Analysis
max time kernel: 105s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2023 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: 173d46f4ade0b56df43f7529d2880032.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 173d46f4ade0b56df43f7529d2880032.exe
  Resource: win10v2004-20231215-en
General
Target: 173d46f4ade0b56df43f7529d2880032.exe
Size: 512KB
MD5: 173d46f4ade0b56df43f7529d2880032
SHA1: 43faf29404ba504b09ae02bd4cae180ec60ca36c
SHA256: 2600b669773f115666b103bce6c997a0d22ca69b3c730bdd178f6b68878cfd98
SHA512: 4d9254024b8db5050ce7be6715e75c46f5af78a8dcbb8490ecd810a633160db02cf074928331ea01509c9ab0ce1b136ff5a43f1dd54e74ee7a02d18444da7dd6
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6u:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | uovyfxwmqo.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | uovyfxwmqo.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uovyfxwmqo.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uovyfxwmqo.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 173d46f4ade0b56df43f7529d2880032.exe
Executes dropped EXE 5 IoCs
pid | Process
4624 | uovyfxwmqo.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
3336 | haozybepgqeom.exe
4620 | mklokoci.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uovyfxwmqo.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dgbjudre = "uovyfxwmqo.exe" | mplqnoqkcpppggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oorliwlj = "mplqnoqkcpppggl.exe" | mplqnoqkcpppggl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "haozybepgqeom.exe" | mplqnoqkcpppggl.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\u: | mklokoci.exe
File opened (read-only) | \??\i: | uovyfxwmqo.exe
File opened (read-only) | \??\m: | uovyfxwmqo.exe
File opened (read-only) | \??\e: | mklokoci.exe
File opened (read-only) | \??\p: | mklokoci.exe
File opened (read-only) | \??\t: | mklokoci.exe
File opened (read-only) | \??\w: | mklokoci.exe
File opened (read-only) | \??\q: | uovyfxwmqo.exe
File opened (read-only) | \??\g: | mklokoci.exe
File opened (read-only) | \??\q: | mklokoci.exe
File opened (read-only) | \??\t: | mklokoci.exe
File opened (read-only) | \??\u: | mklokoci.exe
File opened (read-only) | \??\v: | mklokoci.exe
File opened (read-only) | \??\e: | mklokoci.exe
File opened (read-only) | \??\y: | mklokoci.exe
File opened (read-only) | \??\a: | mklokoci.exe
File opened (read-only) | \??\j: | mklokoci.exe
File opened (read-only) | \??\s: | mklokoci.exe
File opened (read-only) | \??\v: | mklokoci.exe
File opened (read-only) | \??\w: | uovyfxwmqo.exe
File opened (read-only) | \??\z: | uovyfxwmqo.exe
File opened (read-only) | \??\p: | uovyfxwmqo.exe
File opened (read-only) | \??\r: | uovyfxwmqo.exe
File opened (read-only) | \??\v: | uovyfxwmqo.exe
File opened (read-only) | \??\r: | mklokoci.exe
File opened (read-only) | \??\k: | mklokoci.exe
File opened (read-only) | \??\j: | uovyfxwmqo.exe
File opened (read-only) | \??\k: | uovyfxwmqo.exe
File opened (read-only) | \??\o: | uovyfxwmqo.exe
File opened (read-only) | \??\i: | mklokoci.exe
File opened (read-only) | \??\n: | mklokoci.exe
File opened (read-only) | \??\r: | mklokoci.exe
File opened (read-only) | \??\e: | uovyfxwmqo.exe
File opened (read-only) | \??\n: | uovyfxwmqo.exe
File opened (read-only) | \??\m: | mklokoci.exe
File opened (read-only) | \??\x: | mklokoci.exe
File opened (read-only) | \??\a: | mklokoci.exe
File opened (read-only) | \??\g: | mklokoci.exe
File opened (read-only) | \??\o: | mklokoci.exe
File opened (read-only) | \??\a: | uovyfxwmqo.exe
File opened (read-only) | \??\x: | uovyfxwmqo.exe
File opened (read-only) | \??\k: | mklokoci.exe
File opened (read-only) | \??\j: | mklokoci.exe
File opened (read-only) | \??\z: | mklokoci.exe
File opened (read-only) | \??\b: | uovyfxwmqo.exe
File opened (read-only) | \??\u: | uovyfxwmqo.exe
File opened (read-only) | \??\i: | mklokoci.exe
File opened (read-only) | \??\w: | mklokoci.exe
File opened (read-only) | \??\x: | mklokoci.exe
File opened (read-only) | \??\h: | uovyfxwmqo.exe
File opened (read-only) | \??\b: | mklokoci.exe
File opened (read-only) | \??\s: | mklokoci.exe
File opened (read-only) | \??\g: | uovyfxwmqo.exe
File opened (read-only) | \??\b: | mklokoci.exe
File opened (read-only) | \??\o: | mklokoci.exe
File opened (read-only) | \??\t: | uovyfxwmqo.exe
