Analysis
max time kernel: 154s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 16:22
Behavioral task: behavioral1
Sample: 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Resource: win7-20220901-en
General
Target: 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Size: 255KB
MD5: 5db163844ea1dfc37cb1824d3d90a7a1
SHA1: 4c51fd19f9f52a79e287f09b35f3de4dadc17c42
SHA256: 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb
SHA512: 3c3bc460f14a4f0d3cfd7d2a7bbf09de9cd37e87e1a533d75eeb1ae41937b8be4921e12208e2edcefe525e2e9131f52dc351df3059e0055ab2546cb6d232e756
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJO:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIf
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | xemtqmsolc.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | xemtqmsolc.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xemtqmsolc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xemtqmsolc.exe
Executes dropped EXE 5 IoCs
pid | Process
4296 | xemtqmsolc.exe
5064 | ogalhgtbejagoqn.exe
4200 | gbqbarhi.exe
1232 | xysjhdhoycxkt.exe
3384 | gbqbarhi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | xemtqmsolc.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rtzazljd = "ogalhgtbejagoqn.exe" | ogalhgtbejagoqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xysjhdhoycxkt.exe" | ogalhgtbejagoqn.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ogalhgtbejagoqn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zvzsutwl = "xemtqmsolc.exe" | ogalhgtbejagoqn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | xemtqmsolc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | xemtqmsolc.exe
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xemtqmsolc.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File opened for modification | C:\Windows\SysWOW64\gbqbarhi.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File created | C:\Windows\SysWOW64\xysjhdhoycxkt.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | xemtqmsolc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbqbarhi.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbqbarhi.exe
File created | C:\Windows\SysWOW64\xemtqmsolc.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File created | C:\Windows\SysWOW64\ogalhgtbejagoqn.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File opened for modification | C:\Windows\SysWOW64\ogalhgtbejagoqn.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File created | C:\Windows\SysWOW64\gbqbarhi.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File opened for modification | C:\Windows\SysWOW64\xysjhdhoycxkt.exe | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gbqbarhi.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\GroupClear.doc.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\GroupClear.nal | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbqbarhi.exe
File opened for modification | C:\Program Files\GroupClear.nal | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbqbarhi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\GroupClear.doc.exe | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbqbarhi.exe
File created | \??\c:\Program Files\GroupClear.doc.exe | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\GroupClear.doc.exe | gbqbarhi.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gbqbarhi.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gbqbarhi.exe
File opened for modification | \??\c:\Program Files\GroupClear.doc.exe | gbqbarhi.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12844EF399953CFB9D0329DD7CF" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | xemtqmsolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | xemtqmsolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | xemtqmsolc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | xemtqmsolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | xemtqmsolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACAF917F19583783B46819F3993B08A02FE4369033EE1B8459A08A4" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FC8E4F5A851B9130D7587D9DBDE2E6405944664F6335D690" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068B3FF6E22DBD10CD1D18B7E9166" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | xemtqmsolc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | xemtqmsolc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | xemtqmsolc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | xemtqmsolc.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7D9C2482206D4676DD77252CAA7D8264DA" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C7751491DAC5B9CE7CE8ED9434CD" | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | xemtqmsolc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | xemtqmsolc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | xemtqmsolc.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2384 | WINWORD.EXE
2384 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
4296 | xemtqmsolc.exe
4296 | xemtqmsolc.exe
4296 | xemtqmsolc.exe
5064 | ogalhgtbejagoqn.exe
5064 | ogalhgtbejagoqn.exe
5064 | ogalhgtbejagoqn.exe
4200 | gbqbarhi.exe
4200 | gbqbarhi.exe
4200 | gbqbarhi.exe
1232 | xysjhdhoycxkt.exe
1232 | xysjhdhoycxkt.exe
1232 | xysjhdhoycxkt.exe
3384 | gbqbarhi.exe
3384 | gbqbarhi.exe
3384 | gbqbarhi.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
4296 | xemtqmsolc.exe
4296 | xemtqmsolc.exe
4296 | xemtqmsolc.exe
5064 | ogalhgtbejagoqn.exe
5064 | ogalhgtbejagoqn.exe
5064 | ogalhgtbejagoqn.exe
4200 | gbqbarhi.exe
4200 | gbqbarhi.exe
4200 | gbqbarhi.exe
1232 | xysjhdhoycxkt.exe
1232 | xysjhdhoycxkt.exe
1232 | xysjhdhoycxkt.exe
3384 | gbqbarhi.exe
3384 | gbqbarhi.exe
3384 | gbqbarhi.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2384 | WINWORD.EXE
2384 | WINWORD.EXE
2384 | WINWORD.EXE
2384 | WINWORD.EXE
2384 | WINWORD.EXE
2384 | WINWORD.EXE
2384 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3612 wrote to memory of 4296 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 80
PID 3612 wrote to memory of 4296 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 80
PID 3612 wrote to memory of 4296 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 80
PID 3612 wrote to memory of 5064 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 81
PID 3612 wrote to memory of 5064 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 81
PID 3612 wrote to memory of 5064 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 81
PID 3612 wrote to memory of 4200 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 82
PID 3612 wrote to memory of 4200 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 82
PID 3612 wrote to memory of 4200 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 82
PID 3612 wrote to memory of 1232 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 83
PID 3612 wrote to memory of 1232 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 83
PID 3612 wrote to memory of 1232 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 83
PID 4296 wrote to memory of 3384 | 4296 | xemtqmsolc.exe | 84
PID 4296 wrote to memory of 3384 | 4296 | xemtqmsolc.exe | 84
PID 4296 wrote to memory of 3384 | 4296 | xemtqmsolc.exe | 84
PID 3612 wrote to memory of 2384 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 85
PID 3612 wrote to memory of 2384 | 3612 | 8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe | 85
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8fff1bc3cb2df193acaf385c00f4ba184564e8888d092ba33f994c09af935fcb.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3612
Level 2: C:\Windows\SysWOW64\xemtqmsolc.exe
Command line: xemtqmsolc.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4296
Level 3: C:\Windows\SysWOW64\gbqbarhi.exe
Command line: C:\Windows\system32\gbqbarhi.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3384
Level 2: C:\Windows\SysWOW64\ogalhgtbejagoqn.exe
Command line: ogalhgtbejagoqn.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 5064
Level 2: C:\Windows\SysWOW64\gbqbarhi.exe
Command line: gbqbarhi.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4200
Level 2: C:\Windows\SysWOW64\xysjhdhoycxkt.exe
Command line: xysjhdhoycxkt.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1232
Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2384
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads