Analysis
max time kernel: 165s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:10
Behavioral task behavioral1: Sample 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe, Resource win7-20221111-en
Behavioral task behavioral2: Sample 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe, Resource win10v2004-20221111-en
The signatures, process tree and dropped files on this page come from behavioral2, the Windows 10 run: every yara resource below is prefixed behavioral2/ and the analysis platform above is windows10-2004_x64.
General
Target: 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Size: 255KB
MD5: 068cb9608813612279f849fb6774056f
SHA1: 19fb32a6083c6206746c75926032915fe8e707c0
SHA256: 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8
SHA512: 2ae4cb76773760b87ccbb6a08e6033ccab864369ef43e1f5768004c9dbbe72efde84abc149b41d7ce1c52b507e1c0cd09f447a82e3be7476c7d5f047803ca641
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJc:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI5
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cymsqoriar.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cymsqoriar.exe
Note: together with HideFileExt = "1" above, this hides both the .exe suffix of the dropped copies and protected system files in Explorer.
Windows security bypass 5 IoCs (heading restored from the cymsqoriar.exe entry in the Processes section)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cymsqoriar.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cymsqoriar.exe
Executes dropped EXE 5 IoCs
pid | Process
4676 | cymsqoriar.exe
1940 | jtwmqbaswvqmfqt.exe
3332 | xxkvxpso.exe
3224 | wcroofpdbthvb.exe
920 | xxkvxpso.exe
UPX packed file 24 IoCs (yara rule upx; heading missing from the extracted text)
resource | yara_rule
Memory dumps of the main image range 0x0000000000400000-0x00000000004A0000 in every process of the chain: behavioral2/memory/1168-132, 1168-133, 4676-146, 1940-147, 3332-148, 3224-149, 1168-153, 920-154, 4676-155, 1940-156, 3332-157, 3224-158, 920-159 (13 dumps) | upx
Dropped files: behavioral2/files/0x000800000002316f-135.dat, 0x000800000002316f-136.dat, 0x0006000000023175-138.dat, 0x0006000000023175-139.dat, 0x0006000000023176-141.dat, 0x0006000000023176-142.dat, 0x0006000000023177-144.dat, 0x0006000000023177-145.dat, 0x0006000000023176-151.dat, 0x000800000002307d-165.dat, 0x0007000000023174-166.dat (11 files) | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Windows security modification 6 IoCs (heading restored from the cymsqoriar.exe entry in the Processes section)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cymsqoriar.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | jtwmqbaswvqmfqt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ettdrbei = "cymsqoriar.exe" | jtwmqbaswvqmfqt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dqfziwtf = "jtwmqbaswvqmfqt.exe" | jtwmqbaswvqmfqt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wcroofpdbthvb.exe" (the key's unnamed default value) | jtwmqbaswvqmfqt.exe
Note: the Run data are bare file names with no path; they resolve because the files were dropped into C:\Windows\SysWOW64 (see Drops file in System32 directory).
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: through \??\z:, every letter except c: and d: (24 opens) | cymsqoriar.exe
File opened (read-only) | \??\a: through \??\z:, every letter except c:, d: and g: (40 opens; most letters appear twice because two xxkvxpso.exe instances, PIDs 3332 and 920, ran) | xxkvxpso.exe
Note: the listing stops at 64 entries, and only read-only opens of the drive roots are recorded in this run.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cymsqoriar.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cymsqoriar.exe
Note: 4294967197 is 0xFFFFFF9D, that is -99 as a signed DWORD, the legacy value for switching off Windows File Protection on Windows 2000/XP. Windows Resource Protection on Vista and later does not use this value, so on the Windows 10 image it is an indicator rather than a working bypass.
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1168-133, 4676-146, 1940-147, 3332-148, 3224-149, 1168-153, 920-154, 4676-155, 1940-156, 3332-157, 3224-158, 920-159, each the 0x0000000000400000-0x00000000004A0000 image range of the process | autoit_exe
Note: the same memory regions also match the upx rule above, so every process in the chain runs the same UPX-packed, AutoIt-compiled image.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll (the VB6 runtime) | cymsqoriar.exe
File created | C:\Windows\SysWOW64\jtwmqbaswvqmfqt.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File opened for modification | C:\Windows\SysWOW64\jtwmqbaswvqmfqt.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File created | C:\Windows\SysWOW64\xxkvxpso.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File opened for modification | C:\Windows\SysWOW64\xxkvxpso.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File created | C:\Windows\SysWOW64\wcroofpdbthvb.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File opened for modification | C:\Windows\SysWOW64\wcroofpdbthvb.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File created | C:\Windows\SysWOW64\cymsqoriar.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File opened for modification | C:\Windows\SysWOW64\cymsqoriar.exe | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Note: the SysWOW64 paths and the WOW6432Node registry keys throughout show the sample is a 32-bit binary running under WOW64 on the x64 image.
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (3 entries) | xxkvxpso.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (2 entries) | xxkvxpso.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xxkvxpso.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 entries) and \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (2 entries) | xxkvxpso.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xxkvxpso.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 entries) and \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (2 entries) | xxkvxpso.exe
Note: the new files carry a double extension (.DOC.exe). With HideFileExt set to "1" by cymsqoriar.exe, Explorer displays them as PROTTPLN.DOC and PROTTPLV.DOC.
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Note: the sample writes mydoc.rtf and then launches WINWORD.EXE on it (see the WINWORD.EXE command line in Processes); ~$mydoc.rtf is Word's owner file for the open document. The RTF serves as a decoy shown to the user.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: that description is the sandbox's generic text for this rule. The only drive activity recorded in this run is the read-only opening of drive roots a: through z: (see Enumerates connected drives); no file encryption or ransom note appears anywhere in the report, so the behaviour is better read as drive enumeration by a file-infecting worm than as ransomware.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Note: all three reads come from WINWORD.EXE, which the sample launched to display the decoy document, not from the sample itself; this is ordinary Office start-up behaviour rather than sandbox detection by the malware.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Note: as with the processor keys, these are Office reads, not the sample's.
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg, .bat, .vbs, .wsh, .wsc, .wsf (6 entries) | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cymsqoriar.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cymsqoriar.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D089C2482256D4676A677242CD77D8F65DB" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9B0FE6AF194840E3B43869A3E92B388038B4269034FE1C8459A09D5" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B05B47E5389D52BDB9D233EFD7C9" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFFF4F5D851E9137D7217E95BD90E1305843674F6241D7ED" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B1FF1B21DCD172D0D38A7C9163" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70915E4DBB1B8CD7FE3ECE534CF" | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe
Note: pointing the default value of .reg, .bat, .vbs, .wsh, .wsc and .wsf at "txtfile" makes those files open in the text editor instead of executing, which blocks the usual script-based or .reg-based clean-up. The CLV.Classes values are hex strings written by the original sample under a custom class name; the report does not determine what they encode.
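The registry writes in the signatures above (Explorer visibility, RegEdit policy, Security Center overrides, Winlogon SFC values, the txtfile handler remap and the bare-name Run values) make a compact detection set. The following is an added example, not code from the sandbox report or from the sample: it turns those indicators into rules and runs them over a constructed list of Sysmon-style RegistryEvent (Event ID 13) records. The EVENTS list, the two benign records, the rule names and the function names are assumptions made for illustration; the key paths and values are the ones recorded in this report.

```python
"""Match this report's registry indicators against Sysmon-style SetValue events.

Added example, not part of the sandbox report or the sample. Event records,
field names and the benign entries are constructed for illustration; the
indicator paths and data values are taken from the report above.
"""
import re
from typing import Callable, Dict, List, Tuple

HKU = r"HKU\S-1-5-21-4246620582-653642754-1174164128-1000"
CYM = r"C:\Windows\SysWOW64\cymsqoriar.exe"

# Constructed events. Sysmon writes DWORD data as "DWORD (0x........)" and
# string data verbatim; normalize_details() makes both comparable.
EVENTS: List[Dict[str, str]] = [
    {"Image": CYM, "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"Image": CYM, "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    {"Image": CYM, "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "Details": "DWORD (0x00000001)"},
    {"Image": CYM, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride", "Details": "DWORD (0x00000001)"},
    {"Image": CYM, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable", "Details": "DWORD (0xFFFFFF9D)"},
    {"Image": CYM, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan", "Details": "DWORD (0x00000000)"},
    {"Image": CYM, "TargetObject": r"HKLM\SOFTWARE\Classes\.vbs\(Default)", "Details": "txtfile"},
    {"Image": r"C:\Windows\SysWOW64\jtwmqbaswvqmfqt.exe", "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ettdrbei", "Details": "cymsqoriar.exe"},
    # Two benign writes (constructed) that must not match: an Explorer
    # preference and a Run value that carries a full path.
    {"Image": r"C:\Windows\explorer.exe", "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarGlomLevel", "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe", "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive", "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def dword_to_signed(value: int) -> int:
    """Read a 32-bit registry DWORD as a signed integer (4294967197 -> -99)."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def is_bare_filename(data: str) -> bool:
    """Run data that is only 'name.exe' with no directory, as the sample wrote it."""
    return data.lower().endswith(".exe") and "\\" not in data and "/" not in data


# (rule name, regex applied to TargetObject, predicate on normalised data)
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("Hides file extensions in Explorer", r"Explorer\\Advanced\\HideFileExt$", lambda d: d == "1"),
    ("Hides protected system files", r"Explorer\\Advanced\\ShowSuperHidden$", lambda d: d == "0"),
    ("Disables RegEdit", r"Policies\\System\\DisableRegistryTools$", lambda d: d == "1"),
    ("Security Center override / notifications off",
     r"Security Center\\(AntiVirusOverride|FirewallOverride|AntiVirusDisableNotify|"
     r"FirewallDisableNotify|UpdatesDisableNotify|FirstRunDisabled)$", lambda d: d == "1"),
    ("Windows File Protection disabled (legacy -99)", r"Winlogon\\SFCDisable$",
     lambda d: d.isdigit() and dword_to_signed(int(d)) == -99),
    ("SFC scan at boot disabled", r"Winlogon\\SFCScan$", lambda d: d == "0"),
    ("Script or .reg handler remapped to txtfile",
     r"Classes\\\.(reg|bat|vbs|wsh|wsc|wsf)\\(\(Default\))?$", lambda d: d.lower() == "txtfile"),
    ("Run key autostart with bare filename", r"CurrentVersion\\Run\\[^\\]*$", is_bare_filename),
]

_DWORD_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


def normalize_details(details: str) -> str:
    """Turn Sysmon's 'DWORD (0x00000001)' into decimal text; strings pass through."""
    m = _DWORD_RE.match(details)
    return str(int(m.group(1), 16)) if m else details


def match_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, rule) pair whose path and data both match."""
    hits = []
    for ev in events:
        data = normalize_details(ev["Details"])
        for name, pattern, accept in RULES:
            if re.search(pattern, ev["TargetObject"], re.IGNORECASE) and accept(data):
                hits.append({"rule": name, "image": ev["Image"],
                             "target": ev["TargetObject"], "data": data})
    return hits


def rules_by_process(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matched rule names by the writing process image."""
    grouped: Dict[str, set] = {}
    for hit in match_events(events):
        grouped.setdefault(hit["image"], set()).add(hit["rule"])
    return {image: sorted(rules) for image, rules in grouped.items()}


if __name__ == "__main__":
    for image, rules in rules_by_process(EVENTS).items():
        print(image)
        for rule in rules:
            print("  -", rule)
```

The Run rule deliberately keys on the shape of the data rather than on the random value names (ettdrbei, dqfziwtf), which change from sample to sample; a bare file name in a Run value is unusual for legitimate software and matches what this sample writes.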
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | entries
4540 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 16
4676 | cymsqoriar.exe | 10
1940 | jtwmqbaswvqmfqt.exe | 14
3332 | xxkvxpso.exe | 8
3224 | wcroofpdbthvb.exe | 16
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | entries
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 3
4676 | cymsqoriar.exe | 3
1940 | jtwmqbaswvqmfqt.exe | 3
3332 | xxkvxpso.exe | 3
3224 | wcroofpdbthvb.exe | 3
920 | xxkvxpso.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | entries
Same six processes as FindShellTrayWindow (1168, 4676, 1940, 3332, 3224, 920), 3 entries each
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process | entries
4540 | WINWORD.EXE | 3
Suspicious use of WriteProcessMemory 17 IoCs
source pid | Process | target pid | procid_target | entries
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 4676 | 86 | 3
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 1940 | 87 | 3
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 3332 | 88 | 3
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 3224 | 89 | 3
4676 | cymsqoriar.exe | 920 | 90 | 3
1168 | 6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe | 4540 | 91 | 2
Note: every write pair here is a parent writing into a child it has just spawned (compare the Processes section), which the sandbox records for ordinary process creation. These entries establish the process tree; by themselves they do not show code injection into an unrelated process.
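The WriteProcessMemory entries above are enough to rebuild the process tree and compare it with the Processes section. The following is an added example, not code from the report or from the sample: it parses records in the flattened "PID A wrote to memory of B A process procid_target" layout, de-duplicates the repeated writes per parent/child pair and renders the tree. The RAW text reproduces the 17 entries above; the NAMES table for target-only PIDs is taken from the Executes dropped EXE signature and the Processes section; the function names and the record layout are assumptions.

```python
"""Rebuild the process tree from this report's WriteProcessMemory entries.

Added example, not part of the sandbox report. RAW reproduces the 17 records
printed above in the same one-line layout; names for PIDs that only appear
as targets are taken from the report's Executes dropped EXE and Processes
sections. The parsing format is an assumption about the extracted text.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE = "6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe"

# Three writes per spawned child and two for WINWORD.EXE, in report order.
RAW = " ".join(
    [f"PID 1168 wrote to memory of {dst} 1168 {SAMPLE} {target}"
     for dst, target in ((4676, 86), (1940, 87), (3332, 88), (3224, 89))
     for _ in range(3)]
    + ["PID 4676 wrote to memory of 920 4676 cymsqoriar.exe 90"] * 3
    + [f"PID 1168 wrote to memory of 4540 1168 {SAMPLE} 91"] * 2
)

# Names for PIDs that never appear as a writing (source) process.
NAMES: Dict[int, str] = {
    1940: "jtwmqbaswvqmfqt.exe", 3332: "xxkvxpso.exe", 3224: "wcroofpdbthvb.exe",
    920: "xxkvxpso.exe", 4540: "WINWORD.EXE",
}

# "PID <src> wrote to memory of <dst> <src> <name> <procid_target>"; the
# back-reference \1 checks that the repeated source pid is consistent.
_RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

Record = Tuple[int, int, str, int]  # (source pid, target pid, source name, procid_target)


def parse_records(text: str) -> List[Record]:
    """Extract every write record from the flattened signature text."""
    return [(int(s), int(d), name, int(p)) for s, d, name, p in _RECORD.findall(text)]


def build_tree(records: List[Record]) -> Dict[int, List[int]]:
    """Parent pid -> children in first-seen order, one entry per child."""
    tree: Dict[int, List[int]] = {}
    for src, dst, _, _ in records:
        kids = tree.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return tree


def write_counts(records: List[Record]) -> Dict[Tuple[int, int], int]:
    """Number of write entries the sandbox logged per parent/child pair."""
    return dict(Counter((src, dst) for src, dst, _, _ in records))


def names_from(records: List[Record]) -> Dict[int, str]:
    """Source-pid names learned from the records, merged with NAMES."""
    learned = {src: name for src, _, name, _ in records}
    return {**NAMES, **learned}


def roots(tree: Dict[int, List[int]]) -> Set[int]:
    """Parents that never appear as a child: here, the submitted sample."""
    children = {c for kids in tree.values() for c in kids}
    return {p for p in tree if p not in children}


def render(tree: Dict[int, List[int]], names: Dict[int, str], pid: int, depth: int = 0) -> List[str]:
    """Indented tree text in the same shape as the Processes section."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '?')}"]
    for kid in tree.get(pid, []):
        lines.extend(render(tree, names, kid, depth + 1))
    return lines


if __name__ == "__main__":
    recs = parse_records(RAW)
    tree = build_tree(recs)
    for root in sorted(roots(tree)):
        print("\n".join(render(tree, names_from(recs), root)))
```

The rendered tree has the sample (1168) as the only root with cymsqoriar.exe, jtwmqbaswvqmfqt.exe, xxkvxpso.exe, wcroofpdbthvb.exe and WINWORD.EXE beneath it, and the second xxkvxpso.exe (920) under cymsqoriar.exe, which is exactly the nesting shown in Processes. The write counts (3 per spawned child, 2 for WINWORD.EXE) are what the sandbox logs for process creation, so the parser treats each pair as one edge rather than three injections.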
Processes
- C:\Users\Admin\AppData\Local\Temp\6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe (level 1, PID 1168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f0aec34dbf9c47ed2b246e53b0f78261d22413147274b8bc9b55716ae4b29a8.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cymsqoriar.exe (level 2, PID 4676, child of 1168)
    Command line: cymsqoriar.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\xxkvxpso.exe (level 3, PID 920, child of 4676)
      Command line: C:\Windows\system32\xxkvxpso.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jtwmqbaswvqmfqt.exe (level 2, PID 1940, child of 1168)
    Command line: jtwmqbaswvqmfqt.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\xxkvxpso.exe (level 2, PID 3332, child of 1168)
    Command line: xxkvxpso.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\wcroofpdbthvb.exe (level 2, PID 3224, child of 1168)
    Command line: wcroofpdbthvb.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4540, child of 1168)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Note: the level-2 children are started by bare name and PID 920 by a C:\Windows\system32\ path; all four dropped binaries are 32-bit, so WOW64 redirects them to C:\Windows\SysWOW64. Only WINWORD.EXE, opened on the decoy mydoc.rtf, is a legitimate program.
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Files available for download from this run. Entries with identical hashes are collapsed, with the number of times they appear in the list.

1. 255KB (1 entry)
MD5 078ee38c75abe1cb42d4c880954543df
SHA1 aa636d05337a92fe28a03f890d63cb62045a1b9d
SHA256 fb902d6144f82638d9618d27e14274bbdd8509f4f4af3140d7ab7a0ec2d97b47
SHA512 3d3bc412af315c2570e4d4f58284cbb36ea8b4d7c5d0c84c1ea71e2369bf35069d1a45c16ba7aeb54d68951ddf3621b4d429b20f6b3ad262d739caf61a401f96

2. 255KB (1 entry)
MD5 5a3d0cd3436e9f310ddd9edd7874bbd5
SHA1 7b1a42455c36d64648a55fb37c3386723c42bc66
SHA256 d61a74be5be6b35c85649a1d3aa6070795f7a07e18b6fb0cadd3bcfb7ff421cd
SHA512 bfedf7e196106fa16905c58e934b3e902f43b280e5f019e5ec1cf288302bb592554069094b5262955bb5e5ef2940f1044558ebd6d2e395e353ee8ba312d2ae58

3. 255KB (2 entries)
MD5 c210542fbcbd525a6d79392fe69a8381
SHA1 f1203b52a0624561bc1b91ff58443d9e671f4d83
SHA256 7bf0e684b7e9878506d0904d961fa573b4f4b0fe3f95deae2cd47c5393502efc
SHA512 cf88e11626ba7c483e14874532290c62183484094b6150ecf3ce79ed4ae6eda8f3b65cccf181a1f41da6106264c24da0469e3c4699f0efb16766168255e91402

4. 255KB (2 entries)
MD5 ff1625c1d8610e6ed54bf5155b92b485
SHA1 697eef729ca8a8738f81bde1060851efbf2cf81a
SHA256 96a375662f320bc704fbb6771829034e22dd626d4150ca209e480e299bf7b041
SHA512 e4759ef90dffcdacd061706757cee4aaf4ad2daf5cdaff2420f04eb180eb5752d38f2a12850c0a5c1788e68ee875d6dc6c17c292f4c1043aa2ed91910f90a572

5. 255KB (2 entries)
MD5 4a898354920f176eb80c93ce91e15f29
SHA1 9587ce63d834ae63de09aeac7d042b4b446465d2
SHA256 c61e35b8b9830e7f0804cb029bd4f41c905baf882e9d4d6552cbefb873d990d6
SHA512 d9b01ac4d8fff11f22831ac5a4eae682559bae53fb680416bae0a9d6f9efbfbb5179b731d490fe4940546bd01c832bb98e21046d73ad3294abf0fb3e0fb93a08

6. 255KB (3 entries)
MD5 f607339a11df0917ab1ca4af912cd72f
SHA1 d7f68db8dcaeeb6350f557af4603c4f555a4d6c7
SHA256 47c6512aeb8d4b9c6371376001439f24a8668044de3f0300a03039f3d67aab15
SHA512 7985a9b0ab16daf69c502432ff61361620e5e3ae7cdee1ecfc0797db6500af93a4f077d08ea393757656980737ff2b28e14808990832b2ff6b3ac5d64e680402

7. 223B (1 entry)
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Note: the run produced six distinct 255KB binaries, the same size as the submitted sample but with different hashes from it and from each other, matching the six executables dropped (four in SysWOW64, two .DOC.exe files under Program Files). Each copy is rewritten on drop, so hash-based blocking of one copy will not catch the others; the registry and file-name indicators above are the durable signals.