File opened (read-only) | \??\h: | mklokoci.exe
File opened (read-only) | \??\p: | mklokoci.exe
File opened (read-only) | \??\y: | mklokoci.exe
File opened (read-only) | \??\h: | mklokoci.exe
File opened (read-only) | \??\q: | mklokoci.exe
File opened (read-only) | \??\l: | uovyfxwmqo.exe
File opened (read-only) | \??\m: | mklokoci.exe
File opened (read-only) | \??\n: | mklokoci.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | uovyfxwmqo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | uovyfxwmqo.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4536-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023202-5.dat | autoit_exe
behavioral2/files/0x0010000000023153-18.dat | autoit_exe
behavioral2/files/0x0010000000023153-19.dat | autoit_exe
behavioral2/files/0x0006000000023207-25.dat | autoit_exe
behavioral2/files/0x0006000000023208-31.dat | autoit_exe
behavioral2/files/0x0006000000023208-32.dat | autoit_exe
behavioral2/files/0x0006000000023207-27.dat | autoit_exe
behavioral2/files/0x0008000000023202-22.dat | autoit_exe
behavioral2/files/0x0006000000023207-44.dat | autoit_exe
behavioral2/files/0x00020000000227b6-78.dat | autoit_exe
behavioral2/files/0x0004000000022713-72.dat | autoit_exe
behavioral2/files/0x0006000000023215-87.dat | autoit_exe
behavioral2/files/0x000a000000023130-92.dat | autoit_exe
behavioral2/files/0x000a000000023130-90.dat | autoit_exe
behavioral2/files/0x000800000002314b-95.dat | autoit_exe
behavioral2/files/0x000800000002314b-111.dat | autoit_exe
behavioral2/files/0x000800000002314b-109.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mklokoci.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | C:\Windows\SysWOW64\mplqnoqkcpppggl.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | C:\Windows\SysWOW64\haozybepgqeom.exe | 173d46f4ade0b56df43f7529d2880032.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | uovyfxwmqo.exe
File opened for modification | C:\Windows\SysWOW64\uovyfxwmqo.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | C:\Windows\SysWOW64\mplqnoqkcpppggl.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | C:\Windows\SysWOW64\mklokoci.exe | 173d46f4ade0b56df43f7529d2880032.exe
File opened for modification | C:\Windows\SysWOW64\haozybepgqeom.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | C:\Windows\SysWOW64\uovyfxwmqo.exe | 173d46f4ade0b56df43f7529d2880032.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mklokoci.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\PingUse.nal | mklokoci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mklokoci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\PingUse.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Program Files\PingUse.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\PingUse.nal | mklokoci.exe
File opened for modification | C:\Program Files\PingUse.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File opened for modification | \??\c:\Program Files\PingUse.doc.exe | mklokoci.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mklokoci.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mklokoci.exe
File created | \??\c:\Program Files\PingUse.doc.exe | mklokoci.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | C:\Windows\mydoc.rtf | 173d46f4ade0b56df43f7529d2880032.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | mklokoci.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | mklokoci.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | mklokoci.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12147E239ED53C5BADD32EFD7CF" | 173d46f4ade0b56df43f7529d2880032.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | 173d46f4ade0b56df43f7529d2880032.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C779D5682566A4377A777212CAC7C8F64D6" | 173d46f4ade0b56df43f7529d2880032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FFF9482F821B9031D75A7D90BC94E135584667426331D799" | 173d46f4ade0b56df43f7529d2880032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67E14E0DAB7B8CD7FE3ED9234BC" | 173d46f4ade0b56df43f7529d2880032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9CBF961F298837E3B37819A39E1B08C038D42680239E1C942E708A6" | 173d46f4ade0b56df43f7529d2880032.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | uovyfxwmqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | uovyfxwmqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | uovyfxwmqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | uovyfxwmqo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB2FE6621A9D10CD0D18B7B9116" | 173d46f4ade0b56df43f7529d2880032.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | uovyfxwmqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | uovyfxwmqo.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 173d46f4ade0b56df43f7529d2880032.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4352 | WINWORD.EXE
