Analysis
max time kernel: 178s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/11/2022, 06:12
Behavioral tasks
behavioral1: 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe on win7-20221111-en
behavioral2: 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe on win10v2004-20221111-en
The signatures, process tree and dropped files below are from behavioral2 (every yara hit is prefixed behavioral2/ and the platform above is the Windows 10 image).
General
Target: 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe
Size: 255KB
MD5: 2f9697108175f2c6563dcedea7bf616f
SHA1: a0fd9fe22ccf08ff659821df2870ef8525b6e294
SHA256: 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698
SHA512: 218374059aa96121c7df0ebcd04ed97e7946564359b6ef9e9c693d7261c987fcff89ad3507786e0f872a86f9384f6ddcb836315be189f9ad6c888f3c646021d9
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6+:Plf5j6zCNa0xeE3mx
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  riripoypiv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  riripoypiv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Together these hide extensions and protected operating-system files in Explorer, so a dropped PROTTPLN.DOC.exe (see the Program Files drops below) is displayed as PROTTPLN.DOC.
Windows security bypass (5 IoCs)
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  These are the Windows XP SP2-era Security Center values. They land under WOW6432Node because riripoypiv.exe is a 32-bit process and HKLM\SOFTWARE is redirected for WOW64 writers; on this Windows 10 image they are a fingerprint of old worm code rather than a working bypass.
Disables RegEdit via registry modification (1 IoC)
  riripoypiv.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Executes dropped EXE (5 IoCs)
  PID 5044 riripoypiv.exe
  PID 4480 qaalrrcgeliockd.exe
  PID 5028 jgepdelg.exe
  PID 3720 cqegloqpvfgdp.exe
  PID 1652 jgepdelg.exe
UPX packed file (24 IoCs, yara rule upx)
  Memory, all at 0x0000000000400000-0x00000000004A0000: behavioral2/memory/1404-132, 1404-153, 5044-145, 5044-154, 4480-146, 4480-155, 5028-147, 5028-156, 3720-148, 3720-157, 1652-151, 1652-167 (-memory.dmp)
  Files: behavioral2/files/0x0006000000022e6c-134.dat, 0x0006000000022e6c-135.dat, 0x0008000000022e6a-141.dat, 0x0008000000022e6a-142.dat, 0x0008000000022e6a-150.dat, 0x0007000000022e6b-143.dat, 0x0007000000022e6b-144.dat, 0x0008000000022e67-137.dat, 0x0008000000022e67-138.dat, 0x0009000000022e36-164.dat, 0x0009000000022e36-165.dat, 0x000a000000022e25-163.dat
  The same 0xA0000-byte image range matches in the submitted sample (PID 1404) and in every dropped executable, and each drop is 255KB like the sample, which is consistent with the drops being modified copies of the same packed binary (their hashes in Downloads differ from the sample's).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
Windows security modification (6 IoCs)
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 4 IoCs)
  qaalrrcgeliockd.exe: Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  qaalrrcgeliockd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvfwxhig = "riripoypiv.exe"
  qaalrrcgeliockd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ggiedoyt = "qaalrrcgeliockd.exe"
  qaalrrcgeliockd.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "cqegloqpvfgdp.exe"
  The WOW6432Node Run key is processed at logon like the 64-bit one, but every value here is a bare file name with no path. The dropper wrote its copies to "System32" from a 32-bit process, which WOW64 redirected to C:\Windows\SysWOW64, and SysWOW64 is not on the default search path of the 64-bit Explorer that runs these entries. Whether this persistence actually fires at logon on an x64 host should be verified rather than assumed; jgepdelg.exe gets no Run entry and is only started by the sample and by riripoypiv.exe (see the process tree).
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  riripoypiv.exe, 20 read-only opens, one per letter: \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\k: \??\l: \??\n: \??\o: \??\q: \??\r: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  jgepdelg.exe (both instances, PIDs 5028 and 1652), 44 read-only opens: every letter from \??\a: to \??\z: except c: and d:, most of them opened more than once
Modifies WinLogon (2 TTPs, 2 IoCs)
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  riripoypiv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
  4294967197 is 0xFFFFFF9D (signed -99), the value that disabled Windows File Protection on Windows 2000/XP. Windows Resource Protection on Vista and later does not honour it, and it is being written to the WOW6432Node view anyway, so on this image it is an indicator rather than an effective defence bypass.
AutoIT Executable (11 IoCs, yara rule autoit_exe)
AutoIT scripts compiled to PE executables.
  behavioral2/memory/1404-153, 5044-145, 5044-154, 4480-146, 4480-155, 5028-147, 5028-156, 3720-148, 3720-157, 1652-151, 1652-167 (all 0x0000000000400000-0x00000000004A0000-memory.dmp)
  These are the same memory regions that match the upx rule above: the sample and all of its drops are UPX-packed, AutoIt-compiled executables, so the original script is recoverable by unpacking and decompiling any one of them.
Drops file in System32 directory (9 IoCs)
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: File created and opened for modification C:\Windows\SysWOW64\riripoypiv.exe
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: File created and opened for modification C:\Windows\SysWOW64\jgepdelg.exe
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: File created and opened for modification C:\Windows\SysWOW64\qaalrrcgeliockd.exe
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: File created and opened for modification C:\Windows\SysWOW64\cqegloqpvfgdp.exe
  riripoypiv.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory (14 IoCs)
  jgepdelg.exe, all under C:\Program Files\Microsoft Office\root\Office16\1033\ (some entries recorded with the \??\c:\ prefix):
    PROTTPLN.DOC.exe: file created (1), opened for modification (4)
    PROTTPLV.DOC.exe: file created (1), opened for modification (4)
    PROTTPLN.nal: opened for modification (2)
    PROTTPLV.nal: opened for modification (2)
  The .DOC.exe names reuse the base names of Office's own PROTTPLN.DOC and PROTTPLV.DOC template files in that directory, and a .nal file with the same base name is touched alongside each one. With HideFileExt set (above) the executables display as .DOC files.
Drops file in Windows directory (3 IoCs)
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: File opened for modification C:\Windows\mydoc.rtf
  WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
  WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
  The ~$ file is Word's owner/lock file, created when WINWORD.EXE (PID 800, launched by the sample on C:\Windows\mydoc.rtf) opens the document.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). tria.ge describes this as likely ransomware behaviour; in this report it accompanies the drive-letter enumeration above, and no file encryption or ransom-note activity is recorded.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Enumerates system info in registry (2 TTPs, 3 IoCs)
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
  Both signatures are attributed to WINWORD.EXE, not to the sample or its drops. Word reads these keys on its own at startup, so here they are application noise rather than sandbox checks by the malware.
Modifies registry class (20 IoCs)
  riripoypiv.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .wsc, .wsf, .wsh, .reg
  riripoypiv.exe: Set value (str) (default) = "txtfile" on \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .vbs, .wsc, .WSF, .WSH, .reg
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C089D5283566D4576A6772F2DDE7D8765DF"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FACCF917F195840B3A4386983996B08A02F843610349E1CD42EB08D5"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12D479238E253CABAD73299D7BE"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCF9485C856F9134D7287E94BC94E634594167406343D6EB"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B3FE1D22DFD178D0A68A099114"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC60F1590DABEB8C07C90EC9737CD"
  2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe: Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings
  Remapping the script extensions to the txtfile ProgID makes a double-clicked .bat, .vbs, .wsf, .wsh, .wsc or .reg file open in Notepad instead of executing or importing, which blocks the usual one-click cleanup scripts. The CLV.Classes values are opaque hex strings under a key the sample creates itself, and are where to look for stored state or configuration.
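The registry IoCs above (Security Center flags, SFCDisable, DisableRegistryTools, the Explorer view settings, the txtfile remaps and the bare-name Run values) turn directly into a log or host check. The following is an added example, not code from tria.ge or from the sample: a Python matcher that folds tria.ge's native paths and Sysmon Event ID 13 paths to one form (hive prefix, user SID and WOW6432Node normalised away) and applies one rule per IoC class, decoding large DWORDs such as SFCDisable as signed values. The event records, the two benign controls, the rule labels and the Finding type are this example's own constructions.

```python
"""Added example, not part of the tria.ge report or the sample: match registry
value-set events against the registry IoCs listed in this report.  Accepts
tria.ge native paths (\\REGISTRY\\MACHINE, \\REGISTRY\\USER\\<SID>) and Sysmon
Event ID 13 paths (HKLM\\..., HKU\\<SID>\\...).  EVENTS is constructed from the
report's values plus two benign controls; nothing is captured from a live host."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str
    rule: str
    target: str
    detail: str


def normalize(target: str) -> str:
    """Fold both path styles to one lower-case form: hive reduced to hklm/hku,
    user SID removed, WOW6432Node dropped, so one rule covers 32-bit and
    64-bit writers and any user hive."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", target, flags=re.I)
    p = re.sub(r"^(?:\\REGISTRY\\USER|HKU)\\S-1-5-21-[\d-]+(?:_Classes)?\\", "HKU\\\\", p, flags=re.I)
    p = re.sub(r"\\WOW6432Node\\", "\\\\", p, flags=re.I)
    return p.lower()


def parse_int(detail: str):
    """Accept tria.ge's '1' / '4294967197' and Sysmon's 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", detail, flags=re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def to_signed32(v: int) -> int:
    return v - (1 << 32) if v >= (1 << 31) else v


def describe_dword(v: int) -> str:
    """Show a DWORD as written, in hex, and as a signed 32-bit value."""
    return f"{v} (0x{v:08X}, signed {to_signed32(v)})"


SCRIPT_EXTS = r"(?:bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg)"

# (regex over the normalised path, predicate(int_value, raw_string), label)
RULES = [
    (r"^hklm\\software\\microsoft\\security center\\(?:antivirusoverride|firewalloverride|"
     r"antivirusdisablenotify|firewalldisablenotify|updatesdisablenotify|firstrundisabled)$",
     lambda v, s: v == 1, "Security Center override/notify flag set (XP SP2-era values)"),
    (r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcdisable$",
     lambda v, s: v not in (None, 0), "Winlogon SFCDisable set (legacy WFP bypass)"),
    (r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\sfcscan$",
     lambda v, s: v == 0, "Winlogon SFCScan disabled"),
    (r"^hku\\software\\microsoft\\windows\\currentversion\\policies\\system\\disableregistrytools$",
     lambda v, s: v == 1, "Registry editor disabled by policy"),
    (r"^hku\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\hidefileext$",
     lambda v, s: v == 1, "Explorer hides file extensions"),
    (r"^hku\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden$",
     lambda v, s: v == 0, "Explorer hides protected OS files"),
    (r"^hklm\\software\\classes\\\." + SCRIPT_EXTS + r"\\?(?:\(default\))?$",
     lambda v, s: s.lower() == "txtfile", "Script extension remapped to txtfile (opens in Notepad)"),
    (r"^hklm\\software\\microsoft\\windows\\currentversion\\run\\",
     lambda v, s: "\\" not in s and "/" not in s, "Run value is a bare file name resolved via search path"),
]


def scan(events):
    """One Finding per event that matches a rule; the first matching rule wins."""
    findings = []
    for ev in events:
        target = normalize(ev["TargetObject"])
        detail = ev.get("Details", "").strip().strip('"')
        value = parse_int(detail)
        shown = describe_dword(value) if value is not None and value >= (1 << 31) else detail
        for pattern, check, label in RULES:
            if re.match(pattern, target) and check(value, detail):
                findings.append(Finding(ev["Image"], label, ev["TargetObject"], shown))
                break
    return findings


SID = "S-1-5-21-2386679933-1492765628-3466841596-1000"
EVENTS = [  # constructed for the example from the report's IoCs, tria.ge style first
    {"Image": "C:\\Windows\\SysWOW64\\riripoypiv.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusOverride",
     "Details": "1"},
    {"Image": "C:\\Windows\\SysWOW64\\riripoypiv.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable",
     "Details": "4294967197"},
    {"Image": "C:\\Windows\\SysWOW64\\riripoypiv.exe",
     "TargetObject": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools",
     "Details": "1"},
    {"Image": "C:\\Windows\\SysWOW64\\riripoypiv.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.vbs\\",
     "Details": '"txtfile"'},
    {"Image": "C:\\Windows\\SysWOW64\\qaalrrcgeliockd.exe",
     "TargetObject": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\lvfwxhig",
     "Details": '"riripoypiv.exe"'},
    # the same HideFileExt write as Sysmon Event ID 13 would log it
    {"Image": "C:\\Windows\\SysWOW64\\riripoypiv.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
     "Details": "DWORD (0x00000001)"},
    # benign controls: a user turning extensions on, and a vendor Run entry with a full path
    {"Image": "C:\\Windows\\explorer.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
     "Details": "DWORD (0x00000000)"},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
]

FINDINGS = scan(EVENTS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.image}: {f.rule}\n    {f.target} = {f.detail}")
```

The normalisation step is what makes the rules portable: the sample wrote everything under WOW6432Node because it is 32-bit, a 64-bit variant would write the unredirected keys, and a Sysmon sensor prints HKU\SID rather than \REGISTRY\USER\SID; all three forms hit the same rule. Feed real Event ID 13 records as dicts with Image, TargetObject and Details and the matcher works unchanged.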
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 800 WINWORD.EXE (2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1404 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe (16)
  PID 5044 riripoypiv.exe (10)
  PID 4480 qaalrrcgeliockd.exe (18)
  PID 3720 cqegloqpvfgdp.exe (12)
  PID 5028 jgepdelg.exe (8)
Suspicious use of FindShellTrayWindow (18 IoCs)
  3 each for PID 1404 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe, 5044 riripoypiv.exe, 4480 qaalrrcgeliockd.exe, 3720 cqegloqpvfgdp.exe, 5028 jgepdelg.exe, 1652 jgepdelg.exe

Suspicious use of SendNotifyMessage (18 IoCs)
  3 each for the same six processes

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 800 WINWORD.EXE (3)
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1404 2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe wrote to memory of 5044 (3 writes, procid_target 87), 4480 (3, 88), 5028 (3, 89), 3720 (3, 90) and 800 (2, 92)
  PID 5044 riripoypiv.exe wrote to memory of 1652 (3 writes, procid_target 91)
  Every write goes from a process to a child it has just created (compare the process tree below), which is what a process start looks like in this view; none of these entries is on its own evidence of code injection into a pre-existing process.
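The flattened "wrote to memory of" records above carry the whole parent/child structure of the run. As an added example, not part of the tria.ge report or the sample, the Python below parses them back into a tree and counts writes per edge, so the same view can be rebuilt from any tria.ge report pasted as text. RECORDS is this section's text with the SHA256-named image shortened to sample.exe, NAMES is taken from the Processes section, and the 2-3 writes-per-spawn baseline in injection_candidates is a heuristic read off this report, not a tria.ge rule.

```python
"""Added example, not part of the tria.ge report or the sample: rebuild the
process tree from the flattened "PID A wrote to memory of B" records and
count how many write records each parent/child edge carries."""
import re
from collections import Counter, defaultdict

# The report's 17 records, with the SHA256-named sample image shortened to
# sample.exe.  tria.ge repeats each parent/child pair once per write.
RECORDS = (
    "PID 1404 wrote to memory of 5044 1404 sample.exe 87 " * 3
    + "PID 1404 wrote to memory of 4480 1404 sample.exe 88 " * 3
    + "PID 1404 wrote to memory of 5028 1404 sample.exe 89 " * 3
    + "PID 1404 wrote to memory of 3720 1404 sample.exe 90 " * 3
    + "PID 5044 wrote to memory of 1652 5044 riripoypiv.exe 91 " * 3
    + "PID 1404 wrote to memory of 800 1404 sample.exe 92 " * 2
)

# Image names per PID, taken from the Processes section of the report.
NAMES = {1404: "sample.exe", 5044: "riripoypiv.exe", 4480: "qaalrrcgeliockd.exe",
         5028: "jgepdelg.exe", 3720: "cqegloqpvfgdp.exe", 1652: "jgepdelg.exe",
         800: "WINWORD.EXE"}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_edges(text):
    """Return (writer_pid, target_pid, writer_image, procid_target) per record."""
    return [(int(a), int(b), img, int(t)) for a, b, img, t in EDGE_RE.findall(text)]


def build_tree(edges):
    """children[parent] keeps first-seen order; writes counts records per edge."""
    children = defaultdict(list)
    writes = Counter()
    for writer, target, _img, _t in edges:
        if target not in children[writer]:
            children[writer].append(target)
        writes[(writer, target)] += 1
    return children, writes


def roots(children):
    """PIDs that write to others but are never written to: the top of the tree."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in targets]


def render(children, writes, names, pid, depth=0, note=""):
    """Indented one-line-per-process view, each child annotated with its edge's write count."""
    lines = ["  " * depth + f"{pid} {names.get(pid, '?')}{note}"]
    for child in children.get(pid, []):
        lines.extend(render(children, writes, names, child, depth + 1,
                            f"  <- {writes[(pid, child)]} writes from {pid}"))
    return lines


def injection_candidates(writes, spawn_writes=(2, 3)):
    """Heuristic: edges whose write count is outside what this report shows for
    a plain process start (2 or 3 writes per child).  Empty means nothing stands out."""
    return [edge for edge, n in writes.items() if n not in spawn_writes]


def process_tree_lines(text=RECORDS, names=NAMES):
    children, writes = build_tree(parse_edges(text))
    out = []
    for root in roots(children):
        out.extend(render(children, writes, names, root))
    return out


CHILDREN, WRITES = build_tree(parse_edges(RECORDS))

if __name__ == "__main__":
    print("\n".join(process_tree_lines()))
    print("edges outside the spawn baseline:", injection_candidates(WRITES))
```

Run stand-alone it prints the same six-process tree as the Processes section, with 1652 under 5044 and the other four under 1404; an edge with many more writes than a spawn produces, or a target PID that never appears as a child in the tree, is the case where a closer look at the writer is warranted.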
Processes

C:\Users\Admin\AppData\Local\Temp\2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe (PID 1404)
  command line: "C:\Users\Admin\AppData\Local\Temp\2a14da1cc4b47e0ccfb5bcedf38d4a6bc941fa3e81c59b5058ba7a0048f3c698.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\riripoypiv.exe (PID 5044, child of 1404)
    command line: riripoypiv.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\jgepdelg.exe (PID 1652, child of 5044)
      command line: C:\Windows\system32\jgepdelg.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\qaalrrcgeliockd.exe (PID 4480, child of 1404)
    command line: qaalrrcgeliockd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    -, Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jgepdelg.exe (PID 5028, child of 1404)
    command line: jgepdelg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cqegloqpvfgdp.exe (PID 3720, child of 1404)
    command line: cqegloqpvfgdp.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 800, child of 1404)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Reading the tree: the sample is 32-bit (all of its HKLM writes land under WOW6432Node), so its "System32" drops and the child it launches as C:\Windows\system32\jgepdelg.exe are redirected by WOW64 to C:\Windows\SysWOW64, which is the image path recorded for every child. The four components are started by bare file name, which a 32-bit parent resolves through its own system directory, SysWOW64. Word is launched last on the C:\Windows\mydoc.rtf the sample wrote, so the user sees a document open while the drops run.
Network
MITRE ATT&CK Enterprise v6
Persistence
  Hidden Files and Directories (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Defense Evasion
  Disabling Security Tools (2)
  Hidden Files and Directories (2)
  Modify Registry (6)
Downloads (dropped files)
Identical hash sets appear more than once in the original listing (one entry per dropped path); each distinct file is shown once here with the number of entries it had.

File 1 (1 entry), 255KB
  MD5: b77252a35ce75b1678c38c2657051ea2
  SHA1: 2d6169009b4155c72f962f1b4ca57c74d6fee015
  SHA256: 74ca6b47d852cbbeed240ffbbd08ad4defd1a8101ab8fa221b08ce7432041dce
  SHA512: 7d1245cd50a7881425faa577394faa6a61eeb67da687900b89c3a179f493ad9cf117ffd4b9560b96a2a8c0d4860e2971de93e76833d27b8c73b1917e7f8a29a8

File 2 (2 entries), 255KB
  MD5: c0d58fc3af8505a4e63f39ea96f37ad5
  SHA1: fc43a72001bcdf36c68b0649092e26563b86c370
  SHA256: 7e269513753b5f6b45a07dd3d002fef2f979a997d0899b3f087a1cc7f1fb2a2b
  SHA512: 2314f796f6d0992362db05dae5428e5c1dcaeffbb86d083851718afadb7c724361ec28c67d207ff55f5f956a36820c1e5cd23ab1fa4e4eaca7cb12ef62a826c5

File 3 (2 entries), 255KB
  MD5: 1b90fba67e0ad333535e1abd58e74a1b
  SHA1: 183b6f855e9ce64bcf548c90ca4d08e239d45c97
  SHA256: 369e4a7143308ed3f06a6e7a125eacc353de5093a870ee7f03ee36fdfbf27793
  SHA512: 96756d5c54d4bce1f4405c155769cba6269e1592b044cd770933844de016ab28b958c52d70466a77f2affbdbd6f1ba9b7dc85e4d6fb744793a9c7b81f2f6fb98

File 4 (3 entries), 255KB
  MD5: 312c78e698e25d0b02d5bd879af0f4e0
  SHA1: 2a1713ca57fe736c9174e21c1048d59bea52a86a
  SHA256: 28e6375007139b6dcf6df105adddb0d9015b462384df9677f52f121d70d95538
  SHA512: 3f52911e474e474969e12a1c7e6b64bda0b8978e65dd924be8a993232c45c65a66f147b10994dc91f06e65e6dbeda9bae0e36a60f41d9ced515791ae01ee933f

File 5 (2 entries), 255KB
  MD5: dcf16550941cace159e1337e33ad8d71
  SHA1: 78fd728add7f0594e9f59cd4c4bc54d1f93ce213
  SHA256: 13314fd29df0af279256c2a4d9f57e4a82beb6cef3c2f16763eeffd456f47a8e
  SHA512: f97b9fb35897de599a48853b5f4df199474c993f60d23687e898de31f0f114214e49521e2bce52c1d03f69ecb58b7853aa25da8158f1b3c62a743089391a76c5

File 6 (2 entries), 255KB
  MD5: bcea0ccf2fde0ff47b1770eec2ed7d62
  SHA1: eb125c211864e83c9649cf16a37a2b59b20df11e
  SHA256: 3adec395f72f20c8435f8f5997eff900a875cf5ca4ad4772063f37ba6af6282c
  SHA512: 198251867af4c781a0dee8d0fe1fa22fad6557f78facddd5ba4fad0d4895c79dcaf9404c20ac9ab24a4cd7d278a88714c326aded22ccf7070a1574be2162e218

File 7 (1 entry), 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Six distinct 255KB files, the same size as the submitted sample but none sharing its hashes, match in number the six .exe drops recorded above (four in C:\Windows\SysWOW64, two PROTTPL*.DOC.exe under Program Files). All six hash sets are usable as IoCs, but given the size-preserving variation between them, the UPX and autoit_exe memory matches and the dropped file names are the more durable indicators.