Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2023 14:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0127157e92f97a8e8e05ae6a7d42dd24.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0127157e92f97a8e8e05ae6a7d42dd24.exe
  Resource: win10v2004-20231215-en
General
Target: 0127157e92f97a8e8e05ae6a7d42dd24.exe
Size: 512KB
MD5: 0127157e92f97a8e8e05ae6a7d42dd24
SHA1: b1efbdc6672560f2835346ce75bb27a50d600777
SHA256: 788a64bcdb1fd5ab9203dce06033a729cc13514db575ca086995272326583316
SHA512: 603c574225ec98503fd867005b3b477c7668b65ec081bc3bd4a006f3dad8d64a49a9924503fe297471acc8b36cc122d6ad4c20d52bed716af816632ae482eb3c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pslzjckxrc.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pslzjckxrc.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pslzjckxrc.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pslzjckxrc.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Executes dropped EXE (5 IoCs)
pid | Process
4632 | pslzjckxrc.exe
4224 | avqmcpriztfyifd.exe
4528 | bpcyiafs.exe
1436 | dijqarobtiiqk.exe
1044 | bpcyiafs.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pslzjckxrc.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osyhivba = "pslzjckxrc.exe" | avqmcpriztfyifd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ewxvnfnm = "avqmcpriztfyifd.exe" | avqmcpriztfyifd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dijqarobtiiqk.exe" | avqmcpriztfyifd.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | bpcyiafs.exe
File opened (read-only) | \??\s: | bpcyiafs.exe
File opened (read-only) | \??\h: | pslzjckxrc.exe
File opened (read-only) | \??\j: | pslzjckxrc.exe
File opened (read-only) | \??\r: | pslzjckxrc.exe
File opened (read-only) | \??\v: | pslzjckxrc.exe
File opened (read-only) | \??\w: | pslzjckxrc.exe
File opened (read-only) | \??\b: | bpcyiafs.exe
File opened (read-only) | \??\g: | bpcyiafs.exe
File opened (read-only) | \??\q: | bpcyiafs.exe
File opened (read-only) | \??\l: | bpcyiafs.exe
File opened (read-only) | \??\y: | pslzjckxrc.exe
File opened (read-only) | \??\b: | bpcyiafs.exe
File opened (read-only) | \??\i: | bpcyiafs.exe
File opened (read-only) | \??\j: | bpcyiafs.exe
File opened (read-only) | \??\q: | bpcyiafs.exe
File opened (read-only) | \??\o: | bpcyiafs.exe
File opened (read-only) | \??\p: | bpcyiafs.exe
File opened (read-only) | \??\z: | bpcyiafs.exe
File opened (read-only) | \??\u: | pslzjckxrc.exe
File opened (read-only) | \??\x: | bpcyiafs.exe
File opened (read-only) | \??\h: | bpcyiafs.exe
File opened (read-only) | \??\x: | bpcyiafs.exe
File opened (read-only) | \??\m: | pslzjckxrc.exe
File opened (read-only) | \??\m: | bpcyiafs.exe
File opened (read-only) | \??\r: | bpcyiafs.exe
File opened (read-only) | \??\k: | pslzjckxrc.exe
File opened (read-only) | \??\w: | bpcyiafs.exe
File opened (read-only) | \??\s: | pslzjckxrc.exe
File opened (read-only) | \??\o: | bpcyiafs.exe
File opened (read-only) | \??\t: | bpcyiafs.exe
File opened (read-only) | \??\n: | bpcyiafs.exe
File opened (read-only) | \??\v: | bpcyiafs.exe
File opened (read-only) | \??\e: | bpcyiafs.exe
File opened (read-only) | \??\z: | pslzjckxrc.exe
File opened (read-only) | \??\k: | bpcyiafs.exe
File opened (read-only) | \??\n: | pslzjckxrc.exe
File opened (read-only) | \??\t: | pslzjckxrc.exe
File opened (read-only) | \??\n: | bpcyiafs.exe
File opened (read-only) | \??\g: | pslzjckxrc.exe
File opened (read-only) | \??\l: | pslzjckxrc.exe
File opened (read-only) | \??\y: | bpcyiafs.exe
File opened (read-only) | \??\e: | pslzjckxrc.exe
File opened (read-only) | \??\k: | bpcyiafs.exe
File opened (read-only) | \??\s: | bpcyiafs.exe
File opened (read-only) | \??\w: | bpcyiafs.exe
File opened (read-only) | \??\i: | bpcyiafs.exe
File opened (read-only) | \??\u: | bpcyiafs.exe
File opened (read-only) | \??\a: | pslzjckxrc.exe
File opened (read-only) | \??\j: | bpcyiafs.exe
File opened (read-only) | \??\a: | bpcyiafs.exe
File opened (read-only) | \??\p: | bpcyiafs.exe
File opened (read-only) | \??\z: | bpcyiafs.exe
File opened (read-only) | \??\i: | pslzjckxrc.exe
File opened (read-only) | \??\h: | bpcyiafs.exe
File opened (read-only) | \??\r: | bpcyiafs.exe
File opened (read-only) | \??\o: | pslzjckxrc.exe
File opened (read-only) | \??\p: | pslzjckxrc.exe
File opened (read-only) | \??\u: | bpcyiafs.exe
File opened (read-only) | \??\x: | pslzjckxrc.exe
File opened (read-only) | \??\g: | bpcyiafs.exe
File opened (read-only) | \??\m: | bpcyiafs.exe
File opened (read-only) | \??\a: | bpcyiafs.exe
File opened (read-only) | \??\v: | bpcyiafs.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pslzjckxrc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pslzjckxrc.exe
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2116-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000c000000023176-18.dat | autoit_exe
behavioral2/files/0x0008000000023223-22.dat | autoit_exe
behavioral2/files/0x000c000000023176-19.dat | autoit_exe
behavioral2/files/0x0008000000023223-23.dat | autoit_exe
behavioral2/files/0x000600000002322a-30.dat | autoit_exe
behavioral2/files/0x0006000000023229-27.dat | autoit_exe
behavioral2/files/0x000600000002322a-31.dat | autoit_exe
behavioral2/files/0x0006000000023229-26.dat | autoit_exe
behavioral2/files/0x0008000000023223-5.dat | autoit_exe
behavioral2/files/0x0006000000023229-35.dat | autoit_exe
behavioral2/files/0x0006000000023236-77.dat | autoit_exe
behavioral2/files/0x0006000000023236-75.dat | autoit_exe
behavioral2/files/0x00080000000231ce-88.dat | autoit_exe
