Analysis
max time kernel: 188s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 02:44
Behavioral task: behavioral1
Sample: f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Resource: win7-20221111-en
General
Target: f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Size: 255KB
MD5: 5b23df162ac213018b285769ec31ebdb
SHA1: 94e4fa23f5880b1267dbff6a4c96576b4bd3f23f
SHA256: f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d
SHA512: bfe7ea4b0affb892ea4a24c07603f3a0732444285c9ba42c1c9464bbb3ec2449d857b19923b0e3961a1fd8033b3020e139ff2e32c1f8bad379f18992a5738c59
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJD:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIM
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xlerugirwi.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xlerugirwi.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xlerugirwi.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xlerugirwi.exe
Executes dropped EXE 5 IoCs
pid | Process
4960 | xlerugirwi.exe
1448 | tnmvwcdinolhswl.exe
2268 | iakxpyjw.exe
3308 | udvqgjnsmayak.exe
4240 | iakxpyjw.exe
UPX packed file 25 IoCs
resource | yara_rule
behavioral2/memory/5072-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000d000000022e26-134.dat | upx
behavioral2/files/0x0008000000022e2a-137.dat | upx
behavioral2/files/0x0008000000022e2a-138.dat | upx
behavioral2/files/0x0006000000022e31-140.dat | upx
behavioral2/files/0x0006000000022e31-141.dat | upx
behavioral2/files/0x000d000000022e26-136.dat | upx
behavioral2/files/0x0006000000022e32-143.dat | upx
behavioral2/files/0x0006000000022e32-144.dat | upx
behavioral2/files/0x0006000000022e31-146.dat | upx
behavioral2/memory/2268-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1448-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4960-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3308-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4240-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5072-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e35-159.dat | upx
behavioral2/memory/4960-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1448-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2268-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3308-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4240-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e6bb-173.dat | upx
behavioral2/files/0x000200000001e6bc-174.dat | upx
behavioral2/files/0x000200000001e6bd-175.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xlerugirwi.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "udvqgjnsmayak.exe" | tnmvwcdinolhswl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tnmvwcdinolhswl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmokofhy = "xlerugirwi.exe" | tnmvwcdinolhswl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vrywljis = "tnmvwcdinolhswl.exe" | tnmvwcdinolhswl.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\r: | iakxpyjw.exe
File opened (read-only) | \??\m: | iakxpyjw.exe
File opened (read-only) | \??\w: | iakxpyjw.exe
File opened (read-only) | \??\z: | iakxpyjw.exe
File opened (read-only) | \??\l: | iakxpyjw.exe
File opened (read-only) | \??\b: | iakxpyjw.exe
File opened (read-only) | \??\j: | iakxpyjw.exe
File opened (read-only) | \??\o: | iakxpyjw.exe
File opened (read-only) | \??\p: | iakxpyjw.exe
File opened (read-only) | \??\r: | xlerugirwi.exe
File opened (read-only) | \??\q: | iakxpyjw.exe
File opened (read-only) | \??\a: | iakxpyjw.exe
File opened (read-only) | \??\v: | iakxpyjw.exe
File opened (read-only) | \??\l: | xlerugirwi.exe
File opened (read-only) | \??\q: | xlerugirwi.exe
File opened (read-only) | \??\m: | iakxpyjw.exe
File opened (read-only) | \??\x: | xlerugirwi.exe
File opened (read-only) | \??\j: | iakxpyjw.exe
File opened (read-only) | \??\n: | xlerugirwi.exe
File opened (read-only) | \??\x: | iakxpyjw.exe
File opened (read-only) | \??\o: | xlerugirwi.exe
File opened (read-only) | \??\z: | xlerugirwi.exe
File opened (read-only) | \??\l: | iakxpyjw.exe
File opened (read-only) | \??\q: | iakxpyjw.exe
File opened (read-only) | \??\s: | xlerugirwi.exe
File opened (read-only) | \??\y: | xlerugirwi.exe
File opened (read-only) | \??\r: | iakxpyjw.exe
File opened (read-only) | \??\w: | iakxpyjw.exe
File opened (read-only) | \??\t: | iakxpyjw.exe
File opened (read-only) | \??\y: | iakxpyjw.exe
File opened (read-only) | \??\k: | xlerugirwi.exe
File opened (read-only) | \??\f: | iakxpyjw.exe
File opened (read-only) | \??\v: | xlerugirwi.exe
File opened (read-only) | \??\h: | iakxpyjw.exe
File opened (read-only) | \??\o: | iakxpyjw.exe
File opened (read-only) | \??\s: | iakxpyjw.exe
File opened (read-only) | \??\u: | iakxpyjw.exe
File opened (read-only) | \??\x: | iakxpyjw.exe
File opened (read-only) | \??\f: | xlerugirwi.exe
File opened (read-only) | \??\n: | iakxpyjw.exe
File opened (read-only) | \??\m: | xlerugirwi.exe
File opened (read-only) | \??\t: | xlerugirwi.exe
File opened (read-only) | \??\k: | iakxpyjw.exe
File opened (read-only) | \??\e: | iakxpyjw.exe
File opened (read-only) | \??\s: | iakxpyjw.exe
File opened (read-only) | \??\z: | iakxpyjw.exe
File opened (read-only) | \??\p: | xlerugirwi.exe
File opened (read-only) | \??\v: | iakxpyjw.exe
File opened (read-only) | \??\y: | iakxpyjw.exe
File opened (read-only) | \??\h: | iakxpyjw.exe
File opened (read-only) | \??\j: | xlerugirwi.exe
File opened (read-only) | \??\w: | xlerugirwi.exe
File opened (read-only) | \??\t: | iakxpyjw.exe
File opened (read-only) | \??\g: | iakxpyjw.exe
File opened (read-only) | \??\i: | xlerugirwi.exe
File opened (read-only) | \??\e: | iakxpyjw.exe
File opened (read-only) | \??\f: | iakxpyjw.exe
File opened (read-only) | \??\a: | xlerugirwi.exe
File opened (read-only) | \??\b: | xlerugirwi.exe
File opened (read-only) | \??\g: | xlerugirwi.exe
File opened (read-only) | \??\u: | xlerugirwi.exe
File opened (read-only) | \??\a: | iakxpyjw.exe
File opened (read-only) | \??\u: | iakxpyjw.exe
