Analysis
-
max time kernel: 153s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 16:24
Behavioral task: behavioral1
Sample: 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Resource: win7-20220812-en
(The signature and IoC entries on this page are tagged behavioral2, i.e. the win10v2004-20220812-en run described by the platform/resource fields above; behavioral1 is the companion win7-20220812-en task.)
General
-
Target: 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Size: 255KB
MD5: 9dbf65144e946041570dc0462acde0f2
SHA1: cc0e3a5a42468efbf5d9092c64f6be6dffc766b5
SHA256: 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab
SHA512: be5bd04a30408258a82b4946f88f841f312c3aa839782f5b4699d8d7d16b450905b37b77795208821997baca75849cbe5424471bf70095159193cbbfa6e08918
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJI:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIh
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sngbjsnmxg.exe
HideFileExt = 1 makes Explorer hide known extensions, so the PROTTPLN.DOC.exe, PROTTPLV.DOC.exe and MsoIrmProtector.doc.exe files dropped later in this report display as PROTTPLN.DOC, PROTTPLV.DOC and MsoIrmProtector.doc.
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | sngbjsnmxg.exe
ShowSuperHidden = 0 turns the "Hide protected operating system files" option back on if the user had cleared it.
-
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sngbjsnmxg.exe
These are the legacy Security Center values that suppressed the missing-antivirus, firewall and update warnings on older Windows versions. The WOW6432Node path is the 32-bit registry view, because sngbjsnmxg.exe runs as a 32-bit process from SysWOW64.
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sngbjsnmxg.exe
DisableRegistryTools = 1 under the user's Policies\System key is the policy that stops regedit.exe from starting for that user, which hinders manual removal of the Run keys and Security Center values set elsewhere in this report.
-
Executes dropped EXE 5 IoCs
pid | Process
3288 | sngbjsnmxg.exe
4008 | tfolfzejkhltyel.exe
256 | baseahsh.exe
4088 | xmznfmpugqutr.exe
2576 | baseahsh.exe
-
UPX packed file 28 IoCs
resource | yara_rule
behavioral2/memory/2268-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000a000000022e0f-134.dat | upx
behavioral2/files/0x000a000000022e0f-135.dat | upx
behavioral2/files/0x0007000000022e21-137.dat | upx
behavioral2/files/0x0007000000022e21-138.dat | upx
behavioral2/files/0x0007000000022e22-140.dat | upx
behavioral2/files/0x0007000000022e22-141.dat | upx
behavioral2/files/0x0009000000022e3d-143.dat | upx
behavioral2/files/0x0009000000022e3d-144.dat | upx
behavioral2/memory/4008-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3288-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/256-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4088-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e22-150.dat | upx
behavioral2/memory/2268-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2576-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e3e-159.dat | upx
behavioral2/files/0x0008000000022e3f-160.dat | upx
behavioral2/memory/3288-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4008-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/256-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4088-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2576-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000016988-169.dat | upx
behavioral2/files/0x001600000001da6c-170.dat | upx
behavioral2/files/0x000300000001e5e6-171.dat | upx
behavioral2/files/0x000300000001e5e6-172.dat | upx
behavioral2/files/0x000300000001e5e6-173.dat | upx
The upx rule matches every dropped file and the 0x400000-0x4A0000 image region of all six processes (PIDs 2268, 3288, 4008, 256, 4088, 2576), so the submitted sample and each executable it drops carry the same UPX-packed image.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No IoCs are recorded for this signature on this page, so it cannot be tied to a specific process or path here.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sngbjsnmxg.exe
The same Security Center values as in "Windows security bypass" plus FirstRunDisabled; together they are a compact host IoC set for this sample.
-
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ukseneth = "tfolfzejkhltyel.exe" | tfolfzejkhltyel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xmznfmpugqutr.exe" | tfolfzejkhltyel.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tfolfzejkhltyel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuhzsjjg = "sngbjsnmxg.exe" | tfolfzejkhltyel.exe
Each Run value holds only a bare image name; the entries work because the files were dropped into C:\Windows\SysWOW64, which is on the search path for a 32-bit process (see "Drops file in System32 directory"). One of them is written to the key's (Default) value, i.e. with an empty value name, which some registry viewers show as a blank row.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\<letter>: | sngbjsnmxg.exe (20 opens, one each for a, b, e, f, g, h, i, k, m, n, o, p, q, r, s, u, w, x, y, z)
File opened (read-only) | \??\<letter>: | baseahsh.exe (44 opens across the two instances, PIDs 256 and 2576: two each for a, b, e, f, g, h, i, j, k, l, m, o, p, q, r, s, u, v, w, x, z and one each for n, t)
Neither process opens c: or d: in the captured list. The signature hit the 64-entry display cap, so the list is not necessarily complete.
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | sngbjsnmxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | sngbjsnmxg.exe
4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000/XP. It has no effect on the Windows 10 image used here, but it is a distinctive and durable host IoC.
-
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2268-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4008-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3288-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/256-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4088-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2268-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2576-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3288-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4008-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/256-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4088-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2576-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
The autoit_exe rule matches the same 0x400000-0x4A0000 image region in all six processes (two dumps each), the same regions the upx rule matched above.
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\xmznfmpugqutr.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | C:\Windows\SysWOW64\xmznfmpugqutr.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | sngbjsnmxg.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | baseahsh.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | baseahsh.exe
File opened for modification | C:\Windows\SysWOW64\baseahsh.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | baseahsh.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | baseahsh.exe
File created | C:\Windows\SysWOW64\sngbjsnmxg.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | C:\Windows\SysWOW64\sngbjsnmxg.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File created | C:\Windows\SysWOW64\tfolfzejkhltyel.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | C:\Windows\SysWOW64\tfolfzejkhltyel.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File created | C:\Windows\SysWOW64\baseahsh.exe | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
The submitted sample drops its four helpers into SysWOW64; the MsoIrmProtector.doc.exe entries appear twice because both baseahsh.exe instances (PIDs 256 and 2576) write them.
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process (all baseahsh.exe; each path is touched once per baseahsh.exe instance, PIDs 256 and 2576)
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | baseahsh.exe (1)
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | baseahsh.exe (1)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | baseahsh.exe (2)
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | baseahsh.exe (2)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | baseahsh.exe (2)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | baseahsh.exe (2)
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | baseahsh.exe (2)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | baseahsh.exe (2)
For each Office template, an executable with a ".DOC.exe" double extension is created and a same-named ".nal" file is modified in the same directory.
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
The sample writes C:\Windows\mydoc.rtf and then launches WINWORD.EXE on it (see the process tree); ~$mydoc.rtf is Word's owner lock file for the open document, not a drop by the malware.
-
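The three drop tables above show one masquerade pattern: an executable named <template>.DOC.exe created beside a same-named .nal file in an Office directory, and a MsoIrmProtector.doc.exe under SysWOW64\MSDRM. The Python script below is added here as an editor's example (it is not from the sandbox, the sample, or any project): it walks a directory tree, flags executables whose name ends in a document extension followed by an executable extension, confirms the MZ header, and records any same-named .nal sibling. The tree it scans is constructed in build_sample_tree() to mirror the paths in this report and is not a real Office installation; the DOC_EXTS and EXEC_EXTS sets are the example's own choice.

```python
"""Find executables masquerading as documents (name.DOC.exe) and note any
same-named .nal sibling, the pattern recorded in this report.
Added example; the scanned tree is constructed, not a real host."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Extension sets are the example's own choice, not taken from the sandbox.
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

# Constructed tree mirroring the report's drops; True marks files written with an MZ header.
SAMPLE_DROPS: List[Tuple[str, bool]] = [
    ("Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.DOC.exe", True),
    ("Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.nal", False),
    ("Program Files/Microsoft Office/root/Office16/1033/PROTTPLV.DOC.exe", True),
    ("Program Files/Microsoft Office/root/Office16/1033/PROTTPLV.nal", False),
    ("Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe", True),
    ("Windows/mydoc.rtf", False),              # plain document: must not be flagged
    ("Windows/SysWOW64/baseahsh.exe", True),   # single extension: must not be flagged
]


def build_sample_tree(root: str) -> None:
    """Create the constructed files under root (MZ stub for the 'PE' ones)."""
    for rel, is_pe in SAMPLE_DROPS:
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ" + b"\0" * 62 if is_pe else b"{\\rtf1 constructed}")


def split_double_extension(name: str) -> Optional[Tuple[str, str, str]]:
    """Return (base, document_ext, exec_ext) for names like PROTTPLN.DOC.exe, else None."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    base, inner, outer = parts
    if "." + outer in EXEC_EXTS and "." + inner in DOC_EXTS:
        return base, "." + inner, "." + outer
    return None


def find_masquerades(root: str) -> List[Dict[str, object]]:
    """Walk root and report double-extension executables with PE check and .nal sibling."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        lower_names = {n.lower(): n for n in filenames}
        for fname in filenames:
            hit = split_double_extension(fname)
            if hit is None:
                continue
            base, doc_ext, exec_ext = hit
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                is_pe = fh.read(2) == b"MZ"   # confirm it really is a PE image
            findings.append({
                "path": path,
                "masquerades_as": doc_ext,
                "exec_ext": exec_ext,
                "is_pe": is_pe,
                # same-named .nal beside the .DOC.exe, as PROTTPLN.nal in the report
                "nal_sibling": lower_names.get(base + ".nal"),
            })
    return findings


def demo() -> List[Dict[str, object]]:
    """Build the constructed tree in a scratch directory and scan it."""
    root = tempfile.mkdtemp(prefix="masq_")
    build_sample_tree(root)
    return find_masquerades(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point find_masquerades() at a mounted image or a live Program Files and Windows directory to reproduce the check; the .nal sibling lookup is what distinguishes this sample's drops from an unrelated double-extension file.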
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoCs are recorded for this signature, and nothing else on this page shows file encryption or a ransom note. Read together with the drive-letter enumeration and the .DOC.exe drops into Office and SysWOW64 directories, the storage activity here is more consistent with a sample that copies itself to other locations than with ransomware.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
All six lookups in these two signatures come from WINWORD.EXE, which the sample launched on mydoc.rtf, not from the sample or its dropped executables; treat them as Office start-up behaviour rather than sandbox evasion by the malware.
-
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | sngbjsnmxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | sngbjsnmxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12B4494399853CFBAA133EFD7CE" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FF8A4F2A851F9145D72A7E95BC93E135584666426243D6ED" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168B0FE6C22A9D173D0A48A089114" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | sngbjsnmxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C769C5583226A3677D370512CAC7C8664DE" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FAC9F962F195830F3A4B869E39E2B0FB02FC4364023DE2BE429E08A6" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67A14E1DABEB8CA7CE1ECE534BA" | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | sngbjsnmxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | sngbjsnmxg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | sngbjsnmxg.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe
Remapping the default ProgID of .bat, .reg, .vbs, .wsf, .wsh and .wsc to txtfile makes a double-click open those files in Notepad instead of running them, which blocks the usual cleanup route of importing a .reg fix or running a batch script. The CLV.Classes values are opaque hex strings under a key the sample creates itself; their meaning is not established on this page. The Local Settings key under the user's _Classes hive is ordinary shell activity.
-
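The registry signatures above (the Explorer view settings, the RegEdit policy, the Security Center overrides, the Winlogon SFC values, the bare-name Run entries and the script-extension remaps) can be checked on a suspect host from a `reg export` of the relevant hives. The Python script below is an added example, not code from the sandbox or the sample: it parses .reg export text and reports the values this report records. SAMPLE_EXPORT is constructed to mirror the IoC tables, with one legitimate full-path Run entry added as a negative case; the POLICY_IOCS and SCRIPT_EXTS lists are taken from the tables above, and the hypothetical OneDrive entry is there only to show that a normal Run value is not flagged.

```python
"""Check a `reg export` style dump for the registry tampering recorded in this
report. Added example: SAMPLE_EXPORT is constructed to mirror the report's IoC
tables and is not a dump from a real host."""
import re
from typing import Dict, List, Tuple

# (key path suffix, value name, expected data) taken from the report's IoC tables.
# Suffix matching is case-insensitive and ignores the hive prefix and WOW6432Node.
POLICY_IOCS: List[Tuple[str, str, str]] = [
    (r"Explorer\Advanced", "HideFileExt", "1"),
    (r"Explorer\Advanced", "ShowSuperHidden", "0"),
    (r"Policies\System", "DisableRegistryTools", "1"),
    (r"Security Center", "AntiVirusOverride", "1"),
    (r"Security Center", "FirewallOverride", "1"),
    (r"Security Center", "AntiVirusDisableNotify", "1"),
    (r"Security Center", "FirewallDisableNotify", "1"),
    (r"Security Center", "UpdatesDisableNotify", "1"),
    (r"Security Center", "FirstRunDisabled", "1"),
    (r"Windows NT\CurrentVersion\Winlogon", "SFCScan", "0"),
    (r"Windows NT\CurrentVersion\Winlogon", "SFCDisable", "4294967197"),  # 0xFFFFFF9D
]
# Script types whose default ProgID this sample remaps to txtfile.
SCRIPT_EXTS = {".bat", ".reg", ".vbs", ".wsf", ".wsh", ".wsc"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed dump; the OneDrive entry is a hypothetical benign Run value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirstRunDisabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCScan"=dword:00000000
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run]
"ukseneth"="tfolfzejkhltyel.exe"
@="xmznfmpugqutr.exe"
"yuhzsjjg"="sngbjsnmxg.exe"
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat]
@="txtfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"""


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside strings.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}. dword data is normalised to a
    decimal string, quoted strings are unquoted, the default value is ''."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_tampering(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Match parsed keys against the report's IoCs and return one line per hit."""
    findings: List[str] = []
    for path, values in keys.items():
        tail = path.lower()
        for suffix, name, expected in POLICY_IOCS:
            if tail.endswith(suffix.lower()) and values.get(name) == expected:
                findings.append(f"{name}={expected} under {path}")
        m = re.search(r"\\classes\\(\.[a-z0-9]+)$", tail)
        if m and m.group(1) in SCRIPT_EXTS and values.get("", "").lower() == "txtfile":
            findings.append(f"{m.group(1)} handler remapped to txtfile under {path}")
        if tail.endswith(r"\currentversion\run"):
            for name, cmd in values.items():
                # Bare image names (no directory) are resolved through the search
                # path, which is how this sample's SysWOW64 drops get launched.
                if cmd and "\\" not in cmd and "/" not in cmd:
                    findings.append(f"Run value {name!r} uses bare image name {cmd!r}")
    return findings


def scan_export(text: str) -> List[str]:
    return find_tampering(parse_reg_export(text))


if __name__ == "__main__":
    import sys
    # A real `reg export` file is UTF-16LE with a BOM.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for line in scan_export(text):
        print(line)
```

The scan matches only the tail of each key path, so HKLM vs HKU, the SID in the user hive and the WOW6432Node redirection do not matter; a full-path Run entry such as the hypothetical OneDrive one is left alone, while the three bare-name entries from this report are reported.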
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | hits
4000 | WINWORD.EXE | 2
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | hits
2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 16
3288 | sngbjsnmxg.exe | 10
4008 | tfolfzejkhltyel.exe | 10
256 | baseahsh.exe | 8
4088 | xmznfmpugqutr.exe | 12
2576 | baseahsh.exe | 8
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | hits
2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 3
3288 | sngbjsnmxg.exe | 3
4008 | tfolfzejkhltyel.exe | 3
256 | baseahsh.exe | 3
4088 | xmznfmpugqutr.exe | 3
2576 | baseahsh.exe | 3
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | hits
2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 3
3288 | sngbjsnmxg.exe | 3
4008 | tfolfzejkhltyel.exe | 3
256 | baseahsh.exe | 3
4088 | xmznfmpugqutr.exe | 3
2576 | baseahsh.exe | 3
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | hits
4000 | WINWORD.EXE | 7
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | writes
PID 2268 wrote to memory of 3288 | 2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 80 | 3
PID 2268 wrote to memory of 4008 | 2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 81 | 3
PID 2268 wrote to memory of 256 | 2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 82 | 3
PID 2268 wrote to memory of 4088 | 2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 83 | 3
PID 2268 wrote to memory of 4000 | 2268 | 68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe | 84 | 2
PID 3288 wrote to memory of 2576 | 3288 | sngbjsnmxg.exe | 85 | 3
Every write here goes from a parent into a child it has just created, a few writes per child; that is what the sandbox records for ordinary process creation. This table is therefore the parent/child map of the process tree below (2268 spawns 3288, 4008, 256, 4088 and WINWORD.EXE 4000; 3288 spawns the second baseahsh.exe 2576) and does not by itself show code injection into a foreign process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe  (PID 2268, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68d19a1f01d6a2015000076f49b3123c19da3957963c5c63075f42c3f2fc86ab.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sngbjsnmxg.exe  (PID 3288, depth 2, parent 2268)
    Command line: sngbjsnmxg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\baseahsh.exe  (PID 2576, depth 3, parent 3288)
      Command line: C:\Windows\system32\baseahsh.exe  (the System32 path in the command line resolves to SysWOW64 through file system redirection, because the 32-bit parent launched it)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tfolfzejkhltyel.exe  (PID 4008, depth 2, parent 2268)
    Command line: tfolfzejkhltyel.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\baseahsh.exe  (PID 256, depth 2, parent 2268)
    Command line: baseahsh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xmznfmpugqutr.exe  (PID 4088, depth 2, parent 2268)
    Command line: xmznfmpugqutr.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4000, depth 2, parent 2268)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

The sample launches its three SysWOW64 drops and baseahsh.exe by bare name, the same form used in the Run values, and opens the mydoc.rtf it wrote to C:\Windows in Word. Parent relationships are taken from the WriteProcessMemory table above.
-
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
-
Dropped files (hashes only). Entries with identical hashes are consolidated with a count; they are the same content written to more than one path. All 255KB entries match the submitted sample's size, and none matches its MD5 9dbf65144e946041570dc0462acde0f2.
-
Filesize: 255KB
MD5: e18c60c4cf25baa39dd256f4c46e042c
SHA1: 508d7c08a49321ae9366ba48dd08446b694731fe
SHA256: b545c0c6c339e1720dda35a9c4a82ba497f01e3064375863a2176d7ad70098a9
SHA512: 76efd6135294bc7edf24bf2768100a42562128fdcbc1d14eb82dbb937dacd2446e9f4b100d6b5b3bbc7272d26d26af1f7d585f2e5e1cc248161655000fea6235
-
Filesize: 255KB
MD5: efd96d5e1ae1aa622f9269e5b16f653c
SHA1: 3b418725f305b7771656424a1333162a86c1772d
SHA256: 270ab685701715f501fe059e1b2a04f82c29efd32638d8828e73329d2963ed4d
SHA512: 7566b048987cac571741ae0f98d8b93d723707e68c19fc3858f888e29cda0b5358120edd83593c5b6a1998b423b6bdab7dc7de892edf5c2efd85c59d0c7cbdb7
-
Filesize: 255KB
MD5: 748a5086536ee5a1351894eca76f2301
SHA1: 9db6b11e80fc2da4839f7ef41edaf20fe6b8b86b
SHA256: 2c8af2afc0c288e31afa3136133d8dcb34643fb2efb9be3e6e7742a208fa18c3
SHA512: 8553e4c2ca48f51d85c5b01d083e918cbf2e2d7b265fa1d60383459d71e566a7f65e10652c355c1f4d0d70c5e39a883655cd8b4c5e1406d2cb437747855e9800
-
Filesize: 255KB
MD5: 8b0b507b769110904e0b5bc89caa95ce
SHA1: eec17a7e419f73d29ae6957e8aacb26a762cfd52
SHA256: 87c4de9c0d9028a4fbfb78bdbde449414ff4d3c16340f176141844b788102e7d
SHA512: ce3fea754adeb3b67a2cd7fbefe531dc800d9cd74459835adaa6ce4e716d544f030240d020e97a545128fbf0dfaf6a2fc8cfb7ddc2a1c3f07b10676229651b9a
-
Filesize: 255KB (listed 3 times)
MD5: d9fac926f1e7540e4c485462550d8570
SHA1: 382b669fa585fcc360aca9f7ce2fa3e2de46eb1c
SHA256: 64ff6d18437d3b16aae65af2a97e87763bbab9a098b3aa430c120afec6924a05
SHA512: e0a09e1ac9cc21a02c7886023ebdeadfe45051a0d3985b517d1229f8e691e0d1c9562934247ea09796c566a401aa1ad655b2401eacfa97fbdda3a4fe79015d08
-
Filesize: 255KB (listed 2 times)
MD5: 6d7c1d38da8725967daa0041efb2c6fd
SHA1: 835c607c7843a1b4f385d6eddb0c28eea21784f8
SHA256: a413a0ffdb1c9951a1e9f458b9d7ac75802a54c7c3fa0ff067f5e8a1a715e44a
SHA512: 3cb54032a0f47d768076897588e38d2923913af6dfa9e44ad220e4dbca6be8ff042f923e27e97475fb165e014956f4501a68114be1ce90fe06589e6c13acde30
-
Filesize: 255KB (listed 2 times)
MD5: f666e8408f7e4561a9de2889b24b45ae
SHA1: acf3782afcbc27c80ffc165e91ae1fcd9784e643
SHA256: e817204b9ff860e2434c72b24d000c348cfa909f04cdc5bb73b08cac1ccbdca6
SHA512: 83df41f96cb1c5c669944bd0b10d2f7491586ecda31368a9876492fea4f6709edbf69cf449f2f9350c00f85a22e1532ebc1f38d212549396856eb6f9cd47d0d8
-
Filesize: 255KB (listed 2 times)
MD5: 7010de70a56ee3e44ddb2cf45c0f6f16
SHA1: 5e5d40ee6780704d2249bb24e42502fd32097b8e
SHA256: 4382aaba404dcdcbb1caa8d1ba63b4c10049d333d0b523df523d37d338145215
SHA512: 4785d19606bd5dca1c12379efde178fb35b9d2377a2e8a82a04772b77707555c51a1ca896f3e9f1b086773d67e4058203b707d5cfbbdbd6c7e4993cd3b018f86
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 255KB
MD5: 3b4206a67b34caa61f58de9de0bde6fe
SHA1: 87df37f469bb8aebaf95de4c5b37b1ef6d21d4f5
SHA256: b161214a7ee3d2130c6fc4f6e8fe54212b4cf0096e7d2c4b3f5a981854de69f7
SHA512: bef21a8fae7f7c7b95377714804de43592df077bcabeed2bff61a3ef6a557b6d05e8c3314fdefe1c68ee794271b5033695f75fc1000ee63fa083b7d015b85477
-
Filesize: 255KB (listed 2 times)
MD5: a9bc6d178def36f17f710d19656ea2b4
SHA1: c4a0263d18f3e5d54f5acce1b3c87e946ca4208a
SHA256: 8be10140d72a803280b66ac854fb0956c24ba662c51ddbe994e38c68e0ba39e7
SHA512: cdede3a03c966519693858bc4b26bb1a3b187fbd175c91b132dc6bf9fce6b51281254ce62c1263b84be4ae9b8cfcd028313b18e1b8e3785ad66702c77b7bd848