behavioral2/files/0x00080000000231ce-91.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\dijqarobtiiqk.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pslzjckxrc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | C:\Windows\SysWOW64\pslzjckxrc.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File created | C:\Windows\SysWOW64\bpcyiafs.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File opened for modification | C:\Windows\SysWOW64\bpcyiafs.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File created | C:\Windows\SysWOW64\dijqarobtiiqk.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | C:\Windows\SysWOW64\pslzjckxrc.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File created | C:\Windows\SysWOW64\avqmcpriztfyifd.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File opened for modification | C:\Windows\SysWOW64\avqmcpriztfyifd.exe | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bpcyiafs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bpcyiafs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bpcyiafs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bpcyiafs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bpcyiafs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bpcyiafs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bpcyiafs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bpcyiafs.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | C:\Windows\mydoc.rtf | 0127157e92f97a8e8e05ae6a7d42dd24.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bpcyiafs.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bpcyiafs.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bpcyiafs.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pslzjckxrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pslzjckxrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pslzjckxrc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FF8E482A82699140D65A7DE1BDEFE6365937674E623FD79F" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C70F1493DBC4B8CA7CE2ED9034BD" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D7B9C2582556A3676D370562DD67CF564DA" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pslzjckxrc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pslzjckxrc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9C9FE17F19483083A4181993998B3FC03F04315024BE1BE42E608D5" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B6FF6D21D0D279D1A88A7B916B" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pslzjckxrc.exe
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B02A479438EB53BEBAD33293D4C5" | 0127157e92f97a8e8e05ae6a7d42dd24.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4680 | WINWORD.EXE
4680 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
The 64 pid/Process entries, grouped by consecutive runs in the order reported:
pid | Process | entries
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 16
4632 | pslzjckxrc.exe | 10
4224 | avqmcpriztfyifd.exe | 10
1436 | dijqarobtiiqk.exe | 12
4528 | bpcyiafs.exe | 8
4224 | avqmcpriztfyifd.exe | 2
1044 | bpcyiafs.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1044 | bpcyiafs.exe
1044 | bpcyiafs.exe
1044 | bpcyiafs.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
4224 | avqmcpriztfyifd.exe
4632 | pslzjckxrc.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1436 | dijqarobtiiqk.exe
4528 | bpcyiafs.exe
1044 | bpcyiafs.exe
1044 | bpcyiafs.exe
1044 | bpcyiafs.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | entries
4680 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2116 wrote to memory of 4632 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 90
PID 2116 wrote to memory of 4632 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 90
PID 2116 wrote to memory of 4632 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 90
PID 2116 wrote to memory of 4224 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 93
PID 2116 wrote to memory of 4224 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 93
PID 2116 wrote to memory of 4224 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 93
PID 2116 wrote to memory of 4528 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 92
PID 2116 wrote to memory of 4528 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 92
PID 2116 wrote to memory of 4528 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 92
PID 2116 wrote to memory of 1436 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 91
PID 2116 wrote to memory of 1436 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 91
PID 2116 wrote to memory of 1436 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 91
PID 2116 wrote to memory of 4680 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 94
PID 2116 wrote to memory of 4680 | 2116 | 0127157e92f97a8e8e05ae6a7d42dd24.exe | 94
PID 4632 wrote to memory of 1044 | 4632 | pslzjckxrc.exe | 96
PID 4632 wrote to memory of 1044 | 4632 | pslzjckxrc.exe | 96
PID 4632 wrote to memory of 1044 | 4632 | pslzjckxrc.exe | 96
Processes
(Indentation shows the parent/child relationship; the depth number from the original tree is given in brackets.)

C:\Users\Admin\AppData\Local\Temp\0127157e92f97a8e8e05ae6a7d42dd24.exe [1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\0127157e92f97a8e8e05ae6a7d42dd24.exe"
  PID: 2116
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\pslzjckxrc.exe [2]
    Command line: pslzjckxrc.exe
    PID: 4632
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\bpcyiafs.exe [3]
      Command line: C:\Windows\system32\bpcyiafs.exe
      PID: 1044
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dijqarobtiiqk.exe [2]
    Command line: dijqarobtiiqk.exe
    PID: 1436
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bpcyiafs.exe [2]
    Command line: bpcyiafs.exe
    PID: 4528
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\avqmcpriztfyifd.exe [2]
    Command line: avqmcpriztfyifd.exe
    PID: 4224
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE [2]
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4680
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads