Analysis
max time kernel: 185s
max time network: 201s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 20:20
Behavioral task behavioral1
Sample: d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Resource: win7-20221111-en

Behavioral task behavioral2
Sample: d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Resource: win10v2004-20221111-en
General
Target: d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Size: 255KB
MD5: e511ce5643ddf34295356ba91f63bef3
SHA1: 8351c5b318f9459c6146d4033b7a61c004aea55f
SHA256: d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59
SHA512: 70527588420ec0e66f834b108708e73cd313b58f4ad78b774d6343851d6a03460b5a989dae78795d61ac312ef5a7f2809b23d2d27c3fbb15f7da48aac8364837
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI8N:Plf5j6zCNa0xeE3m0N
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ryyxptqife.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ryyxptqife.exe

Windows security bypass (5 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ryyxptqife.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ryyxptqife.exe
Executes dropped EXE (5 IoCs)
pid | Process
224 | ryyxptqife.exe
1820 | vhdwvpnocqedgem.exe
4948 | ingkcgce.exe
3612 | mzdawodcfxkdu.exe
1256 | ingkcgce.exe

Yara rule match: upx (23 IoCs)
resource | yara_rule
behavioral2/memory/2808-132-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0008000000022e0c-134.dat | upx
behavioral2/files/0x0007000000022e17-138.dat | upx
behavioral2/files/0x0007000000022e17-137.dat | upx
behavioral2/files/0x0008000000022e0c-135.dat | upx
behavioral2/files/0x0007000000022e18-140.dat | upx
behavioral2/files/0x0007000000022e19-144.dat | upx
behavioral2/files/0x0007000000022e19-143.dat | upx
behavioral2/files/0x0007000000022e18-142.dat | upx
behavioral2/files/0x0007000000022e18-146.dat | upx
behavioral2/memory/2808-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/224-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1820-150-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4948-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3612-152-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1256-153-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000022e1e-160.dat | upx
behavioral2/files/0x0007000000022e1f-161.dat | upx
behavioral2/memory/224-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1820-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3612-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/4948-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1256-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe

