Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/11/2022, 06:05
Behavioral task: behavioral1
- Sample: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
- Resource: win7-20221111-en
General
- Target: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
- Size: 255KB
- MD5: c883f057fd44e432933630bfa7b16787
- SHA1: ebc8944e4b1ca122c8bfaa0d178707675083acb8
- SHA256: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301
- SHA512: 981d9316665087e3f903c58565be5ba3464de5844355d8f8b068665942219a2ee78a48ff1f419f36a75c83edbba7f4d90da29c91fd24e94c9a1311905a1ec42a
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIw
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: vhlxkdwhrh.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: vhlxkdwhrh.exe)
Windows security bypass (5 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: vhlxkdwhrh.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: vhlxkdwhrh.exe)
Executes dropped EXE (5 IoCs)
- PID 2612: vhlxkdwhrh.exe
- PID 1844: wagljqhdteelfcw.exe
- PID 4076: iwthdevs.exe
- PID 4504: oghgpvksqtwcg.exe
- PID 4304: iwthdevs.exe
UPX packed file (yara rule: upx, 27 IoCs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: vhlxkdwhrh.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: wagljqhdteelfcw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ftdckayq = "vhlxkdwhrh.exe" (process: wagljqhdteelfcw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfleuyni = "wagljqhdteelfcw.exe" (process: wagljqhdteelfcw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oghgpvksqtwcg.exe" (process: wagljqhdteelfcw.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: vhlxkdwhrh.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: vhlxkdwhrh.exe)
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\iwthdevs.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File created: C:\Windows\SysWOW64\oghgpvksqtwcg.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: iwthdevs.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: iwthdevs.exe)
- File created: C:\Windows\SysWOW64\vhlxkdwhrh.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File opened for modification: C:\Windows\SysWOW64\vhlxkdwhrh.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File created: C:\Windows\SysWOW64\wagljqhdteelfcw.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (process: vhlxkdwhrh.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: iwthdevs.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: iwthdevs.exe)
- File opened for modification: C:\Windows\SysWOW64\wagljqhdteelfcw.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File created: C:\Windows\SysWOW64\iwthdevs.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File opened for modification: C:\Windows\SysWOW64\oghgpvksqtwcg.exe (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
Drops file in Program Files directory (14 IoCs)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: iwthdevs.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: iwthdevs.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: iwthdevs.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: iwthdevs.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: iwthdevs.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: iwthdevs.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: iwthdevs.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- File opened for modification: C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class (20 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFFFB4828856F9047D6217DE5BCEEE633584366406346D7EA" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B1FE1B21DBD27BD0D68B09906B" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60C1597DABEB9C17F92ED9034B9" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C0B9C2582576A3776D477212CD67CF564A8" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B02D449539EA53CABAD73393D4C5" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: vhlxkdwhrh.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: vhlxkdwhrh.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: vhlxkdwhrh.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FACCF96AF195837A3A4086EC3995B38B02F14314034CE1C8429C09D4" (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: vhlxkdwhrh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: vhlxkdwhrh.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: vhlxkdwhrh.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4300: WINWORD.EXE
- PID 4300: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4340 wrote to memory of 2612 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 79)
- PID 4340 wrote to memory of 2612 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 79)
- PID 4340 wrote to memory of 2612 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 79)
- PID 4340 wrote to memory of 1844 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 80)
- PID 4340 wrote to memory of 1844 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 80)
- PID 4340 wrote to memory of 1844 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 80)
- PID 4340 wrote to memory of 4076 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 81)
- PID 4340 wrote to memory of 4076 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 81)
- PID 4340 wrote to memory of 4076 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 81)
- PID 4340 wrote to memory of 4504 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 82)
- PID 4340 wrote to memory of 4504 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 82)
- PID 4340 wrote to memory of 4504 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 82)
- PID 2612 wrote to memory of 4304 (process: vhlxkdwhrh.exe, procid_target: 83)
- PID 2612 wrote to memory of 4304 (process: vhlxkdwhrh.exe, procid_target: 83)
- PID 2612 wrote to memory of 4304 (process: vhlxkdwhrh.exe, procid_target: 83)
- PID 4340 wrote to memory of 4300 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 84)
- PID 4340 wrote to memory of 4300 (process: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe, procid_target: 84)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe"
    PID: 4340
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\vhlxkdwhrh.exe
        Command line: vhlxkdwhrh.exe
        PID: 2612
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\iwthdevs.exe
            Command line: C:\Windows\system32\iwthdevs.exe
            PID: 4304
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\wagljqhdteelfcw.exe
        Command line: wagljqhdteelfcw.exe
        PID: 1844
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\iwthdevs.exe
        Command line: iwthdevs.exe
        PID: 4076
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Windows\SysWOW64\oghgpvksqtwcg.exe
        Command line: oghgpvksqtwcg.exe
        PID: 4504
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        PID: 4300
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (6)