Analysis
max time kernel: 157s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:04
Behavioral task: behavioral1
Sample: eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Resource: win7-20220812-en
General
Target: eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Size: 255KB
MD5: 62128f2fb4f8f996dc65ccd2f7b2da1b
SHA1: 8ac5fd2fb0473fb92b3e00887cefbd49fde6a468
SHA256: eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180
SHA512: 98c73fc25078a84122470dcc91c450a090c998344fae2f5a75a9ea173fbf166f60f3885dbb4af024985ae1e3c4d500351d1d1150c39ce02a944501c600dc1ad8
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ2:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIV
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | szbqnmdxdb.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | szbqnmdxdb.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | szbqnmdxdb.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | szbqnmdxdb.exe
Executes dropped EXE 5 IoCs
pid | Process
3780 | szbqnmdxdb.exe
3876 | jewvzdepekqwnwy.exe
3772 | gpylexcf.exe
208 | locxtugsghifx.exe
4092 | gpylexcf.exe
resource | yara_rule
behavioral2/memory/3540-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0003000000022dfe-134.dat | upx
behavioral2/files/0x0003000000022dfe-135.dat | upx
behavioral2/files/0x0004000000022e00-138.dat | upx
behavioral2/files/0x0004000000022e00-137.dat | upx
behavioral2/files/0x0003000000022e01-140.dat | upx
behavioral2/files/0x0003000000022e01-141.dat | upx
behavioral2/files/0x0001000000022e02-144.dat | upx
behavioral2/files/0x0001000000022e02-143.dat | upx
behavioral2/memory/3780-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3876-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3772-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/208-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0003000000022e01-150.dat | upx
behavioral2/memory/4092-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3540-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0001000000022e05-159.dat | upx
behavioral2/files/0x0001000000022e06-160.dat | upx
behavioral2/memory/3780-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3876-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3772-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/208-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4092-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000300000001e469-169.dat | upx
behavioral2/files/0x000300000001e5b3-172.dat | upx
behavioral2/files/0x000300000001e5b3-171.dat | upx
behavioral2/files/0x000300000001e5b3-170.dat | upx
behavioral2/files/0x000300000001e5b3-173.dat | upx
behavioral2/files/0x000300000001e5b3-174.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | szbqnmdxdb.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | jewvzdepekqwnwy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\apkogabk = "szbqnmdxdb.exe" | jewvzdepekqwnwy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vcbimyuy = "jewvzdepekqwnwy.exe" | jewvzdepekqwnwy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "locxtugsghifx.exe" | jewvzdepekqwnwy.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only), 40 rows for gpylexcf.exe, in order of appearance: \??\g: \??\k: \??\m: \??\q: \??\z: \??\e: \??\g: \??\b: \??\j: \??\y: \??\z: \??\u: \??\a: \??\r: \??\h: \??\x: \??\j: \??\o: \??\p: \??\s: \??\v: \??\i: \??\n: \??\l: \??\q: \??\e: \??\l: \??\o: \??\t: \??\w: \??\n: \??\y: \??\f: \??\b: \??\h: \??\m: \??\r: \??\s: \??\u: \??\v:
File opened (read-only), 24 rows for szbqnmdxdb.exe, in order of appearance: \??\l: \??\n: \??\j: \??\w: \??\f: \??\r: \??\u: \??\y: \??\i: \??\q: \??\x: \??\k: \??\s: \??\p: \??\t: \??\b: \??\e: \??\v: \??\z: \??\a: \??\h: \??\m: \??\o: \??\g:
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | szbqnmdxdb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | szbqnmdxdb.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3780-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3876-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3772-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/208-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4092-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3540-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3780-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3876-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3772-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/208-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4092-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\szbqnmdxdb.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | C:\Windows\SysWOW64\szbqnmdxdb.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | C:\Windows\SysWOW64\jewvzdepekqwnwy.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gpylexcf.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | szbqnmdxdb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gpylexcf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gpylexcf.exe
