Analysis
max time kernel: 161s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:03
Behavioral task: behavioral1
Sample: 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Resource: win7-20221111-en
General
Target: 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Size: 255KB
MD5: cc12ce02c458d651196298b6c478dd18
SHA1: 05a2c264d9a57f3ce49e7d770ac846559b947309
SHA256: 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c
SHA512: b4a8cf8a775ee4be9f7c655bc8f2c4f06a32ed0bf371033569cd7066927a10a87bc5a629a32b7c3974a805b35a647ab7c903f2bf3753491f66557cd4fcd104b8
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv67:Plf5j6zCNa0xeE3mu
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | elcojgevir.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | elcojgevir.exe
Windows security bypass (signature name taken from the process tree below, where it sits at this position for elcojgevir.exe)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | elcojgevir.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | elcojgevir.exe
Executes dropped EXE (5 IoCs)
pid | Process
4204 | elcojgevir.exe
1088 | rbusubpdaobgajb.exe
1144 | brlhjzmc.exe
4004 | tgzdhvhpvcoew.exe
4660 | brlhjzmc.exe
YARA rule matches (rule: upx; signature name not captured in this extraction)
resource | yara_rule
behavioral2/memory/3408-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4204-137-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e59-138.dat | upx
behavioral2/files/0x0006000000022e59-139.dat | upx
behavioral2/files/0x0006000000022e5a-142.dat | upx
behavioral2/files/0x0006000000022e5a-141.dat | upx
behavioral2/files/0x0006000000022e5b-144.dat | upx
behavioral2/files/0x0006000000022e5b-145.dat | upx
behavioral2/files/0x0006000000022e58-135.dat | upx
behavioral2/files/0x0006000000022e58-134.dat | upx
behavioral2/files/0x0006000000022e5a-147.dat | upx
behavioral2/memory/1088-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1144-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4004-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4660-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3408-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e5d-159.dat | upx
behavioral2/files/0x0007000000022e5f-160.dat | upx
behavioral2/memory/4204-161-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e63-163.dat | upx
behavioral2/memory/1088-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1144-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4660-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4004-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (signature name taken from the process tree below, where it sits at this position for elcojgevir.exe)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | elcojgevir.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hdsdromt = "elcojgevir.exe" | rbusubpdaobgajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bxatgmfr = "rbusubpdaobgajb.exe" | rbusubpdaobgajb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tgzdhvhpvcoew.exe" | rbusubpdaobgajb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | rbusubpdaobgajb.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | elcojgevir.exe
File opened (read-only) | \??\n: | elcojgevir.exe
File opened (read-only) | \??\p: | elcojgevir.exe
File opened (read-only) | \??\v: | elcojgevir.exe
File opened (read-only) | \??\n: | brlhjzmc.exe
File opened (read-only) | \??\k: | brlhjzmc.exe
File opened (read-only) | \??\z: | elcojgevir.exe
File opened (read-only) | \??\m: | elcojgevir.exe
File opened (read-only) | \??\x: | elcojgevir.exe
File opened (read-only) | \??\h: | brlhjzmc.exe
File opened (read-only) | \??\n: | brlhjzmc.exe
File opened (read-only) | \??\v: | brlhjzmc.exe
File opened (read-only) | \??\w: | brlhjzmc.exe
File opened (read-only) | \??\t: | elcojgevir.exe
File opened (read-only) | \??\r: | elcojgevir.exe
File opened (read-only) | \??\v: | brlhjzmc.exe
File opened (read-only) | \??\z: | brlhjzmc.exe
File opened (read-only) | \??\q: | brlhjzmc.exe
File opened (read-only) | \??\t: | brlhjzmc.exe
File opened (read-only) | \??\s: | brlhjzmc.exe
File opened (read-only) | \??\e: | brlhjzmc.exe
File opened (read-only) | \??\j: | elcojgevir.exe
File opened (read-only) | \??\a: | brlhjzmc.exe
File opened (read-only) | \??\h: | elcojgevir.exe
File opened (read-only) | \??\i: | elcojgevir.exe
