Analysis
max time kernel: 186s
max time network: 213s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 27/11/2022, 19:10
Behavioral task
behavioral1
Sample: 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Resource: win7-20220812-en
General
Target: 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Size: 255KB
MD5: 711f6880034e8e3be02bb3611f9fd5ce
SHA1: 0b4464f8f4a04801a7cc0f92db1b91689ba56034
SHA256: 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24
SHA512: 011d0edac8a87b74c8f246d88fc2bc2e96f570144fee0f9afe2e068607ddcf3e53dbad30ffc903806483cc9d02cb96bedb354e9217a10b745080420a28e05b71
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJW:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIf
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jtrucxnpdx.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jtrucxnpdx.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jtrucxnpdx.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jtrucxnpdx.exe
Executes dropped EXE 5 IoCs
pid | Process
852 | jtrucxnpdx.exe
4436 | btfhkyxiijzaimv.exe
4764 | jbmhzyzu.exe
3688 | tlqllchjzoedv.exe
4916 | jbmhzyzu.exe
UPX (yara rule matches)
resource | yara_rule
behavioral2/memory/4496-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000200000001e72a-135.dat | upx
behavioral2/files/0x000200000001e72a-134.dat | upx
behavioral2/files/0x000200000001e72c-137.dat | upx
behavioral2/files/0x000200000001e72c-138.dat | upx
behavioral2/memory/852-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4436-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000400000001e81b-143.dat | upx
behavioral2/files/0x000400000001e81b-142.dat | upx
behavioral2/files/0x000300000001e81c-145.dat | upx
behavioral2/files/0x000300000001e81c-146.dat | upx
behavioral2/memory/4764-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3688-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000400000001e81b-150.dat | upx
behavioral2/memory/4916-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4496-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e3a-155.dat | upx
behavioral2/files/0x0008000000022e32-154.dat | upx
behavioral2/memory/4436-161-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/852-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4764-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3688-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4916-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0004000000009db3-169.dat | upx
behavioral2/files/0x0003000000000721-170.dat | upx
behavioral2/files/0x0003000000000721-172.dat | upx
behavioral2/files/0x0003000000000721-173.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jtrucxnpdx.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | btfhkyxiijzaimv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qmnkerqi = "jtrucxnpdx.exe" | btfhkyxiijzaimv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ogbuirqv = "btfhkyxiijzaimv.exe" | btfhkyxiijzaimv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tlqllchjzoedv.exe" | btfhkyxiijzaimv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\z: | jtrucxnpdx.exe
File opened (read-only) | \??\f: | jbmhzyzu.exe
File opened (read-only) | \??\n: | jbmhzyzu.exe
File opened (read-only) | \??\v: | jbmhzyzu.exe
File opened (read-only) | \??\e: | jbmhzyzu.exe
File opened (read-only) | \??\f: | jbmhzyzu.exe
File opened (read-only) | \??\a: | jtrucxnpdx.exe
File opened (read-only) | \??\b: | jbmhzyzu.exe
File opened (read-only) | \??\x: | jbmhzyzu.exe
File opened (read-only) | \??\t: | jbmhzyzu.exe
File opened (read-only) | \??\u: | jbmhzyzu.exe
File opened (read-only) | \??\y: | jbmhzyzu.exe
File opened (read-only) | \??\m: | jtrucxnpdx.exe
File opened (read-only) | \??\w: | jtrucxnpdx.exe
File opened (read-only) | \??\i: | jbmhzyzu.exe
File opened (read-only) | \??\k: | jbmhzyzu.exe
File opened (read-only) | \??\q: | jbmhzyzu.exe
File opened (read-only) | \??\m: | jbmhzyzu.exe
File opened (read-only) | \??\w: | jbmhzyzu.exe
File opened (read-only) | \??\b: | jbmhzyzu.exe
File opened (read-only) | \??\x: | jtrucxnpdx.exe
File opened (read-only) | \??\y: | jbmhzyzu.exe
File opened (read-only) | \??\z: | jbmhzyzu.exe
File opened (read-only) | \??\r: | jbmhzyzu.exe
File opened (read-only) | \??\q: | jtrucxnpdx.exe
File opened (read-only) | \??\y: | jtrucxnpdx.exe
File opened (read-only) | \??\r: | jbmhzyzu.exe
File opened (read-only) | \??\s: | jbmhzyzu.exe
File opened (read-only) | \??\a: | jbmhzyzu.exe
File opened (read-only) | \??\i: | jbmhzyzu.exe
File opened (read-only) | \??\v: | jbmhzyzu.exe
File opened (read-only) | \??\b: | jtrucxnpdx.exe
File opened (read-only) | \??\s: | jtrucxnpdx.exe
File opened (read-only) | \??\o: | jtrucxnpdx.exe
File opened (read-only) | \??\e: | jbmhzyzu.exe
File opened (read-only) | \??\u: | jbmhzyzu.exe
File opened (read-only) | \??\q: | jbmhzyzu.exe
File opened (read-only) | \??\l: | jbmhzyzu.exe
File opened (read-only) | \??\m: | jbmhzyzu.exe
File opened (read-only) | \??\o: | jbmhzyzu.exe
File opened (read-only) | \??\t: | jbmhzyzu.exe
File opened (read-only) | \??\n: | jtrucxnpdx.exe
File opened (read-only) | \??\g: | jbmhzyzu.exe
File opened (read-only) | \??\z: | jbmhzyzu.exe
File opened (read-only) | \??\p: | jtrucxnpdx.exe
File opened (read-only) | \??\v: | jtrucxnpdx.exe
File opened (read-only) | \??\l: | jbmhzyzu.exe
File opened (read-only) | \??\j: | jbmhzyzu.exe
File opened (read-only) | \??\h: | jtrucxnpdx.exe
File opened (read-only) | \??\i: | jtrucxnpdx.exe
File opened (read-only) | \??\k: | jbmhzyzu.exe
File opened (read-only) | \??\w: | jbmhzyzu.exe
File opened (read-only) | \??\e: | jtrucxnpdx.exe
File opened (read-only) | \??\g: | jtrucxnpdx.exe
File opened (read-only) | \??\a: | jbmhzyzu.exe
File opened (read-only) | \??\x: | jbmhzyzu.exe
File opened (read-only) | \??\f: | jtrucxnpdx.exe
File opened (read-only) | \??\k: | jtrucxnpdx.exe
File opened (read-only) | \??\t: | jtrucxnpdx.exe
File opened (read-only) | \??\o: | jbmhzyzu.exe
File opened (read-only) | \??\l: | jtrucxnpdx.exe
File opened (read-only) | \??\u: | jtrucxnpdx.exe
File opened (read-only) | \??\g: | jbmhzyzu.exe
File opened (read-only) | \??\h: | jbmhzyzu.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jtrucxnpdx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jtrucxnpdx.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/852-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4436-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4764-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3688-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4916-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4496-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4436-161-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/852-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4764-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3688-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4916-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\btfhkyxiijzaimv.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File opened for modification | C:\Windows\SysWOW64\btfhkyxiijzaimv.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File opened for modification | C:\Windows\SysWOW64\tlqllchjzoedv.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File created | C:\Windows\SysWOW64\jtrucxnpdx.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File created | C:\Windows\SysWOW64\jbmhzyzu.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File opened for modification | C:\Windows\SysWOW64\jbmhzyzu.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File created | C:\Windows\SysWOW64\tlqllchjzoedv.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jtrucxnpdx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jbmhzyzu.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jbmhzyzu.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jbmhzyzu.exe
File opened for modification | C:\Windows\SysWOW64\jtrucxnpdx.exe | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jbmhzyzu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jbmhzyzu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jbmhzyzu.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jbmhzyzu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jbmhzyzu.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jbmhzyzu.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jbmhzyzu.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9B0F96BF191837B3A3181EC3998B0FD02FE42620338E1BE42ED09D3" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC60F15E0DBBEB8CD7FE6EC9F37CF" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | jtrucxnpdx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | jtrucxnpdx.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12847E339EA52C4B9A2339FD4B8" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB8FE6A21AAD20CD1D38B789163" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jtrucxnpdx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8B4F58851D9134D75D7D9DBDE7E641593167426343D6E9" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | jtrucxnpdx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jtrucxnpdx.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D7C9D5282236A3F77A770512DDE7DF365A8" | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jtrucxnpdx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | jtrucxnpdx.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | count
4844 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 16
852 | jtrucxnpdx.exe | 10
4764 | jbmhzyzu.exe | 8
4436 | btfhkyxiijzaimv.exe | 10
3688 | tlqllchjzoedv.exe | 12
4436 | btfhkyxiijzaimv.exe | 2
3688 | tlqllchjzoedv.exe | 4
4436 | btfhkyxiijzaimv.exe | 2
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | count
4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 3
852 | jtrucxnpdx.exe | 3
4436 | btfhkyxiijzaimv.exe | 3
4764 | jbmhzyzu.exe | 3
3688 | tlqllchjzoedv.exe | 3
4916 | jbmhzyzu.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | count
4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 3
852 | jtrucxnpdx.exe | 3
4436 | btfhkyxiijzaimv.exe | 3
4764 | jbmhzyzu.exe | 3
3688 | tlqllchjzoedv.exe | 3
4916 | jbmhzyzu.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | count
4844 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | count
PID 4496 wrote to memory of 852 | 4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 79 | 3
PID 4496 wrote to memory of 4436 | 4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 80 | 3
PID 4496 wrote to memory of 4764 | 4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 81 | 3
PID 4496 wrote to memory of 3688 | 4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 82 | 3
PID 852 wrote to memory of 4916 | 852 | jtrucxnpdx.exe | 83 | 3
PID 4496 wrote to memory of 4844 | 4496 | 7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe | 84 | 2
Processes
C:\Users\Admin\AppData\Local\Temp\7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\7044a7f1e7767ac824dde5856a47f608c5e1d5592bd5156e4f634f404f080f24.exe"
PID: 4496
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\jtrucxnpdx.exe (depth 2)
    command line: jtrucxnpdx.exe
    PID: 852
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\jbmhzyzu.exe (depth 3)
        command line: C:\Windows\system32\jbmhzyzu.exe
        PID: 4916
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\btfhkyxiijzaimv.exe (depth 2)
    command line: btfhkyxiijzaimv.exe
    PID: 4436
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\jbmhzyzu.exe (depth 2)
    command line: jbmhzyzu.exe
    PID: 4764
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\tlqllchjzoedv.exe (depth 2)
    command line: tlqllchjzoedv.exe
    PID: 3688
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4844
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Filesize: 255KB
MD5: cbccaa067f67fd048b3ed9a0c660bb6d
SHA1: ab1c768a63273b94645fd1d046b33b05eb7bf5bd
SHA256: 1b4ae2cf9627e3af224c83b29e18ab0e297253382e5778c098f8260e705640e4
SHA512: 1a9e62ce7d8104a24f02cfa80365354504deebe6bc4716ccb8b80675d1e2e00a3a6fe448aec589fcaad504f7e005ed6f83b2660d596bf6142df5fbe52ff7f730

