Analysis
max time kernel: 154s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 02:23
Behavioral task: behavioral1
Sample: ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Resource: win7-20221111-en
General
Target: ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Size: 255KB
MD5: 9a8679835552d7454daae460ea9ebda6
SHA1: 8e1eefabbf0ea4e84ae98210483ff9ff697075b9
SHA256: ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed
SHA512: e65a769c036a7e14f622d569861474764225f8359425488bc7865c078761b060bb9953dd5249a0ec81a89abafdd5299eadef9d5a96013533720f90bd7d147245
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ7:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIO
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tvvztutdje.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tvvztutdje.exe
Windows security bypass (signature name as listed in the process tree) 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvvztutdje.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tvvztutdje.exe
Executes dropped EXE 5 IoCs
pid | Process
4768 | tvvztutdje.exe
4684 | smlsfwpymzwusqg.exe
3768 | zjanyycv.exe
4124 | xepljgnnwxjkw.exe
500 | zjanyycv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (signature name as listed in the process tree) 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tvvztutdje.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | smlsfwpymzwusqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lpplkcmp = "tvvztutdje.exe" | smlsfwpymzwusqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fzhtqjvi = "smlsfwpymzwusqg.exe" | smlsfwpymzwusqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xepljgnnwxjkw.exe" | smlsfwpymzwusqg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tvvztutdje.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tvvztutdje.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\tvvztutdje.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\SysWOW64\tvvztutdje.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\SysWOW64\smlsfwpymzwusqg.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File created | C:\Windows\SysWOW64\zjanyycv.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\SysWOW64\zjanyycv.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File created | C:\Windows\SysWOW64\xepljgnnwxjkw.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\SysWOW64\xepljgnnwxjkw.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File created | C:\Windows\SysWOW64\smlsfwpymzwusqg.exe | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tvvztutdje.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjanyycv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | zjanyycv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjanyycv.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjanyycv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjanyycv.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | zjanyycv.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | zjanyycv.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB9F961F2E3830F3A46819B3E98B0F903FE4216023CE2CD459A08D4" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC77B1593DBBFB9BC7C97ECE334B9" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tvvztutdje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tvvztutdje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tvvztutdje.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FF824F5B851D9132D7207DE2BDE3E635583067366335D6EA" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tvvztutdje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tvvztutdje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B5FF1F21ABD27BD0D48A74906A" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7E9D5682556D4177D577222CDA7D8464DC" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B12047EF39EC52BEB9A232EFD4B9" | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tvvztutdje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tvvztutdje.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
944 | WINWORD.EXE
944 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 19 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
944 | WINWORD.EXE
944 | WINWORD.EXE
944 | WINWORD.EXE
944 | WINWORD.EXE
944 | WINWORD.EXE
944 | WINWORD.EXE
944 | WINWORD.EXE
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 5044 wrote to memory of 4768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 81
PID 5044 wrote to memory of 4768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 81
PID 5044 wrote to memory of 4768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 81
PID 5044 wrote to memory of 4684 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 82
PID 5044 wrote to memory of 4684 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 82
PID 5044 wrote to memory of 4684 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 82
PID 5044 wrote to memory of 3768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 83
PID 5044 wrote to memory of 3768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 83
PID 5044 wrote to memory of 3768 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 83
PID 5044 wrote to memory of 4124 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 84
PID 5044 wrote to memory of 4124 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 84
PID 5044 wrote to memory of 4124 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 84
PID 4684 wrote to memory of 2084 | 4684 | smlsfwpymzwusqg.exe | 85
PID 4684 wrote to memory of 2084 | 4684 | smlsfwpymzwusqg.exe | 85
PID 4684 wrote to memory of 2084 | 4684 | smlsfwpymzwusqg.exe | 85
PID 4768 wrote to memory of 500 | 4768 | tvvztutdje.exe | 87
PID 4768 wrote to memory of 500 | 4768 | tvvztutdje.exe | 87
PID 4768 wrote to memory of 500 | 4768 | tvvztutdje.exe | 87
PID 5044 wrote to memory of 944 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 88
PID 5044 wrote to memory of 944 | 5044 | ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe | 88
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ddd2484239217ffce97c08f6369cc449f4fbe70e08ed2ed8c9ec122bf0f6a7ed.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5044
  (depth 2) C:\Windows\SysWOW64\tvvztutdje.exe
    command line: tvvztutdje.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4768
    (depth 3) C:\Windows\SysWOW64\zjanyycv.exe
      command line: C:\Windows\system32\zjanyycv.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 500
  (depth 2) C:\Windows\SysWOW64\smlsfwpymzwusqg.exe
    command line: smlsfwpymzwusqg.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4684
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c xepljgnnwxjkw.exe
      PID: 2084
  (depth 2) C:\Windows\SysWOW64\zjanyycv.exe
    command line: zjanyycv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3768
  (depth 2) C:\Windows\SysWOW64\xepljgnnwxjkw.exe
    command line: xepljgnnwxjkw.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4124
  (depth 2) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 944
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion
  Disabling Security Tools (2)
  Hidden Files and Directories (2)
  Modify Registry (6)
Downloads