File opened (read-only) | \??\o: | elcojgevir.exe
File opened (read-only) | \??\b: | brlhjzmc.exe
File opened (read-only) | \??\r: | brlhjzmc.exe
File opened (read-only) | \??\y: | brlhjzmc.exe
File opened (read-only) | \??\l: | brlhjzmc.exe
File opened (read-only) | \??\m: | brlhjzmc.exe
File opened (read-only) | \??\k: | brlhjzmc.exe
File opened (read-only) | \??\u: | brlhjzmc.exe
File opened (read-only) | \??\e: | elcojgevir.exe
File opened (read-only) | \??\f: | elcojgevir.exe
File opened (read-only) | \??\l: | elcojgevir.exe
File opened (read-only) | \??\j: | brlhjzmc.exe
File opened (read-only) | \??\q: | brlhjzmc.exe
File opened (read-only) | \??\f: | brlhjzmc.exe
File opened (read-only) | \??\k: | elcojgevir.exe
File opened (read-only) | \??\w: | elcojgevir.exe
File opened (read-only) | \??\a: | brlhjzmc.exe
File opened (read-only) | \??\i: | brlhjzmc.exe
File opened (read-only) | \??\u: | brlhjzmc.exe
File opened (read-only) | \??\i: | brlhjzmc.exe
File opened (read-only) | \??\g: | elcojgevir.exe
File opened (read-only) | \??\q: | elcojgevir.exe
File opened (read-only) | \??\s: | elcojgevir.exe
File opened (read-only) | \??\u: | elcojgevir.exe
File opened (read-only) | \??\y: | elcojgevir.exe
File opened (read-only) | \??\m: | brlhjzmc.exe
File opened (read-only) | \??\s: | brlhjzmc.exe
File opened (read-only) | \??\p: | brlhjzmc.exe
File opened (read-only) | \??\z: | brlhjzmc.exe
File opened (read-only) | \??\x: | brlhjzmc.exe
File opened (read-only) | \??\a: | elcojgevir.exe
File opened (read-only) | \??\g: | brlhjzmc.exe
File opened (read-only) | \??\o: | brlhjzmc.exe
File opened (read-only) | \??\w: | brlhjzmc.exe
File opened (read-only) | \??\t: | brlhjzmc.exe
File opened (read-only) | \??\h: | brlhjzmc.exe
File opened (read-only) | \??\l: | brlhjzmc.exe
File opened (read-only) | \??\f: | brlhjzmc.exe
File opened (read-only) | \??\b: | brlhjzmc.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | elcojgevir.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | elcojgevir.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4204-137-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1088-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1144-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4004-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4660-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3408-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4204-161-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1088-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1144-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4660-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4004-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\brlhjzmc.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\SysWOW64\brlhjzmc.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\SysWOW64\tgzdhvhpvcoew.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\SysWOW64\rbusubpdaobgajb.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\SysWOW64\elcojgevir.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File created | C:\Windows\SysWOW64\rbusubpdaobgajb.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File created | C:\Windows\SysWOW64\tgzdhvhpvcoew.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | elcojgevir.exe
File created | C:\Windows\SysWOW64\elcojgevir.exe | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | brlhjzmc.exe
File opened for modification | C:\Program Files\ResizeConvert.nal | brlhjzmc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | brlhjzmc.exe
File opened for modification | C:\Program Files\ResizeConvert.doc.exe | brlhjzmc.exe
File opened for modification | \??\c:\Program Files\ResizeConvert.doc.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\ResizeConvert.nal | brlhjzmc.exe
File opened for modification | C:\Program Files\ResizeConvert.doc.exe | brlhjzmc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | brlhjzmc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | brlhjzmc.exe
File created | \??\c:\Program Files\ResizeConvert.doc.exe | brlhjzmc.exe