Filesize: 255KB
MD5: ed88883b4f1356d54fedf043dc993193
SHA1: cd8f5ebbda7298d94c454796f6e503d50bc99421
SHA256: 18ba78c5f6dad51d58c563a0743629570e30f73ed60dd0e8c730c9a0e2aea35c
SHA512: e3038686bab94576dd203f13633701f4d91debef1e999d4ec511b2a683009e0ef35e1da0ae11267412cbab317d09ffef16808d9e97febd0609567b38b5841628

Filesize: 255KB
MD5: b4b6be15d0e98a55fca489929f6f0b4b
SHA1: 2290cab2ce71d75663e2bcfc0796b34580c35eb4
SHA256: 0f6f38985a15af18635de413aa8cf04571b71adbd143dbae4d7f7dfc061c54a7
SHA512: 48b05ec31c99dfb7650b2398c394ad17a386b56a59e57d022812a1ecb375406cf51f20e47cbdf5608cf1dcb61f5a874b0ae224903da44165cabef1c1c349ef09

Filesize: 255KB
MD5: 1c834e9249a550aee9ae945db505dc85
SHA1: a94c0065f5a98f5b04da64dea5e1cb04f741f143
SHA256: 8b0787b26ec4e1af01ffa47529f095d59d77fdf19794e99ec2896fac06429baf
SHA512: 7d3c41a5d5ab34286de830bf83d4a1cfc13609997cb42d6c24faa8b9db6254eede694b1e280e101f99da8479d6c58b0bde5adf25bf8570f02a07a778f6a52098

Filesize: 255KB
MD5: 1c834e9249a550aee9ae945db505dc85
SHA1: a94c0065f5a98f5b04da64dea5e1cb04f741f143
SHA256: 8b0787b26ec4e1af01ffa47529f095d59d77fdf19794e99ec2896fac06429baf
SHA512: 7d3c41a5d5ab34286de830bf83d4a1cfc13609997cb42d6c24faa8b9db6254eede694b1e280e101f99da8479d6c58b0bde5adf25bf8570f02a07a778f6a52098

Filesize: 255KB
MD5: 50cf612f9870f1ea44f33f9fe5f60adb
SHA1: 5b6172c00a496ced732cafe9c0e1a7927a4a1c78
SHA256: 606bade031cb6da300ceae21aab789a9480eb2b20df9de55c705219254983843
SHA512: 3cae1429b56f960bf235203df4827224ffc93950038d9fec8b4d405785854d608b82b008282ddc24a3662584488f9b71bc37da71ee00f07f3abfae785034cb04

