Analysis
max time kernel: 205s
max time network: 221s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 19:13
Behavioral task: behavioral1
Sample: 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Resource: win10v2004-20221111-en
General
Target: 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Size: 255KB
MD5: b087f6eb1cedbd7c3aa83f37291aa692
SHA1: 3d84c0740bd244e6d57a42f6026f4a80fc04318a
SHA256: 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d
SHA512: 73db8e072342f7a4790512eaadc95c6a2e87bc6ec397f14738e874db23979bb4ebce619107eb18805c72110a54fb72e5ac97c7c75ac9baa5dec86761611a4974
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJE:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIH
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vtmodpkgow.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vtmodpkgow.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vtmodpkgow.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vtmodpkgow.exe
Executes dropped EXE 5 IoCs
pid | Process
3556 | vtmodpkgow.exe
3052 | tginjkstanktjra.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
2492 | yzrmxlik.exe
resource | yara_rule
behavioral2/memory/2328-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e50-135.dat | upx
behavioral2/files/0x0007000000022e50-134.dat | upx
behavioral2/files/0x0007000000022e5a-137.dat | upx
behavioral2/memory/3556-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0006000000022e5b-142.dat | upx
behavioral2/files/0x0006000000022e5c-146.dat | upx
behavioral2/files/0x0006000000022e5c-145.dat | upx
behavioral2/files/0x0006000000022e5b-143.dat | upx
behavioral2/memory/3052-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e5a-138.dat | upx
behavioral2/files/0x0006000000022e5b-149.dat | upx
behavioral2/memory/4316-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1248-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2492-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2328-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3052-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3556-155-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4316-156-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1248-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2492-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e6e-168.dat | upx
behavioral2/files/0x0007000000022e6e-167.dat | upx
behavioral2/files/0x000a000000022e5f-169.dat | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vtmodpkgow.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jblgiuof = "tginjkstanktjra.exe" | tginjkstanktjra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "petyhwbilxyhg.exe" | tginjkstanktjra.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tginjkstanktjra.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srqsyvfl = "vtmodpkgow.exe" | tginjkstanktjra.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | yzrmxlik.exe
File opened (read-only) | \??\u: | yzrmxlik.exe
File opened (read-only) | \??\l: | vtmodpkgow.exe
File opened (read-only) | \??\v: | vtmodpkgow.exe
File opened (read-only) | \??\f: | yzrmxlik.exe
File opened (read-only) | \??\z: | yzrmxlik.exe
File opened (read-only) | \??\z: | yzrmxlik.exe
File opened (read-only) | \??\g: | yzrmxlik.exe
File opened (read-only) | \??\k: | yzrmxlik.exe
File opened (read-only) | \??\n: | yzrmxlik.exe
File opened (read-only) | \??\f: | vtmodpkgow.exe
File opened (read-only) | \??\g: | vtmodpkgow.exe
File opened (read-only) | \??\h: | vtmodpkgow.exe
File opened (read-only) | \??\o: | yzrmxlik.exe
File opened (read-only) | \??\k: | yzrmxlik.exe
File opened (read-only) | \??\n: | yzrmxlik.exe
File opened (read-only) | \??\s: | yzrmxlik.exe
File opened (read-only) | \??\e: | yzrmxlik.exe
File opened (read-only) | \??\f: | yzrmxlik.exe
File opened (read-only) | \??\l: | yzrmxlik.exe
File opened (read-only) | \??\r: | yzrmxlik.exe
File opened (read-only) | \??\a: | vtmodpkgow.exe
File opened (read-only) | \??\k: | vtmodpkgow.exe
File opened (read-only) | \??\m: | vtmodpkgow.exe
File opened (read-only) | \??\q: | yzrmxlik.exe
File opened (read-only) | \??\x: | yzrmxlik.exe
File opened (read-only) | \??\y: | yzrmxlik.exe
File opened (read-only) | \??\l: | yzrmxlik.exe
File opened (read-only) | \??\p: | yzrmxlik.exe
File opened (read-only) | \??\t: | yzrmxlik.exe
File opened (read-only) | \??\u: | vtmodpkgow.exe
File opened (read-only) | \??\a: | yzrmxlik.exe
File opened (read-only) | \??\b: | yzrmxlik.exe
File opened (read-only) | \??\m: | yzrmxlik.exe
File opened (read-only) | \??\p: | yzrmxlik.exe
File opened (read-only) | \??\j: | vtmodpkgow.exe
File opened (read-only) | \??\o: | vtmodpkgow.exe
File opened (read-only) | \??\e: | yzrmxlik.exe
File opened (read-only) | \??\e: | vtmodpkgow.exe
File opened (read-only) | \??\n: | vtmodpkgow.exe
File opened (read-only) | \??\x: | vtmodpkgow.exe
File opened (read-only) | \??\s: | vtmodpkgow.exe
File opened (read-only) | \??\i: | vtmodpkgow.exe
File opened (read-only) | \??\w: | vtmodpkgow.exe
File opened (read-only) | \??\t: | yzrmxlik.exe
File opened (read-only) | \??\w: | yzrmxlik.exe
File opened (read-only) | \??\a: | yzrmxlik.exe
File opened (read-only) | \??\v: | yzrmxlik.exe
File opened (read-only) | \??\y: | yzrmxlik.exe
File opened (read-only) | \??\g: | yzrmxlik.exe
File opened (read-only) | \??\o: | yzrmxlik.exe
File opened (read-only) | \??\p: | vtmodpkgow.exe
File opened (read-only) | \??\b: | yzrmxlik.exe
File opened (read-only) | \??\h: | yzrmxlik.exe
File opened (read-only) | \??\q: | yzrmxlik.exe
File opened (read-only) | \??\b: | vtmodpkgow.exe
File opened (read-only) | \??\t: | vtmodpkgow.exe
File opened (read-only) | \??\j: | yzrmxlik.exe
File opened (read-only) | \??\s: | yzrmxlik.exe
File opened (read-only) | \??\u: | yzrmxlik.exe
File opened (read-only) | \??\x: | yzrmxlik.exe
File opened (read-only) | \??\v: | yzrmxlik.exe
File opened (read-only) | \??\z: | vtmodpkgow.exe
