Analysis
- max time kernel: 181s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 18:19

Behavioral tasks
- behavioral1: sample 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe, resource win7-20220812-en
- behavioral2: sample 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe, resource win10v2004-20221111-en
General
- Target: 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe
- Size: 255KB
- MD5: 79a454741c1f9b09aed3c3030317dcee
- SHA1: 2d9fef5487de70307aa578f57a14fa3b4098298d
- SHA256: 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc
- SHA512: 9343a317dab5d4702574aeb99f0b83ac800e53d059a24b396a3fbd8209732835f4633cdaa77da4649236cbfe1541d076d753f2774f9dbdff0720745e9427cdec
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJw:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIv
Malware Config
Signatures
All PIDs and yara hits below come from behavioral2, the Windows 10 run; the win7 task's results are not on this page.
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ulaqhbksiw.exe)
With HideFileExt set, Explorer hides known extensions, so the PROTTPLN.DOC.exe and PROTTPLV.DOC.exe files dropped later in this run display as PROTTPLN.DOC and PROTTPLV.DOC.
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ulaqhbksiw.exe)
ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer even when "show hidden files" is on.
Windows security bypass (5 IoCs)
Legacy Windows Security Center override and notification values, all set to 1 by ulaqhbksiw.exe; they land under WOW6432Node because the writer is a 32-bit process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
These values silence Security Center warnings on the Windows versions that honour them; they do not stop a running antivirus engine, so treat them as a tamper indicator rather than as evidence that protection was disabled.
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ulaqhbksiw.exe)
This per-user policy blocks regedit.exe only; reg.exe and the PowerShell registry provider still work, which matters when undoing the changes listed on this page.
Executes dropped EXE (5 IoCs)
- PID 2740 ulaqhbksiw.exe
- PID 3796 cajjgdkowzhnbnd.exe
- PID 4352 vegxbwhx.exe
- PID 776 easpwiuvirwxp.exe
- PID 3592 vegxbwhx.exe
UPX packed file (yara rule upx, 22 IoCs)
Memory dumps (every match is the 0x0000000000400000-0x00000000004A0000 image range, the same in all six processes):
- behavioral2/memory/1576-132-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1576-133-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/2740-148-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3796-149-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4352-150-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/776-151-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1576-153-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3592-154-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/2740-155-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3796-156-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/776-157-0x0000000000400000-0x00000000004A0000-memory.dmp
Dropped files:
- behavioral2/files/0x0007000000022e49-135.dat
- behavioral2/files/0x0007000000022e49-136.dat
- behavioral2/files/0x0007000000022e4a-138.dat
- behavioral2/files/0x0007000000022e4a-139.dat
- behavioral2/files/0x0007000000022e4b-141.dat
- behavioral2/files/0x0007000000022e4b-142.dat
- behavioral2/files/0x0007000000022e4b-147.dat
- behavioral2/files/0x0007000000022e4c-144.dat
- behavioral2/files/0x0007000000022e4c-145.dat
- behavioral2/files/0x0007000000022e53-163.dat
- behavioral2/files/0x0007000000022e54-164.dat
The autoit_exe rule below fires on the same dumps, so the sample and each executable it drops are UPX-packed, AutoIt-compiled binaries; unpack them (or dump the 0x400000 image from memory) before static analysis.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe)
Windows security modification (6 IoCs)
The same Security Center values as the bypass signature above plus FirstRunDisabled, all set by ulaqhbksiw.exe:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (cajjgdkowzhnbnd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfsprtbu = "ulaqhbksiw.exe" (cajjgdkowzhnbnd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pgpgldfi = "cajjgdkowzhnbnd.exe" (cajjgdkowzhnbnd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "easpwiuvirwxp.exe" (cajjgdkowzhnbnd.exe)
The last entry is the key's unnamed (default) value. All three commands are bare file names with no path; they resolve through the normal executable search order, which includes the system directory where the dropper placed the copies, so all three start at every logon. vegxbwhx.exe is not registered here; in this run it is started only by the sample and by ulaqhbksiw.exe.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 records are "File opened (read-only) \??\<letter>:" events. Grouped by process (letters repeat because vegxbwhx.exe ran twice, as PIDs 4352 and 3592):
- vegxbwhx.exe (43 opens): a, b, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z
- ulaqhbksiw.exe (21 opens): a, e, f, g, h, i, j, l, m, n, o, p, r, s, t, u, v, w, x, y, z
Neither process is recorded opening c: or d:. Probing every drive letter is how a worm locates removable and mapped network drives to copy itself to; the opens here are read-only, so the page shows the enumeration but not a write to any of these drives.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ulaqhbksiw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ulaqhbksiw.exe)
4294967197 is the unsigned DWORD form of -99 (0xFFFFFF9D), the value historically used to switch off Windows File Protection. Windows Resource Protection on Vista and later does not honour it, and the write goes to the WOW6432Node view in any case, so on this Windows 10 host it is a fingerprint of old malware code rather than an effective bypass.
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables (yara rule autoit_exe), matched in memory at 0x0000000000400000-0x00000000004A0000:
- behavioral2/memory/1576-133-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/2740-148-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3796-149-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/4352-150-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/776-151-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/1576-153-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3592-154-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/2740-155-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/3796-156-0x0000000000400000-0x00000000004A0000-memory.dmp
- behavioral2/memory/776-157-0x0000000000400000-0x00000000004A0000-memory.dmp
Drops file in System32 directory (9 IoCs)
Created, then opened for modification, in C:\Windows\SysWOW64 by the sample (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe):
- C:\Windows\SysWOW64\ulaqhbksiw.exe (File created; File opened for modification)
- C:\Windows\SysWOW64\easpwiuvirwxp.exe (File created; File opened for modification)
- C:\Windows\SysWOW64\cajjgdkowzhnbnd.exe (File created; File opened for modification)
- C:\Windows\SysWOW64\vegxbwhx.exe (File created; File opened for modification)
By ulaqhbksiw.exe:
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Writing into SysWOW64 needs an elevated token, so the persistence seen here depends on the sample running with administrative rights. msvbvm60.dll is the Visual Basic 6 runtime; the page records only that it was opened for write, not whether its contents changed, so hash it on an affected host before trusting it.
Drops file in Program Files directory (14 IoCs)
All by vegxbwhx.exe in C:\Program Files\Microsoft Office\root\Office16\1033 (records in the \??\c:\ and C:\ path forms refer to the same files):
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification PROTTPLN.DOC.exe (4 records: twice as \??\c:\..., twice as C:\...)
- File opened for modification PROTTPLV.DOC.exe (4 records: twice as \??\c:\..., twice as C:\...)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 records)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (2 records)
PROTTPLN.DOC and PROTTPLV.DOC are the two .DOC files Office ships in that folder. A same-name .DOC.exe next to a .nal file is consistent with a document-companion infection: the executable takes the document's name (displayed as PROTTPLN.DOC once HideFileExt is set) and the .nal file holds the original content. The page does not show the original .DOC being renamed or deleted, so verify that on a live host.
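An added example, not part of the sandbox report: a hunting sweep for the companion-file pattern recorded above (a `<name>.<docext>.exe` next to a `<name>.nal`) over an arbitrary directory tree. The list of document extensions beyond .DOC is an assumption that widens the sweep, and the fixture directory is constructed here to mirror the Office16\1033 folder in the state this run leaves it.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Document extensions to treat as companion targets. The page shows only .DOC; the
# rest are assumptions so the sweep also catches the same trick on other file types.
DOC_EXTS = r'(?:doc|docx|docm|dot|dotx|rtf|xls|xlsx|ppt|pptx|pdf)'
COMPANION_RE = re.compile(rf'^(?P<stem>.+)\.(?P<docext>{DOC_EXTS})\.exe$', re.IGNORECASE)
NAL_RE = re.compile(r'^(?P<stem>.+)\.nal$', re.IGNORECASE)


@dataclass
class Hit:
    path: str
    kind: str                 # 'companion-exe' or 'nal-copy'
    partner: Optional[str]    # the sibling .nal / .<doc>.exe, when present
    original_missing: bool    # companion-exe only: no <stem>.<docext> left beside it


def hunt(root: str) -> List[Hit]:
    """Walk a tree and report <name>.<docext>.exe files and their .nal siblings."""
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {n.lower(): n for n in files}            # NTFS names are case-insensitive
        for name in files:
            m = COMPANION_RE.match(name)
            if m:
                stem, docext = m.group('stem'), m.group('docext')
                partner = lower.get(f'{stem}.nal'.lower())
                missing = f'{stem}.{docext}'.lower() not in lower
                hits.append(Hit(os.path.join(dirpath, name), 'companion-exe',
                                os.path.join(dirpath, partner) if partner else None, missing))
                continue
            m = NAL_RE.match(name)
            if m:
                stem = m.group('stem').lower()
                partner = None
                for n in files:                            # find the .<doc>.exe with the same stem
                    cm = COMPANION_RE.match(n)
                    if cm and cm.group('stem').lower() == stem:
                        partner = n
                        break
                hits.append(Hit(os.path.join(dirpath, name), 'nal-copy',
                                os.path.join(dirpath, partner) if partner else None, False))
    return hits


def kind_counts(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


def build_sample_tree() -> str:
    """Constructed fixture: an Office16/1033 folder in the state this report leaves it,
    plus a clean user folder holding a real document and an unrelated .exe."""
    root = tempfile.mkdtemp(prefix='companion-hunt-')
    office = Path(root, 'Program Files', 'Microsoft Office', 'root', 'Office16', '1033')
    office.mkdir(parents=True)
    for stem in ('PROTTPLN', 'PROTTPLV'):
        (office / f'{stem}.DOC.exe').write_bytes(b'MZ' + b'\0' * 62)      # stand-in PE header
        (office / f'{stem}.nal').write_bytes(b'{\\rtf1 original template}')
    docs = Path(root, 'Users', 'Admin', 'Documents')
    docs.mkdir(parents=True)
    (docs / 'report.docx').write_bytes(b'PK\x03\x04')
    (docs / 'setup.exe').write_bytes(b'MZ')                                 # plain exe, not a companion
    return root


if __name__ == '__main__':
    for h in hunt(build_sample_tree()):
        print(h.kind, h.path, '->', h.partner, '(original missing)' if h.original_missing else '')
```

Run `hunt()` against `C:\Program Files`, user profile and mapped-drive roots on a suspect host; a companion hit whose original document is missing is the strongest signal, while a lone `.nal` with no partner is worth a look but is not proof on its own.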
Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
The sample writes mydoc.rtf and then launches Word on it (see the Processes section): a decoy document so that running the sample looks like opening a file. ~$mydoc.rtf is Word's ordinary owner-lock file, not malware output.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; in this run it accompanies the drive-letter probing by ulaqhbksiw.exe and vegxbwhx.exe above, and nothing on the page shows files being encrypted.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is WINWORD.EXE, not the malware:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
Also WINWORD.EXE, which reads BIOS identity during normal start-up. These two signatures are noise from the decoy document and carry no weight against the sample:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
Script file associations re-pointed to the plain-text handler by ulaqhbksiw.exe (each key is created, then its default value is set):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh; Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
With these associations, double-clicking a .bat, .reg, .vbs or Windows Script Host file opens it in Notepad instead of running it, which neuters the usual clean-up scripts and .reg fixes. Restore the defaults (batfile, regfile, VBSFile, scriptletfile, WSFFile, WSHFile) before relying on them.
Opaque values written by the sample (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe) under a custom class key; the page does not decode them:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0F9C5782276A3476D270562DDD7D8765DE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACCF967F193830C3B4586E939E5B38803FE4360034EE1CC42EE08D5"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12F479038EA53CCB9D5329DD4CE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FFF94F5A826A9046D72E7E90BC92E140584566406236D6EB"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB3FF6722D8D172D1D18A7B9016"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60F14E2DAC7B8C87CE0EDE334B9"
Also recorded:
- Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe), which is ordinary shell housekeeping
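An added example, not part of the sandbox report: a small classifier that parses registry records in the shape used by the signature tables above (Explorer hiding, Security Center overrides, DisableRegistryTools, Winlogon SFC values, Run keys, script-association hijacks, the Geo\Nation lookup) and buckets them for triage. The sample records are copied from this page; the category names and the current ATT&CK technique IDs attached to them are my mapping, not the page's ATT&CK v6 labels; and the WOW6432Node stripping is an assumption that the 32- and 64-bit views should be judged alike.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: records in the "<op> <key path>[ = "<data>"] <process>" shape
# used by the signature tables on this page, copied from the report.
SAMPLE_RECORDS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ulaqhbksiw.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ulaqhbksiw.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ulaqhbksiw.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ulaqhbksiw.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ulaqhbksiw.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ulaqhbksiw.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zfsprtbu = "ulaqhbksiw.exe" cajjgdkowzhnbnd.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ulaqhbksiw.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ulaqhbksiw.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0F9C5782276A3476D270562DDD7D8765DE" 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe',
]

RECORD_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # key path; may contain spaces ("Security Center")
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'     # optional  = "data"
    r'\s+(?P<proc>\S+\.exe)$'            # writing/reading process
)

# (pattern on the normalised path, category, ATT&CK technique) - my mapping, see lead-in
RULES = [
    (r'\\Security Center\\(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|'
     r'FirewallDisableNotify|UpdatesDisableNotify|FirstRunDisabled)$',
     'security-center-override', 'T1562.001'),
    (r'\\Explorer\\Advanced\\(HideFileExt|ShowSuperHidden|Hidden)$', 'explorer-hiding', 'T1564.001'),
    (r'\\Policies\\System\\DisableRegistryTools$', 'regedit-disabled', 'T1112'),
    (r'\\Winlogon\\SFC(Disable|Scan)$', 'sfc-tamper', 'T1112'),
    (r'\\CurrentVersion\\Run(Once)?(\\[^\\]*)?$', 'run-key', 'T1547.001'),
    (r'\\Classes\\\.(bat|cmd|reg|vbs|vbe|js|jse|wsf|wsh|wsc|ps1)\\?$', 'script-assoc-hijack', 'T1546.001'),
    (r'\\Control Panel\\International\\Geo\\Nation$', 'geo-check', 'T1614'),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), cat, tech) for p, cat, tech in RULES]


@dataclass
class Finding:
    op: str
    hive_path: str        # normalised: HKLM\... or HKU\<SID>\..., WOW6432Node removed
    data: Optional[str]
    process: str
    category: str         # 'uncategorized' when no rule matched
    technique: str


def normalize(path: str) -> str:
    """Map a kernel-style \\REGISTRY\\... path to a hive-prefixed form and drop the
    WOW6432Node component so one rule covers both the 32- and the 64-bit view."""
    rest = path[len('\\REGISTRY\\'):]
    head, _, tail = rest.partition('\\')
    hive = {'MACHINE': 'HKLM', 'USER': 'HKU'}.get(head.upper(), head)
    return re.sub(r'\\WOW6432Node(?=\\)', '', hive + '\\' + tail, flags=re.IGNORECASE)


def dword_signed(value: int) -> int:
    """Interpret a REG_DWORD as a signed 32-bit integer (4294967197 -> -99)."""
    return value - (1 << 32) if value & 0x80000000 else value


def classify(record: str) -> Optional[Finding]:
    m = RECORD_RE.match(record.strip())
    if not m:
        return None
    hive_path = normalize(m.group('path'))
    category, technique = 'uncategorized', ''
    for rx, cat, tech in COMPILED_RULES:
        if rx.search(hive_path):
            category, technique = cat, tech
            break
    return Finding(m.group('op'), hive_path, m.group('data'), m.group('proc'), category, technique)


def triage(records: List[str]) -> List[Finding]:
    return [f for f in (classify(r) for r in records) if f is not None]


def category_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


def describe(f: Finding) -> str:
    """One line per finding. DWORDs with the top bit set are also shown signed and in hex,
    which is how SFCDisable = 4294967197 reveals itself as 0xFFFFFF9D."""
    data = ''
    if f.data is not None:
        data = f' = "{f.data}"'
        if f.op == 'Set value (int)' and f.data.isdigit() and int(f.data) & 0x80000000:
            v = int(f.data)
            data += f' (signed {dword_signed(v)}, 0x{v & 0xFFFFFFFF:08X})'
    tag = f'{f.category} {f.technique}'.strip()
    return f'[{tag}] {f.process}: {f.op} {f.hive_path}{data}'


if __name__ == '__main__':
    findings = triage(SAMPLE_RECORDS)
    for f in findings:
        print(describe(f))
    print(category_counts(findings))
```

The rules key on the tail of the normalised path, so the same table works on records pulled from Sysmon event 13 or a registry diff as long as they are reshaped into the `<op> <path> = "<data>" <process>` form first; anything that does not match lands in `uncategorized` rather than being dropped, which is where the CLV.Classes values end up.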
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 3908 WINWORD.EXE (2 calls)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process-enumeration events, counted per process:
- PID 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe: 16
- PID 3796 cajjgdkowzhnbnd.exe: 10
- PID 2740 ulaqhbksiw.exe: 10
- PID 4352 vegxbwhx.exe: 8
- PID 776 easpwiuvirwxp.exe: 12
- PID 3592 vegxbwhx.exe: 8

Suspicious use of FindShellTrayWindow (18 IoCs)
- 3 calls each from PIDs 1576 (the sample), 2740 (ulaqhbksiw.exe), 3796 (cajjgdkowzhnbnd.exe), 4352 (vegxbwhx.exe), 776 (easpwiuvirwxp.exe) and 3592 (vegxbwhx.exe)

Suspicious use of SendNotifyMessage (18 IoCs)
- 3 calls each from the same six PIDs
The FindShellTrayWindow and SendNotifyMessage pairs are identical across all six processes, consistent with the shared AutoIt runtime (see the autoit_exe hits) rather than with anything specific to the payload.

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 3908 WINWORD.EXE (7 calls)

Suspicious use of WriteProcessMemory (17 IoCs)
Writer PID (image) → target PID, with the procid_target column and the number of writes:
- 1576 (214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe) → 2740, procid_target 82: 3 writes
- 1576 → 3796, procid_target 83: 3 writes
- 1576 → 4352, procid_target 84: 3 writes
- 1576 → 776, procid_target 85: 3 writes
- 1576 → 3908, procid_target 86: 2 writes
- 2740 (ulaqhbksiw.exe) → 3592, procid_target 88: 3 writes
Every target is a direct child of the writer in the Processes section, which is the pattern CreateProcess itself produces (the parent writes into the new child's address space before it starts). Nothing here shows a write into a process the writer did not spawn, so this signature adds no evidence of code injection.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe"
PID 1576
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 2 (child of 1576): C:\Windows\SysWOW64\ulaqhbksiw.exe
Command line: ulaqhbksiw.exe
PID 2740
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

Level 3 (child of 2740): C:\Windows\SysWOW64\vegxbwhx.exe
Command line: C:\Windows\system32\vegxbwhx.exe (the 32-bit parent asked for system32; WOW64 file-system redirection maps that to SysWOW64, where the dropper put the file)
PID 3592
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of 1576): C:\Windows\SysWOW64\cajjgdkowzhnbnd.exe
Command line: cajjgdkowzhnbnd.exe
PID 3796
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of 1576): C:\Windows\SysWOW64\vegxbwhx.exe
Command line: vegxbwhx.exe
PID 4352
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of 1576): C:\Windows\SysWOW64\easpwiuvirwxp.exe
Command line: easpwiuvirwxp.exe
PID 776
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

Level 2 (child of 1576): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
PID 3908
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx

Division of labour as the tree shows it: the sample drops the four executables into SysWOW64 and opens the decoy document; ulaqhbksiw.exe does the registry tampering; cajjgdkowzhnbnd.exe sets the Run keys; vegxbwhx.exe (two instances) walks the drive letters and plants the Program Files companions; easpwiuvirwxp.exe shows nothing beyond process and window enumeration in this run.
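An added example, not part of the sandbox report: it parses the 17 WriteProcessMemory records from the signature table, rebuilds the lineage from them, renders it with the same level numbering as the Processes section, and cross-checks each writer → target pair against an independently known process tree. The `SAMPLE` text, `IMAGE_BY_PID` and `PROCESS_TREE` are constructed from this page; treating a writer → target pair as a spawn edge is the CreateProcess interpretation argued above and holds only when the target is a child of the writer, which is exactly what the cross-check verifies.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed from the "Suspicious use of WriteProcessMemory" table on this page, one
# record per line: PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
SAMPLE = """
PID 1576 wrote to memory of 2740 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 82
PID 1576 wrote to memory of 2740 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 82
PID 1576 wrote to memory of 2740 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 82
PID 1576 wrote to memory of 3796 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 83
PID 1576 wrote to memory of 3796 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 83
PID 1576 wrote to memory of 3796 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 83
PID 1576 wrote to memory of 4352 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 84
PID 1576 wrote to memory of 4352 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 84
PID 1576 wrote to memory of 4352 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 84
PID 1576 wrote to memory of 776 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 85
PID 1576 wrote to memory of 776 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 85
PID 1576 wrote to memory of 776 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 85
PID 1576 wrote to memory of 3908 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 86
PID 1576 wrote to memory of 3908 1576 214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe 86
PID 2740 wrote to memory of 3592 2740 ulaqhbksiw.exe 88
PID 2740 wrote to memory of 3592 2740 ulaqhbksiw.exe 88
PID 2740 wrote to memory of 3592 2740 ulaqhbksiw.exe 88
"""

# Constructed from the Processes section: image names and the sandbox's own parent/child view.
IMAGE_BY_PID = {
    1576: '214cfb183179ea8133cc9ccc9c541b3853b3117257f45f1f26ca3bb8639220fc.exe',
    2740: 'ulaqhbksiw.exe', 3796: 'cajjgdkowzhnbnd.exe', 4352: 'vegxbwhx.exe',
    776: 'easpwiuvirwxp.exe', 3908: 'WINWORD.EXE', 3592: 'vegxbwhx.exe',
}
PROCESS_TREE = {1576: [2740, 3796, 4352, 776, 3908], 2740: [3592]}

WRITE_RE = re.compile(r'^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) '
                      r'(?P<writer2>\d+) (?P<image>\S+) (?P<procid>\d+)$')


def parse_writes(text: str) -> List[Tuple[int, int, str, int]]:
    """Return (writer_pid, target_pid, writer_image, procid_target) for each record."""
    out = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue                                   # tolerate stray text between records
        writer = int(m.group('writer'))
        if int(m.group('writer2')) != writer:          # the table repeats the writer pid
            raise ValueError(f'writer pid mismatch in record: {line!r}')
        out.append((writer, int(m.group('target')), m.group('image'), int(m.group('procid'))))
    return out


def write_edges(writes) -> Dict[Tuple[int, int], int]:
    """(writer, target) -> number of writes, in first-seen order."""
    return dict(Counter((w, t) for w, t, _, _ in writes))


def build_tree(writes) -> Dict[int, List[int]]:
    """parent -> children in first-seen order, reading each writer/target pair as a spawn."""
    tree: Dict[int, List[int]] = {}
    for w, t, _, _ in writes:
        children = tree.setdefault(w, [])
        if t not in children:
            children.append(t)
    return tree


def roots(tree: Dict[int, List[int]]) -> List[int]:
    targets = {t for kids in tree.values() for t in kids}
    return [p for p in tree if p not in targets]


def render(tree: Dict[int, List[int]], images: Dict[int, str], root: int) -> List[str]:
    """Indented lines numbered by depth, matching the 1/2/3 levels of the Processes section."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append(f"{'  ' * (depth - 1)}{depth}. {images.get(pid, '?')} (PID {pid})")
        for child in tree.get(pid, []):
            walk(child, depth + 1)

    walk(root, 1)
    return lines


def writes_outside_lineage(edges, spawn_children: Dict[int, List[int]]) -> List[Tuple[int, int]]:
    """Edges whose target is not a direct child of the writer in the independently known
    tree: the shape a write into an unrelated process (injection) would take."""
    return [(w, t) for (w, t) in edges if t not in spawn_children.get(w, [])]


if __name__ == '__main__':
    writes = parse_writes(SAMPLE)
    edges = write_edges(writes)
    tree = build_tree(writes)
    print('\n'.join(render(tree, IMAGE_BY_PID, roots(tree)[0])))
    print('writes per edge:', edges)
    print('outside lineage:', writes_outside_lineage(edges, PROCESS_TREE))
```

On this report the cross-check returns an empty list; the same function flags a pair as soon as a report shows, say, cajjgdkowzhnbnd.exe writing into WINWORD.EXE, which is the case that would deserve a closer look at the write sizes and addresses.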
Network
No network indicators are listed on this page.

MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Dropped files recorded by the sandbox (repeated entries with identical hashes collapsed). Six of them are 255KB, the same size as the submitted sample, yet carry different hashes, so the dropper does not write byte-identical copies of itself.
- Filesize: 255KB
  MD5: 129e1f368cddd99bc8dc766a06a53078
  SHA1: fd2e7f95ef8e82d2fb9d144d33db66ce74788d0e
  SHA256: 531211d0dbfd945f887756565f6883106f1d8a8ca9c969d5007464e37d465841
  SHA512: 848b4eb92388ba7e8bec6a1d8ada94120b552061f7935f252a10de826d7011d7cfed1ae02d43800ec94df50ba5301bed7a6ffabb7b9b0a972518557576f2d415
- Filesize: 255KB
  MD5: dffedbb2a44123fe9b69a13ee4cb3321
  SHA1: 8076041381e7ceb16ec977165adfc16694f6b3be
  SHA256: 755f1cfec40053e39530eefae83e861c6b84bbfb54bcefdfd4283066e0c540ec
  SHA512: 64acc20d90aa03a1378add114a51624f9eda3792e017b276149023601ed46ab6804bb720c02eee91998183db4942263d7a79c8a5eae2c5b49c6a617c300e6850
- Filesize: 255KB
  MD5: fe9f239004684a7738efb69bffc63f29
  SHA1: 2ff8ca44f577431a04914d4584aae99d15c336f0
  SHA256: a51d9f9c25244f3ee05754f5e9f98e909dfdfc4adfab55180678a10ee54cde38
  SHA512: 3f5c6af4f654bf04eaf770423297299e0b35ab5cdcf7d9dd733c6f5040e687fbb78a721aa3eb06dc6a7305bcf4fb6b78e3bbb6b22fe551656402cfb891f45ceb
- Filesize: 255KB
  MD5: 03b8ecba9b33ec412ab2952e82d5338c
  SHA1: 38dc79b4bc257bed9eec888e21dec212601a3937
  SHA256: abe19ffb2eef7488fd1171efbf14e0d0ebe594113051f83e63566d0c6e7ff1e6
  SHA512: ddd9a2abb31ecc8b057934a1353503816fd5c41bd4db1122b286f0f0e964faad3f0f728a2f1358ea9b419ae7ed68938307d4ae67567fc23e6c06dcf0eba5cb8f
- Filesize: 255KB
  MD5: 7e6a4ed5e2c33cd95bda9b3fd93a0022
  SHA1: ed814c22fe9184ad7406efd7afffa45af43a7775
  SHA256: d7c9ed6170c6bcdffe2ba266ad2c9d65165bd65ca07ad5b0aa374858f64ae31c
  SHA512: 1557ee24a06b8252da607e63781a4d9afefa41e010c9fe953b52dd737cd5c39f395e214dc843a6abf22764fa67546e0e3f55124cb02005013e7bb0c7f9813603
- Filesize: 255KB
  MD5: 360e6c5ce58fb7e31fdd5291617ff051
  SHA1: cff56ebfb4aeee23967f09bdd670c7d0b3dd0358
  SHA256: 686a3387c5bc22366020b76c7c5ec667bf90995f6544d8f851883217f8fee796
  SHA512: 51db6246b0da0d9e3b962daa0c31550d957491cb5b39d31b25b424e94848e6d9e2af09da3961a441d089e1390e1ca13a22a26b64dbdccd3017c008e4a3d65ac5
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7