Filesize: 255KB
MD5: 50cf612f9870f1ea44f33f9fe5f60adb
SHA1: 5b6172c00a496ced732cafe9c0e1a7927a4a1c78
SHA256: 606bade031cb6da300ceae21aab789a9480eb2b20df9de55c705219254983843
SHA512: 3cae1429b56f960bf235203df4827224ffc93950038d9fec8b4d405785854d608b82b008282ddc24a3662584488f9b71bc37da71ee00f07f3abfae785034cb04

Filesize: 255KB
MD5: 50cf612f9870f1ea44f33f9fe5f60adb
SHA1: 5b6172c00a496ced732cafe9c0e1a7927a4a1c78
SHA256: 606bade031cb6da300ceae21aab789a9480eb2b20df9de55c705219254983843
SHA512: 3cae1429b56f960bf235203df4827224ffc93950038d9fec8b4d405785854d608b82b008282ddc24a3662584488f9b71bc37da71ee00f07f3abfae785034cb04

Filesize: 255KB
MD5: 929d081792ab6209f9d0b7580e6757a7
SHA1: 4777b7f2045f1085603939d0839d7e64f5e2edb4
SHA256: e1eeb529cc7fa88d98166ff48d44fe087bfd4f0e94f02f7d41f9605f0de5e7e6
SHA512: 585cc2c2a29af93a37d978b46faafb100df31f250a0891e428421017519034486090852358b7b09ff344e9148578de7d6d1e02dd91599c56aa62b281b4dd6bd2

Filesize: 255KB
MD5: 929d081792ab6209f9d0b7580e6757a7
SHA1: 4777b7f2045f1085603939d0839d7e64f5e2edb4
SHA256: e1eeb529cc7fa88d98166ff48d44fe087bfd4f0e94f02f7d41f9605f0de5e7e6
SHA512: 585cc2c2a29af93a37d978b46faafb100df31f250a0891e428421017519034486090852358b7b09ff344e9148578de7d6d1e02dd91599c56aa62b281b4dd6bd2

Filesize: 255KB
MD5: 7c422b43ed4d08be0f86c85b216246e4
SHA1: 42104d7fbbd42dfb3586c1868de0925b0b809fc0
SHA256: d12cd0f409344004c32d1bfca15a97ca36c561f2e25b9da19d7a7c24ee27f595
SHA512: 1932fd1c1e3be1092394505eb57ed5e8ba60a7c98f8fad90ad7c9a98698b6de070b902b64d40116c09e1b2670ccb8871cf258b2098a36623c27c82c05845096e

Filesize: 255KB
MD5: 7c422b43ed4d08be0f86c85b216246e4
SHA1: 42104d7fbbd42dfb3586c1868de0925b0b809fc0
SHA256: d12cd0f409344004c32d1bfca15a97ca36c561f2e25b9da19d7a7c24ee27f595
SHA512: 1932fd1c1e3be1092394505eb57ed5e8ba60a7c98f8fad90ad7c9a98698b6de070b902b64d40116c09e1b2670ccb8871cf258b2098a36623c27c82c05845096e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: f95d34defb629bb47d58b3fdb26ea818
SHA1: 6b5add2bf63273623e337687e729b28a63f54679
SHA256: 73b901498f16f214384c7dba64a8b71012e96327bb04215bf6915c893fd8c84e
SHA512: d7b750b23611992bf0226d83011e8c83e61163b4839afb807d2170d71b77ac1cfc42fb157733fe979a2deb49304913fe40772213a0f7f3b729e7a0e3e16b062f

Filesize: 255KB
MD5: f8ec08101f49d00940d10eea114e1a1e
SHA1: bfaf6f74241e77a412d962bd2d76306565afc3a4
SHA256: e179eee9c23d477c6688f637d03ab2c3879d84ebdbef229ed794b8d68d297ed3
SHA512: 6f7d0554ff103a5fc56aa0b418964a23f1295d901b3899d63d3fb2b9aa40a4e3e061c56746ac2eccfc2018abd512667398bf4c621b3bcd98e95a487cb23a86c7

Filesize: 255KB
MD5: f8ec08101f49d00940d10eea114e1a1e
SHA1: bfaf6f74241e77a412d962bd2d76306565afc3a4
SHA256: e179eee9c23d477c6688f637d03ab2c3879d84ebdbef229ed794b8d68d297ed3
SHA512: 6f7d0554ff103a5fc56aa0b418964a23f1295d901b3899d63d3fb2b9aa40a4e3e061c56746ac2eccfc2018abd512667398bf4c621b3bcd98e95a487cb23a86c7