4352 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | consecutive occurrences
4536 | 173d46f4ade0b56df43f7529d2880032.exe | 16
4624 | uovyfxwmqo.exe | 2
3472 | mklokoci.exe | 1
4624 | uovyfxwmqo.exe | 1
3472 | mklokoci.exe | 1
4624 | uovyfxwmqo.exe | 7
3472 | mklokoci.exe | 6
376 | mplqnoqkcpppggl.exe | 10
3336 | haozybepgqeom.exe | 12
376 | mplqnoqkcpppggl.exe | 2
4620 | mklokoci.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4624 | uovyfxwmqo.exe
4624 | uovyfxwmqo.exe
4624 | uovyfxwmqo.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
3336 | haozybepgqeom.exe
3336 | haozybepgqeom.exe
3336 | haozybepgqeom.exe
4620 | mklokoci.exe
4620 | mklokoci.exe
4620 | mklokoci.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4536 | 173d46f4ade0b56df43f7529d2880032.exe
4624 | uovyfxwmqo.exe
4624 | uovyfxwmqo.exe
4624 | uovyfxwmqo.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
376 | mplqnoqkcpppggl.exe
3472 | mklokoci.exe
3336 | haozybepgqeom.exe
3336 | haozybepgqeom.exe
3336 | haozybepgqeom.exe
4620 | mklokoci.exe
4620 | mklokoci.exe
4620 | mklokoci.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4352 | WINWORD.EXE
4352 | WINWORD.EXE
4352 | WINWORD.EXE
4352 | WINWORD.EXE
4352 | WINWORD.EXE
4352 | WINWORD.EXE
4352 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4536 wrote to memory of 4624 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 89
PID 4536 wrote to memory of 4624 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 89
PID 4536 wrote to memory of 4624 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 89
PID 4536 wrote to memory of 376 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 90
PID 4536 wrote to memory of 376 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 90
PID 4536 wrote to memory of 376 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 90
PID 4536 wrote to memory of 3472 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 92
PID 4536 wrote to memory of 3472 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 92
PID 4536 wrote to memory of 3472 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 92
PID 4536 wrote to memory of 3336 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 91
PID 4536 wrote to memory of 3336 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 91
PID 4536 wrote to memory of 3336 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 91
PID 4536 wrote to memory of 4352 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 93
PID 4536 wrote to memory of 4352 | 4536 | 173d46f4ade0b56df43f7529d2880032.exe | 93
PID 4624 wrote to memory of 4620 | 4624 | uovyfxwmqo.exe | 95
PID 4624 wrote to memory of 4620 | 4624 | uovyfxwmqo.exe | 95
PID 4624 wrote to memory of 4620 | 4624 | uovyfxwmqo.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\173d46f4ade0b56df43f7529d2880032.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\173d46f4ade0b56df43f7529d2880032.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4536

  C:\Windows\SysWOW64\uovyfxwmqo.exe (depth 2)
  Command line: uovyfxwmqo.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4624

    C:\Windows\SysWOW64\mklokoci.exe (depth 3)
    Command line: C:\Windows\system32\mklokoci.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4620

  C:\Windows\SysWOW64\mplqnoqkcpppggl.exe (depth 2)
  Command line: mplqnoqkcpppggl.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 376

  C:\Windows\SysWOW64\haozybepgqeom.exe (depth 2)
  Command line: haozybepgqeom.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3336

  C:\Windows\SysWOW64\mklokoci.exe (depth 2)
  Command line: mklokoci.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3472

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 4352
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads