660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 11:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Size

255KB
MD5

4e5f9f17b00efcc1e057303309cdc0c4
SHA1

a07629c704adce5663e040d303fa32f926a83609
SHA256

660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1
SHA512

6bed0d9fd78e0486ff57e25fae4cfa519fd7d70d8311d848204f3eb3c3b7c68bfb642bad896b2c3b541a281c414ea65f76b455074877413d910167fc7c074492
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJv:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	iklkokfxfb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	iklkokfxfb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iklkokfxfb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iklkokfxfb.exe

Executes dropped EXE 5 IoCs

pid	Process
1708	iklkokfxfb.exe
1216	ywwdeorvnybbinf.exe
1876	tplocfcd.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1020-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-56.dat	upx
behavioral1/files/0x00140000000054ab-58.dat	upx
behavioral1/files/0x00140000000054ab-60.dat	upx
behavioral1/files/0x000900000001311a-61.dat	upx
behavioral1/files/0x000900000001311a-63.dat	upx
behavioral1/files/0x00070000000133dd-65.dat	upx
behavioral1/files/0x00070000000133dd-67.dat	upx
behavioral1/files/0x000900000001311a-69.dat	upx
behavioral1/files/0x00070000000133e6-70.dat	upx
behavioral1/files/0x00070000000133dd-72.dat	upx
behavioral1/files/0x00070000000133e6-73.dat	upx
behavioral1/files/0x00070000000133dd-75.dat	upx
behavioral1/files/0x00070000000133dd-77.dat	upx
behavioral1/files/0x00070000000133e6-79.dat	upx
behavioral1/memory/1708-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1216-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1876-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1680-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2044-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1020-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1708-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1216-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1876-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2044-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1680-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00060000000142e0-101.dat	upx
behavioral1/files/0x00060000000142e0-102.dat	upx
behavioral1/files/0x0006000000014371-104.dat	upx
behavioral1/files/0x0006000000014371-103.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1708	iklkokfxfb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	iklkokfxfb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ywwdeorvnybbinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cutjgmbi = "iklkokfxfb.exe"	ywwdeorvnybbinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xmcqqmfu = "ywwdeorvnybbinf.exe"	ywwdeorvnybbinf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gciyceuasxeqp.exe"	ywwdeorvnybbinf.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	tplocfcd.exe
File opened (read-only)	\??\s:	iklkokfxfb.exe
File opened (read-only)	\??\w:	iklkokfxfb.exe
File opened (read-only)	\??\g:	tplocfcd.exe
File opened (read-only)	\??\w:	tplocfcd.exe
File opened (read-only)	\??\x:	tplocfcd.exe
File opened (read-only)	\??\f:	tplocfcd.exe
File opened (read-only)	\??\y:	tplocfcd.exe
File opened (read-only)	\??\u:	iklkokfxfb.exe
File opened (read-only)	\??\x:	iklkokfxfb.exe
File opened (read-only)	\??\n:	tplocfcd.exe
File opened (read-only)	\??\x:	tplocfcd.exe
File opened (read-only)	\??\e:	iklkokfxfb.exe
File opened (read-only)	\??\m:	iklkokfxfb.exe
File opened (read-only)	\??\n:	iklkokfxfb.exe
File opened (read-only)	\??\b:	tplocfcd.exe
File opened (read-only)	\??\s:	tplocfcd.exe
File opened (read-only)	\??\f:	iklkokfxfb.exe
File opened (read-only)	\??\o:	tplocfcd.exe
File opened (read-only)	\??\q:	tplocfcd.exe
File opened (read-only)	\??\i:	tplocfcd.exe
File opened (read-only)	\??\t:	iklkokfxfb.exe
File opened (read-only)	\??\t:	tplocfcd.exe
File opened (read-only)	\??\o:	tplocfcd.exe
File opened (read-only)	\??\g:	iklkokfxfb.exe
File opened (read-only)	\??\p:	tplocfcd.exe
File opened (read-only)	\??\h:	tplocfcd.exe
File opened (read-only)	\??\l:	tplocfcd.exe
File opened (read-only)	\??\l:	tplocfcd.exe
File opened (read-only)	\??\r:	tplocfcd.exe
File opened (read-only)	\??\u:	tplocfcd.exe
File opened (read-only)	\??\a:	tplocfcd.exe
File opened (read-only)	\??\o:	iklkokfxfb.exe
File opened (read-only)	\??\z:	iklkokfxfb.exe
File opened (read-only)	\??\s:	tplocfcd.exe
File opened (read-only)	\??\p:	tplocfcd.exe
File opened (read-only)	\??\b:	iklkokfxfb.exe
File opened (read-only)	\??\v:	iklkokfxfb.exe
File opened (read-only)	\??\f:	tplocfcd.exe
File opened (read-only)	\??\v:	tplocfcd.exe
File opened (read-only)	\??\y:	tplocfcd.exe
File opened (read-only)	\??\k:	iklkokfxfb.exe
File opened (read-only)	\??\j:	tplocfcd.exe
File opened (read-only)	\??\k:	tplocfcd.exe
File opened (read-only)	\??\u:	tplocfcd.exe
File opened (read-only)	\??\e:	tplocfcd.exe
File opened (read-only)	\??\k:	tplocfcd.exe
File opened (read-only)	\??\v:	tplocfcd.exe
File opened (read-only)	\??\z:	tplocfcd.exe
File opened (read-only)	\??\p:	iklkokfxfb.exe
File opened (read-only)	\??\z:	tplocfcd.exe
File opened (read-only)	\??\q:	tplocfcd.exe
File opened (read-only)	\??\i:	iklkokfxfb.exe
File opened (read-only)	\??\j:	iklkokfxfb.exe
File opened (read-only)	\??\q:	iklkokfxfb.exe
File opened (read-only)	\??\r:	iklkokfxfb.exe
File opened (read-only)	\??\y:	iklkokfxfb.exe
File opened (read-only)	\??\a:	tplocfcd.exe
File opened (read-only)	\??\i:	tplocfcd.exe
File opened (read-only)	\??\m:	tplocfcd.exe
File opened (read-only)	\??\h:	iklkokfxfb.exe
File opened (read-only)	\??\m:	tplocfcd.exe
File opened (read-only)	\??\j:	tplocfcd.exe
