Analysis
-
max time kernel
170s -
max time network
198s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/11/2022, 19:17
Behavioral task
behavioral1
Sample
eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Resource
win7-20220812-en
General
-
Target
eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
-
Size
255KB
-
MD5
9d045523f90461054d82e6af61e6bcd4
-
SHA1
d1ef34a19e965ff4b195a243f4039f98e774851a
-
SHA256
eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661
-
SHA512
8ed926096d41d1885bdd72fceb77bbc5d22f4a29d47a82d363352901e6868e52d4eb36091626bbf474923b0bb95d43623f755a11f148e98445b170d8caf7fa74
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIT
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  eiyqdxavnj.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  eiyqdxavnj.exe
-
Windows security bypass 5 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  eiyqdxavnj.exe
-
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  eiyqdxavnj.exe
-
Executes dropped EXE 5 IoCs
pid  Process
4464  eiyqdxavnj.exe
5064  jolsvmmjxzlufsz.exe
1932  rckgnmtk.exe
3600  imyjpsppzpodc.exe
4656  rckgnmtk.exe
-
UPX packed file 28 IoCs
resource  yara_rule
behavioral2/memory/4452-132-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/files/0x0007000000022e71-134.dat  upx
behavioral2/files/0x0007000000022e71-135.dat  upx
behavioral2/files/0x0006000000022e76-137.dat  upx
behavioral2/files/0x0006000000022e76-139.dat  upx
behavioral2/files/0x0006000000022e77-142.dat  upx
behavioral2/files/0x0006000000022e77-141.dat  upx
behavioral2/memory/4464-138-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/files/0x0006000000022e78-145.dat  upx
behavioral2/files/0x0006000000022e78-144.dat  upx
behavioral2/files/0x0006000000022e77-148.dat  upx
behavioral2/memory/5064-149-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/4452-150-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/3600-152-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/1932-151-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/4656-153-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/files/0x0006000000022e7a-161.dat  upx
behavioral2/files/0x0002000000009dee-160.dat  upx
behavioral2/files/0x0002000000009dee-159.dat  upx
behavioral2/memory/4464-165-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/5064-166-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/3600-168-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/1932-167-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/memory/4656-169-0x0000000000400000-0x00000000004A0000-memory.dmp  upx
behavioral2/files/0x001800000001da6c-170.dat  upx
behavioral2/files/0x000800000001db6c-171.dat  upx
behavioral2/files/0x000800000001db6c-172.dat  upx
behavioral2/files/0x000800000001db6c-173.dat  upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  eiyqdxavnj.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  jolsvmmjxzlufsz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynniybna = "eiyqdxavnj.exe"  jolsvmmjxzlufsz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmkxvxid = "jolsvmmjxzlufsz.exe"  jolsvmmjxzlufsz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "imyjpsppzpodc.exe"  jolsvmmjxzlufsz.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
All 64 entries are "File opened (read-only)" on a drive root; they are grouped by process below, with the number of times each root appears.
eiyqdxavnj.exe (22 entries): \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
rckgnmtk.exe (42 entries): \??\a: x2 \??\b: x2 \??\e: x2 \??\f: x2 \??\g: x2 \??\h: \??\i: x2 \??\j: x2 \??\k: \??\l: x2 \??\m: \??\n: x2 \??\o: \??\p: x2 \??\q: x2 \??\r: x2 \??\s: \??\t: x2 \??\u: x2 \??\v: x2 \??\w: x2 \??\x: x2 \??\y: \??\z: x2
-
Modifies WinLogon 2 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  eiyqdxavnj.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  eiyqdxavnj.exe
-
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/4464-138-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/5064-149-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/4452-150-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/3600-152-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/1932-151-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/4656-153-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/4464-165-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/5064-166-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/3600-168-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/1932-167-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
behavioral2/memory/4656-169-0x0000000000400000-0x00000000004A0000-memory.dmp  autoit_exe
-
Drops file in System32 directory 12 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\rckgnmtk.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File created  C:\Windows\SysWOW64\imyjpsppzpodc.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  C:\Windows\SysWOW64\imyjpsppzpodc.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rckgnmtk.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  eiyqdxavnj.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rckgnmtk.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  rckgnmtk.exe
File created  C:\Windows\SysWOW64\eiyqdxavnj.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  C:\Windows\SysWOW64\eiyqdxavnj.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File created  C:\Windows\SysWOW64\jolsvmmjxzlufsz.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  C:\Windows\SysWOW64\jolsvmmjxzlufsz.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  C:\Windows\SysWOW64\rckgnmtk.exe  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
-
Drops file in Program Files directory 15 IoCs
description  ioc  Process
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  rckgnmtk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rckgnmtk.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rckgnmtk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  rckgnmtk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rckgnmtk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  rckgnmtk.exe
-
Drops file in Windows directory 3 IoCs
description  ioc  Process
File opened for modification  C:\Windows\mydoc.rtf  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
-
Modifies registry class 20 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C089D2082276A4177A770272DD87D8064AA"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF8A4F29851B9047D65D7E95BC94E641584767316343D7EE"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12947E5399E53BFBAA633EAD7CD"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC2FE6A21D1D179D0D38A0C916B"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C67C1596DBB3B9B97F95ED9734CD"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  eiyqdxavnj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  eiyqdxavnj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  eiyqdxavnj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABBF961F2E3840F3B35869639E2B3FE03FE4364023CE1C8459C09A0"  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  eiyqdxavnj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  eiyqdxavnj.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  eiyqdxavnj.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  eiyqdxavnj.exe
Key created  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe
-
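The registry rows above are the part of this report a responder reuses first: the Explorer, Policies and Security Center values are classic "hide yourself, blind the user" settings, SFCDisable is written as 4294967197 (0xFFFFFF9D, the signed value -99, the value historically used to switch Windows File Protection off), and pointing the default value of the .bat, .vbs, .reg, .wsf, .wsh and .wsc extension keys at txtfile tells the shell to open those scripts with the text-file handler instead of running them. The following is an added example, not part of the sandbox report and not the sample's own code: it parses "Set value" rows copied from this page into structured records, normalises the per-machine user SID so the rules apply to any host, and checks them against a registry snapshot. Both snapshots, the SID in them and their values are constructed for the example; a real check would feed in an exported registry hive.

```python
from __future__ import annotations

import re
from typing import NamedTuple


class RegistryIoc(NamedTuple):
    kind: str     # "int" or "str", as the report labels the value type
    key: str      # key path, with the run's user SID replaced by <SID>
    name: str     # value name; "" is the key's (Default) value
    data: str     # data exactly as the report quotes it
    process: str  # process the sandbox saw write it


# Registry "Set value" rows copied from the signatures in this report, one per line.
REPORT_REGISTRY_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" eiyqdxavnj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" eiyqdxavnj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" eiyqdxavnj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" eiyqdxavnj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" eiyqdxavnj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" eiyqdxavnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynniybna = "eiyqdxavnj.exe" jolsvmmjxzlufsz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rmkxvxid = "jolsvmmjxzlufsz.exe" jolsvmmjxzlufsz.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" eiyqdxavnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" eiyqdxavnj.exe
"""

# One row: Set value (<type>) <value path> = "<data>" <process>. Key paths may contain
# spaces ("Security Center", "Windows NT"), so the path is matched lazily up to ' = "'.
_LINE = re.compile(r'^Set value \((int|str)\) (.+?) = "(.*)" (\S+)$')
_USER_SID = re.compile(r'\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+')


def normalize(path: str) -> str:
    """Replace the concrete user SID with <SID> so a rule matches on any host."""
    return _USER_SID.sub(r'\\REGISTRY\\USER\\<SID>', path)


def parse_registry_iocs(text: str) -> list[RegistryIoc]:
    """Turn the report's 'Set value' rows into RegistryIoc records; other lines are skipped."""
    iocs = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        kind, path, data, proc = m.groups()
        key, _, name = normalize(path).rpartition('\\')   # trailing '\' -> (Default) value
        iocs.append(RegistryIoc(kind, key, name, data, proc))
    return iocs


def match_snapshot(iocs: list[RegistryIoc], snapshot: dict[str, str]) -> list[RegistryIoc]:
    """IoCs whose value path and data both appear in a host snapshot.

    The snapshot maps full value paths in the same NT form as the report (real SID) to
    their data as strings; the key is normalised before the lookup.
    """
    wanted = {(i.key + '\\' + i.name, i.data): i for i in iocs}
    hits = []
    for path, data in snapshot.items():
        ioc = wanted.get((normalize(path), str(data)))
        if ioc is not None:
            hits.append(ioc)
    return hits


def to_signed32(dword: int) -> int:
    """Read a DWORD back as the signed value the writer intended (see SFCDisable)."""
    return dword - (1 << 32) if dword >= (1 << 31) else dword


# Constructed snapshots for the example (not sandbox output): a different user SID,
# five values set exactly as the report shows, one set to a non-matching value, and a clean box.
_U = r'\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001'
INFECTED_HOST = {
    _U + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt': '1',
    _U + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden': '1',  # not the IoC value
    _U + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools': '1',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable': '4294967197',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynniybna': 'eiyqdxavnj.exe',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\.bat' + '\\': 'txtfile',   # the key's (Default) value
}
CLEAN_HOST = {
    _U + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt': '0',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\.bat' + '\\': 'batfile',
}

IOCS = parse_registry_iocs(REPORT_REGISTRY_IOCS)

if __name__ == "__main__":
    for hit in match_snapshot(IOCS, INFECTED_HOST):
        print(f"{hit.process:>20}  {hit.key}\\{hit.name} = {hit.data!r}")
    print("SFCDisable as written:", to_signed32(4294967197), f"({4294967197:#x})")
```

Matching on path and data together, rather than on the path alone, is deliberate: HideFileExt, ShowSuperHidden and the Security Center notify flags exist on every Windows install, and only the value the sample writes is the indicator. The Run-key names (ynniybna, rmkxvxid) are specific to this run and belong in a rule only as one of several signals.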
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid  Process  (entries)
1356  WINWORD.EXE  2
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (entries)
4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  16
4464  eiyqdxavnj.exe  10
5064  jolsvmmjxzlufsz.exe  12
1932  rckgnmtk.exe  8
3600  imyjpsppzpodc.exe  12
4656  rckgnmtk.exe  6
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid  Process  (entries)
4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  3
4464  eiyqdxavnj.exe  3
5064  jolsvmmjxzlufsz.exe  3
1932  rckgnmtk.exe  3
3600  imyjpsppzpodc.exe  3
4656  rckgnmtk.exe  3
-
Suspicious use of SendNotifyMessage 18 IoCs
pid  Process  (entries)
4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  3
4464  eiyqdxavnj.exe  3
5064  jolsvmmjxzlufsz.exe  3
1932  rckgnmtk.exe  3
3600  imyjpsppzpodc.exe  3
4656  rckgnmtk.exe  3
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid  Process  (entries)
1356  WINWORD.EXE  7
-
Suspicious use of WriteProcessMemory 17 IoCs
description  pid  Process  procid_target  (entries)
PID 4452 wrote to memory of 4464  4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  79  3
PID 4452 wrote to memory of 5064  4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  80  3
PID 4452 wrote to memory of 1932  4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  81  3
PID 4452 wrote to memory of 3600  4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  82  3
PID 4452 wrote to memory of 1356  4452  eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  83  2
PID 4464 wrote to memory of 4656  4464  eiyqdxavnj.exe  85  3
Processes
Nesting shows the parent/child relation; the sandbox's depth markers (1 for the submitted sample, 2 for its children, 3 for the grandchild) are kept in brackets.
C:\Users\Admin\AppData\Local\Temp\eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe  [depth 1]  PID:4452
  command line: "C:\Users\Admin\AppData\Local\Temp\eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\eiyqdxavnj.exe  [depth 2]  PID:4464
    command line: eiyqdxavnj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rckgnmtk.exe  [depth 3]  PID:4656
      command line: C:\Windows\system32\rckgnmtk.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\jolsvmmjxzlufsz.exe  [depth 2]  PID:5064
    command line: jolsvmmjxzlufsz.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rckgnmtk.exe  [depth 2]  PID:1932
    command line: rckgnmtk.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\imyjpsppzpodc.exe  [depth 2]  PID:3600
    command line: imyjpsppzpodc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  [depth 2]  PID:1356
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
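The process tree above is derived from the "Suspicious use of WriteProcessMemory" rows: each spawn appears there as a small group of identical "PID X wrote to memory of Y" events (the writes made into a freshly created child), so the parent of every dropped binary, including the second rckgnmtk.exe instance started by eiyqdxavnj.exe rather than by the sample, can be read straight off that row. The following is an added example, not part of the report, that rebuilds the tree from that row and cross-checks it against the "Executes dropped EXE" PIDs. The row text is the report's, flattened as the page shows it, with the sample's long file name abbreviated to SAMPLE; the PID-to-image table is taken from the tree above.

```python
from __future__ import annotations

import re

SAMPLE = "eb929610db977223e41c5ce31eb0a931f01732ca14d1f9de9f489bcbb1a8e661.exe"

# PID -> image name, from the Processes section of the report (SAMPLE abbreviates the sample).
IMAGES = {
    4452: SAMPLE, 4464: "eiyqdxavnj.exe", 5064: "jolsvmmjxzlufsz.exe",
    1932: "rckgnmtk.exe", 3600: "imyjpsppzpodc.exe", 4656: "rckgnmtk.exe",
    1356: "WINWORD.EXE",
}
# PIDs the report lists under "Executes dropped EXE".
DROPPED_EXE_PIDS = {4464, 5064, 1932, 3600, 4656}

# The report's WriteProcessMemory row, flattened exactly as the page shows it.
WPM_ROW = (
    "PID 4452 wrote to memory of 4464 4452 SAMPLE 79 PID 4452 wrote to memory of 4464 4452 SAMPLE 79 "
    "PID 4452 wrote to memory of 4464 4452 SAMPLE 79 PID 4452 wrote to memory of 5064 4452 SAMPLE 80 "
    "PID 4452 wrote to memory of 5064 4452 SAMPLE 80 PID 4452 wrote to memory of 5064 4452 SAMPLE 80 "
    "PID 4452 wrote to memory of 1932 4452 SAMPLE 81 PID 4452 wrote to memory of 1932 4452 SAMPLE 81 "
    "PID 4452 wrote to memory of 1932 4452 SAMPLE 81 PID 4452 wrote to memory of 3600 4452 SAMPLE 82 "
    "PID 4452 wrote to memory of 3600 4452 SAMPLE 82 PID 4452 wrote to memory of 3600 4452 SAMPLE 82 "
    "PID 4452 wrote to memory of 1356 4452 SAMPLE 83 PID 4452 wrote to memory of 1356 4452 SAMPLE 83 "
    "PID 4464 wrote to memory of 4656 4464 eiyqdxavnj.exe 85 PID 4464 wrote to memory of 4656 4464 eiyqdxavnj.exe 85 "
    "PID 4464 wrote to memory of 4656 4464 eiyqdxavnj.exe 85"
)

# One event: PID <parent> wrote to memory of <child> <parent> <parent image> <target id>.
# The back-reference \1 insists the parent PID is repeated, which is how the row is laid out.
_EVENT = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_wpm_events(row: str) -> list[tuple[int, int, str, int]]:
    """(parent_pid, child_pid, parent_image, target_id) for every event in the row."""
    return [(int(p), int(c), img, int(t)) for p, c, img, t in _EVENT.findall(row)]


def build_tree(events: list[tuple[int, int, str, int]]) -> dict[int, list[int]]:
    """Collapse the repeated per-spawn events into parent -> ordered, de-duplicated children."""
    children: dict[int, list[int]] = {}
    for parent, child, _, _ in events:
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children


def render_tree(children: dict[int, list[int]], images: dict[int, str], root: int, level: int = 0) -> str:
    """Indented text tree, two spaces per level, in the order the sandbox saw the spawns."""
    lines = ["  " * level + f"{images.get(root, '?')} ({root})"]
    for kid in children.get(root, []):
        lines.append(render_tree(children, images, kid, level + 1))
    return "\n".join(lines)


def depth(children: dict[int, list[int]], pid: int, root: int) -> int:
    """Depth of pid below root (root is 0; the report's markers are this plus one), -1 if unreachable."""
    frontier = [(root, 0)]
    while frontier:
        cur, d = frontier.pop()
        if cur == pid:
            return d
        frontier.extend((k, d + 1) for k in children.get(cur, []))
    return -1


def unparented(children: dict[int, list[int]], pids: set[int]) -> set[int]:
    """Dropped-EXE PIDs no WriteProcessMemory event explains; empty means the tree accounts for all of them."""
    spawned = {c for kids in children.values() for c in kids}
    return set(pids) - spawned


if __name__ == "__main__":
    tree = build_tree(parse_wpm_events(WPM_ROW))
    print(render_tree(tree, IMAGES, 4452))
    print("unexplained dropped EXEs:", unparented(tree, DROPPED_EXE_PIDS) or "none")
```

A non-empty result from unparented() is the thing to look for when reading a report like this one: a dropped binary that runs without a recorded parent was started by something the sandbox did not attribute (a scheduled task, a service, or a process it lost sight of), and the Run keys under "Adds Run key to start application" say where to look first.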
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
File hashes recorded for this run. The report lists several files more than once with identical hashes; those entries are collapsed here and the count gives how many times each appears.
-
Filesize 255KB (listed 2 times)
MD5 94296fafb1f6d055f350adbcfff839f8
SHA1 5ec8feb9ef5969ec3ec8354d7801aec1c7bb1052
SHA256 3bcc8e8bd36ceed23f10169cb271a2dfdf9691d656ca4172b80f15c408db62ed
SHA512 21d3b340f4cda07185c0e4600520d3f85d66ad688cf269ba974b87bfc39a5a52ad9e02cedeceb946a4c6bf9cb45561b9110961ec2c9aa7a11ad8734b9dda2636
-
Filesize 255KB (listed 1 time)
MD5 0e184965030208d3716d88ad2efa83a6
SHA1 289099674124d4c8be19498766041984a579dc2b
SHA256 05dbb3d70a7d9c95675a759e9ed4f58c9ab3833bfd806dc853d21a46772a3927
SHA512 10f29f37ea00a08a08c88d077683f917d403273b5cb55021dc17e157c3e20bbee8ba060925f37ec9f9f4fd1e9200256204d4aee61c4ef2f0f9d70c5294dd7b45
-
Filesize 255KB (listed 1 time)
MD5 5549d1020cad6c0a7d21fb09e31445f0
SHA1 804dda43b8bddeab518fceca4699dd1ea517281f
SHA256 0a889195ec150278e7d412e126e4a1d7f0109535b645549ff8d7551470333f4d
SHA512 76e49349fa25a4533164f4ad3dd59794ca8a98c6baa54ddad975461f05d2719ac85ce97ed0ec2fe9dc5fc0a61dfb48a7c25f784451e084fe438e6d8b0acca4aa
-
Filesize 255KB (listed 2 times)
MD5 a81025b5791eac729125e6fb5be4118e
SHA1 4bb3e56f0446497daa5e2f64612194c74770c87e
SHA256 f47094bbf92bc973367a9fd27184b4eaf53e02902b341faef7af101b01ae2da0
SHA512 7e1695c1e77d7a85a485c6e9273f093f41285ddcdc4b902ce4e6ccf3a99355a25115d2bde879a159452b4acc555d7d0b655c0af4dd33cfe2e4e97ec1128e992a
-
Filesize 255KB (listed 2 times)
MD5 d818aa622b841aef99caa158820235dc
SHA1 9039e9153ede39c4632d5424a8fd36829b334e06
SHA256 c972c9086adfc33b86d7b735534eaed5252a0ddbb7e4cce3da5803ff209e3a35
SHA512 f31af9a6157e8f29158b9b0549abae0709cd97156037e3a8ac30f37ee1f11ed408636ed969bcc12e23da0764ba9a4a6327bec5607d62d3e53c11e622331c4b7d
-
Filesize 255KB (listed 2 times)
MD5 69bcc080ba83b01ab04dd711fe127ea4
SHA1 4e171d8aa86e360b9058bff4e40614f45c3ec37a
SHA256 ff31c876f408893081e3af7ed88e9977499347363d9e10a44e0c0f39d63ea45d
SHA512 a30485aca3f4d149c7965952561cae310501f78fe63a5143a02246fa1e16fadc3c6f53466cf7c29dac67f7e1e082260da8692600c596ee20e2ff62d130bcfcf9
-
Filesize 255KB (listed 3 times)
MD5 f4b9d87d849be46e761aead0092959c7
SHA1 13efa46db20bfdcd4b3d85b65699b8d58aa8e4a4
SHA256 2d294a7232aa73153b1461917fe84157ca9ba6102eb2dbad7dac29264f0d69d8
SHA512 796a1f6acc4bbff6a8819fd6df84069b76a77b936f6fcca7d7b8f676bbad15b229f8eaf680fea91e9d0b9517b16ae962667842c5c2312a8f9e651d9e85a840a5
-
Filesize 223B (listed 1 time)
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 255KB (listed 2 times)
MD5 d2b917714f1998608e94f49403b80de4
SHA1 e3173235740b80d4379c2f6fc04fbdd423feed44
SHA256 47fb5e7ef0ef77719823502e43b01640d5b042f7aba9023caabfca94568b959e
SHA512 33c1aa75d602c9fd4289b52cf286712e789ab569bf2eec0301d69e15c25358b82e4e208d114f859a2dbd8f3d8d37aebadb7ecbf3c507cdf1d9cdb57cafef4122
-
Filesize 255KB (listed 1 time)
MD5 fe01512da24c15d4463ad2d077af431d
SHA1 edcb4fbf537e5c1573a3ebcbce7669d3a0c88b10
SHA256 bd2eb894cf742dac188cebb87a0933e1e27d58750a5da10f8d18f703a6f7d4f5
SHA512 56d87a99a0ce9826e5246b32c51256240225c1791a586ae2bb6a39b7fdafc83d4076d0e6a61bf308f8c441d957fb997baa40635d3db15bb3f8395030bc689bad