Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 17:08
Static task: static1
Behavioral task: behavioral1
  Sample: 077c08440d185e41f6c1c9d0abcfb34e.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 077c08440d185e41f6c1c9d0abcfb34e.exe
  Resource: win10v2004-20231222-en
General
Target: 077c08440d185e41f6c1c9d0abcfb34e.exe
Size: 512KB
MD5: 077c08440d185e41f6c1c9d0abcfb34e
SHA1: 7df1a0dfb46447fe888a2743cb7c25815abb68c7
SHA256: 73fc40bed08500c75b018746c1a7307a0c03121ef8eaf65ad713b6b2281f03e1
SHA512: 0a75a98acbb4ebe5201ad614384b598ae025baf249fcddc5db92799c69d2eb65df0b51cb8dc1d794bea447402228e9d67dcb4a9942f819cf9f10656f1dce43c2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5l
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bmiaxkbvpu.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bmiaxkbvpu.exe
Both values are the Windows defaults (extensions hidden, protected system files hidden), so on their own they prove nothing. They matter here because the files this sample drops are named *.doc.exe and *.DOC.exe (see the Program Files, System32 and WinSxS lists below): with HideFileExt set, Explorer shows them as plain .doc documents.
Windows security bypass (5 IoCs)
XP-era Security Center flags: the *DisableNotify values silence the warnings that antivirus, firewall or automatic updates are off, and the *Override values declare those components as managed elsewhere. The writes land under WOW6432Node because bmiaxkbvpu.exe is a 32-bit process running from SysWOW64.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bmiaxkbvpu.exe
Disables RegEdit via registry modification (1 IoC)
DisableRegistryTools = 1 under Policies\System is the "Prevent access to registry editing tools" policy: regedit.exe refuses to start for this user until the value is cleared from another context (for example reg.exe or PowerShell).
  Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bmiaxkbvpu.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 077c08440d185e41f6c1c9d0abcfb34e.exe
Executes dropped EXE (5 IoCs)
  pid 3876  bmiaxkbvpu.exe
  pid 3808  ryubzjmvgmqexbd.exe
  pid 4236  igtznmgi.exe
  pid 1176  irlibrupkltoc.exe
  pid 1492  igtznmgi.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs)
The same Security Center flags as under "Windows security bypass", plus FirstRunDisabled, all written by bmiaxkbvpu.exe.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bmiaxkbvpu.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
All three autostart values are written by ryubzjmvgmqexbd.exe rather than by the dropper, under the 32-bit (WOW6432Node) Run key. The value names are random; the third entry is written to the key's default value (empty name). The data is a bare file name with no path.
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bczvuzqt = "bmiaxkbvpu.exe" ryubzjmvgmqexbd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmvqeept = "ryubzjmvgmqexbd.exe" ryubzjmvgmqexbd.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "irlibrupkltoc.exe" ryubzjmvgmqexbd.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Neither process probes c:, d: or f:.
  bmiaxkbvpu.exe: File opened (read-only) \??\<x>: for x in b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z (22 opens)
  igtznmgi.exe (both instances): File opened (read-only) \??\<x>: for x in a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z (42 opens; every letter twice except b, r, w and z, which are opened once)
Modifies WinLogon (2 TTPs, 2 IoCs)
SFCDisable = 4294967197 is 0xFFFFFF9D, the value that switched Windows File Protection off on Windows 2000/XP. Windows Resource Protection on Vista and later ignores it, so on this Windows 10 image the write has no effect, but nothing legitimate sets it and it remains a reliable indicator. The ATT&CK mapping to Winlogon Helper DLL below comes from the key path; no Notify, Userinit or Shell value is touched.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bmiaxkbvpu.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bmiaxkbvpu.exe
AutoIT Executable (18 IoCs)
AutoIT scripts compiled to PE executables. The yara rule autoit_exe matched the main process image in memory and the dropped files:
  behavioral2/memory/4992-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x000700000002320e-5.dat
  behavioral2/files/0x000700000002320b-19.dat
  behavioral2/files/0x0007000000023211-27.dat
  behavioral2/files/0x0007000000023211-26.dat
  behavioral2/files/0x000700000002320e-23.dat
  behavioral2/files/0x0006000000023212-31.dat
  behavioral2/files/0x0006000000023212-32.dat
  behavioral2/files/0x000700000002320e-24.dat
  behavioral2/files/0x000700000002320b-18.dat
  behavioral2/files/0x0007000000023211-60.dat
  behavioral2/files/0x000600000002321d-86.dat
  behavioral2/files/0x000600000002321e-92.dat
  behavioral2/files/0x000600000002321e-88.dat
  behavioral2/files/0x0006000000022720-100.dat
  behavioral2/files/0x0006000000022720-96.dat
  behavioral2/files/0x00090000000231c2-114.dat
  behavioral2/files/0x00090000000231c2-116.dat
Drops file in System32 directory (13 IoCs)
The dropper writes its four components into SysWOW64. MsoIrmProtector.doc is a genuine Windows file (the Office IRM protector); igtznmgi.exe writes an executable with that name plus .exe beside it. The write to msvbvm60.dll (the VB6 runtime) by bmiaxkbvpu.exe should be checked against a known-good copy of that DLL.
  File created C:\Windows\SysWOW64\bmiaxkbvpu.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\SysWOW64\bmiaxkbvpu.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File created C:\Windows\SysWOW64\ryubzjmvgmqexbd.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\SysWOW64\ryubzjmvgmqexbd.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File created C:\Windows\SysWOW64\igtznmgi.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\SysWOW64\igtznmgi.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File created C:\Windows\SysWOW64\irlibrupkltoc.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\SysWOW64\irlibrupkltoc.exe 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bmiaxkbvpu.exe
  File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe igtznmgi.exe (2 events)
  File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe igtznmgi.exe (2 events)
Drops file in Program Files directory (22 IoCs)
All 22 events belong to igtznmgi.exe. Each *.DOC.exe it creates sits next to a same-named .nal file that it also opens for modification; PROTTPLN.DOC and PROTTPLV.DOC are the names of Office's own protection-template documents in Office16\1033. Paths appear both as C:\... and in NT form \??\c:\...; counts below combine the two spellings.
  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File created (1), File opened for modification (4)
  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File created (1), File opened for modification (4)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal: File opened for modification (2)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal: File opened for modification (2)
  \??\c:\Program Files\WatchDisable.doc.exe: File created (2), File opened for modification (4)
  C:\Program Files\WatchDisable.nal: File opened for modification (2)
Drops file in Windows directory (19 IoCs)
igtznmgi.exe plants MsoIrmProtector.doc.exe in every WinSxS component store that holds the genuine MsoIrmProtector.doc (two versions, amd64 and wow64 each); the component name is shown truncated by the sandbox. The remaining three events are the decoy document: the dropper writes C:\Windows\mydoc.rtf, and WINWORD.EXE then opens it and creates its ~$mydoc.rtf owner file.
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe igtznmgi.exe: File created (2), File opened for modification (2)
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe igtznmgi.exe: File created (2), File opened for modification (2)
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe igtznmgi.exe: File created (2), File opened for modification (2)
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe igtznmgi.exe: File created (2), File opened for modification (2)
  File opened for modification C:\Windows\mydoc.rtf 077c08440d185e41f6c1c9d0abcfb34e.exe
  File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
  File created C:\Windows\~$mydoc.rtf WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Both this signature and the next are attributed to WINWORD.EXE, so they reflect Word's own start-up behaviour, not a check by the sample.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Modifies registry class (20 IoCs)
Two distinct things happen here. bmiaxkbvpu.exe repoints the default value of six script extensions to the txtfile ProgID, so double-clicking a .bat, .reg, .vbs, .wsf, .wsh or .wsc file opens it in Notepad instead of running or importing it, which blocks the usual script-based clean-up. HKLM\SOFTWARE\Classes is shared between the 32-bit and 64-bit views, so these writes carry no WOW6432Node. Separately, the main process creates a key of its own, CLV.Classes, and stores six hex-encoded strings under it (Com1 to Com4, StartCom1, StartCom2), most likely its own state or configuration.
Script handler hijack (bmiaxkbvpu.exe):
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" bmiaxkbvpu.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bmiaxkbvpu.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" bmiaxkbvpu.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" bmiaxkbvpu.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bmiaxkbvpu.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc bmiaxkbvpu.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" bmiaxkbvpu.exe
Sample state under a self-created class key (077c08440d185e41f6c1c9d0abcfb34e.exe):
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C0C9C2083276D3476A270242DD87C8E65DC" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BDFE13F1E0847A3B4B86963E97B08802F94269033CE2BD429B08D5" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12D449538E853BFBAA63292D7CF" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FCFC482C85189141D65A7E90BC94E146594B66436331D7EE" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F36BB6FF6E22DED10CD1A48B789011" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67C14E4DBC5B8C17CE1EC9E37CD" 077c08440d185e41f6c1c9d0abcfb34e.exe
  Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings 077c08440d185e41f6c1c9d0abcfb34e.exe
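The registry signatures above arrive as flattened "description ioc Process" cells, several records to a line. The Python below is an added example, not part of the sandbox report: it splits those cells into records and buckets each one into the behaviour it evidences (Security Center notification suppression, Explorer hiding, RegEdit lockout, Run-key persistence, SFC tampering, script-handler hijack, geolocation lookup). The sample lines are copied verbatim from this report; the record regex and the category names are this example's own assumptions about how the sandbox prints these rows.

```python
import re
from collections import Counter

# Constructed input: signature rows copied from the report above, in the sandbox's
# flattened '<operation> <registry path> [= "<data>"] <process>' form. Several rows
# share one line, exactly as the page prints them.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bmiaxkbvpu.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bmiaxkbvpu.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bmiaxkbvpu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bmiaxkbvpu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bmiaxkbvpu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bmiaxkbvpu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bmiaxkbvpu.exe -',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bmiaxkbvpu.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 077c08440d185e41f6c1c9d0abcfb34e.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bczvuzqt = "bmiaxkbvpu.exe" ryubzjmvgmqexbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmvqeept = "ryubzjmvgmqexbd.exe" ryubzjmvgmqexbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "irlibrupkltoc.exe" ryubzjmvgmqexbd.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bmiaxkbvpu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bmiaxkbvpu.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" bmiaxkbvpu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs bmiaxkbvpu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bmiaxkbvpu.exe',
]

OPS = r"Set value \((?:int|str)\)|Key created|Key value queried|Key opened"
# A new record begins wherever an operation keyword is followed by a \REGISTRY\ path.
SPLIT_RE = re.compile(rf"\s+(?=(?:{OPS}) \\REGISTRY\\)")
RECORD_RE = re.compile(
    rf'^(?P<op>{OPS}) (?P<path>\\REGISTRY\\.*?)(?: = "(?P<data>[^"]*)")? (?P<proc>\S+\.(?:exe|EXE))$'
)

SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride", "FirstRunDisabled"}
SCRIPT_EXTS = {".bat", ".reg", ".vbs", ".wsf", ".wsh", ".wsc"}


def parse_records(line):
    """Split one report line into dicts: op, key, name (None for key-level ops), data, process."""
    records = []
    for chunk in SPLIT_RE.split(line.strip().rstrip(" -")):
        m = RECORD_RE.match(chunk)
        if not m:
            raise ValueError(f"unparsed record: {chunk!r}")
        op, path, data, proc = m.group("op", "path", "data", "proc")
        if op.startswith("Set value") or op == "Key value queried":
            key, _, name = path.rpartition("\\")   # a trailing '\' means the key's default value
        else:
            key, name = path, None
        records.append({"op": op, "key": key, "name": name, "data": data, "process": proc})
    return records


def classify(rec):
    """Map one record to the behaviour it evidences; unmatched rows fall through to 'other'."""
    key, name, data, op = rec["key"].lower(), rec["name"], rec["data"], rec["op"]
    if key.endswith("\\security center") and name in SECURITY_CENTER_FLAGS and data == "1":
        return "security-center-notifications-disabled"
    if key.endswith("\\explorer\\advanced") and name == "HideFileExt" and data == "1":
        return "hide-file-extensions"
    if key.endswith("\\explorer\\advanced") and name == "ShowSuperHidden" and data == "0":
        return "hide-system-files"
    if key.endswith("\\policies\\system") and name == "DisableRegistryTools" and data == "1":
        return "disable-regedit"
    if key.endswith("\\currentversion\\run") and op.startswith("Set value"):
        return "run-key-persistence"
    if key.endswith("\\winlogon") and name in ("SFCDisable", "SFCScan"):
        return "sfc-tamper"
    # Default value of HKLM\SOFTWARE\Classes\.<ext> pointed at txtfile: scripts open in Notepad.
    if "\\classes\\" in key and key.rsplit("\\", 1)[-1] in SCRIPT_EXTS and name == "" and data == "txtfile":
        return "script-handler-hijack"
    if key.endswith("\\geo") and name == "Nation" and op == "Key value queried":
        return "geolocation-check"
    return "other"


def all_records(lines):
    return [rec for line in lines for rec in parse_records(line)]


def summarize(lines):
    """Count records per behaviour category across all report lines."""
    return Counter(classify(rec) for rec in all_records(lines))


if __name__ == "__main__":
    for category, n in summarize(REPORT_LINES).most_common():
        print(f"{n:2d}  {category}")
    for rec in all_records(REPORT_LINES):
        if classify(rec) == "run-key-persistence":
            print("autostart:", rec["name"] or "(default)", "->", rec["data"], "by", rec["process"])
```

The "Key created" rows deliberately fall into "other": creating HKLM\SOFTWARE\Classes\.vbs is staging, and only the default-value write to txtfile is the hijack. Run-key rows are matched on the key path, so the entry written to the key's default value (empty name) counts the same as the two with random names.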
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid 352  WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4992  077c08440d185e41f6c1c9d0abcfb34e.exe (16 events)
  pid 4236  igtznmgi.exe (8 events)
  pid 3876  bmiaxkbvpu.exe (10 events)
  pid 3808  ryubzjmvgmqexbd.exe (12 events)
  pid 1176  irlibrupkltoc.exe (12 events)
  pid 1492  igtznmgi.exe (6 events)
Suspicious use of FindShellTrayWindow (18 IoCs)
  3 events each for pids 4992, 4236, 3876, 3808, 1176 and 1492 (the sample and every dropped executable; WINWORD.EXE is not among them)
Suspicious use of SendNotifyMessage (18 IoCs)
  3 events each for pids 4992, 4236, 3876, 3808, 1176 and 1492
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid 352  WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory (17 IoCs)
Parent PID wrote to child PID (procid_target is the sandbox's own process index):
  4992 077c08440d185e41f6c1c9d0abcfb34e.exe -> 3876  procid_target 92  (3 events)
  4992 077c08440d185e41f6c1c9d0abcfb34e.exe -> 4236  procid_target 93  (3 events)
  4992 077c08440d185e41f6c1c9d0abcfb34e.exe -> 1176  procid_target 94  (3 events)
  4992 077c08440d185e41f6c1c9d0abcfb34e.exe -> 3808  procid_target 95  (3 events)
  4992 077c08440d185e41f6c1c9d0abcfb34e.exe -> 352   procid_target 96  (2 events)
  3876 bmiaxkbvpu.exe -> 1492  procid_target 99  (3 events)
These pairs match the parent/child structure of the process tree below.
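To look for the same registry indicators on a live host, the check below (an added example, not code from the sandbox) reads each key from both the native and the WOW6432Node view, because the report shows the writes in the 32-bit view and a 64-bit collector would otherwise miss them. evaluate() works on a plain dictionary so it can be exercised offline; read_live() fills that dictionary with winreg on Windows. SAMPLE_OBSERVED is constructed from the report's values, and the strong/weak split is this example's own judgement: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults and only corroborate.

```python
# Indicators from the report, as (hive, subkey, value name, bad data, weight). HKLM subkeys
# are written without WOW6432Node: the sample's 32-bit writes were redirected to that view,
# so both views must be read. HKLM\SOFTWARE\Classes\.<ext> is shared between the views.
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

INDICATORS = [("HKLM", SECURITY_CENTER, v, 1, "strong") for v in (
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride", "FirstRunDisabled")] + [
    ("HKLM", WINLOGON, "SFCDisable", 0xFFFFFF9D, "strong"),   # 4294967197 in the report
    ("HKLM", WINLOGON, "SFCScan", 0, "weak"),
    ("HKCU", ADVANCED, "HideFileExt", 1, "weak"),             # Windows default: corroborating only
    ("HKCU", ADVANCED, "ShowSuperHidden", 0, "weak"),         # Windows default: corroborating only
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1, "strong"),
] + [("HKLM", "SOFTWARE\\Classes\\" + ext, "", "txtfile", "strong")
     for ext in (".bat", ".reg", ".vbs", ".wsf", ".wsh", ".wsc")]

# Run entries are matched on their data (the dropped file names) because the value names
# (bczvuzqt, kmvqeept and the key's default value) are random.
DROPPED = {"bmiaxkbvpu.exe", "ryubzjmvgmqexbd.exe", "irlibrupkltoc.exe", "igtznmgi.exe"}


def views_for(hive):
    return ("64", "32") if hive == "HKLM" else ("native",)


def evaluate(observed):
    """observed: {(hive, view, subkey.lower()): {value name: data}}. Returns hits and a verdict."""
    hits = []
    for hive, key, name, bad, weight in INDICATORS:
        for view in views_for(hive):
            values = observed.get((hive, view, key.lower()), {})
            if name in values and values[name] == bad:
                hits.append((weight, hive + "\\" + key, view, name, values[name]))
    for view in views_for("HKLM"):
        for name, data in observed.get(("HKLM", view, RUN_KEY.lower()), {}).items():
            if str(data).strip('"').lower() in DROPPED:
                hits.append(("strong", "HKLM\\" + RUN_KEY, view, name, data))
    strong = sum(1 for h in hits if h[0] == "strong")
    verdict = "strong" if strong else ("weak-only" if hits else "none")
    return {"verdict": verdict, "strong": strong, "weak": len(hits) - strong, "hits": hits}


def read_live():
    """Windows only: collect the indicator keys from this machine in the shape evaluate() expects."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    access = {"64": winreg.KEY_WOW64_64KEY, "32": winreg.KEY_WOW64_32KEY, "native": 0}
    observed = {}
    for hive, key in {(h, k) for h, k, *_ in INDICATORS} | {("HKLM", RUN_KEY)}:
        for view in views_for(hive):
            try:
                handle = winreg.OpenKey(hives[hive], key, 0, winreg.KEY_READ | access[view])
            except OSError:
                continue                      # key absent in this view
            with handle:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, i)
                    except OSError:
                        break                 # no more values
                    values[name] = data
                    i += 1
            observed[(hive, view, key.lower())] = values
    return observed


# Constructed: how the report's writes would look to read_live() on the sandbox host, plus the
# two Explorer settings at their Windows defaults.
SAMPLE_OBSERVED = {
    ("HKLM", "32", SECURITY_CENTER.lower()): {
        "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1,
        "AntiVirusOverride": 1, "FirewallOverride": 1, "FirstRunDisabled": 1},
    ("HKLM", "32", WINLOGON.lower()): {"SFCDisable": 0xFFFFFF9D, "SFCScan": 0},
    ("HKLM", "32", RUN_KEY.lower()): {"bczvuzqt": "bmiaxkbvpu.exe", "kmvqeept": "ryubzjmvgmqexbd.exe", "": "irlibrupkltoc.exe"},
    ("HKLM", "64", r"software\classes\.vbs"): {"": "txtfile"},
    ("HKCU", "native", ADVANCED.lower()): {"HideFileExt": 1, "ShowSuperHidden": 0},
    ("HKCU", "native", r"software\microsoft\windows\currentversion\policies\system"): {"DisableRegistryTools": 1},
}
CLEAN_DEFAULTS = {("HKCU", "native", ADVANCED.lower()): {"HideFileExt": 1, "ShowSuperHidden": 0}}

if __name__ == "__main__":
    import sys
    result = evaluate(read_live() if sys.platform == "win32" else SAMPLE_OBSERVED)
    print(result["verdict"], result["strong"], "strong /", result["weak"], "weak")
    for hit in result["hits"]:
        print(*hit)
```

Run it as the user whose profile is suspected (HKCU is per user), and from a 64-bit interpreter so that KEY_WOW64_32KEY and KEY_WOW64_64KEY select different views. A "weak-only" verdict on a machine that has never been touched is expected, since it only reflects the Explorer defaults.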
Processes (indentation shows parent/child; the command line follows the image path)

C:\Users\Admin\AppData\Local\Temp\077c08440d185e41f6c1c9d0abcfb34e.exe   PID 4992
  command line: "C:\Users\Admin\AppData\Local\Temp\077c08440d185e41f6c1c9d0abcfb34e.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\bmiaxkbvpu.exe   PID 3876
      command line: bmiaxkbvpu.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\igtznmgi.exe   PID 1492
          command line: C:\Windows\system32\igtznmgi.exe  (the 32-bit parent names system32; WOW64 file-system redirection resolves it to SysWOW64)
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\igtznmgi.exe   PID 4236
      command line: igtznmgi.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\irlibrupkltoc.exe   PID 1176
      command line: irlibrupkltoc.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ryubzjmvgmqexbd.exe   PID 3808
      command line: ryubzjmvgmqexbd.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE   PID 352
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      Word is started on the RTF the dropper wrote to C:\Windows, most likely a decoy document shown to the user while the dropped executables run.
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15 (number of matched signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Defense Evasion
  Hide Artifacts, T1564 (2)
    Hidden Files and Directories, T1564.001 (2)
  Impair Defenses, T1562 (2)
    Disable or Modify Tools, T1562.001 (2)
  Modify Registry, T1112 (6)
Downloads
Files written during the run. The sandbox lists most of them by hash only; the two .customDestinations-ms entries are Explorer jump-list files (a side effect of opening mydoc.rtf, not a payload). The 512KB entry has the same size as the submitted sample but a different hash.

Filesize: 77KB
MD5: d950c999cec7245a92fee00f12165822
SHA1: b8e6ddf3d63fd987f537e866b8d847bae893b235
SHA256: c4b514047785439c01d7903cffd581016b89943ae6796cb9ba4e7a7f55e71237
SHA512: a7f554faf828b4807117e846458f98d06416e811685dec654cdc6178a0096eeac40364060e4b845875f3161b8072b5e7d2909ffdbcb842da59693e4baa1d21ea

Filesize: 15KB
MD5: c838ec47be2f5492708e6d31c7f15b62
SHA1: 69e7e96409290b4358d1b7218b47e13ca2e288d0
SHA256: 631176e48788454341d6b284f83b1586b72dbfb37f6a45c08eddfe202e05f9ce
SHA512: b9f8c8fdde86422a86d8f56939855d13e644e313d4ae3051649ba4313b06824f4ac3f70c5d1e899f0eb3c3733d15e17d65aa612db5e98321ab17cc415e54abed

Filesize: 14KB
MD5: 50b815ea825ded6c0f813ceaba7beea4
SHA1: 8dad0ca5371c7279fd0a9dcd6d20468f6ddfe543
SHA256: a4bd7252e940a597caae499f2135f947c4df28f62706eb4c4b3122703ddcb26e
SHA512: 821a9ddc7a7603ec7e7cad0c1b90e5af9ce101d744feeabf4d3ff7c9e49ebd376ce0916f7de26d0214f57f1e8ea6caa4a3d17658e96a5b3617e8d388d21d6bb7

Filesize: 247B
MD5: 1b529425a37b1334b8b33ebd890269a4
SHA1: 84768e6475b45e3431d5dd62968dde9b92bcb799
SHA256: 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
SHA512: 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 4403556788947df6942a1e498f157d97
SHA1: 17a0fcf8625819df16b2debf87ab10219d6a078e
SHA256: 7023508c6cf9c7f040e4fa5e0171e5eea1740237278917d683adecd4a86e1cb3
SHA512: 499947dca754e88ade91fe00d173dd3d294f4eef3318db49228648c8604180c50811f64d99e7b55e291257013a56106fa8d70f64c9e908f8025bfdb806a36ed8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 45883cf8e63fa654dc982916f4711cee
SHA1: bc9e37fcc06e98e2de0dfa88ae924cb6a3cde790
SHA256: b4fc2e21dc42d281e93801403c1e408c4b7d9291dc68c32741b9f49df62f9e02
SHA512: 385692006f67bd142f2d58cbea2e6a1edec6d8c249de466ae3bfb7d733c58dbc369872b37f0a2fb086b35240c60adff0feb91f21dbc26080d96aceeb708725a4

Filesize: 152KB
MD5: c02a0c310c1213fa845b3314f14a946c
SHA1: ed40bc7bd11f181a5742f8ee205252fe02989a7f
SHA256: 3f3eb2b19497bb6cbba9bcfa5b624713551cc12ccb6beba5a10bc4fec9f01c84
SHA512: cc4c86669f111a86e2449271caa527e7f10fc3baacf675d987c3f19a2d3a8f6b2653ef2eccf2fff63be3d217092da4a6d7d0c2ecdd60b1f69f17b10a8ec93165

Filesize: 189KB
MD5: f4f580c3e9b57e498b3d7414121af10c
SHA1: 3967e58043b1155430726bcd7b57d00e8fac09f7
SHA256: 002e5c8b7fa475b312b7151e6427beeaf6ec395e332adde311e025307018d457
SHA512: 79b70f918f3289468579573eb277fb0129188e81686c900b60ad4548176e0f290cd5daf49b18e0a0db908f6d0bded122815a993e08c9ce7f8fb8787002482356

Filesize: 378KB
MD5: be5e7b55b31f83fba5b46684b1c37745
SHA1: cb64da5a4da56b3116740a9ed1c58c6c266155ad
SHA256: 7f9481f3a56e6b824b4b1889796005b777d49f216322de753cb0fbd8f041248d
SHA512: 9fa2331a696a4545e68fbef56fdc7bcafa1d9a637667936bd12b5ad87fc5614128881e3c84c799505b69ee37afeb05fc8e32d2985a2ac6e9e59aa364bd7edb10

Filesize: 374KB
MD5: 48ddaba6597d9ca2d915884d2c477c83
SHA1: 8c625a8a70a5996cd0e08a86eedbf38e0a681591
SHA256: a73766952ca2b712d1cbdf245a22b41f034329919a74bbafa5ab6a636617e3ae
SHA512: 7e9eb162a780041451be6f8616af111618f748cffe838c3ea7d3668e89a135098a90d44570f5e40b2bc68b0d5f9eab176b4a702a0bed4d5302111d66d906b45b

Filesize: 385KB
MD5: 2d71deff4ec17cd705b8e3e1f6954fec
SHA1: fa04171143eccd57fe7a51596e5ef7900c0b3647
SHA256: 1ad68fb94400fa42aaea2db51971a1066c9f5a9f9dfd1e7ab0d7fe2122d5067b
SHA512: 693e989d1be41702c26666065fe8280d2a9884b41d4c196c3bb1ed1a9c0ceb821a306b9ddfff12d63f232207c1b1ec33b0b31b54d79b030aeb495277dd823af4

Filesize: 341KB
MD5: 89c7356a144a648a08b4101c1e3cee24
SHA1: 0d9924907c169cd9e68ba292aa8869c0a9c054af
SHA256: 1f2d6002e6a618ae7ef535c0e45bdc7548754d47e39a13359ff41f0843ad3436
SHA512: 68aa18be29736ce615971c0c3265263bc1dd6026a250b720144c5df5bcf62bd1dae37a314902bf08a7a1b2a07c3f3bbec5bb97fac607c73069259232f00485a4

Filesize: 279KB
MD5: 8df9a3bff4590024e460319444010e73
SHA1: 0f1bbbf95db6e36d75b8cdec0df792538e5f7857
SHA256: 58bb14778ccf6a39ea0daf2d4c2c11b760439710498dcb3f06c5c160996bf04c
SHA512: 79b7c250b9e8bcf7768979014cd109a582c4e84c6ad9f95d6b401bf9084f91ecce334fdba68475f024d328180ba1faa62645832a30ca5c0f6e2d32a4f2870b62

Filesize: 472KB
MD5: 4ce92dab7634bc473ba5fcc10c99d777
SHA1: 5a74ddf751cdd3540e454baa47c651e84eb83a8f
SHA256: dd706e6114ad8d6e01054646fedaafeb93e97737e970e218b3fbc10aa1e4915a
SHA512: b3b05c73119811c65c6dcd6b2b6f075353a1c4d757c0d0bbc78d3a040d62c7a7abd7ae3d7162e873f7ac8b35d0ccaab6e11f070a45684a66cfa690f181cae6a7

Filesize: 280KB
MD5: 436d50f5069c264e15b82e899614be27
SHA1: 4cabfea2b81ee2060a54e4c24cc5ee154b8d81a5
SHA256: b6834009428a35a95659e487eb5d655e2422348ff2e705a9d208fcfa36d3fda0
SHA512: dcd7c92be8d908ba008bf27421c30d82042c9c372f53b01de3d8eba79b56889da41e76f863fc9c668349390733b5412e5265f1afe8c65037df389a35936be38d

Filesize: 385KB
MD5: b2c0dacf197cedf71c702edfad4e9098
SHA1: 103400350a20104dbc549fca5e869755ced0ddd7
SHA256: a5aaa77c9b3b2b58d89a45228070d4014cdd4b8d9fc54748edb73737c5b29559
SHA512: 3fcb9967380e6a18b13522aafe8ced6a1c38ffde8e5e4c4098b6854cc82ee998994369990cb0b19536543a4d43e6b82807d72d6e8e06f81ceb332e769d7ae287

Filesize: 414KB
MD5: 2d6f82ebcb21ea5fbabb62559b73cdcb
SHA1: 54d98dfc3579fa38fe4b630e99639d97154efab3
SHA256: 6cff26b04a80d18c0e17cc9be0452e9a0f001629f6f634df793a085af88a2f3b
SHA512: 5326943a8464d0dcfed63749033f579f8c10a0f457e82958c05a190d9af4f468916b3ffaa276becd404020cdf4c8cd52a4c8d4f7696637df6e57d71bcaa3b1ef

Filesize: 512KB
MD5: 92ce6749cb3f9a1920eceb8f78127eee
SHA1: cf2c77d95380b31bec23129e34a0da68fabd80ea
SHA256: 102ea49f9d958fc3a54e19cb4808b5b64ff284774a124ef0c9b7b75ae41ce462
SHA512: 1f76f6f74de079e21130df90d2d9636fe42297fad7d5dabf426fedf800c9563a6435a6d9a11342da3df7b8552cf1eed1d1aa2c06a135310858ab66fc6a235e3e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 37KB
MD5: 33212000e3788f38392adb080d56a10e
SHA1: d3ce2df4cbc424ba4214cc1988c9a1577d34dfb4
SHA256: 4be0d85aa4ac4eabbf0571f722fdf3d034008a7a07ba6c7b062f01e85a237ce7
SHA512: b7664cfed9137cd9c858529210d16a2add1865eb6d8d857e0391ca44f31da6f86e7cb95f5c138f6ceb4122b90955c9c22854dccaf2ad13ea67be06d628e1afe0

Filesize: 205KB
MD5: 751a4ba20a5c93cb15b65744a5efe521
SHA1: 0d58ef664bbfada98cbfc8e80480b9d6cd34d83a
SHA256: c1b1dcfca7ba6fdc435ac429daf55959bf03ceaea8de73a10b767bc41dc5d908
SHA512: 6779994f453efe6736932505bfe60985cd038185bbbb668a50e9d244f7d7b8dd1ef5ef348b21c988fdcaa15057b505696ce5c8a1a173c22ab0298ddd7d5d6276