File opened (read-only) | \??\m: | yzrmxlik.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vtmodpkgow.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vtmodpkgow.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3556-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3052-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4316-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1248-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2492-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2328-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3052-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3556-155-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4316-156-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1248-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2492-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\vtmodpkgow.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File created | C:\Windows\SysWOW64\tginjkstanktjra.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File created | C:\Windows\SysWOW64\petyhwbilxyhg.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File opened for modification | C:\Windows\SysWOW64\petyhwbilxyhg.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vtmodpkgow.exe
File opened for modification | C:\Windows\SysWOW64\vtmodpkgow.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File opened for modification | C:\Windows\SysWOW64\tginjkstanktjra.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File created | C:\Windows\SysWOW64\yzrmxlik.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File opened for modification | C:\Windows\SysWOW64\yzrmxlik.exe | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yzrmxlik.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yzrmxlik.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yzrmxlik.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yzrmxlik.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | yzrmxlik.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | yzrmxlik.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF824F5F82189130D6207D97BDE4E1475830664E6336D7EA" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FACAF964F197837A3B4A81983E95B08E02FA4363023DE1C4459B08D2" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vtmodpkgow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vtmodpkgow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B7FF1C22DBD179D1A88A7F9166" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC6081597DAC7B8CD7FE1ED9134CF" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B020449739EF52BDBAA5329CD7CD" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7C9C2483506A4177D070562CD97D8165DE" | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vtmodpkgow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vtmodpkgow.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vtmodpkgow.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vtmodpkgow.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4244 | WINWORD.EXE
4244 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3556 | vtmodpkgow.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
3052 | tginjkstanktjra.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
4316 | yzrmxlik.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
1248 | petyhwbilxyhg.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
2492 | yzrmxlik.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4244 | WINWORD.EXE
4244 | WINWORD.EXE
4244 | WINWORD.EXE
4244 | WINWORD.EXE
4244 | WINWORD.EXE
4244 | WINWORD.EXE
4244 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2328 wrote to memory of 3556 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 82
PID 2328 wrote to memory of 3556 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 82
PID 2328 wrote to memory of 3556 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 82
PID 2328 wrote to memory of 3052 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 83
PID 2328 wrote to memory of 3052 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 83
PID 2328 wrote to memory of 3052 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 83
PID 2328 wrote to memory of 4316 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 84
PID 2328 wrote to memory of 4316 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 84
PID 2328 wrote to memory of 4316 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 84
PID 2328 wrote to memory of 1248 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 85
PID 2328 wrote to memory of 1248 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 85
PID 2328 wrote to memory of 1248 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 85
PID 2328 wrote to memory of 4244 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 86
PID 2328 wrote to memory of 4244 | 2328 | 244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe | 86
PID 3556 wrote to memory of 2492 | 3556 | vtmodpkgow.exe | 88
PID 3556 wrote to memory of 2492 | 3556 | vtmodpkgow.exe | 88
PID 3556 wrote to memory of 2492 | 3556 | vtmodpkgow.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\244aaf110779d549aca57f0416bdac96fb49f113eeb596df3ea5317bc8d7955d.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2328
  C:\Windows\SysWOW64\vtmodpkgow.exe
  Command line: vtmodpkgow.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3556
    C:\Windows\SysWOW64\yzrmxlik.exe
    Command line: C:\Windows\system32\yzrmxlik.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2492
  C:\Windows\SysWOW64\tginjkstanktjra.exe
  Command line: tginjkstanktjra.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3052
  C:\Windows\SysWOW64\yzrmxlik.exe
  Command line: yzrmxlik.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4316
  C:\Windows\SysWOW64\petyhwbilxyhg.exe
  Command line: petyhwbilxyhg.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1248
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4244
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Disabling Security Tools 2
- Hidden Files and Directories 2
- Modify Registry 6
Downloads
Filesize: 255KB
MD5: 39c3e3c82684e762a7ba7acbe42d8880
SHA1: 5a403d2ecb812598adc2ab6f611d228ac4b8624b
SHA256: 76127dbee71fd8408586cfa03d87ccf7459d504b8c0b5350ad9ed5098f0fecad
SHA512: c08746347ac0b780be85e8eba2ce3febe3d8b947e6e765b90937ebc499809ec687627fe615fa6a627c1ffc8c1953e9b25ecd807566f3a78de91ce053f71d7b2e

Filesize: 255KB
MD5: 985770ef67891b98746680406ae14a53
SHA1: d4850dcdef2364c4b7fcef7503e88ed4e3781fae
SHA256: 0bd41e56947f6f332a818a43c3acc63645424d1e8dcdb97d9997f6560e5398e3
SHA512: 9ee0019aff0cf7d74734e25b9a5a3618c19dee0001577fc1f4bc84803771871343cddb4b206505847f8125b6a1f0b34e26f60f31a22b9a16702c51647beff199

Filesize: 255KB
MD5: 3c8c7f959794bc8a1e00fd247dd43c59
SHA1: 74c5d5baf5302806232dac19cc38b3cc4b3abc3b
SHA256: a6386bff376db7757fc17b30ff6204b1d85fb6ed580d5e5889b6dd2bb08acccf
SHA512: 4a639c52b4f8c17cae88f250f6f18c1cd906d4bded307b0409e4cacb9202c41c8338b6b643af704f0e802b947ddb2d81672001ab4dfed532508810bfa45af16f

Filesize: 255KB
MD5: 3c8c7f959794bc8a1e00fd247dd43c59
SHA1: 74c5d5baf5302806232dac19cc38b3cc4b3abc3b
SHA256: a6386bff376db7757fc17b30ff6204b1d85fb6ed580d5e5889b6dd2bb08acccf
SHA512: 4a639c52b4f8c17cae88f250f6f18c1cd906d4bded307b0409e4cacb9202c41c8338b6b643af704f0e802b947ddb2d81672001ab4dfed532508810bfa45af16f

