Analysis

max time kernel:  205s
max time network: 230s
platform:         windows10-2004_x64
resource:         win10v2004-20221111-en
resource tags:    arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted:        27/11/2022, 19:14

Behavioral task: behavioral1
Sample:   141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample:   141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe
Resource: win10v2004-20221111-en
General

Target: 141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe
Size:   255KB
MD5:    f02ff11d1ea834c14453bfbbfd20f9e0
SHA1:   2ccd0cb1f8a702d1e8129063b921ffa9007bf9b7
SHA256: 141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62
SHA512: 7fa955ddf97ff8aa87fd01f7a343ed65fd19b9fe0f48cc87966812835d405c3920b1be6dfbc165e8bf31aed89eab89ef4fe124f3cc8d9df5fe7c5c9ed2136ea7
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJn:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIM
Malware Config
Signatures
Modifies visibility of file extensions in Explorer  2 TTPs  1 IoC
zvpmoegmby.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer  2 TTPs  1 IoC
zvpmoegmby.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Note that 0 is also the Windows default for ShowSuperHidden, so this value on its own is not evidence; HideFileExt = "1" together with the .DOC.exe drops below is the meaningful combination.
Windows security bypass  2 TTPs  5 IoCs
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
These are the Windows XP SP2-era Security Center notification switches, and the 32-bit writer was redirected into the WOW6432Node view of the key. Current Windows Security Center largely ignores them, so the practical impact on a Windows 10 target is small; their value is as a fingerprint, since legitimate software rarely sets all of them at once.
Disables RegEdit via registry modification  1 IoC
zvpmoegmby.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE  5 IoCs
PID 4324  zvpmoegmby.exe
PID 5020  xefruryirxrawuk.exe
PID 4980  bothznis.exe
PID 3616  nomszczfgifto.exe
PID 2028  bothznis.exe
UPX packed file  24 IoCs
Executables matching the yara rule `upx`.
Memory dumps (all at 0x0000000000400000-0x00000000004A0000, i.e. the same 0xA0000-byte image in every process):
  behavioral2/memory/3792-132, 3792-153  (141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe)
  behavioral2/memory/4324-139, 4324-154  (zvpmoegmby.exe)
  behavioral2/memory/5020-140, 5020-155  (xefruryirxrawuk.exe)
  behavioral2/memory/4980-147, 4980-156  (bothznis.exe)
  behavioral2/memory/3616-148, 3616-157  (nomszczfgifto.exe)
  behavioral2/memory/2028-151, 2028-158  (bothznis.exe)
Dropped files:
  behavioral2/files/0x00060000000231af-134.dat, 0x00060000000231af-135.dat
  behavioral2/files/0x00060000000231b0-137.dat, 0x00060000000231b0-138.dat
  behavioral2/files/0x00060000000231b1-142.dat, 0x00060000000231b1-143.dat, 0x00060000000231b1-150.dat
  behavioral2/files/0x00060000000231b2-145.dat, 0x00060000000231b2-146.dat
  behavioral2/files/0x000c0000000231ab-165.dat, 0x000c0000000231ab-166.dat
  behavioral2/files/0x00090000000231c1-167.dat
Every dropped process maps an image of the same size at the same base as the parent, which fits the drops being copies of the parent; the hashes under Downloads show they are not byte-identical copies.
Checks computer location settings  2 TTPs  1 IoC
Looks up country code configured in the registry, likely geofence.
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
Windows security modification  2 TTPs  6 IoCs
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
The same Security Center writes as the bypass signature above, plus FirstRunDisabled.
Adds Run key to start application  2 TTPs  4 IoCs
xefruryirxrawuk.exe  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
xefruryirxrawuk.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nomszczfgifto.exe"   (the key's unnamed default value)
xefruryirxrawuk.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pexpdhgb = "zvpmoegmby.exe"
xefruryirxrawuk.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uybhiogg = "xefruryirxrawuk.exe"
The writer is 32-bit, so its HKLM\Software\Microsoft\Windows\CurrentVersion\Run write was redirected to the WOW6432Node key; 64-bit Windows processes that Run key at logon as well, so the entries are live. The values hold bare file names rather than full paths, so whether they resolve to the SysWOW64 copies depends on the search path of the launching process; verify on the host rather than assuming the persistence works.
Enumerates connected drives  3 TTPs  64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All entries are "File opened (read-only)" on a drive root (\??\<letter>:).
zvpmoegmby.exe (22 entries): a b e f h i j k l m n o p q r s t v w x y z, i.e. every letter except c, d, g, u.
bothznis.exe, two instances (42 entries): a e f h q v once each; b g i j k l m n o p r s t u w x y z twice each, i.e. every letter except c and d.
The report lists at most 64 entries per signature, so the per-instance lists for bothznis.exe are truncated; read this as a full a: to z: sweep by each copy.
Modifies WinLogon  2 TTPs  2 IoCs
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
zvpmoegmby.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
4294967197 is 0xFFFFFF9D, the value that turned off Windows File Protection on Windows 2000/XP. Windows 10 uses Windows Resource Protection and does not honour it, and the write landed in the WOW6432Node view in any case; treat it as a fingerprint of legacy malware code rather than an effective change.
AutoIT Executable  12 IoCs
AutoIT scripts compiled to PE executables (yara rule `autoit_exe`). The hits are the same twelve memory dumps listed under the UPX signature:
  behavioral2/memory/3792-132, 3792-153  (141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe)
  behavioral2/memory/4324-139, 4324-154  (zvpmoegmby.exe)
  behavioral2/memory/5020-140, 5020-155  (xefruryirxrawuk.exe)
  behavioral2/memory/4980-147, 4980-156  (bothznis.exe)
  behavioral2/memory/3616-148, 3616-157  (nomszczfgifto.exe)
  behavioral2/memory/2028-151, 2028-158  (bothznis.exe)
All at 0x0000000000400000-0x00000000004A0000.
Drops file in System32 directory  9 IoCs
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File created                  C:\Windows\SysWOW64\zvpmoegmby.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File opened for modification  C:\Windows\SysWOW64\zvpmoegmby.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File created                  C:\Windows\SysWOW64\xefruryirxrawuk.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File opened for modification  C:\Windows\SysWOW64\xefruryirxrawuk.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File created                  C:\Windows\SysWOW64\bothznis.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File opened for modification  C:\Windows\SysWOW64\bothznis.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File created                  C:\Windows\SysWOW64\nomszczfgifto.exe
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File opened for modification  C:\Windows\SysWOW64\nomszczfgifto.exe
zvpmoegmby.exe  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll
The sample is 32-bit, so its writes to the System32 directory are redirected by WoW64 to C:\Windows\SysWOW64; a hunt that looks only in C:\Windows\System32 will not find these files.
Drops file in Program Files directory  14 IoCs
All by bothznis.exe, in C:\Program Files\Microsoft Office\root\Office16\1033\ (some entries recorded with the \??\c:\ device-path form):
  PROTTPLN.DOC.exe  File created (1), File opened for modification (4)
  PROTTPLN.nal      File opened for modification (2)
  PROTTPLV.DOC.exe  File created (1), File opened for modification (4)
  PROTTPLV.nal      File opened for modification (2)
The pattern is a document replaced by an executable: for each PROTTPL*.DOC template a file with a .nal extension is touched and a PROTTPL*.DOC.exe is created beside it. With HideFileExt set to "1" by zvpmoegmby.exe, Explorer shows that executable as "PROTTPLV.DOC". When sweeping a host, look for *.DOC.exe next to *.nal files, not just for the names in this report.
Drops file in Windows directory  3 IoCs
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  File opened for modification  C:\Windows\mydoc.rtf
WINWORD.EXE  File opened for modification  C:\Windows\mydoc.rtf
WINWORD.EXE  File created                  C:\Windows\~$mydoc.rtf
The sample writes mydoc.rtf and then launches Word on it (see the process tree); ~$mydoc.rtf is Word's ordinary lock file for an open document.
Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the signature's generic description. Nothing else in this report shows file encryption; the only supporting evidence is the a: to z: drive sweep above, so confirm on the host before treating the sample as ransomware.
Checks processor information in registry  2 TTPs  3 IoCs
Processor information is often read in order to detect sandboxing environments.
WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
All three reads are by WINWORD.EXE (PID 1036, opening the decoy document), not by the sample or its drops, so they reflect normal Office start-up rather than sandbox evasion.
Enumerates system info in registry  2 TTPs  3 IoCs
WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
As with the processor reads, these come from WINWORD.EXE and are not attributable to the sample.
Modifies registry class  20 IoCs
141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe:
  Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7E9D5083526A3376D570212CAC7DF565AB"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFAB1F96BF2E084753A4381EB3998B38D03FC42110338E2C9459E08A1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15A449539EA52C4BADC329CD4C5"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF88482D82129032D75D7EE6BD92E135593767416243D79B"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB0FF6C22D8D20FD0A68A7E9113"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C77815E0DAB3B8CD7C90EDE034CE"
  Key created      \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings
zvpmoegmby.exe:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .reg, .wsf, .wsh, .wsc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
The CLV.Classes values are opaque hex strings written by the sample, plausibly its own state or configuration; the report does not decode them. The second group re-points the default handler for batch, VBScript, Windows Script and .reg files to the text-file handler, so double-clicking a .bat, .vbs or .reg file opens it in Notepad instead of running it. Combined with DisableRegistryTools this blocks the usual script- or .reg-based clean-up, so restore these associations (and re-enable regedit) before running removal scripts.
Suspicious behavior: AddClipboardFormatListener  2 IoCs
PID 1036  WINWORD.EXE  (2 entries)
Suspicious behavior: EnumeratesProcesses  64 IoCs
PID 3792  141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  (16 entries)
PID 4324  zvpmoegmby.exe       (10 entries)
PID 5020  xefruryirxrawuk.exe  (14 entries)
PID 4980  bothznis.exe         (8 entries)
PID 3616  nomszczfgifto.exe    (16 entries)
Suspicious use of FindShellTrayWindow  18 IoCs
PID 3792  141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  (3 entries)
PID 4324  zvpmoegmby.exe       (3 entries)
PID 5020  xefruryirxrawuk.exe  (3 entries)
PID 4980  bothznis.exe         (3 entries)
PID 3616  nomszczfgifto.exe    (3 entries)
PID 2028  bothznis.exe         (3 entries)
Suspicious use of SendNotifyMessage  18 IoCs
PID 3792  141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  (3 entries)
PID 4324  zvpmoegmby.exe       (3 entries)
PID 5020  xefruryirxrawuk.exe  (3 entries)
PID 4980  bothznis.exe         (3 entries)
PID 3616  nomszczfgifto.exe    (3 entries)
PID 2028  bothznis.exe         (3 entries)
Suspicious use of SetWindowsHookEx  7 IoCs
PID 1036  WINWORD.EXE  (7 entries)
Suspicious use of WriteProcessMemory  17 IoCs
Parent PID  Parent process                                                          Target PID  Target process        procid_target  Entries
3792        141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  4324        zvpmoegmby.exe        83             3
3792        141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  5020        xefruryirxrawuk.exe   84             3
3792        141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  4980        bothznis.exe          85             3
3792        141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  3616        nomszczfgifto.exe     86             3
4324        zvpmoegmby.exe                                                         2028        bothznis.exe          87             3
3792        141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  1036        WINWORD.EXE           88             2
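Added here as a worked example, not code from the report, the sandbox or the sample: a PowerShell check a responder can run on a suspect host for the registry indicators in the signatures above. The keys, value names and data are taken from the report; the SID-qualified HKU path is replaced by HKCU: on the assumption that the script runs as the affected user, and it must run from 64-bit PowerShell so that the WOW6432Node paths are addressed literally rather than through registry redirection.

```powershell
# Added example; not part of the sandbox report or the sample.
# Hunts a live host for the registry IoCs the report attributes to zvpmoegmby.exe
# and xefruryirxrawuk.exe. Assumptions: elevated 64-bit PowerShell; HKCU: is the
# hive of the user the sample ran as (the report's S-1-5-21-...-1000 account).

# Expected (bad) DWORD values, copied from the "Signatures" section.
$ValueChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';        Name = 'HideFileExt';            Bad = 1 }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';        Name = 'ShowSuperHidden';        Bad = 0 }  # 0 is also the default: weak alone
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';          Name = 'DisableRegistryTools';   Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'AntiVirusOverride';      Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'FirewallOverride';       Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'AntiVirusDisableNotify'; Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'FirewallDisableNotify';  Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'UpdatesDisableNotify';   Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center';                     Name = 'FirstRunDisabled';       Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCScan';                Bad = 0 }
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'SFCDisable';             Bad = 4294967197 }  # 0xFFFFFF9D
)
$HijackedExts = '.bat', '.vbs', '.reg', '.wsf', '.wsh', '.wsc'              # report: default handler set to "txtfile"
$RunPayloads  = 'zvpmoegmby.exe', 'xefruryirxrawuk.exe', 'nomszczfgifto.exe' # report: Run values hold these bare names

function Get-RegValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $v = $item.$Name                      # $Name = '(default)' reads the key's unnamed value
    # REG_DWORD surfaces as signed Int32; normalise so 0xFFFFFF9D compares as 4294967197.
    if ($v -is [int] -and $v -lt 0) { $v = [int64]$v + 4294967296 }
    return $v
}

function Find-ReportRegistryIoCs {
    $hits = [System.Collections.Generic.List[object]]::new()

    foreach ($c in $ValueChecks) {
        $actual = Get-RegValue -Key $c.Key -Name $c.Name
        if ($null -ne $actual -and ($actual -as [int64]) -eq [int64]$c.Bad) {
            $hits.Add([pscustomobject]@{ Kind = 'Value'; Where = "$($c.Key)\$($c.Name)"; Data = $actual })
        }
    }

    # 64-bit Explorer processes both Run keys at logon, so inspect the native view as well.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($run in $runKeys) {
        if (-not (Test-Path -LiteralPath $run)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $run).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not registry values
            foreach ($payload in $RunPayloads) {
                if ("$($p.Value)" -match [regex]::Escape($payload)) {
                    $hits.Add([pscustomobject]@{ Kind = 'Run'; Where = "$run\$($p.Name)"; Data = $p.Value })
                }
            }
        }
    }

    foreach ($ext in $HijackedExts) {
        $handler = Get-RegValue -Key "HKLM:\SOFTWARE\Classes\$ext" -Name '(default)'
        if ($handler -eq 'txtfile') {
            $hits.Add([pscustomobject]@{ Kind = 'Assoc'; Where = "HKLM:\SOFTWARE\Classes\$ext"; Data = $handler })
        }
    }
    return $hits
}

Find-ReportRegistryIoCs | Format-Table -AutoSize
```

A single row for ShowSuperHidden is noise, since 0 is the Windows default; the combination of HideFileExt, DisableRegistryTools, the Security Center switches and the script associations is what identifies this sample's footprint. Run values are matched on the bare file names the report shows because the values contain no path; the unnamed default value of the Run key is picked up through the `(default)` property like any other value.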
Processes

1  C:\Users\Admin\AppData\Local\Temp\141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe  (PID 3792)
   command line: "C:\Users\Admin\AppData\Local\Temp\141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62.exe"
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\zvpmoegmby.exe  (PID 4324)
      command line: zvpmoegmby.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\bothznis.exe  (PID 2028)
         command line: C:\Windows\system32\bothznis.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage

   2  C:\Windows\SysWOW64\xefruryirxrawuk.exe  (PID 5020)
      command line: xefruryirxrawuk.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2  C:\Windows\SysWOW64\bothznis.exe  (PID 4980)
      command line: bothznis.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2  C:\Windows\SysWOW64\nomszczfgifto.exe  (PID 3616)
      command line: nomszczfgifto.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 1036)
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

The number before each entry is the depth in the tree. Two details worth noting: the level-3 bothznis.exe was launched by its 32-bit parent as C:\Windows\system32\bothznis.exe, and WoW64 file-system redirection resolved that to C:\Windows\SysWOW64\bothznis.exe, where the sample had dropped it, so hunting only under System32 misses the drops. The last child is Word opening the decoy C:\Windows\mydoc.rtf written by the sample, which is why WINWORD.EXE's own registry reads and hooks appear among the signatures.
Network
MITRE ATT&CK Enterprise v6

Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)

The number in parentheses is how many signatures above map to the technique.
Downloads

One entry per distinct file; the count in parentheses is the number of times the report listed it.

Filesize  255KB  (2 entries)
MD5       2a5e5f00c0783b26141a05eb078d9a3b
SHA1      e344170dfd11508a3661daac42a82e398edd89c2
SHA256    9bbca7711cadda0c5f0a493c30491c29e6fcce13301b8ab2e33de0d5774587da
SHA512    17ce69ea12f6789ef775ac4fa2255f1e4c966fb26442f30bec21af5ec2494c9a7cd6149888086d9a6fa64dd628fba1724134dd6f336ec849d37c1fbf6604ed0d

Filesize  255KB  (1 entry)
MD5       50a9863eb3c6e46030c6943d963f50ff
SHA1      f2a4307c814446e7991dc7d53725ad17862f0f60
SHA256    b6a18a98f42f3b5487d5752a9b7375a43d94d882923da8651ee802c6cf9f2cdc
SHA512    c2ed76256f647c5e71f5b4a617de3683353b51667a81980b2acc912d19c460aa1f757a842a59e71a1f678eeea2ebcaf6655a187bcaed51d43f197ac3755a1e0c

Filesize  255KB  (3 entries)
MD5       692328a73df4fd003613c6cc7ed41634
SHA1      1182dc92bdadd79d721d35351667b7143ddc0449
SHA256    a153f4e86622fefee551d293347bef4a389c8fbf28d160d62d5d95400017b1d1
SHA512    90601b87ee58595f11b5decf171493d51dde4933a266ed96cc1f7dece0c7c2f58722b7600d2c591697898d296c0527e59a27b7ef877130519e9c2db6a69fdcbc

Filesize  255KB  (2 entries)
MD5       6ec5cd0e61107e0d98fad9eec423d7c7
SHA1      64689af21c3dd999ad978eae64d9c085f0821901
SHA256    9353d31697661104760fce615186276c6124d190e90e2fd0c4dad7e6c2a9ba71
SHA512    5ee218111d82dbb6ad7a0deb7908d273417ea2c1fffc2178697554a1c599c7434f877045d9284f46c439216ce730683a67ae479f253725359e734437c9d8c448

Filesize  255KB  (2 entries)
MD5       46e96bdd327fe19edcd5149021d1fd01
SHA1      2fa39900f4983563efc6c9088aedacb1c2d2c474
SHA256    a2634f37d964cec6f2d32b794d7b049b35928393b4a2e75c25c5fefec4216718
SHA512    e8ae99e5c344150cc456c894dd6bebd0a7d747d7f1d103b0c4350853b1aabe9fa2403d73e489e38c9472eb83cb94517cb9ab149e1a11c7c7c0a88b97e931d0e6

Filesize  255KB  (2 entries)
MD5       65964554a7dc46236c2489a8d9356ba7
SHA1      37a4513ea8b8cec4cbf38bd4a6529a8781bff3c8
SHA256    7615a8dcd208c03e2fa8d570a079e4fad9a0ba8be2883ed7c706b9ffb2409868
SHA512    e031fb88c5f5d549501839ffdbfbb779a0dd6d78547860ecc185cb854c67a0df4cccc83fbd5fe82a864a2d06891113b665e15dc0d59e1132491d98c9ae5adf5f

Filesize  223B  (1 entry)
MD5       06604e5941c126e2e7be02c5cd9f62ec
SHA1      4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256    85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512    803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
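Also added as an example, not code from the report or the sample: the file-side counterpart to the registry check, which hashes the paths the report names and sweeps for the .DOC.exe / .nal pairing seen in the Program Files drops. The six 255KB files above carry six different SHA-256 values, none equal to the submitted sample's, so the dropped copies are evidently not byte-identical to the parent; a hash match against this list is confirmation when it happens, but presence of a file at one of these paths is the finding. Assumed: an elevated prompt, the default %SystemRoot%, the Office Click-to-Run layout under $env:ProgramFiles\Microsoft Office\root (the path in the report), and that any further roots to sweep, such as removable drives, are supplied by the caller.

```powershell
# Added example; not part of the sandbox report or the sample.
# Looks for the files the report says the sample dropped and compares their SHA-256
# with the hashes under "Downloads". Assumptions: elevated prompt; default %SystemRoot%;
# Office Click-to-Run layout under $env:ProgramFiles\Microsoft Office\root; extra roots
# to sweep (e.g. removable drives, which the sample enumerates a: to z:) are passed in.

$ReportSha256 = @(
    '141d5585beae71b998d67038afa20c96953029a889b604cd1f323c89fa3f1e62'   # submitted sample
    '9bbca7711cadda0c5f0a493c30491c29e6fcce13301b8ab2e33de0d5774587da'
    'b6a18a98f42f3b5487d5752a9b7375a43d94d882923da8651ee802c6cf9f2cdc'
    'a153f4e86622fefee551d293347bef4a389c8fbf28d160d62d5d95400017b1d1'
    '9353d31697661104760fce615186276c6124d190e90e2fd0c4dad7e6c2a9ba71'
    'a2634f37d964cec6f2d32b794d7b049b35928393b4a2e75c25c5fefec4216718'
    '7615a8dcd208c03e2fa8d570a079e4fad9a0ba8be2883ed7c706b9ffb2409868'
    '85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2'
)

# Fixed paths from "Drops file in System32 directory" / "Drops file in Windows directory".
$KnownDrops = @(
    "$env:SystemRoot\SysWOW64\zvpmoegmby.exe"
    "$env:SystemRoot\SysWOW64\xefruryirxrawuk.exe"
    "$env:SystemRoot\SysWOW64\bothznis.exe"
    "$env:SystemRoot\SysWOW64\nomszczfgifto.exe"
    "$env:SystemRoot\mydoc.rtf"
)

function New-FileFinding {
    param([System.IO.FileInfo]$File, [string]$Reason)
    $sha = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path     = $File.FullName
        Size     = $File.Length
        SHA256   = $sha
        InReport = $ReportSha256 -contains $sha   # drops differ per host in the report, so $false is not a clean bill
        Reason   = $Reason
    }
}

function Find-ReportFileIoCs {
    param([string[]]$ExtraRoots = @())
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($path in $KnownDrops) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add((New-FileFinding -File (Get-Item -LiteralPath $path) -Reason 'known drop path'))
        }
    }

    # Document-replacement pattern from "Drops file in Program Files directory":
    # <name>.DOC becomes <name>.nal and an executable <name>.DOC.exe appears beside it.
    $roots = @("$env:ProgramFiles\Microsoft Office\root") + $ExtraRoots
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '\.doc\.exe$' -or $_.Extension -eq '.nal' } |
            ForEach-Object {
                $reason = if ($_.Extension -eq '.nal') { 'renamed original (.nal)' } else { 'document-named executable' }
                $findings.Add((New-FileFinding -File $_ -Reason $reason))
            }
    }
    return $findings
}

# Sweep the Office tree plus one example removable drive; adjust the roots to the host.
Find-ReportFileIoCs -ExtraRoots @('E:\') | Format-Table -AutoSize
```

Every .nal hit should have a matching .DOC.exe beside it; the .nal file is the candidate for restoring the original document once the executable has been removed, and the registry check above should be run first so that the re-enabled file extensions make the pairing visible in Explorer.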