File opened (read-only)	\??\n:	tplocfcd.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	iklkokfxfb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	iklkokfxfb.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1708-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1216-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1876-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1680-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2044-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1020-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1708-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1216-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1876-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2044-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1680-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ywwdeorvnybbinf.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\SysWOW64\ywwdeorvnybbinf.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File created	C:\Windows\SysWOW64\tplocfcd.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\SysWOW64\tplocfcd.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\SysWOW64\gciyceuasxeqp.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	iklkokfxfb.exe
File created	C:\Windows\SysWOW64\iklkokfxfb.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File created	C:\Windows\SysWOW64\gciyceuasxeqp.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\SysWOW64\iklkokfxfb.exe	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tplocfcd.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	tplocfcd.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tplocfcd.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	tplocfcd.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tplocfcd.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	tplocfcd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	tplocfcd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	iklkokfxfb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CAFE6AF1E283753B3781993E97B08103FD4311033BE1BE42EE08D3"	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	iklkokfxfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B0FF1B21A9D20ED0A38A7B9163"	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	iklkokfxfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	iklkokfxfb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02A47E239ED53CDBAD432EFD7BB"	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1028	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe
1680	tplocfcd.exe
1680	tplocfcd.exe
1680	tplocfcd.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe
1216	ywwdeorvnybbinf.exe
2044	gciyceuasxeqp.exe
2044	gciyceuasxeqp.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe
1680	tplocfcd.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe
2044	gciyceuasxeqp.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1708	iklkokfxfb.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1216	ywwdeorvnybbinf.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
1876	tplocfcd.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe
1680	tplocfcd.exe
2044	gciyceuasxeqp.exe
1680	tplocfcd.exe
2044	gciyceuasxeqp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1028	WINWORD.EXE
1028	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1708	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	27
PID 1020 wrote to memory of 1708	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	27
PID 1020 wrote to memory of 1708	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	27
PID 1020 wrote to memory of 1708	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	27
PID 1020 wrote to memory of 1216	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	28
PID 1020 wrote to memory of 1216	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	28
PID 1020 wrote to memory of 1216	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	28
PID 1020 wrote to memory of 1216	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	28
PID 1020 wrote to memory of 1876	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	29
PID 1020 wrote to memory of 1876	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	29
PID 1020 wrote to memory of 1876	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	29
PID 1020 wrote to memory of 1876	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	29
PID 1020 wrote to memory of 2044	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	30
PID 1020 wrote to memory of 2044	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	30
PID 1020 wrote to memory of 2044	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	30
PID 1020 wrote to memory of 2044	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	30
PID 1708 wrote to memory of 1680	1708	iklkokfxfb.exe	31
PID 1708 wrote to memory of 1680	1708	iklkokfxfb.exe	31
PID 1708 wrote to memory of 1680	1708	iklkokfxfb.exe	31
PID 1708 wrote to memory of 1680	1708	iklkokfxfb.exe	31
PID 1020 wrote to memory of 1028	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	32
PID 1020 wrote to memory of 1028	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	32
PID 1020 wrote to memory of 1028	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	32
PID 1020 wrote to memory of 1028	1020	660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe	32
PID 1028 wrote to memory of 1300	1028	WINWORD.EXE	36
PID 1028 wrote to memory of 1300	1028	WINWORD.EXE	36
PID 1028 wrote to memory of 1300	1028	WINWORD.EXE	36
PID 1028 wrote to memory of 1300	1028	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
"C:\Users\Admin\AppData\Local\Temp\660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\iklkokfxfb.exe
  iklkokfxfb.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\tplocfcd.exe
    C:\Windows\system32\tplocfcd.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1680
- C:\Windows\SysWOW64\ywwdeorvnybbinf.exe
  ywwdeorvnybbinf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1216
- C:\Windows\SysWOW64\tplocfcd.exe
  tplocfcd.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1876
- C:\Windows\SysWOW64\gciyceuasxeqp.exe
  gciyceuasxeqp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2044
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
98be8ef4f5c6e009a90345602cca8e96

