Analysis
max time kernel: 189s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 27/11/2022, 01:34
Behavioral task behavioral1
Sample: 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
Resource: win10v2004-20220812-en
General
Target: 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
Size: 255KB
MD5: c8b1edc25dbd7dfe7578baedf9a63b2d
SHA1: 688a9f06f83463eab66f25cd3f279324d87a456a
SHA256: 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea
SHA512: 03c862c3abc47e691c2fafc4fcb54b9d4d8be50ec75d82ba59715a9a5a05d4821e5123f702a1585abc1bc9f485c010edf9a34837f11d2b29b04150c656633c7d
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIR
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | skywxcpgbf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | skywxcpgbf.exe
Windows security bypass 5 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skywxcpgbf.exe
Disables RegEdit via registry modification 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | skywxcpgbf.exe
Executes dropped EXE 5 IoCs
  pid | Process
  3616 | skywxcpgbf.exe
  4876 | oujdkmhfihbwxcw.exe
  4856 | enhpumal.exe
  4304 | ouhuzhvbwunxd.exe
  4256 | enhpumal.exe
  resource | yara_rule
  behavioral2/memory/1980-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/files/0x000b000000022de6-134.dat | upx
  behavioral2/files/0x000b000000022de6-135.dat | upx
  behavioral2/files/0x0007000000022e06-137.dat | upx
  behavioral2/files/0x0007000000022e06-138.dat | upx
  behavioral2/memory/3616-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4876-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/files/0x0007000000022e0d-143.dat | upx
  behavioral2/files/0x0007000000022e0d-142.dat | upx
  behavioral2/files/0x0007000000022e0e-145.dat | upx
  behavioral2/files/0x0007000000022e0e-146.dat | upx
  behavioral2/files/0x0007000000022e0d-148.dat | upx
  behavioral2/memory/4856-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4304-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4256-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/1980-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/files/0x0006000000022e15-159.dat | upx
  behavioral2/files/0x0006000000022e16-160.dat | upx
  behavioral2/memory/3616-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4876-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4856-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4304-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
  behavioral2/memory/4256-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
Windows security modification 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | skywxcpgbf.exe
Adds Run key to start application 2 TTPs 4 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | oujdkmhfihbwxcw.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pixgvtsg = "skywxcpgbf.exe" | oujdkmhfihbwxcw.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\grjzukpf = "oujdkmhfihbwxcw.exe" | oujdkmhfihbwxcw.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ouhuzhvbwunxd.exe" | oujdkmhfihbwxcw.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\e: | enhpumal.exe
  File opened (read-only) | \??\q: | skywxcpgbf.exe
  File opened (read-only) | \??\x: | skywxcpgbf.exe
  File opened (read-only) | \??\p: | enhpumal.exe
  File opened (read-only) | \??\s: | enhpumal.exe
  File opened (read-only) | \??\z: | enhpumal.exe
  File opened (read-only) | \??\r: | enhpumal.exe
  File opened (read-only) | \??\n: | skywxcpgbf.exe
  File opened (read-only) | \??\p: | skywxcpgbf.exe
  File opened (read-only) | \??\y: | enhpumal.exe
  File opened (read-only) | \??\q: | enhpumal.exe
  File opened (read-only) | \??\v: | enhpumal.exe
  File opened (read-only) | \??\y: | enhpumal.exe
  File opened (read-only) | \??\b: | skywxcpgbf.exe
  File opened (read-only) | \??\m: | enhpumal.exe
  File opened (read-only) | \??\s: | enhpumal.exe
  File opened (read-only) | \??\h: | skywxcpgbf.exe
  File opened (read-only) | \??\j: | skywxcpgbf.exe
  File opened (read-only) | \??\b: | enhpumal.exe
  File opened (read-only) | \??\g: | enhpumal.exe
  File opened (read-only) | \??\u: | enhpumal.exe
  File opened (read-only) | \??\t: | skywxcpgbf.exe
  File opened (read-only) | \??\w: | enhpumal.exe
  File opened (read-only) | \??\f: | enhpumal.exe
  File opened (read-only) | \??\i: | enhpumal.exe
  File opened (read-only) | \??\g: | enhpumal.exe
  File opened (read-only) | \??\t: | enhpumal.exe
  File opened (read-only) | \??\i: | skywxcpgbf.exe
  File opened (read-only) | \??\r: | skywxcpgbf.exe
  File opened (read-only) | \??\j: | enhpumal.exe
  File opened (read-only) | \??\w: | enhpumal.exe
  File opened (read-only) | \??\k: | skywxcpgbf.exe
  File opened (read-only) | \??\g: | skywxcpgbf.exe
  File opened (read-only) | \??\l: | skywxcpgbf.exe
  File opened (read-only) | \??\p: | enhpumal.exe
  File opened (read-only) | \??\l: | enhpumal.exe
  File opened (read-only) | \??\o: | enhpumal.exe
  File opened (read-only) | \??\e: | skywxcpgbf.exe
  File opened (read-only) | \??\v: | skywxcpgbf.exe
  File opened (read-only) | \??\a: | enhpumal.exe
  File opened (read-only) | \??\h: | enhpumal.exe
  File opened (read-only) | \??\k: | enhpumal.exe
  File opened (read-only) | \??\z: | enhpumal.exe
  File opened (read-only) | \??\m: | skywxcpgbf.exe
  File opened (read-only) | \??\u: | skywxcpgbf.exe
  File opened (read-only) | \??\y: | skywxcpgbf.exe
  File opened (read-only) | \??\z: | skywxcpgbf.exe
  File opened (read-only) | \??\f: | skywxcpgbf.exe
  File opened (read-only) | \??\w: | skywxcpgbf.exe
  File opened (read-only) | \??\t: | enhpumal.exe
  File opened (read-only) | \??\h: | enhpumal.exe
  File opened (read-only) | \??\l: | enhpumal.exe
  File opened (read-only) | \??\x: | enhpumal.exe
  File opened (read-only) | \??\a: | skywxcpgbf.exe
  File opened (read-only) | \??\v: | enhpumal.exe
  File opened (read-only) | \??\x: | enhpumal.exe
  File opened (read-only) | \??\b: | enhpumal.exe
  File opened (read-only) | \??\m: | enhpumal.exe
  File opened (read-only) | \??\n: | enhpumal.exe
  File opened (read-only) | \??\s: | skywxcpgbf.exe
  File opened (read-only) | \??\e: | enhpumal.exe
  File opened (read-only) | \??\n: | enhpumal.exe
  File opened (read-only) | \??\q: | enhpumal.exe
  File opened (read-only) | \??\i: | enhpumal.exe