File opened (read-only) | \??\h: | xlerugirwi.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xlerugirwi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xlerugirwi.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2268-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1448-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4960-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3308-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4240-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5072-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4960-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1448-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2268-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3308-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4240-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xlerugirwi.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File created | C:\Windows\SysWOW64\tnmvwcdinolhswl.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File opened for modification | C:\Windows\SysWOW64\tnmvwcdinolhswl.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File opened for modification | C:\Windows\SysWOW64\iakxpyjw.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File created | C:\Windows\SysWOW64\udvqgjnsmayak.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File opened for modification | C:\Windows\SysWOW64\udvqgjnsmayak.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File created | C:\Windows\SysWOW64\xlerugirwi.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xlerugirwi.exe
File created | C:\Windows\SysWOW64\iakxpyjw.exe | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | iakxpyjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | iakxpyjw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | iakxpyjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | iakxpyjw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | iakxpyjw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | iakxpyjw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | iakxpyjw.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xlerugirwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | xlerugirwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C0F9C2C82226D4276D7702F2DDC7CF264AB" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB8FE6B21AAD27FD0A88A0E9063" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xlerugirwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xlerugirwi.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FABAF960F2E4840C3B42869F3998B08102FB43640348E2CD45E708A6" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC7081490DBC7B8C87C97ED9737CA" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xlerugirwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | xlerugirwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | xlerugirwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | xlerugirwi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xlerugirwi.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12B47E538EA52CEB9A2329FD4BE" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xlerugirwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | xlerugirwi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF4FF834F2682699146D72D7DE2BCEEE1445946664E633FD79F" | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | xlerugirwi.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | consecutive occurrences
3564 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive occurrences
5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 16
4960 | xlerugirwi.exe | 10
1448 | tnmvwcdinolhswl.exe | 2
2268 | iakxpyjw.exe | 1
1448 | tnmvwcdinolhswl.exe | 1
2268 | iakxpyjw.exe | 1
1448 | tnmvwcdinolhswl.exe | 5
2268 | iakxpyjw.exe | 4
1448 | tnmvwcdinolhswl.exe | 2
2268 | iakxpyjw.exe | 2
3308 | udvqgjnsmayak.exe | 12
4240 | iakxpyjw.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | consecutive occurrences
5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 3
4960 | xlerugirwi.exe | 3
1448 | tnmvwcdinolhswl.exe | 3
2268 | iakxpyjw.exe | 3
3308 | udvqgjnsmayak.exe | 3
4240 | iakxpyjw.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | consecutive occurrences
5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 3
4960 | xlerugirwi.exe | 3
1448 | tnmvwcdinolhswl.exe | 3
2268 | iakxpyjw.exe | 3
3308 | udvqgjnsmayak.exe | 3
4240 | iakxpyjw.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | consecutive occurrences
3564 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | consecutive occurrences
PID 5072 wrote to memory of 4960 | 5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 80 | 3
PID 5072 wrote to memory of 1448 | 5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 81 | 3
PID 5072 wrote to memory of 2268 | 5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 82 | 3
PID 5072 wrote to memory of 3308 | 5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 83 | 3
PID 4960 wrote to memory of 4240 | 4960 | xlerugirwi.exe | 84 | 3
PID 5072 wrote to memory of 3564 | 5072 | f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe | 85 | 2
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe
command line: "C:\Users\Admin\AppData\Local\Temp\f431eca6f8e7839f59c68539e4c2db3621662b3c713254c65aa4fab8ff27a93d.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072 -
[level 2] C:\Windows\SysWOW64\xlerugirwi.exe
command line: xlerugirwi.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960 -
[level 3] C:\Windows\SysWOW64\iakxpyjw.exe
command line: C:\Windows\system32\iakxpyjw.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4240
[level 2] C:\Windows\SysWOW64\tnmvwcdinolhswl.exe
command line: tnmvwcdinolhswl.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1448
[level 2] C:\Windows\SysWOW64\iakxpyjw.exe
command line: iakxpyjw.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2268
[level 2] C:\Windows\SysWOW64\udvqgjnsmayak.exe
command line: udvqgjnsmayak.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3308
[level 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3564
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads