Analysis
max time kernel: 156s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 00:44
Behavioral task behavioral1
Sample: e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Resource: win10v2004-20221111-en
General
Target: e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Size: 255KB
MD5: 243705cd60e3075a23510a24874abaf1
SHA1: a3d580c94030f86b2745e6e2fead1917e417bb95
SHA256: e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567
SHA512: 187248119417f295e33535cf5908f58cce818e5a39f6a80e0cfe4e0f7be71a2c342d73c2aab811dfee01c91d15c998eb7e76400ad02af0e97836b93849690d68
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6T:Plf5j6zCNa0xeE3mC
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mnsspcctbi.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mnsspcctbi.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mnsspcctbi.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mnsspcctbi.exe
Executes dropped EXE (5 IoCs)
pid | Process
2960 | mnsspcctbi.exe
3200 | rqkgjuyagvzqsgg.exe
900 | oooezyjc.exe
1548 | jklchhgxfyauf.exe
4764 | oooezyjc.exe
resource | yara_rule
behavioral2/memory/1060-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000700000002314f-134.dat | upx
behavioral2/files/0x000700000002314f-135.dat | upx
behavioral2/files/0x000800000002265f-137.dat | upx
behavioral2/files/0x000800000002265f-139.dat | upx
behavioral2/files/0x0009000000023151-141.dat | upx
behavioral2/files/0x0008000000023155-144.dat | upx
behavioral2/files/0x0008000000023155-143.dat | upx
behavioral2/files/0x0009000000023151-140.dat | upx
behavioral2/memory/2960-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3200-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/900-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1548-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2960-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3200-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/900-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1548-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0009000000023151-154.dat | upx
behavioral2/memory/4764-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1060-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4764-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mnsspcctbi.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tbadinle = "mnsspcctbi.exe" | rqkgjuyagvzqsgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acuzifdt = "rqkgjuyagvzqsgg.exe" | rqkgjuyagvzqsgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jklchhgxfyauf.exe" | rqkgjuyagvzqsgg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | rqkgjuyagvzqsgg.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mnsspcctbi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mnsspcctbi.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2960-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3200-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/900-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1548-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2960-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3200-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/900-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1548-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4764-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1060-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4764-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\rqkgjuyagvzqsgg.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File created | C:\Windows\SysWOW64\oooezyjc.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File opened for modification | C:\Windows\SysWOW64\oooezyjc.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File created | C:\Windows\SysWOW64\jklchhgxfyauf.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File opened for modification | C:\Windows\SysWOW64\jklchhgxfyauf.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File created | C:\Windows\SysWOW64\mnsspcctbi.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File opened for modification | C:\Windows\SysWOW64\rqkgjuyagvzqsgg.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mnsspcctbi.exe
File opened for modification | C:\Windows\SysWOW64\mnsspcctbi.exe | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB7FE1C21DCD279D0A08A759116" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mnsspcctbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mnsspcctbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C769D5182256D4576D370252DDA7DF564AB" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mnsspcctbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mnsspcctbi.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9CCF966F1E7837A3A4481EB3990B088038B42620238E2CD42E708D4" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C60B14E7DBB1B8CD7CE2EDE537CD" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mnsspcctbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mnsspcctbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mnsspcctbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mnsspcctbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B15A47E1399852C4B9A2329FD7C5" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8C482C85129130D72F7D92BCE5E134583767466244D7E9" | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mnsspcctbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mnsspcctbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mnsspcctbi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mnsspcctbi.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
2960 | mnsspcctbi.exe
2960 | mnsspcctbi.exe
2960 | mnsspcctbi.exe
3200 | rqkgjuyagvzqsgg.exe
3200 | rqkgjuyagvzqsgg.exe
3200 | rqkgjuyagvzqsgg.exe
900 | oooezyjc.exe
900 | oooezyjc.exe
900 | oooezyjc.exe
1548 | jklchhgxfyauf.exe
1548 | jklchhgxfyauf.exe
1548 | jklchhgxfyauf.exe
4764 | oooezyjc.exe
4764 | oooezyjc.exe
4764 | oooezyjc.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe
2960 | mnsspcctbi.exe
2960 | mnsspcctbi.exe
2960 | mnsspcctbi.exe
3200 | rqkgjuyagvzqsgg.exe
3200 | rqkgjuyagvzqsgg.exe
3200 | rqkgjuyagvzqsgg.exe
900 | oooezyjc.exe
900 | oooezyjc.exe
900 | oooezyjc.exe
1548 | jklchhgxfyauf.exe
1548 | jklchhgxfyauf.exe
1548 | jklchhgxfyauf.exe
4764 | oooezyjc.exe
4764 | oooezyjc.exe
4764 | oooezyjc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1060 wrote to memory of 2960 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 83
PID 1060 wrote to memory of 2960 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 83
PID 1060 wrote to memory of 2960 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 83
PID 1060 wrote to memory of 3200 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 85
PID 1060 wrote to memory of 3200 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 85
PID 1060 wrote to memory of 3200 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 85
PID 1060 wrote to memory of 900 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 86
PID 1060 wrote to memory of 900 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 86
PID 1060 wrote to memory of 900 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 86
PID 1060 wrote to memory of 1548 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 87
PID 1060 wrote to memory of 1548 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 87
PID 1060 wrote to memory of 1548 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 87
PID 2960 wrote to memory of 4764 | 2960 | mnsspcctbi.exe | 89
PID 2960 wrote to memory of 4764 | 2960 | mnsspcctbi.exe | 89
PID 2960 wrote to memory of 4764 | 2960 | mnsspcctbi.exe | 89
PID 1060 wrote to memory of 1228 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 90
PID 1060 wrote to memory of 1228 | 1060 | e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe (PID 1060)
   Command line: "C:\Users\Admin\AppData\Local\Temp\e370e7dcfeb45d9142e9fa04d5d6a0bd92fa39e3a72cb8b88fc98397da7fa567.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mnsspcctbi.exe (PID 2960)
      Command line: mnsspcctbi.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\oooezyjc.exe (PID 4764)
         Command line: C:\Windows\system32\oooezyjc.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\rqkgjuyagvzqsgg.exe (PID 3200)
      Command line: rqkgjuyagvzqsgg.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\oooezyjc.exe (PID 900)
      Command line: oooezyjc.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Windows\SysWOW64\jklchhgxfyauf.exe (PID 1548)
      Command line: jklchhgxfyauf.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1228)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 6
Downloads