Analysis
max time kernel: 169s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 00:02
Behavioral task: behavioral1
Sample: c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Resource: win7-20220812-en
General
Target: c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Size: 255KB
MD5: 5c92c2744a434f94e8edb56a25b2ec2f
SHA1: f17731b0ea8846b838c71dab00476de9af341194
SHA256: c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033
SHA512: b1d0296a9b8b35f8a311ed6a43909022b841657bf28840d521925e1fa76b6125b937f96eab58fe2d61f7c681e12a56f6bd8e3c0861a5f65fc40868e341c4b0cb
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cdcofhhnfo.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cdcofhhnfo.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cdcofhhnfo.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cdcofhhnfo.exe
Executes dropped EXE 5 IoCs
pid | Process
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
3844 | kpibuxsp.exe
UPX packed file 28 IoCs
resource | yara_rule
behavioral2/memory/4948-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e71-134.dat | upx
behavioral2/files/0x0007000000022e71-135.dat | upx
behavioral2/files/0x0006000000022e76-137.dat | upx
behavioral2/files/0x0006000000022e76-138.dat | upx
behavioral2/files/0x0006000000022e77-141.dat | upx
behavioral2/files/0x0006000000022e77-140.dat | upx
behavioral2/memory/1176-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e78-146.dat | upx
behavioral2/files/0x0006000000022e78-145.dat | upx
behavioral2/memory/4596-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3504-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e77-149.dat | upx
behavioral2/memory/4948-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/872-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3844-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0002000000009dee-159.dat | upx
behavioral2/files/0x0006000000022e7a-161.dat | upx
behavioral2/files/0x0002000000009dee-160.dat | upx
behavioral2/memory/4596-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1176-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3504-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/872-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3844-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000300000001e5e7-170.dat | upx
behavioral2/files/0x000200000001ea05-171.dat | upx
behavioral2/files/0x000200000001ea05-172.dat | upx
behavioral2/files/0x000200000001ea05-173.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cdcofhhnfo.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | oxekmfxmaabvnvj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xaaczfib = "cdcofhhnfo.exe" | oxekmfxmaabvnvj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpfyaedh = "oxekmfxmaabvnvj.exe" | oxekmfxmaabvnvj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bvropgauxpfbi.exe" | oxekmfxmaabvnvj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | kpibuxsp.exe
File opened (read-only) | \??\m: | cdcofhhnfo.exe
File opened (read-only) | \??\x: | cdcofhhnfo.exe
File opened (read-only) | \??\g: | kpibuxsp.exe
File opened (read-only) | \??\n: | kpibuxsp.exe
File opened (read-only) | \??\t: | kpibuxsp.exe
File opened (read-only) | \??\z: | cdcofhhnfo.exe
File opened (read-only) | \??\a: | kpibuxsp.exe
File opened (read-only) | \??\y: | cdcofhhnfo.exe
File opened (read-only) | \??\f: | kpibuxsp.exe
File opened (read-only) | \??\k: | kpibuxsp.exe
File opened (read-only) | \??\v: | kpibuxsp.exe
File opened (read-only) | \??\h: | cdcofhhnfo.exe
File opened (read-only) | \??\e: | kpibuxsp.exe
File opened (read-only) | \??\n: | kpibuxsp.exe
File opened (read-only) | \??\s: | kpibuxsp.exe
File opened (read-only) | \??\j: | cdcofhhnfo.exe
File opened (read-only) | \??\p: | cdcofhhnfo.exe
File opened (read-only) | \??\r: | cdcofhhnfo.exe
File opened (read-only) | \??\t: | cdcofhhnfo.exe
File opened (read-only) | \??\b: | kpibuxsp.exe
File opened (read-only) | \??\h: | kpibuxsp.exe
File opened (read-only) | \??\m: | kpibuxsp.exe
File opened (read-only) | \??\r: | kpibuxsp.exe
File opened (read-only) | \??\x: | kpibuxsp.exe
File opened (read-only) | \??\z: | kpibuxsp.exe
File opened (read-only) | \??\s: | kpibuxsp.exe
File opened (read-only) | \??\f: | cdcofhhnfo.exe
File opened (read-only) | \??\o: | kpibuxsp.exe
File opened (read-only) | \??\w: | kpibuxsp.exe
File opened (read-only) | \??\r: | kpibuxsp.exe
File opened (read-only) | \??\y: | kpibuxsp.exe
File opened (read-only) | \??\z: | kpibuxsp.exe
File opened (read-only) | \??\s: | cdcofhhnfo.exe
File opened (read-only) | \??\k: | kpibuxsp.exe
File opened (read-only) | \??\m: | kpibuxsp.exe
File opened (read-only) | \??\u: | kpibuxsp.exe
File opened (read-only) | \??\b: | kpibuxsp.exe
File opened (read-only) | \??\t: | kpibuxsp.exe
File opened (read-only) | \??\g: | kpibuxsp.exe
File opened (read-only) | \??\w: | kpibuxsp.exe
File opened (read-only) | \??\a: | cdcofhhnfo.exe
File opened (read-only) | \??\n: | cdcofhhnfo.exe
File opened (read-only) | \??\l: | cdcofhhnfo.exe
File opened (read-only) | \??\v: | cdcofhhnfo.exe
File opened (read-only) | \??\i: | kpibuxsp.exe
File opened (read-only) | \??\j: | kpibuxsp.exe
File opened (read-only) | \??\o: | kpibuxsp.exe
File opened (read-only) | \??\q: | kpibuxsp.exe
File opened (read-only) | \??\g: | cdcofhhnfo.exe
File opened (read-only) | \??\p: | kpibuxsp.exe
File opened (read-only) | \??\u: | cdcofhhnfo.exe
File opened (read-only) | \??\y: | kpibuxsp.exe
File opened (read-only) | \??\i: | cdcofhhnfo.exe
