Analysis
- max time kernel: 173s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/11/2022, 19:05
Behavioral task
- behavioral1
- Sample: e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe
- Resource: win7-20221111-en
General
- Target: e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe
- Size: 255KB
- MD5: 8fe84d33389dfb1d715fd9c0ec7ac0f0
- SHA1: a35b41ca29cb6fedb8e6ca7abfc105d2cf07ebc0
- SHA256: e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7
- SHA512: 5c6b6e7fe410888ba74886b57882bdba85ee532a8bced89fe87aaeee94a9ba8dd7970c09fce4f06d364bf20a3925316bc44dceacf0920593c1cffa63d63ac833
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJk:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIT
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (ybujokxvrz.exe)
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (ybujokxvrz.exe)
- Windows security bypass (5 IoCs)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ybujokxvrz.exe)
- Disables RegEdit via registry modification (1 IoC)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (ybujokxvrz.exe)
- Executes dropped EXE (5 IoCs)
  - PID 1952: ybujokxvrz.exe
  - PID 4200: tkpdulqknsxeojh.exe
  - PID 5024: lxvwbggs.exe
  - PID 1392: wwwaabagopces.exe
  - PID 4136: lxvwbggs.exe
- YARA rule upx matched the following resources:
  - behavioral2/memory/4560-132-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/files/0x0007000000022e2f-134.dat
  - behavioral2/files/0x0007000000022e2f-135.dat
  - behavioral2/files/0x0007000000022e33-137.dat
  - behavioral2/files/0x0007000000022e33-138.dat
  - behavioral2/files/0x0006000000022e39-140.dat
  - behavioral2/files/0x0006000000022e39-141.dat
  - behavioral2/memory/1952-143-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4200-144-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/5024-145-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/files/0x0006000000022e3a-147.dat
  - behavioral2/files/0x0006000000022e3a-148.dat
  - behavioral2/files/0x0006000000022e39-150.dat
  - behavioral2/memory/1392-151-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4136-152-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4560-153-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/1952-155-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4200-156-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/5024-157-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/1392-158-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4136-159-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4560-160-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/files/0x0007000000022e29-162.dat
  - behavioral2/files/0x0002000000021b43-161.dat
  - behavioral2/files/0x0004000000000725-171.dat
  - behavioral2/files/0x0004000000000725-172.dat
  - behavioral2/files/0x00050000000162ab-173.dat
  - behavioral2/files/0x00050000000162ab-179.dat
  - behavioral2/files/0x00050000000162ab-180.dat
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Windows security modification (6 IoCs)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (ybujokxvrz.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (tkpdulqknsxeojh.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fhulfbdt = "ybujokxvrz.exe" (tkpdulqknsxeojh.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kqhnfthx = "tkpdulqknsxeojh.exe" (tkpdulqknsxeojh.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wwwaabagopces.exe" (tkpdulqknsxeojh.exe)
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 entries are "File opened (read-only)" events, listed per process in report order:
  - lxvwbggs.exe (44 entries): \??\i:, \??\o:, \??\x:, \??\j:, \??\n:, \??\f:, \??\m:, \??\z:, \??\x:, \??\j:, \??\m:, \??\h:, \??\i:, \??\v:, \??\p:, \??\v:, \??\w:, \??\y:, \??\q:, \??\g:, \??\e:, \??\l:, \??\k:, \??\n:, \??\b:, \??\b:, \??\u:, \??\r:, \??\l:, \??\q:, \??\o:, \??\h:, \??\g:, \??\p:, \??\w:, \??\s:, \??\u:, \??\a:, \??\t:, \??\f:, \??\k:, \??\y:, \??\s:, \??\z:
  - ybujokxvrz.exe (20 entries): \??\h:, \??\r:, \??\u:, \??\l:, \??\i:, \??\w:, \??\f:, \??\a:, \??\e:, \??\j:, \??\n:, \??\y:, \??\t:, \??\q:, \??\o:, \??\k:, \??\z:, \??\m:, \??\p:, \??\x:
- Modifies WinLogon (2 TTPs, 2 IoCs)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (ybujokxvrz.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (ybujokxvrz.exe)
- AutoIT Executable (12 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched the following resources:
  - behavioral2/memory/1952-143-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4200-144-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/5024-145-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/1392-151-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4136-152-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4560-153-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/1952-155-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4200-156-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/5024-157-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/1392-158-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4136-159-0x0000000000400000-0x00000000004A0000-memory.dmp
  - behavioral2/memory/4560-160-0x0000000000400000-0x00000000004A0000-memory.dmp
- Drops file in System32 directory (12 IoCs)
  - File created: C:\Windows\SysWOW64\ybujokxvrz.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\SysWOW64\ybujokxvrz.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File created: C:\Windows\SysWOW64\tkpdulqknsxeojh.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\SysWOW64\tkpdulqknsxeojh.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File created: C:\Windows\SysWOW64\lxvwbggs.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File created: C:\Windows\SysWOW64\wwwaabagopces.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\SysWOW64\lxvwbggs.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\SysWOW64\wwwaabagopces.exe (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (ybujokxvrz.exe)
  - File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lxvwbggs.exe)
  - File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lxvwbggs.exe)
  - File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (lxvwbggs.exe)
- Drops file in Program Files directory (14 IoCs), all by lxvwbggs.exe
  - File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  - File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- Drops file in Windows directory (3 IoCs)
  - File opened for modification: C:\Windows\mydoc.rtf (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
  - File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Modifies registry class (20 IoCs)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (ybujokxvrz.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7A9D2C83556A3376A2772E2DD87CF565AA" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC7091593DAB5B8B97FE0ED9637BA" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (ybujokxvrz.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (ybujokxvrz.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FABFFE14F1E284753B36819A39E1B081038C4260033CE1B842EA08A2" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B05B4493389E53CCBAD53292D4C5" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFB4F2785699140D75A7D94BD95E13D584767446344D6EE" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BC4FF1821ABD209D0D38A7D9011" (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (ybujokxvrz.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (ybujokxvrz.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (ybujokxvrz.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (ybujokxvrz.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - PID 3712 WINWORD.EXE (2 entries)
- Suspicious behavior: EnumeratesProcesses (64 IoCs), consecutive identical entries collapsed with their count
  - PID 4560 e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe (16 entries)
  - PID 1952 ybujokxvrz.exe (10 entries)
  - PID 4200 tkpdulqknsxeojh.exe (10 entries)
  - PID 5024 lxvwbggs.exe (8 entries)
  - PID 4200 tkpdulqknsxeojh.exe (2 entries)
  - PID 1392 wwwaabagopces.exe (12 entries)
  - PID 4200 tkpdulqknsxeojh.exe (4 entries)
  - PID 1392 wwwaabagopces.exe (2 entries)
- Suspicious use of FindShellTrayWindow (18 IoCs)
  - PID 4560 e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe (3 entries)
  - PID 1952 ybujokxvrz.exe (3 entries)
  - PID 4200 tkpdulqknsxeojh.exe (3 entries)
  - PID 5024 lxvwbggs.exe (3 entries)
  - PID 1392 wwwaabagopces.exe (3 entries)
  - PID 4136 lxvwbggs.exe (3 entries)
- Suspicious use of SendNotifyMessage (18 IoCs)
  - PID 4560 e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe (3 entries)
  - PID 1952 ybujokxvrz.exe (3 entries)
  - PID 4200 tkpdulqknsxeojh.exe (3 entries)
  - PID 5024 lxvwbggs.exe (3 entries)
  - PID 1392 wwwaabagopces.exe (3 entries)
  - PID 4136 lxvwbggs.exe (3 entries)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  - PID 3712 WINWORD.EXE (7 entries)
- Suspicious use of WriteProcessMemory (20 IoCs), each row giving source PID, target PID and procid_target
  - PID 4560 (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe) wrote to memory of PID 1952, procid_target 80 (3 entries)
  - PID 4560 (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe) wrote to memory of PID 4200, procid_target 81 (3 entries)
  - PID 4560 (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe) wrote to memory of PID 5024, procid_target 82 (3 entries)
  - PID 4200 (tkpdulqknsxeojh.exe) wrote to memory of PID 4540, procid_target 83 (3 entries)
  - PID 4560 (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe) wrote to memory of PID 1392, procid_target 85 (3 entries)
  - PID 1952 (ybujokxvrz.exe) wrote to memory of PID 4136, procid_target 86 (3 entries)
  - PID 4560 (e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe) wrote to memory of PID 3712, procid_target 87 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe (PID 4560)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3499c810133ef9cbe3bc74c44b5d1ca08ffc827f9124bf294641b7b892898f7.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\ybujokxvrz.exe (PID 1952)
    Command line: ybujokxvrz.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\lxvwbggs.exe (PID 4136)
      Command line: C:\Windows\system32\lxvwbggs.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\tkpdulqknsxeojh.exe (PID 4200)
    Command line: tkpdulqknsxeojh.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (PID 4540)
      Command line: cmd.exe /c wwwaabagopces.exe
  - C:\Windows\SysWOW64\lxvwbggs.exe (PID 5024)
    Command line: lxvwbggs.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\wwwaabagopces.exe (PID 1392)
    Command line: wwwaabagopces.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3712)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads