Analysis
max time kernel: 154s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 17:12
-
Behavioral task: behavioral1
Sample: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Resource: win7-20221111-en
-
General
Target: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Size: 255KB
MD5: cb1544825f6079d6905dca0feb41ed07
SHA1: 25f840f9e039d2d2818fc9832bc897b465c48537
SHA256: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43
SHA512: 2ba6cd94647ca8ae06ae5ead4429ebbd23b989def0941bd70701f09ea560ba5cbd8cd8fcaca371c455602474a091732f64526b24f4791d1f7c88bc1116164fb7
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJf:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIm
-
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | apypaebubt.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | apypaebubt.exe
-
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | apypaebubt.exe
-
Disables RegEdit via registry modification (1 IoC)
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | apypaebubt.exe
-
Executes dropped EXE (5 IoCs)
Processes: apypaebubt.exe, sjviqtrolouhplt.exe, clopsaqu.exe, amxtayxnsivpe.exe, clopsaqu.exe
pid | process
1156 | apypaebubt.exe
872 | sjviqtrolouhplt.exe
776 | clopsaqu.exe
1556 | amxtayxnsivpe.exe
360 | clopsaqu.exe
-
Processes:
resource | yara_rule
behavioral1/memory/848-55-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
\Windows\SysWOW64\apypaebubt.exe | upx
C:\Windows\SysWOW64\apypaebubt.exe | upx
\Windows\SysWOW64\sjviqtrolouhplt.exe | upx
C:\Windows\SysWOW64\sjviqtrolouhplt.exe | upx
C:\Windows\SysWOW64\apypaebubt.exe | upx
\Windows\SysWOW64\clopsaqu.exe | upx
C:\Windows\SysWOW64\sjviqtrolouhplt.exe | upx
C:\Windows\SysWOW64\clopsaqu.exe | upx
\Windows\SysWOW64\amxtayxnsivpe.exe | upx
C:\Windows\SysWOW64\clopsaqu.exe | upx
C:\Windows\SysWOW64\amxtayxnsivpe.exe | upx
behavioral1/memory/1156-75-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/872-77-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/776-78-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1556-79-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
\Windows\SysWOW64\clopsaqu.exe | upx
C:\Windows\SysWOW64\clopsaqu.exe | upx
behavioral1/memory/360-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/848-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1156-93-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/872-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/776-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/360-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | upx
-
Loads dropped DLL (5 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, apypaebubt.exe
pid | process
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156 | apypaebubt.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | apypaebubt.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: sjviqtrolouhplt.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "amxtayxnsivpe.exe" | sjviqtrolouhplt.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | sjviqtrolouhplt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gfeqbefs = "apypaebubt.exe" | sjviqtrolouhplt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsbyfowk = "sjviqtrolouhplt.exe" | sjviqtrolouhplt.exe
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: clopsaqu.exe, clopsaqu.exe, apypaebubt.exe
-
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: apypaebubt.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | apypaebubt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | apypaebubt.exe
-
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/848-55-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1156-75-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/872-77-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/776-78-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/360-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/848-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1156-93-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/872-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/776-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/360-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
-
Drops file in System32 directory (9 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, apypaebubt.exe
description | ioc | process
File created | C:\Windows\SysWOW64\clopsaqu.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created | C:\Windows\SysWOW64\apypaebubt.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created | C:\Windows\SysWOW64\sjviqtrolouhplt.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification | C:\Windows\SysWOW64\sjviqtrolouhplt.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification | C:\Windows\SysWOW64\amxtayxnsivpe.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | apypaebubt.exe
File opened for modification | C:\Windows\SysWOW64\apypaebubt.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification | C:\Windows\SysWOW64\clopsaqu.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created | C:\Windows\SysWOW64\amxtayxnsivpe.exe | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
-
Drops file in Program Files directory (21 IoCs)
Processes: clopsaqu.exe, clopsaqu.exe