File opened (read-only) | \??\e: | kpibuxsp.exe
File opened (read-only) | \??\j: | kpibuxsp.exe
File opened (read-only) | \??\i: | kpibuxsp.exe
File opened (read-only) | \??\e: | cdcofhhnfo.exe
File opened (read-only) | \??\f: | kpibuxsp.exe
File opened (read-only) | \??\l: | kpibuxsp.exe
File opened (read-only) | \??\l: | kpibuxsp.exe
File opened (read-only) | \??\b: | cdcofhhnfo.exe
File opened (read-only) | \??\w: | cdcofhhnfo.exe
File opened (read-only) | \??\h: | kpibuxsp.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cdcofhhnfo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cdcofhhnfo.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1176-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4596-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3504-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4948-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/872-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3844-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4596-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1176-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3504-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/872-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3844-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kpibuxsp.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kpibuxsp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kpibuxsp.exe
File created | C:\Windows\SysWOW64\kpibuxsp.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File created | C:\Windows\SysWOW64\bvropgauxpfbi.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\SysWOW64\bvropgauxpfbi.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\SysWOW64\oxekmfxmaabvnvj.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\SysWOW64\kpibuxsp.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cdcofhhnfo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | kpibuxsp.exe
File created | C:\Windows\SysWOW64\cdcofhhnfo.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\SysWOW64\cdcofhhnfo.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File created | C:\Windows\SysWOW64\oxekmfxmaabvnvj.exe | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kpibuxsp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kpibuxsp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kpibuxsp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | kpibuxsp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | kpibuxsp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | kpibuxsp.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B02A47E7399952CBB9A133EFD4BF" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB4FE1C21DBD17AD0A88A099113" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C70E15E4DBB2B8BC7CE1EDE534BA" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cdcofhhnfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C7C9C5183506A4376A7702E2CA97DF164D6" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cdcofhhnfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cdcofhhnfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cdcofhhnfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9BCF913F192837D3B4781EC39E3B08E028A4311023FE1BF45E608A0" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FCF84F5D851E9047D7207D94BC93E643584767416345D79D" | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cdcofhhnfo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cdcofhhnfo.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cdcofhhnfo.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1764 | WINWORD.EXE
1764 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
1176 | cdcofhhnfo.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
4596 | oxekmfxmaabvnvj.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
3504 | kpibuxsp.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
872 | bvropgauxpfbi.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
3844 | kpibuxsp.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
1764 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4948 wrote to memory of 1176 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 80
PID 4948 wrote to memory of 1176 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 80
PID 4948 wrote to memory of 1176 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 80
PID 4948 wrote to memory of 4596 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 81
PID 4948 wrote to memory of 4596 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 81
PID 4948 wrote to memory of 4596 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 81
PID 4948 wrote to memory of 3504 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 82
PID 4948 wrote to memory of 3504 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 82
PID 4948 wrote to memory of 3504 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 82
PID 4948 wrote to memory of 872 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 83
PID 4948 wrote to memory of 872 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 83
PID 4948 wrote to memory of 872 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 83
PID 4948 wrote to memory of 1764 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 84
PID 4948 wrote to memory of 1764 | 4948 | c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe | 84
PID 1176 wrote to memory of 3844 | 1176 | cdcofhhnfo.exe | 85
PID 1176 wrote to memory of 3844 | 1176 | cdcofhhnfo.exe | 85
PID 1176 wrote to memory of 3844 | 1176 | cdcofhhnfo.exe | 85
Processes