Windows security modification (6 IoCs; signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ryyxptqife.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qnkpmqow = "ryyxptqife.exe" | vhdwvpnocqedgem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbbokuwm = "vhdwvpnocqedgem.exe" | vhdwvpnocqedgem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mzdawodcfxkdu.exe" | vhdwvpnocqedgem.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | vhdwvpnocqedgem.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\q: | ryyxptqife.exe
File opened (read-only) | \??\q: | ingkcgce.exe
File opened (read-only) | \??\i: | ingkcgce.exe
File opened (read-only) | \??\q: | ingkcgce.exe
File opened (read-only) | \??\g: | ryyxptqife.exe
File opened (read-only) | \??\f: | ingkcgce.exe
File opened (read-only) | \??\s: | ingkcgce.exe
File opened (read-only) | \??\j: | ryyxptqife.exe
File opened (read-only) | \??\l: | ingkcgce.exe
File opened (read-only) | \??\o: | ingkcgce.exe
File opened (read-only) | \??\z: | ingkcgce.exe
File opened (read-only) | \??\t: | ingkcgce.exe
File opened (read-only) | \??\x: | ingkcgce.exe
File opened (read-only) | \??\x: | ingkcgce.exe
File opened (read-only) | \??\h: | ryyxptqife.exe
File opened (read-only) | \??\n: | ryyxptqife.exe
File opened (read-only) | \??\t: | ryyxptqife.exe
File opened (read-only) | \??\i: | ingkcgce.exe
File opened (read-only) | \??\k: | ingkcgce.exe
File opened (read-only) | \??\m: | ingkcgce.exe
File opened (read-only) | \??\r: | ingkcgce.exe
File opened (read-only) | \??\b: | ingkcgce.exe
File opened (read-only) | \??\w: | ingkcgce.exe
File opened (read-only) | \??\y: | ingkcgce.exe
File opened (read-only) | \??\o: | ryyxptqife.exe
File opened (read-only) | \??\h: | ingkcgce.exe
File opened (read-only) | \??\l: | ingkcgce.exe
File opened (read-only) | \??\o: | ingkcgce.exe
File opened (read-only) | \??\u: | ryyxptqife.exe
File opened (read-only) | \??\x: | ryyxptqife.exe
File opened (read-only) | \??\k: | ingkcgce.exe
File opened (read-only) | \??\z: | ingkcgce.exe
File opened (read-only) | \??\v: | ingkcgce.exe
File opened (read-only) | \??\a: | ryyxptqife.exe
File opened (read-only) | \??\b: | ryyxptqife.exe
File opened (read-only) | \??\e: | ryyxptqife.exe
File opened (read-only) | \??\k: | ryyxptqife.exe
File opened (read-only) | \??\a: | ingkcgce.exe
File opened (read-only) | \??\n: | ingkcgce.exe
File opened (read-only) | \??\p: | ingkcgce.exe
File opened (read-only) | \??\y: | ingkcgce.exe
File opened (read-only) | \??\n: | ingkcgce.exe
File opened (read-only) | \??\y: | ryyxptqife.exe
File opened (read-only) | \??\b: | ingkcgce.exe
File opened (read-only) | \??\v: | ryyxptqife.exe
File opened (read-only) | \??\j: | ingkcgce.exe
File opened (read-only) | \??\u: | ingkcgce.exe
File opened (read-only) | \??\a: | ingkcgce.exe
File opened (read-only) | \??\e: | ingkcgce.exe
File opened (read-only) | \??\l: | ryyxptqife.exe
File opened (read-only) | \??\r: | ryyxptqife.exe
File opened (read-only) | \??\w: | ryyxptqife.exe
File opened (read-only) | \??\w: | ingkcgce.exe
File opened (read-only) | \??\m: | ingkcgce.exe
File opened (read-only) | \??\r: | ingkcgce.exe
File opened (read-only) | \??\f: | ryyxptqife.exe
File opened (read-only) | \??\i: | ryyxptqife.exe
File opened (read-only) | \??\s: | ryyxptqife.exe
File opened (read-only) | \??\z: | ryyxptqife.exe
File opened (read-only) | \??\j: | ingkcgce.exe
File opened (read-only) | \??\p: | ingkcgce.exe
File opened (read-only) | \??\t: | ingkcgce.exe
File opened (read-only) | \??\g: | ingkcgce.exe
File opened (read-only) | \??\g: | ingkcgce.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ryyxptqife.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ryyxptqife.exe
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2808-132-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2808-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/224-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1820-150-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4948-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3612-152-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1256-153-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/224-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1820-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3612-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/4948-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1256-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\vhdwvpnocqedgem.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\SysWOW64\vhdwvpnocqedgem.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created | C:\Windows\SysWOW64\ingkcgce.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created | C:\Windows\SysWOW64\mzdawodcfxkdu.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\SysWOW64\mzdawodcfxkdu.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created | C:\Windows\SysWOW64\ryyxptqife.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\SysWOW64\ryyxptqife.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\SysWOW64\ingkcgce.exe | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ryyxptqife.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ingkcgce.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ingkcgce.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ingkcgce.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ingkcgce.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ingkcgce.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ingkcgce.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15D479039E953CDBAD532EFD7B8" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC8D485F85699046D7287D91BDEEE134583067356343D691" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D089D2082576D4577D477272CD77DF164DC" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ryyxptqife.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ryyxptqife.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ryyxptqife.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ryyxptqife.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ryyxptqife.exe
Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABCF910F2E7840F3A4186EE39E5B08C038A4314033DE1C9429E08A7" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BC2FE6F22D8D27DD1D68A0F9014" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC60815E0DAB4B8CF7FE1ECE034BD" | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ryyxptqife.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ryyxptqife.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | occurrences
3684 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | occurrences
2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 16
224 | ryyxptqife.exe | 10
1820 | vhdwvpnocqedgem.exe | 10
4948 | ingkcgce.exe | 8
3612 | mzdawodcfxkdu.exe | 12
1256 | ingkcgce.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | occurrences
2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 3
224 | ryyxptqife.exe | 3
1820 | vhdwvpnocqedgem.exe | 3
4948 | ingkcgce.exe | 3
3612 | mzdawodcfxkdu.exe | 3
1256 | ingkcgce.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | occurrences
2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 3
224 | ryyxptqife.exe | 3
1820 | vhdwvpnocqedgem.exe | 3
4948 | ingkcgce.exe | 3
3612 | mzdawodcfxkdu.exe | 3
1256 | ingkcgce.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | occurrences
3684 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | occurrences
PID 2808 wrote to memory of 224 | 2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 85 | 3
PID 2808 wrote to memory of 1820 | 2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 86 | 3
PID 2808 wrote to memory of 4948 | 2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 87 | 3
PID 2808 wrote to memory of 3612 | 2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 88 | 3
PID 224 wrote to memory of 1256 | 224 | ryyxptqife.exe | 89 | 3
PID 2808 wrote to memory of 3684 | 2808 | d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe | 90 | 2
Processes
C:\Users\Admin\AppData\Local\Temp\d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe"
  depth: 1, PID: 2808
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ryyxptqife.exe
    command line: ryyxptqife.exe
    depth: 2, PID: 224
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ingkcgce.exe
      command line: C:\Windows\system32\ingkcgce.exe
      depth: 3, PID: 1256
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vhdwvpnocqedgem.exe
    command line: vhdwvpnocqedgem.exe
    depth: 2, PID: 1820
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ingkcgce.exe
    command line: ingkcgce.exe
    depth: 2, PID: 4948
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\mzdawodcfxkdu.exe
    command line: mzdawodcfxkdu.exe
    depth: 2, PID: 3612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    depth: 2, PID: 3684
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Defense Evasion
  Disabling Security Tools: 2
  Hidden Files and Directories: 2
  Modify Registry: 6
Downloads
Filesize: 255KB
MD5: 9c816789f2abd50d41e59fbd17f5dd07
SHA1: 77526639bd49086f42cf2d1d45a61dd235d4dbe7
SHA256: f7c0cedfbad9bc7520858f174c2b959c4746c6d3e2a863add41589cc0600bf73
SHA512: 7134a4f4789f470a28060d15ca9715f0e8a0bc241c57320ff6579fc2b0f6c8a973a0284508cb7d7ce62da52d807b9695b3a43e82b811efea8077ed5eb4287b91

