MD5: a1981f2a3fbf93356dc2faade4f6a9fc
  SHA1: d43467e037e003a461272a4a8616c5868d7ad4ad
  SHA256: e307c1109a157e2eeb57092d9debde43cc34852a645264d2e97dfaff2ef4ff6b
  SHA512: ad303cac8c70f8c3ebca5284675efbc40ec0f048ef6de7b7d46abe11fcc5ec4c945af63b9c22f96a7a3f5ba52db4f9c543f7739e613f33e89ebf7f64e2dd5aba

C:\Windows\mydoc.rtf
  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
Memory dumps
- Mapping records (no size), all -0x0000000000000000-mapping.dmp: memory/864-143, memory/1028-149, memory/2008-133, memory/2368-148, memory/3468-136, memory/4580-139
- Image region 0x0000000000400000-0x00000000004A0000, 640KB each, two dumps per PID: memory/4076-132 and 4076-151 (0d72351dcd80cfe48ad85f61c842a6ee7e292d1888ee7e9f2124a3d076dd98c7.exe); 2008-142 and 2008-165 (yrnbrcqtjz.exe); 3468-144 and 3468-164 (wxxxpmeymwdmfcw.exe); 4580-147 and 4580-166 (totpcgxh.exe); 864-152 and 864-167 (vljjcakagpngu.exe); 1028-153 and 1028-168 (totpcgxh.exe)
- WINWORD.EXE (PID 2368), 64KB each: 0x00007FFE319B0000-0x00007FFE319C0000 in dumps 2368-154, 155, 156, 157, 158, 170, 171, 172 and 173; 0x00007FFE2F100000-0x00007FFE2F110000 in dumps 2368-161 and 162