Filesize: 255KB
MD5: 2a2dced8069757ba5feed3174a8b39eb
SHA1: 84af933bea41896d504ace4160d9924c488edab0
SHA256: 2f6d50e22fc8542d85dfbf579f321a748b50b036e45227336e248c91185736da
SHA512: cec81ebd62b86df60a872ff48df6894b575fdaff4f04a4eec0ec5ef5f33b1e1cb4db2fbd0b865a239cc4f2b1c56671b51943dbda2094824a359a8322c150a634

Filesize: 255KB
MD5: 2a2dced8069757ba5feed3174a8b39eb
SHA1: 84af933bea41896d504ace4160d9924c488edab0
SHA256: 2f6d50e22fc8542d85dfbf579f321a748b50b036e45227336e248c91185736da
SHA512: cec81ebd62b86df60a872ff48df6894b575fdaff4f04a4eec0ec5ef5f33b1e1cb4db2fbd0b865a239cc4f2b1c56671b51943dbda2094824a359a8322c150a634

Filesize: 255KB
MD5: 2c643e3f255aeef11668167b2267b747
SHA1: 4258365c422750c22b79d7846f90734f2571c6d3
SHA256: 2d142ec3e7ab4ff869ce985c4030ef6fdbcb856db8792b728d71a77d0d5a532b
SHA512: 0b37ea6a9beb047f59eac2a5c6f9eb1b6e34cdf66f17d835e6401681eee738410c70e5399b27e411abaaca9c1c960ee999f503cd11f034765785c816911c899d

Filesize: 255KB
MD5: 2c643e3f255aeef11668167b2267b747
SHA1: 4258365c422750c22b79d7846f90734f2571c6d3
SHA256: 2d142ec3e7ab4ff869ce985c4030ef6fdbcb856db8792b728d71a77d0d5a532b
SHA512: 0b37ea6a9beb047f59eac2a5c6f9eb1b6e34cdf66f17d835e6401681eee738410c70e5399b27e411abaaca9c1c960ee999f503cd11f034765785c816911c899d

Filesize: 255KB
MD5: 9379276be04a0086e02a7ded786d68cf
SHA1: 8ad20a8f6d080df8ed771a9020b70e6d211369f1
SHA256: ade4cc0567d4c5fff2e0b5b5b45f01ad53590f3dfc1dbd3ee84fd5726371f7eb
SHA512: d122fd12b944321d5ba8d27f681dd09e80e514a6dfa8559f66af7adccd2f8663a78e3e581121f8495db81b18ba47d28a2e039985c5651f465bca3d59515c909d

Filesize: 255KB
MD5: 9379276be04a0086e02a7ded786d68cf
SHA1: 8ad20a8f6d080df8ed771a9020b70e6d211369f1
SHA256: ade4cc0567d4c5fff2e0b5b5b45f01ad53590f3dfc1dbd3ee84fd5726371f7eb
SHA512: d122fd12b944321d5ba8d27f681dd09e80e514a6dfa8559f66af7adccd2f8663a78e3e581121f8495db81b18ba47d28a2e039985c5651f465bca3d59515c909d

Filesize: 255KB
MD5: 9379276be04a0086e02a7ded786d68cf
SHA1: 8ad20a8f6d080df8ed771a9020b70e6d211369f1
SHA256: ade4cc0567d4c5fff2e0b5b5b45f01ad53590f3dfc1dbd3ee84fd5726371f7eb
SHA512: d122fd12b944321d5ba8d27f681dd09e80e514a6dfa8559f66af7adccd2f8663a78e3e581121f8495db81b18ba47d28a2e039985c5651f465bca3d59515c909d

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 255KB
MD5: 39c3e3c82684e762a7ba7acbe42d8880
SHA1: 5a403d2ecb812598adc2ab6f611d228ac4b8624b
SHA256: 76127dbee71fd8408586cfa03d87ccf7459d504b8c0b5350ad9ed5098f0fecad
SHA512: c08746347ac0b780be85e8eba2ce3febe3d8b947e6e765b90937ebc499809ec687627fe615fa6a627c1ffc8c1953e9b25ecd807566f3a78de91ce053f71d7b2e