SHA1
1a86375c7958e33cc76f5e2527bd00e50e1dba6d

SHA256
df1e8529348702c85be55101cd6786ea2eb784601122123978ab4c899d47aaaf

SHA512
62e7f45fd7a63527f8269972acd7fe1500fbaf7d5aa8ccbe503acf3a8e43c83e3ab813f8e072d226e3686f116e62b6372498958171f91c96036101714623df23

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
98be8ef4f5c6e009a90345602cca8e96

SHA1
1a86375c7958e33cc76f5e2527bd00e50e1dba6d

SHA256
df1e8529348702c85be55101cd6786ea2eb784601122123978ab4c899d47aaaf

SHA512
62e7f45fd7a63527f8269972acd7fe1500fbaf7d5aa8ccbe503acf3a8e43c83e3ab813f8e072d226e3686f116e62b6372498958171f91c96036101714623df23

Download Submit
C:\Users\Admin\Documents\OpenUninstall.doc.exe

Filesize
255KB

MD5
ab39e79ccb0f6776468482a6f75193ad

SHA1
39ce064fb83e0810aa22e8a8470b2d402388cd72

SHA256
406917143dc62b292087a89f30d52ae2c2457e1e9f8650f5335610078b95dab9

SHA512
caa1cd04abdb5c7833814a0f38f1787eaebc3610e1a652477e047dc5d3403c27ed3aeb3537cb457e46e1ca13bb47fd8d1e98ec5c99b66e4af1f9ad2760f61ded

Download Submit
C:\Windows\SysWOW64\gciyceuasxeqp.exe

Filesize
255KB

MD5
a266f2de3337339ea3b5f6ca1565365e

SHA1
b2924c89fbdd4ddeb095f72abda64f0113c5b296

SHA256
f26fa3c5026458539943e96e6c22ae610646ef09ff451a6dc06bc8a920172ace

SHA512
10765b6656cb5cc7bff21641f2da911e2c7c5f3440119a45625507ed51bbf86790af140f10396ad8871b89ab55062ec3600e4a887662dcc08f28407ba6e061f0

Download Submit
C:\Windows\SysWOW64\gciyceuasxeqp.exe

Filesize
255KB

MD5
a266f2de3337339ea3b5f6ca1565365e

SHA1
b2924c89fbdd4ddeb095f72abda64f0113c5b296

SHA256
f26fa3c5026458539943e96e6c22ae610646ef09ff451a6dc06bc8a920172ace

SHA512
10765b6656cb5cc7bff21641f2da911e2c7c5f3440119a45625507ed51bbf86790af140f10396ad8871b89ab55062ec3600e4a887662dcc08f28407ba6e061f0