description | ioc | process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | clopsaqu.exe
File opened for modification | \??\c:\Program Files\WaitUnblock.doc.exe | clopsaqu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | clopsaqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | clopsaqu.exe
File created | \??\c:\Program Files\WaitUnblock.doc.exe | clopsaqu.exe
File opened for modification | C:\Program Files\WaitUnblock.nal | clopsaqu.exe
File opened for modification | \??\c:\Program Files\WaitUnblock.doc.exe | clopsaqu.exe
File opened for modification | C:\Program Files\WaitUnblock.doc.exe | clopsaqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files\WaitUnblock.doc.exe | clopsaqu.exe
File opened for modification | C:\Program Files\WaitUnblock.nal | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | clopsaqu.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | clopsaqu.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | clopsaqu.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | clopsaqu.exe
-
Drops file in Windows directory (5 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, WINWORD.EXE
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes: WINWORD.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
-
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE, apypaebubt.exe, 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | apypaebubt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | apypaebubt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | apypaebubt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D789D2082246A4676D570242DDB7DF565DD" | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | apypaebubt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15F47E138E252CDBAD333EDD4B8" | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | apypaebubt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | apypaebubt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB3FE1822D9D272D0D28A7F9010" | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | apypaebubt.exe
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
pid | process
1716 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, apypaebubt.exe, sjviqtrolouhplt.exe, clopsaqu.exe, clopsaqu.exe
-
Suspicious use of FindShellTrayWindow (15 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, apypaebubt.exe, sjviqtrolouhplt.exe, clopsaqu.exe, clopsaqu.exe
pid | process
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156 | apypaebubt.exe
1156 | apypaebubt.exe
1156 | apypaebubt.exe
872 | sjviqtrolouhplt.exe
872 | sjviqtrolouhplt.exe
872 | sjviqtrolouhplt.exe
776 | clopsaqu.exe
776 | clopsaqu.exe
776 | clopsaqu.exe
360 | clopsaqu.exe
360 | clopsaqu.exe
360 | clopsaqu.exe
-
Suspicious use of SendNotifyMessage (15 IoCs)
Processes: 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe, apypaebubt.exe, sjviqtrolouhplt.exe, clopsaqu.exe, clopsaqu.exe
pid | process
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848 | 6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156 | apypaebubt.exe
1156 | apypaebubt.exe
1156 | apypaebubt.exe
872 | sjviqtrolouhplt.exe
872 | sjviqtrolouhplt.exe
872 | sjviqtrolouhplt.exe
776 | clopsaqu.exe
776 | clopsaqu.exe
776 | clopsaqu.exe
360 | clopsaqu.exe
360 | clopsaqu.exe
360 | clopsaqu.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid   process
1716  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description (pid, process -> target process)
PID 848 wrote to memory of 1156:  6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe -> apypaebubt.exe
PID 848 wrote to memory of 872:   6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe -> sjviqtrolouhplt.exe
PID 848 wrote to memory of 776:   6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe -> clopsaqu.exe
PID 848 wrote to memory of 1556:  6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe -> amxtayxnsivpe.exe
PID 1156 wrote to memory of 360:  apypaebubt.exe -> clopsaqu.exe
PID 848 wrote to memory of 1716:  6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe -> WINWORD.EXE
PID 1716 wrote to memory of 912:  WINWORD.EXE -> splwow64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe (tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\apypaebubt.exe (tree level 2)
Command line: apypaebubt.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\clopsaqu.exe (tree level 3)
Command line: C:\Windows\system32\clopsaqu.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\sjviqtrolouhplt.exe (tree level 2)
Command line: sjviqtrolouhplt.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\clopsaqu.exe (tree level 2)
Command line: clopsaqu.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\amxtayxnsivpe.exe (tree level 2)
Command line: amxtayxnsivpe.exe
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (tree level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exe (tree level 3)
Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hidden Files and Directories (2)
- Modify Registry (7)
- Disabling Security Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (255KB)
C:\Windows\SysWOW64\amxtayxnsivpe.exe (255KB)
C:\Windows\SysWOW64\apypaebubt.exe (255KB)
C:\Windows\SysWOW64\clopsaqu.exe (255KB)
C:\Windows\SysWOW64\sjviqtrolouhplt.exe (255KB)
C:\Windows\mydoc.rtf (223B)
-