Filesize: 255KB
MD5: bdae2125d5ff9bff763fd0dbf7d0800b
SHA1: c3fcb9e270107b3cb2ad4d4c1a28643ee3016926
SHA256: 6d88e53606e24e17a60a69ce87693337179ccf8c9238d89a62d73b3c2549b978
SHA512: ef8b99463ce841f35dfc90d4d27557c2a70f2959ec128869c5bcc222015136fe9873eaa800fb34095fc73ab7593cec14ff9c1cb557fc490ad18ac457bcc27768

Filesize: 255KB (this entry appears three times in the report)
MD5: 33ac7385a29c06c3bd5998cdb797b244
SHA1: 768f1e1563b2f7b29240c3904bd22a9a0c2d8e73
SHA256: 92cb37791675e89fb8e8d978b1d37f0cf689e5dd22be14468129cd63a31e196c
SHA512: c8ea9a4a44fa49838b8487453b9938f62a229c7463a4184dda1eee6fa6fbd12a86543f92c6d037652266588e5d715f6a76963d5e6201daaace89eeb0c5261230

Filesize: 255KB (this entry appears twice in the report)
MD5: cd6f56de63535fa30c45335519ad4333
SHA1: c94123c2d8d92e89f6aa73831654539fb4589eb8
SHA256: a99557daf83a8539288cac4570ba06a6ec3e816c2e2f0f50fa3418998774c138
SHA512: ab65450e18d20ac5477fc69fd734bcb2c10db60679a792f04c7cc48b3e3fefec5db4d1529e98ab5096e6ea909cc863122d7fb3b95bd5d22b4dc39b30a07efd2a

Filesize: 255KB (this entry appears twice in the report)
MD5: 30045f43aa4225f18094352896bbde16
SHA1: d99e514cd18289789a1f4a1cb4eb057a9da79952
SHA256: b14c447759e15058449be2c51c2fdef81c41688db758c1734d320995abebf547
SHA512: 7437025cf3c5f92bd5a1f0d2599c472b3cb3ef76e529fc168e97a36386765955c22889f1163ae079993f741f1e78e9ef3298a9bdd03bde27fe2bb15e7457c7a0

Filesize: 255KB (this entry appears twice in the report)
MD5: 2d6c97e757d1be205cb990ac5643bf0a
SHA1: 3dd423433d61924fdf5f59267d8431fc247f6223
SHA256: f8edbe65a91d70bba3b0334ac6bcf3048dda77aeea0f40b219836b1f8c90b713
SHA512: 8de92a903c10a610d3356d5766374f39d91fd93736bd12acde7ed8733c56e41ec9858fe3e2537b3d24f15eec58329da6bb88d3cba73a4a2b2dca505bb2e1c998

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7