Download Submit
C:\Windows\SysWOW64\iklkokfxfb.exe

Filesize
255KB

MD5
c6cb01fdeaf303fda27e6257ac010144

SHA1
b86e6315c04753e1261c6902d58105dc4b2d3b6e

SHA256
ec95aea51f3f3394311271c5abc4f56a3a2370540223858d1bc320287528b757

SHA512
e3b70350f1938522419f2b83c1ead2f9b1f7613c614d5d1dd9309c20f6f7096a29e8457c9969c5167dca0f7706aab13837217d784e933ddb0fe3fffec6ea9e3e

Download Submit
C:\Windows\SysWOW64\iklkokfxfb.exe

Filesize
255KB

MD5
c6cb01fdeaf303fda27e6257ac010144

SHA1
b86e6315c04753e1261c6902d58105dc4b2d3b6e

SHA256
ec95aea51f3f3394311271c5abc4f56a3a2370540223858d1bc320287528b757

SHA512
e3b70350f1938522419f2b83c1ead2f9b1f7613c614d5d1dd9309c20f6f7096a29e8457c9969c5167dca0f7706aab13837217d784e933ddb0fe3fffec6ea9e3e

Download Submit
C:\Windows\SysWOW64\tplocfcd.exe

Filesize
255KB

MD5
46255ecb15ce0468faa53d8735978b87

SHA1
6afada35d28e8da3ce6f3421a7efe0ea2a064bad

SHA256
d37ca8584df5590a70bcf83f47e84c1ec8c73265897e49c38f5182165e83cb70

SHA512
a239b86cfda3214e60c42e8873c6661b38f63135223f48c88239c6e84d09c21d148e6beed115eba3d95952d858fef4615d1926b2a4e36f68d47df9eb39faeb29

Download Submit
C:\Windows\SysWOW64\tplocfcd.exe

Filesize
255KB

MD5
46255ecb15ce0468faa53d8735978b87

SHA1
6afada35d28e8da3ce6f3421a7efe0ea2a064bad

SHA256
d37ca8584df5590a70bcf83f47e84c1ec8c73265897e49c38f5182165e83cb70

SHA512
a239b86cfda3214e60c42e8873c6661b38f63135223f48c88239c6e84d09c21d148e6beed115eba3d95952d858fef4615d1926b2a4e36f68d47df9eb39faeb29

Download Submit
C:\Windows\SysWOW64\tplocfcd.exe

Filesize
255KB

MD5
46255ecb15ce0468faa53d8735978b87

SHA1
6afada35d28e8da3ce6f3421a7efe0ea2a064bad

SHA256
d37ca8584df5590a70bcf83f47e84c1ec8c73265897e49c38f5182165e83cb70

SHA512
a239b86cfda3214e60c42e8873c6661b38f63135223f48c88239c6e84d09c21d148e6beed115eba3d95952d858fef4615d1926b2a4e36f68d47df9eb39faeb29

Download Submit
C:\Windows\SysWOW64\ywwdeorvnybbinf.exe

Filesize
255KB

MD5
6b1f98f0e0b80074476441f117153b66

SHA1
8b67b5b79294cd1af7c1440df587d5fe7fe98dfa

SHA256
e8d27515408b8a29eab8653ac98f13932e4fc72862a9f13dbc4fd59d0225736c

SHA512
558f58e867de4f8ec0431ab01691a2b5430387fbe886ce231dcac35a25477fa69761453ed20d8c29e95b60a4850d1d4b6d9a47c1c4ecd5c405a4c914c8d4686d

Download Submit
C:\Windows\SysWOW64\ywwdeorvnybbinf.exe

Filesize
255KB

MD5
6b1f98f0e0b80074476441f117153b66

SHA1
8b67b5b79294cd1af7c1440df587d5fe7fe98dfa

SHA256
e8d27515408b8a29eab8653ac98f13932e4fc72862a9f13dbc4fd59d0225736c

SHA512
558f58e867de4f8ec0431ab01691a2b5430387fbe886ce231dcac35a25477fa69761453ed20d8c29e95b60a4850d1d4b6d9a47c1c4ecd5c405a4c914c8d4686d

