Analysis
max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 27/11/2022, 11:54

Behavioral task: behavioral1
Sample: 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Resource: win7-20220812-en

General
Target: 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Size: 255KB
MD5: 4e5f9f17b00efcc1e057303309cdc0c4
SHA1: a07629c704adce5663e040d303fa32f926a83609
SHA256: 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1
SHA512: 6bed0d9fd78e0486ff57e25fae4cfa519fd7d70d8311d848204f3eb3c3b7c68bfb642bad896b2c3b541a281c414ea65f76b455074877413d910167fc7c074492
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJv:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (soabnbkkyh.exe)

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (soabnbkkyh.exe)

Windows security bypass 5 IoCs
Security Center notification and status-override values. The writer is a 32-bit process running from SysWOW64, so these writes landed in the WOW6432Node view of HKLM\SOFTWARE; 64-bit components read the native key, which these writes do not touch.
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (soabnbkkyh.exe)

Disables RegEdit via registry modification 1 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (soabnbkkyh.exe)
Executes dropped EXE 5 IoCs
PID 2324 soabnbkkyh.exe
PID 3636 qkxklbfggskrgsm.exe
PID 3108 lktlvgsv.exe
PID 532 lvojozktdpyry.exe
PID 1928 lktlvgsv.exe

UPX packed file (yara rule upx) 29 IoCs
Memory dumps at 0x0000000000400000-0x00000000004A0000 of every process in the chain match the upx rule: 1400 (dumps 132, 133, 154), 2324 (146, 162), 3636 (147, 163), 3108 (148, 164), 532 (149, 165), 1928 (152, 168).
Dropped .dat resources matching the rule: 0x0008000000022f71 (135, 136), 0x0007000000022f77 (138, 139), 0x0007000000022f78 (141, 142, 151), 0x0007000000022f7f (144, 145), 0x0007000000022f82 (155), 0x0009000000022f83 (156), 0x000300000001e790 (170), 0x0007000000022fa1 (171), 0x000200000001e696 (172, 173, 174). All entries are under behavioral2/.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
Same WOW6432Node view of the Security Center key as above; FirstRunDisabled is the one value not already listed there.
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (soabnbkkyh.exe)
Adds Run key to start application 2 TTPs 4 IoCs
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (qkxklbfggskrgsm.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgotqfa = "soabnbkkyh.exe" (qkxklbfggskrgsm.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwhvszjx = "qkxklbfggskrgsm.exe" (qkxklbfggskrgsm.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lvojozktdpyry.exe" (qkxklbfggskrgsm.exe), written as the key's default value
Unlike the Security Center writes, the WOW6432Node Run key is processed at logon, so these entries are live persistence. The data holds bare file names; the files themselves were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory").
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only)" on a drive root, grouped here by process:
lktlvgsv.exe (45 opens): \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (each letter opened twice except j:, n: and t:, opened once)
soabnbkkyh.exe (19 opens): \??\b: \??\e: \??\f: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\r: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Neither process opened c: or d:.
Modifies WinLogon 2 TTPs 2 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (soabnbkkyh.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (soabnbkkyh.exe)
4294967197 is 0xFFFFFF9D, the legacy Windows File Protection disable value. As with the Security Center writes, these landed in the WOW6432Node view rather than the native Winlogon key.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Memory dumps at 0x0000000000400000-0x00000000004A0000 matching the autoit_exe rule (all under behavioral2/memory/): 2324 (dumps 146, 162), 3636 (147, 163), 3108 (148, 164), 532 (149, 165), 1928 (152, 168), 1400 (154).
Drops file in System32 directory 13 IoCs
File created C:\Windows\SysWOW64\soabnbkkyh.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\SysWOW64\soabnbkkyh.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File created C:\Windows\SysWOW64\qkxklbfggskrgsm.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\SysWOW64\qkxklbfggskrgsm.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File created C:\Windows\SysWOW64\lktlvgsv.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\SysWOW64\lktlvgsv.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File created C:\Windows\SysWOW64\lvojozktdpyry.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\SysWOW64\lvojozktdpyry.exe (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (soabnbkkyh.exe)
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lktlvgsv.exe), 2 events
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lktlvgsv.exe), 2 events

Drops file in Program Files directory 14 IoCs
All 14 events come from lktlvgsv.exe and target the Office template directory:
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe, 4 events (two logged with the \??\c: prefix)
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe, 4 events (two logged with the \??\c: prefix)
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal, 2 events
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal, 2 events
With HideFileExt set to 1 by soabnbkkyh.exe (above), Explorer displays PROTTPLN.DOC.exe and PROTTPLV.DOC.exe as PROTTPLN.DOC and PROTTPLV.DOC.

Drops file in Windows directory 3 IoCs
File opened for modification C:\Windows\mydoc.rtf (660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe)
File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
File created C:\Windows\~$mydoc.rtf (WINWORD.EXE), Word's owner/lock file for the document it was launched on
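The three "Drops file" signatures above give the on-disk names this sample leaves behind: four executables in C:\Windows\SysWOW64, document names with an executable extension appended (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) and .nal files beside them. The following is an added example, not code from the report or from anyone who analysed the sample, of a hunt that walks a directory tree for those names. The document extensions beyond .doc and the .scr/.com suffixes beside .exe are assumptions that widen the net, and the tree it builds is a constructed fixture laid out like the report's paths.

```python
"""Hunt a directory tree for the on-disk artefacts named in the report's
'Drops file' signatures: the four executables dropped into SysWOW64, document
names with an executable extension tacked on (PROTTPLN.DOC.exe,
MsoIrmProtector.doc.exe) and the .nal files written beside them."""
import os
import tempfile

# File names lifted from the report's 'Drops file in System32 directory' signature.
DROPPED_EXES = {"soabnbkkyh.exe", "qkxklbfggskrgsm.exe", "lktlvgsv.exe", "lvojozktdpyry.exe"}
# The report only shows .doc/.DOC; the other document extensions are an assumption
# to widen the hunt, as are .scr/.com beside .exe.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com"}


def classify_name(name: str):
    """Return why a file name is suspicious, or None for a name that looks clean."""
    low = name.lower()
    if low in DROPPED_EXES:
        return "dropped executable name from the report"
    if low.endswith(".nal"):
        return "companion .nal file written beside a .DOC.exe"
    stem, ext = os.path.splitext(low)
    if ext in EXEC_EXTS:
        inner = os.path.splitext(stem)[1]
        if inner in DOC_EXTS:
            # With HideFileExt=1 (set by the sample) Explorer displays only the stem.
            return f"document name with {ext} appended (shown as '{stem}' when extensions are hidden)"
    return None


def find_artifacts(root: str):
    """Walk root and return sorted (relative path, reason) pairs; paths use backslashes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            reason = classify_name(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "\\"), reason))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture: empty files laid out like the paths in the report."""
    root = tempfile.mkdtemp(prefix="hunt_")
    layout = [
        r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
        r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal",
        r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe",
        r"Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal",
        r"Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe",
        r"Windows\SysWOW64\soabnbkkyh.exe",
        r"Windows\SysWOW64\msvbvm60.dll",      # touched by the sample but a legitimate name
        r"Users\Admin\Documents\report.docx",   # clean document, must not be flagged
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for path, reason in find_artifacts(build_sample_tree()):
        print(f"{path}: {reason}")
```

Point find_artifacts at a mounted share or a user profile; msvbvm60.dll is deliberately left out of the match set because the report shows it being opened, not created, and the name is a legitimate VB6 runtime.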
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry 2 TTPs 3 IoCs
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
All six reads come from WINWORD.EXE, which the sample launched on the mydoc.rtf it wrote, not from the sample's own processes; the generic sandbox-detection note above does not apply to them.
Modifies registry class 20 IoCs
By 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe:
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C779C5783226A3276D270562CAE7C8764A8"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FABFFE65F192837C3B43869D3996B088038C4363023BE1C9459C08A7"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B121449539EE52C8BAD533EFD4B9"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFCF8482F851B9137D62D7DE5BC90E1365847664E6245D69D"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B1FE1A21AED10FD1D68A7F916B"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70F1593DBC4B9BE7F97ED9437BA"
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
By soabnbkkyh.exe, re-pointing script and .reg extensions at the txtfile ProgID so that double-clicking a .bat, .vbs, .wsf, .wsh, .wsc or .reg file opens it in Notepad instead of running or importing it (HKLM\SOFTWARE\Classes is shared between the 32-bit and 64-bit views, so unlike the Security Center writes these take effect system-wide):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
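The registry signatures above (the Explorer visibility values, the Security Center writes, DisableRegistryTools, the Run key, the Winlogon SFC values and the Classes hijacks) are printed as flattened "Set value" records. The following added example, which is not part of the report, parses those records into structured findings, resolves which registry view each write landed in, and attaches the effect of the change and the value a responder should restore. The effect table and the stock ProgID table are ours; the sample records are copied from the signatures above.

```python
"""Parse the flattened 'Set value ...' registry records from the signatures above
into structured findings: hive, registry view (native vs. WOW6432Node), value
name and data, plus the effect of the write and what a responder restores."""
import re
from dataclasses import dataclass

# One record as the sandbox prints it (the regex is ours):
#   Set value (int) \REGISTRY\MACHINE\SOFTWARE\...\Name = "data" process.exe
RECORD_RE = re.compile(
    r'Set value \((?P<vtype>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)

# Value name -> (what the write does, what to restore).  Our table, not the report's.
EFFECTS = {
    "HideFileExt": ("Explorer hides extensions, so PROTTPLN.DOC.exe displays as PROTTPLN.DOC", "set 0"),
    "ShowSuperHidden": ("Explorer hides protected operating-system files", "set 1"),
    "DisableRegistryTools": ("regedit.exe refuses to start for this user", "delete"),
    "AntiVirusOverride": ("Security Center ignores antivirus status", "delete"),
    "FirewallOverride": ("Security Center ignores firewall status", "delete"),
    "AntiVirusDisableNotify": ("no notification when antivirus is missing or off", "delete"),
    "FirewallDisableNotify": ("no notification when the firewall is off", "delete"),
    "UpdatesDisableNotify": ("no notification when automatic updates are off", "delete"),
    "FirstRunDisabled": ("Security Center first-run prompt suppressed", "delete"),
    "SFCScan": ("legacy Windows File Protection boot-scan switch, 0 = never scan", "delete"),
    "SFCDisable": ("legacy Windows File Protection kill switch, 0xFFFFFF9D as a DWORD", "delete"),
}
# Stock ProgIDs for the HKLM\SOFTWARE\Classes\<ext> default values the sample re-pointed.
STOCK_PROGID = {".bat": "batfile", ".vbs": "VBSFile", ".wsf": "WSFFile",
                ".wsh": "WSHFile", ".wsc": "scriptletfile", ".reg": "regfile"}

# Records copied verbatim from the signatures above (a representative subset).
REPORT_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" soabnbkkyh.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" soabnbkkyh.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" soabnbkkyh.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" soabnbkkyh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntgotqfa = "soabnbkkyh.exe" qkxklbfggskrgsm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwhvszjx = "qkxklbfggskrgsm.exe" qkxklbfggskrgsm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" soabnbkkyh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" soabnbkkyh.exe',
]


@dataclass
class Finding:
    hive: str        # "HKLM" or "HKU\<SID>"
    key: str         # key path below the hive
    name: str        # value name, "(Default)" for the key's default value
    data: str
    vtype: str
    process: str
    wow64: bool      # the write landed in the 32-bit WOW6432Node view
    effect: str = ""
    restore: str = ""

    def dword(self) -> int:
        """The 32-bit value the registry actually stores for an int record."""
        return int(self.data) & 0xFFFFFFFF


def parse_record(line: str) -> Finding:
    m = RECORD_RE.search(line)
    if m is None:
        raise ValueError(f"not a Set value record: {line!r}")
    parts = m.group("path").split("\\")   # ['', 'REGISTRY', 'MACHINE' | 'USER', ...]
    if parts[2] == "MACHINE":
        hive, rest = "HKLM", parts[3:]
    elif parts[2] == "USER":
        hive, rest = "HKU\\" + parts[3], parts[4:]
    else:
        raise ValueError(f"unknown hive in {line!r}")
    *key_parts, name = rest                 # a trailing '' means the default value
    f = Finding(hive, "\\".join(key_parts), name or "(Default)", m.group("data"),
                m.group("vtype"), m.group("proc"),
                any(p.lower() == "wow6432node" for p in key_parts))
    classify(f)
    return f


def classify(f: Finding) -> None:
    """Fill in effect/restore; anything outside the tables is left for review."""
    key_l = f.key.lower()
    is_run = key_l.endswith("\\currentversion\\run")
    if f.name in EFFECTS:
        f.effect, f.restore = EFFECTS[f.name]
    elif key_l.startswith("software\\classes\\") and f.name == "(Default)":
        ext = key_l.rsplit("\\", 1)[-1]
        f.effect = f"{ext} files open with the '{f.data}' handler (Notepad) instead of running"
        f.restore = f"set '{STOCK_PROGID.get(ext, '<stock ProgID>')}'"
    elif is_run:
        f.effect = f"starts {f.data} at every logon (the WOW6432Node Run key is processed too)"
        f.restore = "delete"
    else:
        f.effect, f.restore = "unclassified", "review"
    if f.wow64 and not is_run:
        # 64-bit consumers (Security Center, winlogon) read the native key, not this view.
        f.effect += "; 32-bit view only, native key untouched"


def hunt(lines):
    return [parse_record(line) for line in lines if "Set value" in line]


def render(findings):
    """One line per finding: [view] hive\\key!name = data (process) -> effect [restore]."""
    return [f"[{'wow64' if f.wow64 else 'native'}] {f.hive}\\{f.key}!{f.name} = {f.data!r} "
            f"({f.process}) -> {f.effect} [{f.restore}]" for f in findings]


if __name__ == "__main__":
    print("\n".join(render(hunt(REPORT_LINES))))
```

The same table doubles as a host check: read each hive\key!name with the registry API of your choice and compare against the restore column. Values the sample wrote to the WOW6432Node view are flagged so that a responder does not waste time on keys the 64-bit Security Center never reads, while the Run key, which is honoured in both views, is reported as live persistence.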
Suspicious behavior: AddClipboardFormatListener 2 IoCs
PID 4724 WINWORD.EXE (2 events)

Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe (16 events)
PID 2324 soabnbkkyh.exe (10 events)
PID 3636 qkxklbfggskrgsm.exe (14 events)
PID 3108 lktlvgsv.exe (8 events)
PID 532 lvojozktdpyry.exe (16 events)

Suspicious use of FindShellTrayWindow 18 IoCs
3 events each for PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe, PID 2324 soabnbkkyh.exe, PID 3636 qkxklbfggskrgsm.exe, PID 3108 lktlvgsv.exe, PID 532 lvojozktdpyry.exe and PID 1928 lktlvgsv.exe

Suspicious use of SendNotifyMessage 18 IoCs
3 events each for PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe, PID 2324 soabnbkkyh.exe, PID 3636 qkxklbfggskrgsm.exe, PID 3108 lktlvgsv.exe, PID 532 lvojozktdpyry.exe and PID 1928 lktlvgsv.exe

Suspicious use of SetWindowsHookEx 7 IoCs
PID 4724 WINWORD.EXE (7 events)

Suspicious use of WriteProcessMemory 17 IoCs
Writer, target PID, sandbox procid_target, number of writes:
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe wrote to memory of 2324 (procid_target 80), 3 writes
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe wrote to memory of 3636 (procid_target 81), 3 writes
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe wrote to memory of 3108 (procid_target 82), 3 writes
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe wrote to memory of 532 (procid_target 83), 3 writes
PID 2324 soabnbkkyh.exe wrote to memory of 1928 (procid_target 84), 3 writes
PID 1400 660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe wrote to memory of 4724 (procid_target 85), 2 writes
Every target is a process the writer itself spawned (see the process tree below), and the writes occur at creation time; no write into a pre-existing process is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\660687d40281f5eb9aa3a70f7034adbd3ee430a46cce12b925aaab4aab3476d1.exe"
PID 1400 (level 1)
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\soabnbkkyh.exe
    Command line: soabnbkkyh.exe
    PID 2324 (level 2, parent 1400)
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\lktlvgsv.exe
        Command line: C:\Windows\system32\lktlvgsv.exe (the system32 path is redirected to SysWOW64 for this 32-bit parent)
        PID 1928 (level 3, parent 2324)
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\qkxklbfggskrgsm.exe
    Command line: qkxklbfggskrgsm.exe
    PID 3636 (level 2, parent 1400)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\lktlvgsv.exe
    Command line: lktlvgsv.exe
    PID 3108 (level 2, parent 1400)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\lvojozktdpyry.exe
    Command line: lvojozktdpyry.exe
    PID 532 (level 2, parent 1400)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID 4724 (level 2, parent 1400)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Ten of the eleven distinct dropped files are exactly 255KB, the submitted sample's size, yet none shares a hash with it or with each other, so hash-based blocking of the submitted file alone does not cover what it drops.

Filesize: 255KB
MD5: 6068f262f11e5c1ff6b6da0736179bf8
SHA1: 05231a9c5ddec374d1c8cc3bec5ecf6d34c33ed8
SHA256: ea427f2070f8a0926e5319b8798db2d2d20f7ffce74e8408dc5fa7c58386d3d1
SHA512: 97c0745c08b2d7fea8fa5b65ffa6a076dd4bd10eebcacbe403b0051739a1bd90ff4d42b862d5afd17a36b511b6de436e2963c5c1e3ff04057aaf3ba264da0e00

Filesize: 255KB
MD5: 5de3c3084c48b651505a4683d08c0693
SHA1: 7acb3e94792177fc9a607bfdb2870b5a0803db34
SHA256: ea9d590f904b343ffd4f5e8113666a2a8d54fee4c8119462631f6e7332866067
SHA512: e676ecfc50325db11c48d74e30e8a8094075045f9517cec173ea7c8b59716cf2a318f6cefd677ecb682f2be86a736510d14d16e032b643510951083f6c10de1a

Filesize: 255KB
MD5: 026a17999f4ddb5aabc9ddc81d95a4a1
SHA1: d49b9b8514a7ac81e2cc98bb0ad7601906a684fb
SHA256: 9605d871a145c98d7522444c23c22046f4bedbd7221e0308cecc77679bee7129
SHA512: 0a9613f9df2618f4b3308fc2ba5876951060a65e67487c6f79312e888ebee2319616802c3b635f0e6d21ac367436f66f55cd12d3755b300f73e58b000215cd9e

Filesize: 255KB
MD5: de39918e4db25c1b37c75f1fe4f4abd4
SHA1: a4e03d6f1e001333212fce685b9d0a1847ad104e
SHA256: 38ab1b0bba3ae2a5cfe11b2ec04cebca34b4121b260991e96a75b9a042a067ed
SHA512: 1be3f1ffe1056f340fbf1ed93ec01724d4dc5c498b5db667f3624a63a59d4930996004fde680bbf6a3dc19c6e34160df5f663ad803d8cba578bbe5881ee847b3

Filesize: 255KB
MD5: 952d757c8f811f2cb618cde7a9341b49
SHA1: fe7399fe430edc401a8b82829a21aad79be7dbb0
SHA256: 1dcf6aefe6cb0aa099f4509dd1f03199736b633d1b355ddd7143f736381cb010
SHA512: 6b39e8c5f447075faa7ef30452b57e1cb97d581fcef0a21d8eac7015833f57dc0262721d642017e422d4d540ec982c6dcffeb240aec2def4482717c46abcb17a

Filesize: 255KB
MD5: 78683112fd73058d108eca64cf46c3ea
SHA1: 8ac5d2fdc0e2c89c3897382f5d8a0fd6e0548428
SHA256: e6a17e3855176a913578a3e08d226365d2f17838d1f706dd3895eb7053666358
SHA512: 3528c0aa5815b9a70f2ef57763989598bb831db215b7c2e26ca559b1b876767d2373e919f6c6b541ebcd0026afcab5bba5156f34593869e2aca2ccca4043becf

Filesize: 255KB
MD5: c9f872d14eee0e5b4167ceb979b4aa4f
SHA1: 31a86233cbd4f8d216f50be41a68a0ce55339a1a
SHA256: 4b3a49ccfcf0af06c2a50a142aeb4fb1516942a724f0b9e6a0562236ac262041
SHA512: e9eb50a635abcb1008f6c78d12a1c7263ac05e07c9e067321d298868d57cf9c190af5c649ed716d9fe9d4a68412050ff3f286667b50960e0f050aff38ff88ead

Filesize: 255KB
MD5: 5f05ee81e772bb900dbbc3956995ba62
SHA1: 97386bf8289549c94374abb2646a7d87faf1aa1b
SHA256: b001aec27586a6f169a5d1f5c62ae1b69688174dd8cd3384d9df311bee63315b
SHA512: f9763ba97c5bad5ffe62a7070b0e00104b3d401606b7fa0114f81b5532e1774b376f8fc20e163b83e134373374b17b39888a880b6b8e38daec93383cee8ac16c

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: a725f73062d80af2f3fc38262ef23fda
SHA1: 6f328656a61bd79ceca4ed05766501fb4431c866
SHA256: d3afd28b5aa073595ee51db3db546364f47034fe2c5417aa016ed661a134ee2a
SHA512: 7e1e20485cf2e0ebd758479dc79dfe82b42d16edc453777ef0ce9b641adaaf7cbb4510c1e958c7055c1a90c6285a30eb3bd73e89ad4c4a7099d84a0e5bb3a755

Filesize: 255KB
MD5: 2ce642e2a6969f639afdbb66bee07c11
SHA1: 62a622e040b66d7c214738f00bd72e7800f4ce6a
SHA256: 987e5dd054f7a18f27a6a7a3bfd5106436ab63b364b9ad16a09d946ed076d655
SHA512: 7a236a16457a0c5f7dea32421d876bef883b5c2b630624d1d093f2791c7229dd3471a2a4f6550da66e2a79e679ae8aad3d95b6b705d09535c4b7cff43f7830c1