File created | C:\Windows\SysWOW64\jewvzdepekqwnwy.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File created | C:\Windows\SysWOW64\gpylexcf.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | C:\Windows\SysWOW64\gpylexcf.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File created | C:\Windows\SysWOW64\locxtugsghifx.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | C:\Windows\SysWOW64\locxtugsghifx.exe | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gpylexcf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gpylexcf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gpylexcf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gpylexcf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gpylexcf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gpylexcf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gpylexcf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gpylexcf.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | szbqnmdxdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402D0D9C5282276A3276DD70222DD67DF364DB" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B5FE6F21AED20ED0D68A7B9161" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02A44E739EE53CBB9A132EFD7B9" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | szbqnmdxdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | szbqnmdxdb.exe
Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAB1FE6AF2E4847A3B45869E3E91B08A02FF4269023EE1BF45E709A3" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60B15E0DAB2B8C97F92ECE237B9" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | szbqnmdxdb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | szbqnmdxdb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | szbqnmdxdb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF88485A8219903CD65B7D92BCEEE1355930674E6341D69C" | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
340 | WINWORD.EXE (2 identical rows)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe (16 identical rows)
3780 | szbqnmdxdb.exe (10 identical rows)
3772 | gpylexcf.exe (8 identical rows)
208 | locxtugsghifx.exe (12 identical rows)
3876 | jewvzdepekqwnwy.exe (10 identical rows)
4092 | gpylexcf.exe (8 identical rows)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe (3 identical rows)
3780 | szbqnmdxdb.exe (3 identical rows)
3876 | jewvzdepekqwnwy.exe (3 identical rows)
3772 | gpylexcf.exe (3 identical rows)
208 | locxtugsghifx.exe (3 identical rows)
4092 | gpylexcf.exe (3 identical rows)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe (3 identical rows)
3780 | szbqnmdxdb.exe (3 identical rows)
3876 | jewvzdepekqwnwy.exe (3 identical rows)
3772 | gpylexcf.exe (3 identical rows)
208 | locxtugsghifx.exe (3 identical rows)
4092 | gpylexcf.exe (3 identical rows)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
340 | WINWORD.EXE (7 identical rows)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 3540 wrote to memory of 3780 | 3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe | 82 (3 identical rows)
PID 3540 wrote to memory of 3876 | 3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe | 83 (3 identical rows)
PID 3540 wrote to memory of 3772 | 3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe | 84 (3 identical rows)
PID 3540 wrote to memory of 208 | 3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe | 85 (3 identical rows)
PID 3780 wrote to memory of 4092 | 3780 | szbqnmdxdb.exe | 86 (3 identical rows)
PID 3540 wrote to memory of 340 | 3540 | eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe | 87 (2 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb971c33c76ce004d1d0738ab7f352b2aa597cc654eab817d711d9cba87d2180.exe"
  PID: 3540
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\szbqnmdxdb.exe
    Command line: szbqnmdxdb.exe
    PID: 3780
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\gpylexcf.exe
      Command line: C:\Windows\system32\gpylexcf.exe
      PID: 4092
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jewvzdepekqwnwy.exe
    Command line: jewvzdepekqwnwy.exe
    PID: 3876
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\gpylexcf.exe
    Command line: gpylexcf.exe
    PID: 3772
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\locxtugsghifx.exe
    Command line: locxtugsghifx.exe
    PID: 208
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 340
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads

Filesize: 255KB
MD5: 25a19e5b1f4e825fa49224552850113f
SHA1: 48d282e39a37cea408af91d11e30cdcb03679c9c
SHA256: 99503c0f19f329aa3e7d37f5c25e3c36dd45dff3d76e9e2909b1cd80a1e10e3c
SHA512: 43d5ee61727e5490fc2dd3acb11d266d3ca8f8b32ee9570cdcedbf3a2ebe1738428a4d4bd338c198b32191087f5f42947f20e819a29a7106039e7c4d90a71c41

Filesize: 255KB
MD5: 4e1a3e472db6e530bca789ac3b7e3ae9
SHA1: aaa4293bb65f1a6ff087ea33f79f7131cc7d6257
SHA256: d8b41eaf6e7254dc9d9258870d4f159a10b1630090e5fd4af46a4a3c8f0da9b9
SHA512: 098f62ec71b6cc0d686ad0b024ff52e8585fb2603375df0e83ddf25ddf4ad4065d89025ec53fcf3139f7d2be4dc84e62210f590a3585ff888285aa0d41404654

Filesize: 255KB
MD5: 01ecde3b01ce80cd124c0212e0d816e5
SHA1: d148853c96ec201c2da0b35185ea528102dbd86b
SHA256: 454309017ef729af6c592337dcd78f506c13a51ac9fa732cbeca548218b01484
SHA512: 56edb622ce00c482a2350aa3b57ed14ca3b9d7535dbbb9a1f590c13923f3b37c628b26f3a0e0299f807d39df1ba5cde33765c9942c71758b6a705b82ba2d7b91

Filesize: 255KB
MD5: 5e1bdd410a09f808996883ebed4674b7
SHA1: 3241ddd13af705d4a1d66440563b7a075010b52b
SHA256: 0175ca21c23df71bd47a5e17232bfe8e9547b1b75b5b097392434c6d511263fc
SHA512: adba7a5fed850020392db9e6faeca305984734ccfb23537c13bcc803e900285b779dbdae868a6c9f26e970bdc4fb6e98ca0e6ab4861d716fd77d97a881747dcc

Filesize: 255KB
MD5: 5e1bdd410a09f808996883ebed4674b7
SHA1: 3241ddd13af705d4a1d66440563b7a075010b52b
SHA256: 0175ca21c23df71bd47a5e17232bfe8e9547b1b75b5b097392434c6d511263fc
SHA512: adba7a5fed850020392db9e6faeca305984734ccfb23537c13bcc803e900285b779dbdae868a6c9f26e970bdc4fb6e98ca0e6ab4861d716fd77d97a881747dcc

Filesize: 255KB
MD5: 5e1bdd410a09f808996883ebed4674b7
SHA1: 3241ddd13af705d4a1d66440563b7a075010b52b
SHA256: 0175ca21c23df71bd47a5e17232bfe8e9547b1b75b5b097392434c6d511263fc
SHA512: adba7a5fed850020392db9e6faeca305984734ccfb23537c13bcc803e900285b779dbdae868a6c9f26e970bdc4fb6e98ca0e6ab4861d716fd77d97a881747dcc

Filesize: 255KB
MD5: 0f086d5ad4fa3314de2f48fecfd47e51
SHA1: 3f52d47709a9dc72e93ed3c5900d116f7f6d94e3
SHA256: 5816aea718aac69fb3e22d9251b8930742a5b56ae4c9787a6fc1759cd8371936
SHA512: a4e9e441075d54baa2e0460ba6fad0159cafcc7aaa463f6d991508953c2c2551651f8b803976136424ac4517851eb3f731a5c2b7bea573bc7955c80a066a8d62

Filesize: 255KB
MD5: 0f086d5ad4fa3314de2f48fecfd47e51
SHA1: 3f52d47709a9dc72e93ed3c5900d116f7f6d94e3
SHA256: 5816aea718aac69fb3e22d9251b8930742a5b56ae4c9787a6fc1759cd8371936
SHA512: a4e9e441075d54baa2e0460ba6fad0159cafcc7aaa463f6d991508953c2c2551651f8b803976136424ac4517851eb3f731a5c2b7bea573bc7955c80a066a8d62

Filesize: 255KB
MD5: 54b89dff1be6339afe79f077c45ecd8e
SHA1: 3a4a3571e9788d48cf98e4593c29b332c890f292
SHA256: 496259b052aaf19dc2fea15893b5500f5fd310ef7941bec3bdd5de2aaf27a721
SHA512: 004a5cfe0508f86d89dd7721ae1c3a0b6b3a588ad23c990264efd55f6be1d3e6d325b1e56b4b4ae9b30346481b6bc9308b255c240e8d8ccd31528e380c96698b