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Users\Admin\Documents\OpenUninstall.doc.exe

Filesize
255KB

MD5
ab39e79ccb0f6776468482a6f75193ad

SHA1
39ce064fb83e0810aa22e8a8470b2d402388cd72

SHA256
406917143dc62b292087a89f30d52ae2c2457e1e9f8650f5335610078b95dab9

SHA512
caa1cd04abdb5c7833814a0f38f1787eaebc3610e1a652477e047dc5d3403c27ed3aeb3537cb457e46e1ca13bb47fd8d1e98ec5c99b66e4af1f9ad2760f61ded

Download Submit
\Windows\SysWOW64\gciyceuasxeqp.exe

Filesize
255KB

MD5
a266f2de3337339ea3b5f6ca1565365e

SHA1
b2924c89fbdd4ddeb095f72abda64f0113c5b296

SHA256
f26fa3c5026458539943e96e6c22ae610646ef09ff451a6dc06bc8a920172ace

SHA512
10765b6656cb5cc7bff21641f2da911e2c7c5f3440119a45625507ed51bbf86790af140f10396ad8871b89ab55062ec3600e4a887662dcc08f28407ba6e061f0

Download Submit
\Windows\SysWOW64\iklkokfxfb.exe

Filesize
255KB

MD5
c6cb01fdeaf303fda27e6257ac010144

SHA1
b86e6315c04753e1261c6902d58105dc4b2d3b6e

SHA256
ec95aea51f3f3394311271c5abc4f56a3a2370540223858d1bc320287528b757

SHA512
e3b70350f1938522419f2b83c1ead2f9b1f7613c614d5d1dd9309c20f6f7096a29e8457c9969c5167dca0f7706aab13837217d784e933ddb0fe3fffec6ea9e3e

Download Submit
\Windows\SysWOW64\tplocfcd.exe

Filesize
255KB

MD5
46255ecb15ce0468faa53d8735978b87

SHA1
6afada35d28e8da3ce6f3421a7efe0ea2a064bad

SHA256
d37ca8584df5590a70bcf83f47e84c1ec8c73265897e49c38f5182165e83cb70

SHA512
a239b86cfda3214e60c42e8873c6661b38f63135223f48c88239c6e84d09c21d148e6beed115eba3d95952d858fef4615d1926b2a4e36f68d47df9eb39faeb29

Download Submit
\Windows\SysWOW64\tplocfcd.exe

Filesize
255KB

MD5
46255ecb15ce0468faa53d8735978b87

SHA1
6afada35d28e8da3ce6f3421a7efe0ea2a064bad

SHA256
d37ca8584df5590a70bcf83f47e84c1ec8c73265897e49c38f5182165e83cb70

SHA512
a239b86cfda3214e60c42e8873c6661b38f63135223f48c88239c6e84d09c21d148e6beed115eba3d95952d858fef4615d1926b2a4e36f68d47df9eb39faeb29

Download Submit
\Windows\SysWOW64\ywwdeorvnybbinf.exe

Filesize
255KB

MD5
6b1f98f0e0b80074476441f117153b66

SHA1
8b67b5b79294cd1af7c1440df587d5fe7fe98dfa

SHA256
e8d27515408b8a29eab8653ac98f13932e4fc72862a9f13dbc4fd59d0225736c

SHA512
558f58e867de4f8ec0431ab01691a2b5430387fbe886ce231dcac35a25477fa69761453ed20d8c29e95b60a4850d1d4b6d9a47c1c4ecd5c405a4c914c8d4686d

Download Submit
memory/1020-80-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/1020-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1020-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1020-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1028-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1028-90-0x00000000700E1000-0x00000000700E3000-memory.dmp

Filesize
8KB

Download
memory/1028-108-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/1028-100-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/1028-94-0x00000000710CD000-0x00000000710D8000-memory.dmp

Filesize
44KB

Download
memory/1028-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1028-89-0x0000000072661000-0x0000000072664000-memory.dmp

Filesize
12KB

Download
memory/1216-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1216-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1300-106-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1680-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1680-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1708-85-0x0000000003880000-0x0000000003920000-memory.dmp

Filesize
640KB

Download
memory/1708-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1708-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1876-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1876-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2044-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2044-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download