C:\Users\Admin\AppData\Local\Temp\c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4948

  C:\Windows\SysWOW64\cdcofhhnfo.exe
    Command line: cdcofhhnfo.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1176

    C:\Windows\SysWOW64\kpibuxsp.exe
      Command line: C:\Windows\system32\kpibuxsp.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3844

  C:\Windows\SysWOW64\oxekmfxmaabvnvj.exe
    Command line: oxekmfxmaabvnvj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4596

  C:\Windows\SysWOW64\kpibuxsp.exe
    Command line: kpibuxsp.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3504

  C:\Windows\SysWOW64\bvropgauxpfbi.exe
    Command line: bvropgauxpfbi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 872

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 1764
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads

Filesize: 255KB
MD5: 8bf166c4220b96939b6acbe87e54978e
SHA1: 435e986c81c058bb24eab40a2d06c3e4c5df7b32
SHA256: ce7caf989c113ce9dfdcc363e94c1b81e92da4edb69f408260288645d951f967
SHA512: 12506cd7c8d8344cd9794f9601351de91b8db892d6b83638116bfb16fd3e005fe977bceaf412fe7b8f595197eaa44099e5339d06b8e9d7052c6a7aa904c8e1ac

Filesize: 255KB
MD5: d217228d529e7f4037b5d2922645b471
SHA1: 1459b5934eab3ee78b218517eb7bc6a5c80e54bd
SHA256: fed6078385584e166ba65c6c728f05f05b0695cb12f12b4c16db6ba92d6eb2d4
SHA512: 46cee7853c556fdd9231da7054d93d97c2101120f54dbac0d87af822fbc7fc8cf3bc9daf78e3c61d5a6abf2d2da5d200d2cb17b0589658926e344a46f8bb01f7

Filesize: 255KB
MD5: b48158a45c8c1aac28f89f086865567c
SHA1: 59505a5d29deee3802b69ac50de4da7be9379f1d
SHA256: c77e2f2c48554794fd739554199ab8a5285b1123b44d1bc83e2b9cfc12056f03
SHA512: 2843c8db420db7286ea31b8a65bd22bcd847ab44c4d488c7ef922794ad49a1eed015a4900a207821bcce0be6226230bc6a28c912689f47f5d0ab91f44b1bb690

Filesize: 255KB
MD5: 4f71327970ad947e3739b8a31582cc92
SHA1: ea377218c5d52997b80cdfb8d61534986c60e1ac
SHA256: 91f3a4d58d945637d81d939d8683eb3d26275586a6211d05848a0f3d6b6b637c
SHA512: 1404c72ff0733bb3efc33dd718e2ecef82592c3c3b5b0dbee67f607a57edc7be4eaefceaab04b063bbff893a1c4def9edb37361ec1e417efa97f4ccc09286118

Filesize: 255KB
MD5: 4f71327970ad947e3739b8a31582cc92
SHA1: ea377218c5d52997b80cdfb8d61534986c60e1ac
SHA256: 91f3a4d58d945637d81d939d8683eb3d26275586a6211d05848a0f3d6b6b637c
SHA512: 1404c72ff0733bb3efc33dd718e2ecef82592c3c3b5b0dbee67f607a57edc7be4eaefceaab04b063bbff893a1c4def9edb37361ec1e417efa97f4ccc09286118

Filesize: 255KB
MD5: 550a5b49a0915928b4327f577250033a
SHA1: b927952c2b3456f8c3630562e1901e887da7cb6d
SHA256: 7a34fbbb9e3e7ea7dab26182357a95f594655887a590f6503ad0d858a8e344a2
SHA512: ef59a171decd54508d53f725997296c6b520a5c24fb28ba5e5f40499d46a82d133b3b47989a899fdafbfcb53896da4da81275079093220021b2304f08839df31

Filesize: 255KB
MD5: 550a5b49a0915928b4327f577250033a
SHA1: b927952c2b3456f8c3630562e1901e887da7cb6d
SHA256: 7a34fbbb9e3e7ea7dab26182357a95f594655887a590f6503ad0d858a8e344a2
SHA512: ef59a171decd54508d53f725997296c6b520a5c24fb28ba5e5f40499d46a82d133b3b47989a899fdafbfcb53896da4da81275079093220021b2304f08839df31