File opened for modification | \??\c:\Program Files\ResizeConvert.doc.exe | brlhjzmc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | brlhjzmc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | brlhjzmc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | brlhjzmc.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C0F9C5183506A3676D770232DD87D8765DB" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB1FF6721DCD172D0A18A749011" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C77915E3DBBFB8BA7CE9EDE337CB" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | elcojgevir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | elcojgevir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | elcojgevir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | elcojgevir.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FFFB4F2A856E9130D6217D9DBC94E634594467316344D6EA" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02847E239EA53C4B9A73298D7C5" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | elcojgevir.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | elcojgevir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | elcojgevir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFACDFE13F2E384753B43819B3995B08E02FB4311033EE1CF42EA08A8" | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
688 | WINWORD.EXE (listed 2 times)
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive duplicate rows collapsed with their count)
pid | Process
3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe (listed 16 times)
1088 | rbusubpdaobgajb.exe (listed 8 times)
4204 | elcojgevir.exe (listed 6 times)
1088 | rbusubpdaobgajb.exe (listed 2 times)
4204 | elcojgevir.exe (listed 4 times)
1144 | brlhjzmc.exe (listed 2 times)
4004 | tgzdhvhpvcoew.exe (listed 2 times)
1144 | brlhjzmc.exe (listed 3 times)
4004 | tgzdhvhpvcoew.exe
1144 | brlhjzmc.exe
4004 | tgzdhvhpvcoew.exe
1144 | brlhjzmc.exe
4004 | tgzdhvhpvcoew.exe
1144 | brlhjzmc.exe
4004 | tgzdhvhpvcoew.exe (listed 7 times)
4660 | brlhjzmc.exe (listed 8 times)
Suspicious use of FindShellTrayWindow (18 IoCs; duplicate rows collapsed with their count)
pid | Process
3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe (listed 3 times)
4204 | elcojgevir.exe (listed 3 times)
1088 | rbusubpdaobgajb.exe (listed 3 times)
1144 | brlhjzmc.exe (listed 3 times)
4004 | tgzdhvhpvcoew.exe (listed 3 times)
4660 | brlhjzmc.exe (listed 3 times)
Suspicious use of SendNotifyMessage (18 IoCs; duplicate rows collapsed with their count)
pid | Process
3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe (listed 3 times)
4204 | elcojgevir.exe (listed 3 times)
1088 | rbusubpdaobgajb.exe (listed 3 times)
1144 | brlhjzmc.exe (listed 3 times)
4004 | tgzdhvhpvcoew.exe (listed 3 times)
4660 | brlhjzmc.exe (listed 3 times)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
688 | WINWORD.EXE (listed 7 times)
Suspicious use of WriteProcessMemory (17 IoCs; duplicate rows collapsed with their count)
description | pid | Process | procid_target
PID 3408 wrote to memory of 4204 | 3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe | 81 (listed 3 times)
PID 3408 wrote to memory of 1088 | 3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe | 82 (listed 3 times)
PID 3408 wrote to memory of 1144 | 3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe | 84 (listed 3 times)
PID 3408 wrote to memory of 4004 | 3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe | 83 (listed 3 times)
PID 3408 wrote to memory of 688 | 3408 | 20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe | 85 (listed 2 times)
PID 4204 wrote to memory of 4660 | 4204 | elcojgevir.exe | 87 (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe (PID 3408, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\20d1cff3ade88e1313ad34e3cb857908831ae6cf18487037614a288cceb8472c.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\elcojgevir.exe (PID 4204, depth 2)
    Command line: elcojgevir.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\brlhjzmc.exe (PID 4660, depth 3)
      Command line: C:\Windows\system32\brlhjzmc.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\rbusubpdaobgajb.exe (PID 1088, depth 2)
    Command line: rbusubpdaobgajb.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\tgzdhvhpvcoew.exe (PID 4004, depth 2)
    Command line: tgzdhvhpvcoew.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\brlhjzmc.exe (PID 1144, depth 2)
    Command line: brlhjzmc.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 688, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Disabling Security Tools 2
- Hidden Files and Directories 2
- Modify Registry 6
Downloads