Modifies WinLogon 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | skywxcpgbf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | skywxcpgbf.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/3616-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4876-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4856-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4304-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4256-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/1980-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/3616-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4876-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4856-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4304-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
  behavioral2/memory/4256-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\enhpumal.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File created | C:\Windows\SysWOW64\ouhuzhvbwunxd.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | skywxcpgbf.exe
  File created | C:\Windows\SysWOW64\skywxcpgbf.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\SysWOW64\skywxcpgbf.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File created | C:\Windows\SysWOW64\oujdkmhfihbwxcw.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\SysWOW64\oujdkmhfihbwxcw.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\SysWOW64\enhpumal.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\SysWOW64\ouhuzhvbwunxd.exe | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
Drops file in Program Files directory 15 IoCs
  description | ioc | Process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | enhpumal.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | enhpumal.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | enhpumal.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | enhpumal.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | enhpumal.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | enhpumal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | enhpumal.exe
Drops file in Windows directory 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C0A9D2082586D3476D377262CD97DF564DF" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC7081591DBB1B9C17C94EC9E34CF" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | skywxcpgbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B15D47E638E252CBBAA632EDD7CA" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFC824828826D9032D72F7E93BDEFE635584267326236D790" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC3FF6C21DFD109D1D18B7A9114" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | skywxcpgbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | skywxcpgbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | skywxcpgbf.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9B1F967F1E2837B3B3586EC3997B0FD02FC4311023EE2BD429C09D4" | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | skywxcpgbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | skywxcpgbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | skywxcpgbf.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
  pid | Process
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
Suspicious use of FindShellTrayWindow 18 IoCs
  pid | Process
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
Suspicious use of SendNotifyMessage 18 IoCs
  pid | Process
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  3616 | skywxcpgbf.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4876 | oujdkmhfihbwxcw.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4856 | enhpumal.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4304 | ouhuzhvbwunxd.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
  4256 | enhpumal.exe
Suspicious use of SetWindowsHookEx 7 IoCs
  pid | Process
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
  1272 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
  description | pid | Process | procid_target
  PID 1980 wrote to memory of 3616 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 79
  PID 1980 wrote to memory of 3616 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 79
  PID 1980 wrote to memory of 3616 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 79
  PID 1980 wrote to memory of 4876 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 80
  PID 1980 wrote to memory of 4876 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 80
  PID 1980 wrote to memory of 4876 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 80
  PID 1980 wrote to memory of 4856 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 81
  PID 1980 wrote to memory of 4856 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 81
  PID 1980 wrote to memory of 4856 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 81
  PID 1980 wrote to memory of 4304 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 82
  PID 1980 wrote to memory of 4304 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 82
  PID 1980 wrote to memory of 4304 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 82
  PID 3616 wrote to memory of 4256 | 3616 | skywxcpgbf.exe | 83
  PID 3616 wrote to memory of 4256 | 3616 | skywxcpgbf.exe | 83
  PID 3616 wrote to memory of 4256 | 3616 | skywxcpgbf.exe | 83
  PID 1980 wrote to memory of 1272 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 84
  PID 1980 wrote to memory of 1272 | 1980 | 38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe | 84
Processes
[1] C:\Users\Admin\AppData\Local\Temp\38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\38d8cd199b4ff063a47f4919a89f97a95483852330ca3eaaaf6e28be6215c0ea.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1980
    [2] C:\Windows\SysWOW64\skywxcpgbf.exe
        Command line: skywxcpgbf.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 3616
        [3] C:\Windows\SysWOW64\enhpumal.exe
            Command line: C:\Windows\system32\enhpumal.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 4256
    [2] C:\Windows\SysWOW64\oujdkmhfihbwxcw.exe
        Command line: oujdkmhfihbwxcw.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4876
    [2] C:\Windows\SysWOW64\enhpumal.exe
        Command line: enhpumal.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4856
    [2] C:\Windows\SysWOW64\ouhuzhvbwunxd.exe
        Command line: ouhuzhvbwunxd.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4304
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 1272
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Defense Evasion
  Disabling Security Tools: 2
  Hidden Files and Directories: 2
  Modify Registry: 6
Downloads