Filesize: 255KB
MD5: 26581fa7982fe67526cc2fbd3e0aa173
SHA1: 58554cdd9986806e781076fdd8e7a2b51a290f13
SHA256: 54ed88088e42bf336807ebabed2d99eec360582c4298d2dfbeee87444e53875e
SHA512: 1821101c2e1ab826ab7ddfb3a3a8144891c5b7a945152faf154953362806bac470f3b38b9fc4bf9cca921fa8eca06e93e82fc6a37cb754279dbd98c3713b5c08

Filesize: 255KB
MD5: 26581fa7982fe67526cc2fbd3e0aa173
SHA1: 58554cdd9986806e781076fdd8e7a2b51a290f13
SHA256: 54ed88088e42bf336807ebabed2d99eec360582c4298d2dfbeee87444e53875e
SHA512: 1821101c2e1ab826ab7ddfb3a3a8144891c5b7a945152faf154953362806bac470f3b38b9fc4bf9cca921fa8eca06e93e82fc6a37cb754279dbd98c3713b5c08

Filesize: 255KB
MD5: 26581fa7982fe67526cc2fbd3e0aa173
SHA1: 58554cdd9986806e781076fdd8e7a2b51a290f13
SHA256: 54ed88088e42bf336807ebabed2d99eec360582c4298d2dfbeee87444e53875e
SHA512: 1821101c2e1ab826ab7ddfb3a3a8144891c5b7a945152faf154953362806bac470f3b38b9fc4bf9cca921fa8eca06e93e82fc6a37cb754279dbd98c3713b5c08

Filesize: 255KB
MD5: 6290a0e8622ed11f9b85948273916e53
SHA1: 24fb0a8926f0c9623b39f7e81b6c8c8edb605a65
SHA256: 4e216c37ecfaa9e530f0362a1bd8b437c71b99467d2ffad00ebf54ebf73d6ffa
SHA512: d6b0331639a2edbe12e3938bf648226d0e501604525c161249d08902fbbeb6ae3b85c0342cc732c9011071663779593d7aea5fb634ee5ac216e23584478cffa6

Filesize: 255KB
MD5: 6290a0e8622ed11f9b85948273916e53
SHA1: 24fb0a8926f0c9623b39f7e81b6c8c8edb605a65
SHA256: 4e216c37ecfaa9e530f0362a1bd8b437c71b99467d2ffad00ebf54ebf73d6ffa
SHA512: d6b0331639a2edbe12e3938bf648226d0e501604525c161249d08902fbbeb6ae3b85c0342cc732c9011071663779593d7aea5fb634ee5ac216e23584478cffa6

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 8bf166c4220b96939b6acbe87e54978e
SHA1: 435e986c81c058bb24eab40a2d06c3e4c5df7b32
SHA256: ce7caf989c113ce9dfdcc363e94c1b81e92da4edb69f408260288645d951f967
SHA512: 12506cd7c8d8344cd9794f9601351de91b8db892d6b83638116bfb16fd3e005fe977bceaf412fe7b8f595197eaa44099e5339d06b8e9d7052c6a7aa904c8e1ac

Filesize: 255KB
MD5: 25b79941724c1e142d72c1a972ab2ca4
SHA1: b4e9b6652aeacbbcaa9f0e6b9559afd455aa0e3b
SHA256: a28059d9f295eb7bced1cf2edbf5482a6b19bff62868e42aede92f289846cb66
SHA512: 0e670295dc0a3c642227bef32abd3dcbe5ecf72f4fc1cbfaa831df42bd8fdb8ed572299c408c0ab5ff886d6792e302d2b5a801bc023f30154c279f109126d97e

Filesize: 255KB
MD5: 37ca757651de61870fbaca1bca4a8fd5
SHA1: c72082d61d6bff7a255abb924ca978f76f67501b
SHA256: 1844f23fb4d7af11cf13b1c0662f5bc4a990f67708a405f3e0447b91d14ca8ab
SHA512: 49120616844a31d88376946bbfcb4c1f2fc92ecc70ef722005f9b8cc7d1cf4f394832a671e37da0966f4d985ea57b6526334889649dd68ea4e2a6d183b97a19f

Filesize: 255KB
MD5: 37ca757651de61870fbaca1bca4a8fd5
SHA1: c72082d61d6bff7a255abb924ca978f76f67501b
SHA256: 1844f23fb4d7af11cf13b1c0662f5bc4a990f67708a405f3e0447b91d14ca8ab
SHA512: 49120616844a31d88376946bbfcb4c1f2fc92ecc70ef722005f9b8cc7d1cf4f394832a671e37da0966f4d985ea57b6526334889649dd68ea4e2a6d183b97a19f