Analysis
- max time kernel: 293s
- max time network: 341s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 01:31
Behavioral tasks
- behavioral1: sample 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe, resource win7-20220812-en
- behavioral2: sample 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe, resource win10v2004-20221111-en
General
- Target: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
- Size: 255KB
- MD5: 97e439bd06e00539d31641727bfccba7
- SHA1: a597c080dc652cc2da13305853db37733ad83e10
- SHA256: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464
- SHA512: 05886a16c5601017db8de501de329511311cf0055789bb3122e530d880d8b2b3412e67bce4aab853ac78a2c28e946d22123b1cf0bc386371204afbd684391dab
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJK:1xlZam+akqx6YQJXcNlEHUIQeE3mmBID
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: snvmyrtdaq.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: snvmyrtdaq.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: snvmyrtdaq.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: snvmyrtdaq.exe)
Executes dropped EXE 5 IoCs
- PID 4700 snvmyrtdaq.exe
- PID 1684 ddygxtxiufomhrz.exe
- PID 4904 iygyyiku.exe
- PID 4136 nlvqrngpycnod.exe
- PID 1452 iygyyiku.exe
UPX packed (yara_rule upx) 21 IoCs
- behavioral2/memory/4536-132-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/files/0x000d000000022a51-134.dat
- behavioral2/files/0x000d000000022a51-135.dat
- behavioral2/files/0x0010000000022db2-138.dat
- behavioral2/files/0x0010000000022db2-137.dat
- behavioral2/memory/1684-140-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4700-139-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/files/0x000d000000022db6-144.dat
- behavioral2/files/0x000d000000022db6-143.dat
- behavioral2/files/0x0008000000022dc1-146.dat
- behavioral2/files/0x0008000000022dc1-147.dat
- behavioral2/files/0x000d000000022db6-149.dat
- behavioral2/memory/1452-152-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4136-151-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4904-150-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4700-153-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1684-154-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4904-155-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4136-156-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1452-157-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4536-159-0x0000000000400000-0x00000000004A0000-memory.dmp
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: snvmyrtdaq.exe)
Adds Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uptrgpkd = "ddygxtxiufomhrz.exe" (process: ddygxtxiufomhrz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nlvqrngpycnod.exe" (process: ddygxtxiufomhrz.exe)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: ddygxtxiufomhrz.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nhapkilh = "snvmyrtdaq.exe" (process: ddygxtxiufomhrz.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive. The 64 "File opened (read-only)" entries, grouped by process and sorted by drive letter:
- iygyyiku.exe: \??\a:, \??\b:, \??\e:, \??\f:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\z: (44 entries; every letter except a: and g: appears twice)
- snvmyrtdaq.exe: \??\a:, \??\b:, \??\e:, \??\f:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (20 entries)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: snvmyrtdaq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: snvmyrtdaq.exe)
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables (yara_rule autoit_exe).
- behavioral2/memory/1684-140-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4700-139-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1452-152-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4136-151-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4904-150-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4700-153-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1684-154-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4904-155-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4136-156-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1452-157-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4536-159-0x0000000000400000-0x00000000004A0000-memory.dmp
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\ddygxtxiufomhrz.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File opened for modification C:\Windows\SysWOW64\ddygxtxiufomhrz.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File opened for modification C:\Windows\SysWOW64\iygyyiku.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File created C:\Windows\SysWOW64\snvmyrtdaq.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File opened for modification C:\Windows\SysWOW64\snvmyrtdaq.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File created C:\Windows\SysWOW64\iygyyiku.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File created C:\Windows\SysWOW64\nlvqrngpycnod.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File opened for modification C:\Windows\SysWOW64\nlvqrngpycnod.exe (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: snvmyrtdaq.exe)
Drops file in Windows directory 1 IoCs
- File opened for modification C:\Windows\mydoc.rtf (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: snvmyrtdaq.exe)
- Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C769D5683526D3577D277222CDA7D8F65D8" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: snvmyrtdaq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: snvmyrtdaq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BC4FE1C22D8D27BD0A78A759162" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70E14E6DBC0B8BA7FE4ED9534CD" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FAB0FE64F1E784783A4581EC3998B38A028B4367034FE1BD459B09A0" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF8B4F2682699041D7297D92BC94E640594467326331D790" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: snvmyrtdaq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: snvmyrtdaq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B058479038EB52BEBAA2329ED4B8" (process: 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: snvmyrtdaq.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Entries per process (the original table lists each PID once per event):
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe (16 entries)
- PID 4700 snvmyrtdaq.exe (10 entries)
- PID 1684 ddygxtxiufomhrz.exe (12 entries)
- PID 4904 iygyyiku.exe (8 entries)
- PID 4136 nlvqrngpycnod.exe (12 entries)
- PID 1452 iygyyiku.exe (6 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
Three entries for each of: PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe, PID 4700 snvmyrtdaq.exe, PID 1684 ddygxtxiufomhrz.exe, PID 4904 iygyyiku.exe, PID 4136 nlvqrngpycnod.exe, PID 1452 iygyyiku.exe.
Suspicious use of SendNotifyMessage 18 IoCs
Three entries for each of: PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe, PID 4700 snvmyrtdaq.exe, PID 1684 ddygxtxiufomhrz.exe, PID 4904 iygyyiku.exe, PID 4136 nlvqrngpycnod.exe, PID 1452 iygyyiku.exe.
Suspicious use of WriteProcessMemory 20 IoCs
(source PID and process, target PID, procid_target; repeated entries collapsed with a count)
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe wrote to memory of 4700, procid_target 80 (x3)
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe wrote to memory of 1684, procid_target 81 (x3)
- PID 1684 ddygxtxiufomhrz.exe wrote to memory of 3624, procid_target 83 (x3)
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe wrote to memory of 4904, procid_target 84 (x3)
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe wrote to memory of 4136, procid_target 86 (x3)
- PID 4700 snvmyrtdaq.exe wrote to memory of 1452, procid_target 87 (x3)
- PID 4536 9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe wrote to memory of 932, procid_target 88 (x2)
Processes
- C:\Users\Admin\AppData\Local\Temp\9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe (PID 4536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\snvmyrtdaq.exe (PID 4700)
    Command line: snvmyrtdaq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\iygyyiku.exe (PID 1452)
      Command line: C:\Windows\system32\iygyyiku.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ddygxtxiufomhrz.exe (PID 1684)
    Command line: ddygxtxiufomhrz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3624)
      Command line: cmd.exe /c nlvqrngpycnod.exe
  - C:\Windows\SysWOW64\iygyyiku.exe (PID 4904)
    Command line: iygyyiku.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\nlvqrngpycnod.exe (PID 4136)
    Command line: nlvqrngpycnod.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 932)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads