Analysis
- max time kernel: 207s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/11/2022, 02:12 UTC
Behavioral task behavioral1
- Sample: e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe
- Resource: win7-20221111-en
Behavioral task behavioral2
- Sample: e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe
- Resource: win10v2004-20221111-en
All signature hits and the process tree below come from behavioral2 (Windows 10, x64); every resource reference in the yara matches is prefixed behavioral2/. The sample itself is 32-bit, which is why its registry writes land under WOW6432Node and its drops under SysWOW64.
General
- Target: e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe
- Size: 255KB
- MD5: 17a5cc3464e53a3056bfe273ab5ba52f
- SHA1: b5e09adf1d6aabaa5e08818f5e0ca0a744e5826e
- SHA256: e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24
- SHA512: 79f2c6b8f3b0670760db306a6b8bbd6a5686029ce2349bbd35fc00d1fc37e17c08e569efea8963168f6b1468b1951c2a78086549dff4292f57a056ab2606cedd
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJx:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI+
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" [upisephuux.exe]
Note that HideFileExt = 1 is also the Windows default (extensions hidden), so on its own this value does not distinguish an infected host from a clean one; it only matters if the user had previously turned extensions on.
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" [upisephuux.exe]
As with HideFileExt, 0 is the Windows default; the two writes together keep protected operating-system files and the dropped copies' real extensions out of sight, but neither is a strong IoC by itself.
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [upisephuux.exe]
These Security Center values silence the "antivirus/firewall/updates are off" notifications. They are best known from the Windows XP and Vista era Security Center; whatever their effect on Windows 10, legitimate software rarely writes them under WOW6432Node, so they are a strong IoC.
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [upisephuux.exe]
Executes dropped EXE 5 IoCs
- PID 4188 upisephuux.exe
- PID 1372 bpgseyexuxkpgwi.exe
- PID 3008 jqcgncay.exe
- PID 2156 fuaiowgovsqyj.exe
- PID 2160 jqcgncay.exe
UPX packed file (yara rule upx) 23 IoCs
- Dropped files: behavioral2/files/0x0005000000022643-133.dat, 0x0005000000022643-134.dat, 0x0005000000022663-136.dat, 0x0005000000022663-137.dat, 0x000800000002307d-143.dat, 0x000800000002307d-144.dat, 0x000800000002307d-151.dat, 0x000b00000002313e-146.dat, 0x000b00000002313e-147.dat, 0x0006000000023153-155.dat, 0x0006000000023154-156.dat
- Memory, region 0x0000000000400000-0x00000000004A0000 in every process of the tree: behavioral2/memory/4700-138 and 4700-154, 4188-139 and 4188-162, 1372-140 and 1372-163, 3008-148 and 3008-164, 2156-149 and 2156-165, 2160-153 and 2160-166 (each a -memory.dmp)
The same 0x400000-0x4A0000 image matches in the sample and in all five dropped processes, and every file in the Downloads section is the same 255KB as the sample, which is consistent with the sample writing copies of itself under random names.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" [upisephuux.exe]
This is the same set of Security Center writes as the "Windows security bypass" signature plus FirstRunDisabled; the two signatures overlap on five of the six values.
Adds Run key to start application 2 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run [bpgseyexuxkpgwi.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fbztgqhu = "upisephuux.exe" [bpgseyexuxkpgwi.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ijzzreik = "bpgseyexuxkpgwi.exe" [bpgseyexuxkpgwi.exe]
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fuaiowgovsqyj.exe" [bpgseyexuxkpgwi.exe]
The third entry has an empty value name, i.e. it is the Run key's default value. All three data strings are bare file names with no directory, so whether they launch at logon depends on the search path of the process that processes the Run key; the files themselves were dropped under C:\Windows\SysWOW64. When hunting, match on value data rather than on the random value names.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 IoCs are "File opened (read-only) \??\<letter>:" events, collapsed here by process:
- upisephuux.exe: 22 opens, one each for a: and f: through z:
- jqcgncay.exe (two instances, PIDs 3008 and 2160): 42 opens covering a:, b: and e: through z:, most letters opened twice (once per instance)
Neither process touches c: or d: in this list.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" [upisephuux.exe]
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" [upisephuux.exe]
4294967197 is 0xFFFFFF9D, the legacy Windows File Protection "disable" value from the Windows 2000/XP era. Windows Vista and later replaced WFP with Windows Resource Protection, which does not read this value, so the write is a leftover of older code rather than an effective defence-evasion step on Windows 10; it remains a reliable IoC because nothing else writes it.
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
- yara rule autoit_exe on memory region 0x0000000000400000-0x00000000004A0000 of each process (behavioral2/memory/<pid>-<n>-memory.dmp): 4700-138, 4700-154, 4188-139, 4188-162, 1372-140, 1372-163, 3008-148, 3008-164, 2156-149, 2156-165, 2160-153, 2160-166
These are the same twelve memory dumps that match the upx rule above.
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\jqcgncay.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\SysWOW64\jqcgncay.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File created C:\Windows\SysWOW64\fuaiowgovsqyj.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\SysWOW64\fuaiowgovsqyj.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll [upisephuux.exe]
- File created C:\Windows\SysWOW64\upisephuux.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\SysWOW64\upisephuux.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File created C:\Windows\SysWOW64\bpgseyexuxkpgwi.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\SysWOW64\bpgseyexuxkpgwi.exe [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
The four executables are created and written by the sample itself; the one system file touched is msvbvm60.dll (the VB6 runtime), which upisephuux.exe opens for modification, so its Authenticode signature is worth checking on a suspect host.
Drops file in Program Files directory 14 IoCs
All in C:\Program Files\Microsoft Office\root\Office16\1033\, all by jqcgncay.exe (paths appear both as C:\... and as \??\c:\... because the same file is reached through both name forms):
- File created PROTTPLN.DOC.exe (1) and PROTTPLV.DOC.exe (1)
- File opened for modification PROTTPLN.DOC.exe (4) and PROTTPLV.DOC.exe (4)
- File opened for modification PROTTPLN.nal (2) and PROTTPLV.nal (2)
The new executables carry a double extension (.DOC.exe) and sit beside .nal files of the same base name in the Office template folder. On a suspect host, check whether the original PROTTPLN.DOC and PROTTPLV.DOC are still present and whether the .nal files are renamed originals; with HideFileExt = 1 (set above) Explorer shows PROTTPLN.DOC.exe as "PROTTPLN.DOC".
Drops file in Windows directory 3 IoCs
- File opened for modification C:\Windows\mydoc.rtf [e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe]
- File opened for modification C:\Windows\mydoc.rtf [WINWORD.EXE]
- File created C:\Windows\~$mydoc.rtf [WINWORD.EXE]
The sample writes mydoc.rtf and then opens it in Word (see the process tree); ~$mydoc.rtf is Word's own owner-lock file, not a drop by the malware.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the signature's canned text. Nothing in this report shows encryption: the only file writes recorded are the copies in SysWOW64, mydoc.rtf, and the Office template files, and the drive walk is done by the same processes that drop those copies, which fits spreading to other volumes better than ransomware.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString [WINWORD.EXE]
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz [WINWORD.EXE]
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily [WINWORD.EXE]
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU [WINWORD.EXE]
Both of these signatures fire on WINWORD.EXE, which the sample launched to display C:\Windows\mydoc.rtf. The reads are Word's own startup behaviour, not the malware's, so they should not be treated as sandbox-evasion evidence for this sample.
Modifies registry class 20 IoCs
By e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe (8):
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D789C2082256A4277D0702E2DDB7CF465A8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9CBF96AF2E383753A31869E3E99B38A03FC43630239E1C945E708A3"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02B4794399E53BFBAD132EDD4CF"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFC82485885189137D6207D92BDE2E634584466466237D79E"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB7FF6E22DCD20ED1D68A0E9016"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C67B1491DBB1B9BD7CE1ED9734BB"
- Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings
By upisephuux.exe (12):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat; Set value (str) .bat\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs; Set value (str) .vbs\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg; Set value (str) .reg\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf; Set value (str) .WSF\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh; Set value (str) .WSH\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc; Set value (str) .wsc\ = "txtfile"
Two different things are happening here. The CLV.Classes values are opaque hex strings the sample stores under a class key of its own (registry keys under HKLM\SOFTWARE\Classes are a common place to stash configuration or state because they are rarely inspected). The six extension rewrites point .bat, .vbs, .reg, .wsf, .wsh and .wsc at the txtfile ProgID, so double-clicking any of those scripts opens it in Notepad instead of executing it; that blocks the typical batch or .reg cleanup a user or helpdesk would try. Restoring the associations (or running cleanup from an explicit interpreter such as cmd.exe /c or regedit /s) is part of remediation.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 4764 WINWORD.EXE (2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 4700 e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe (16)
- PID 4188 upisephuux.exe (10)
- PID 1372 bpgseyexuxkpgwi.exe (16)
- PID 3008 jqcgncay.exe (8)
- PID 2156 fuaiowgovsqyj.exe (14)
Suspicious use of FindShellTrayWindow 18 IoCs
- 3 each for PIDs 4700 (e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe), 4188 (upisephuux.exe), 1372 (bpgseyexuxkpgwi.exe), 3008 (jqcgncay.exe), 2156 (fuaiowgovsqyj.exe), 2160 (jqcgncay.exe)
Suspicious use of SendNotifyMessage 18 IoCs
- 3 each for the same six PIDs as FindShellTrayWindow
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 4764 WINWORD.EXE (7)
Suspicious use of WriteProcessMemory 20 IoCs
Each line is "PID <parent> wrote to memory of <child>", with tria.ge's procid_target in parentheses:
- 4700 e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe -> 4188 upisephuux.exe, 3 times (81)
- 4700 -> 1372 bpgseyexuxkpgwi.exe, 3 times (82)
- 4700 -> 3008 jqcgncay.exe, 3 times (83)
- 1372 bpgseyexuxkpgwi.exe -> 3060 cmd.exe, 3 times (84)
- 4700 -> 2156 fuaiowgovsqyj.exe, 3 times (86)
- 4188 upisephuux.exe -> 2160 jqcgncay.exe, 3 times (89)
- 4700 -> 4764 WINWORD.EXE, 2 times (90)
Every WriteProcessMemory target is a direct child that the writer has just created (compare the process tree), which is the normal CreateProcess pattern on Windows, not injection into an unrelated process. Likewise the AddClipboardFormatListener and SetWindowsHookEx hits belong to WINWORD.EXE, and FindShellTrayWindow/SendNotifyMessage across all six malware processes are typical side effects of a GUI runtime such as the AutoIt runtime flagged above. The signatures that carry real weight in this report are the registry tampering, the drops in SysWOW64 and Program Files, the Run key, and the drive enumeration.
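The following is an added host-triage script written for this report; it is not code from tria.ge or from the sample. It turns the registry, persistence, file-association and dropped-file IoCs listed above into read-only checks a responder can run on a suspect Windows 10 x64 host. Assumptions: it runs from an elevated 64-bit PowerShell, HKCU: is the hive of the user being checked (for other users, load their hive under HKU: and adjust the paths), and the "expected" ProgIDs in the file-association table are the usual Windows defaults from memory, to be confirmed against a known-clean host. Nothing is modified.

```powershell
# Added triage script (not part of the tria.ge report): read-only checks for the IoCs
# recorded in the behavioral2 run. Run elevated in 64-bit PowerShell on the suspect host.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $script:findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Registry values written by upisephuux.exe. HideFileExt=1 and ShowSuperHidden=0 are also
#    the Windows defaults, so they are marked weak; the others are strong on their own.
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
$wl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
$regChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = 1; Weak = $true }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Bad = 0; Weak = $true }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 }
    @{ Path = $sc; Name = 'AntiVirusDisableNotify'; Bad = 1 }
    @{ Path = $sc; Name = 'FirewallDisableNotify';  Bad = 1 }
    @{ Path = $sc; Name = 'UpdatesDisableNotify';   Bad = 1 }
    @{ Path = $sc; Name = 'FirstRunDisabled';       Bad = 1 }
    @{ Path = $sc; Name = 'AntiVirusOverride';      Bad = 1 }
    @{ Path = $sc; Name = 'FirewallOverride';       Bad = 1 }
    @{ Path = $wl; Name = 'SFCScan';    Bad = 0 }
    @{ Path = $wl; Name = 'SFCDisable'; Bad = 4294967197 }   # 0xFFFFFF9D, the legacy WFP off value
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    # REG_DWORD is returned as a signed Int32; mask to the unsigned value the report shows.
    $observed = [int64]$item.($c.Name) -band 4294967295
    if ($observed -eq [int64]$c.Bad) {
        $w = if ($c.Weak) { ' (matches Windows default, corroborating only)' } else { '' }
        Add-Finding 'Registry' "$($c.Path)\$($c.Name) = $observed$w"
    }
}

# 2. Run-key persistence written by bpgseyexuxkpgwi.exe. Matches on the dropped file names
#    and on the value names seen in the report, plus a heuristic: any Run entry whose data is
#    a bare file name with no path separator, which legitimate installers almost never write.
$run = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$dropped = 'upisephuux.exe', 'bpgseyexuxkpgwi.exe', 'jqcgncay.exe', 'fuaiowgovsqyj.exe'
$runItem = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($runItem) {
    foreach ($p in $runItem.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # PSPath/PSParentPath/... metadata, not values
        $data = [string]$p.Value                    # '(default)' covers the unnamed value
        if ($dropped -contains $data -or $p.Name -in 'fbztgqhu', 'ijzzreik' -or $data -notmatch '[\\/]') {
            Add-Finding 'Persistence' "Run value '$($p.Name)' = '$data'"
        }
    }
}

# 3. Script extensions re-pointed to txtfile by upisephuux.exe (scripts open in Notepad
#    instead of running). Expected ProgIDs are assumed defaults; verify on a clean host.
$normal = @{ '.bat' = 'batfile'; '.vbs' = 'VBSFile'; '.reg' = 'regfile'
             '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'; '.wsc' = 'scriptletfile' }
foreach ($ext in $normal.Keys) {
    $cls = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue
    if ($cls -and $cls.'(default)' -eq 'txtfile') {
        Add-Finding 'FileAssoc' "$ext -> txtfile (expected $($normal[$ext]))"
    }
}

# 4. Dropped files: the SysWOW64 copies, the decoy mydoc.rtf, and any *.DOC.exe / *.nal in the
#    Office template folder. SHA256 is recorded so it can be compared with the Downloads list.
$paths = @(
    $dropped | ForEach-Object { Join-Path $env:SystemRoot "SysWOW64\$_" }
    Join-Path $env:SystemRoot 'mydoc.rtf'
)
$office = Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16\1033'
if (Test-Path $office) {
    $paths = @($paths) + @(Get-ChildItem -Path $office -File |
        Where-Object { $_.Name -like '*.DOC.exe' -or $_.Extension -eq '.nal' } |
        Select-Object -ExpandProperty FullName)
}
foreach ($f in $paths) {
    if (Test-Path -LiteralPath $f) {
        $h = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Add-Finding 'File' "$f exists, SHA256 $h"
    }
}
# msvbvm60.dll was opened for modification by upisephuux.exe: confirm it is still signed.
$vb = Join-Path $env:SystemRoot 'SysWOW64\msvbvm60.dll'
if (Test-Path $vb) {
    $sig = Get-AuthenticodeSignature -FilePath $vb
    if ($sig.Status -ne 'Valid') { Add-Finding 'File' "$vb signature status: $($sig.Status)" }
}

if ($findings.Count -eq 0) { Write-Host 'No IoCs from this report found.' }
$findings | Format-Table -AutoSize
```

Run it as a whole; it prints a table of findings and exits without changing anything. Two design points: the DWORD mask in step 1 is what makes the SFCDisable comparison work, since PowerShell hands back 0xFFFFFF9D as the Int32 -99; and step 2 keys on value data and a bare-file-name heuristic rather than only on the random value names, because a re-run of the sample will pick different names but the same dropped executables.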
Processes
- C:\Users\Admin\AppData\Local\Temp\e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe (PID 4700, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e987cb16733f2da868ef60902cace837d210f4eb99d0fc813c46fbf5582b9f24.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\upisephuux.exe (PID 4188, depth 2)
    command line: upisephuux.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\jqcgncay.exe (PID 2160, depth 3)
      command line: C:\Windows\system32\jqcgncay.exe (the caller is 32-bit, so WOW64 file-system redirection resolves system32 to SysWOW64, where the file was dropped)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\bpgseyexuxkpgwi.exe (PID 1372, depth 2)
    command line: bpgseyexuxkpgwi.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3060, depth 3)
      command line: cmd.exe /c fuaiowgovsqyj.exe
  - C:\Windows\SysWOW64\jqcgncay.exe (PID 3008, depth 2)
    command line: jqcgncay.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fuaiowgovsqyj.exe (PID 2156, depth 2)
    command line: fuaiowgovsqyj.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4764, depth 2)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
The division of labour is visible in the tree: the sample (4700) drops the four copies into SysWOW64 and opens the decoy document in Word; upisephuux.exe (4188) does the registry tampering; bpgseyexuxkpgwi.exe (1372) installs the Run key; the two jqcgncay.exe instances walk the drive letters and write into the Office template folder. Note that 4764 (WINWORD.EXE) is a direct child of the sample, which is why the Word-related signatures appear in this report at all.
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
Seven distinct files: six of 255KB (the same size as the sample, each with a different hash) and one of 223 bytes. Several hashes are listed more than once in the report because the same content was written to more than one path; the report does not map these hashes to file names.
- Filesize 255KB
  MD5 4d68a296fd0ca1324826156ca59994c7
  SHA1 b16b8c615f119865cb8ff5029c8c38021a7b9376
  SHA256 1a38526dca63dd78653ccf2e2f55009db3209f00de72564f5dd97b8f3e8e2de7
  SHA512 4c79c000898c404b8f5dfddfd8226ee9c7b949e1d9ed116298d987da9f046c4474207e090ba502ef3f130c08a18817c032fb3230fc92cd52413856d96737ec32
- Filesize 255KB
  MD5 4f2fd0ce3e2944af254e7ee0dfcb1dd9
  SHA1 f84b41119a187251ade7403be446ec5d04241338
  SHA256 ba494def35e1f7883bfe174ad52e8820c7f6ba18be6d3445fe7c58420069de74
  SHA512 c6f9d21b9411843b1391390da4dc83c76546878353152c25b85f7530fdbec62f950ab19cd303171210a96a9955dba5ccfe629919e3c66d75af6704e4d4d15fa2
- Filesize 255KB (listed twice)
  MD5 2a189343622ffa5281b383b7486e625c
  SHA1 d131d44f35593c2d81b721a10419d81768fe310f
  SHA256 f267a2af1802ad25290761f33e8fa953e4ed07a04ee8b77936149642b5352802
  SHA512 be56ce684e9e218687029ab55bf10bc2a6a32d9afeed2ecc153b64656ebe997f3db27a60ae550fefa4b1cbfb623d3735a8f96fb11c0704304c362376609bb09a
- Filesize 255KB (listed twice)
  MD5 2806ee58d8d5d35bc7d7a251ce787ee5
  SHA1 7542b826725dab71af846d3ec0a8d7ade6e6b46b
  SHA256 86e23917082904cab57ea2ecda9fc8e280d2ae4fb48e977954618fbaa62111a2
  SHA512 bff271e2d30a66bc1d2ea2915365ff0e67b09f1dcdd46b9febb3ca09466cb890103ada2ed23474560bdcb9cc8ef3808f5fa33b58bda8c7c396035eca3343ede5
- Filesize 255KB (listed three times)
  MD5 7e79d5fff63990e16bfbdd69d9f35f6f
  SHA1 8d22559c2a86db9ed9147bcce4f68c6097eab56b
  SHA256 f13ddb35f32d987cf51bda8cae28d389abc5b13bce46b719aa443326509794d9
  SHA512 269e3905b66acef3658b3883b2eff5e39e870321c2b605dc62dbef31c23c890e2c8caf8039a1a54bd0971d24332ac1cee80e9f55339fc9f2fe44153beed191c8
- Filesize 255KB (listed twice)
  MD5 3bfdf4a2ba5c090b51fd00947e7b4add
  SHA1 e406a9db41d960d345349592e8f54fa46e7c0259
  SHA256 8ac52b35c02f7fe35cd823abbcbf47ff23091403ea983e76818223ca6911a6cc
  SHA512 47d4811d2bfa7e4095cc9e0c3220d26668d235d49f81f2b9948e773e4170e0b0374b7f989121e046c22b1f6a4381230def46c9af98782337280b55d7ad9f609c
- Filesize 223B
  MD5 06604e5941c126e2e7be02c5cd9f62ec
  SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7