Filesize: 255KB
MD5: 54b89dff1be6339afe79f077c45ecd8e
SHA1: 3a4a3571e9788d48cf98e4593c29b332c890f292
SHA256: 496259b052aaf19dc2fea15893b5500f5fd310ef7941bec3bdd5de2aaf27a721
SHA512: 004a5cfe0508f86d89dd7721ae1c3a0b6b3a588ad23c990264efd55f6be1d3e6d325b1e56b4b4ae9b30346481b6bc9308b255c240e8d8ccd31528e380c96698b

Filesize: 255KB
MD5: c8a870d0025500f460c8fdae6aace834
SHA1: 4e7379e031e76ba52b9d360751ab59b20895e411
SHA256: 2140e9a7e4e453a34eb1d871c91e1a740ba083d138e50b5c6e56f6b83230a9cd
SHA512: 5338b74d913685584b66caeb19d1623c1ef284c34a61850aae6ee4b4eee85f153c6218a8e899d2cd289daafcb59ea0f723c9fc2b080197352ea7586f60a40274

Filesize: 255KB
MD5: c8a870d0025500f460c8fdae6aace834
SHA1: 4e7379e031e76ba52b9d360751ab59b20895e411
SHA256: 2140e9a7e4e453a34eb1d871c91e1a740ba083d138e50b5c6e56f6b83230a9cd
SHA512: 5338b74d913685584b66caeb19d1623c1ef284c34a61850aae6ee4b4eee85f153c6218a8e899d2cd289daafcb59ea0f723c9fc2b080197352ea7586f60a40274

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 2a9e0a089da978119c82517735c83f26
SHA1: 4e8ddbba6d2098ddcb40ce25128c4c1d7c3f5a1c
SHA256: 841902e33f5a4ed3eedf55d06cfefae5da14020b0cae858647aa14961d8f6f0e
SHA512: 2ef78086c0dc01344cc507dc2e3a056324ca12bc6bd833816b5744b5953ac6276656131da56dcb0ada6a521726c10a4555cab382caba6f49faa1ff9e86e842c1

Filesize: 255KB
MD5: 2a9e0a089da978119c82517735c83f26
SHA1: 4e8ddbba6d2098ddcb40ce25128c4c1d7c3f5a1c
SHA256: 841902e33f5a4ed3eedf55d06cfefae5da14020b0cae858647aa14961d8f6f0e
SHA512: 2ef78086c0dc01344cc507dc2e3a056324ca12bc6bd833816b5744b5953ac6276656131da56dcb0ada6a521726c10a4555cab382caba6f49faa1ff9e86e842c1

Filesize: 255KB
MD5: 2a9e0a089da978119c82517735c83f26
SHA1: 4e8ddbba6d2098ddcb40ce25128c4c1d7c3f5a1c
SHA256: 841902e33f5a4ed3eedf55d06cfefae5da14020b0cae858647aa14961d8f6f0e
SHA512: 2ef78086c0dc01344cc507dc2e3a056324ca12bc6bd833816b5744b5953ac6276656131da56dcb0ada6a521726c10a4555cab382caba6f49faa1ff9e86e842c1

Filesize: 255KB
MD5: 92163fc0b766a197525fbf2e1896bd62
SHA1: f46b5433e7a52b6f178eab301713cbbd46068413
SHA256: 9280ffe3544267b2707a37deaf46b82f17c4171324177833c488ba3d335dfa00
SHA512: c1c56558ee057c03e5b69744815f7dd245b7d73b5bedf095b4619bd5ff865de1decd47c39bccec54cb92a8352c8470ae362d6e6aa720b53e4e5ab577c2cf17cf

Filesize: 255KB
MD5: 92163fc0b766a197525fbf2e1896bd62
SHA1: f46b5433e7a52b6f178eab301713cbbd46068413
SHA256: 9280ffe3544267b2707a37deaf46b82f17c4171324177833c488ba3d335dfa00
SHA512: c1c56558ee057c03e5b69744815f7dd245b7d73b5bedf095b4619bd5ff865de1decd47c39bccec54cb92a8352c8470ae362d6e6aa720b53e4e5ab577c2cf17cf