Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 17:23
Static task: static1
Behavioral task: behavioral1 (sample 08478b0a20b9941292f63fd9082e2245.exe, resource win7-20231129-en)
Behavioral task: behavioral2 (sample 08478b0a20b9941292f63fd9082e2245.exe, resource win10v2004-20231222-en)
General
Target: 08478b0a20b9941292f63fd9082e2245.exe
Size: 512KB
MD5: 08478b0a20b9941292f63fd9082e2245
SHA1: cea903f85151878dfd2c0a7755e9574ec2a38aac
SHA256: 74be36919da08b2e4607568bf9e0069a668dde44cde84f609cfdeb68d31f7d54
SHA512: b20549c5e0ac415688cceb2522cc1a5d70d3cc7197a5ea2d3953ead25d589328b558eb91572596cb92bd1c0b433ea4622fb48a28eaf33309d2e0bd72bd37d8e5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (bzudwagzda.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (bzudwagzda.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (bzudwagzda.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (bzudwagzda.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (08478b0a20b9941292f63fd9082e2245.exe)
Executes dropped EXE 5 IoCs
- PID 4940 bzudwagzda.exe
- PID 912 psaetnchaztvdlj.exe
- PID 3784 mryyphclbervq.exe
- PID 1204 vgcafanz.exe
- PID 64 vgcafanz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (bzudwagzda.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aigsleax = "bzudwagzda.exe" (psaetnchaztvdlj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxjtpgsf = "psaetnchaztvdlj.exe" (psaetnchaztvdlj.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mryyphclbervq.exe" (psaetnchaztvdlj.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (bzudwagzda.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (bzudwagzda.exe)
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 12 IoCs
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification C:\Windows\SysWOW64\psaetnchaztvdlj.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File created C:\Windows\SysWOW64\vgcafanz.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification C:\Windows\SysWOW64\vgcafanz.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification C:\Windows\SysWOW64\mryyphclbervq.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created C:\Windows\SysWOW64\bzudwagzda.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification C:\Windows\SysWOW64\bzudwagzda.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File created C:\Windows\SysWOW64\psaetnchaztvdlj.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File created C:\Windows\SysWOW64\mryyphclbervq.exe (08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (bzudwagzda.exe)
Drops file in Program Files directory 15 IoCs
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vgcafanz.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vgcafanz.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vgcafanz.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vgcafanz.exe)
Drops file in Windows directory 19 IoCs
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vgcafanz.exe)
- File opened for modification C:\Windows\mydoc.rtf (08478b0a20b9941292f63fd9082e2245.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFCFC4F2982189047D72F7D96BDE1E130594266456241D6EC" (08478b0a20b9941292f63fd9082e2245.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D0D9D2C83206D4476D170212DAD7DF364D8" (08478b0a20b9941292f63fd9082e2245.exe)
- Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings (08478b0a20b9941292f63fd9082e2245.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC3FE1A22DBD27CD0D28A789062" (08478b0a20b9941292f63fd9082e2245.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (bzudwagzda.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (bzudwagzda.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (bzudwagzda.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (08478b0a20b9941292f63fd9082e2245.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9CEF917F1E584743B3086983999B08E03FE4213023FE1CA42EC08A0" (08478b0a20b9941292f63fd9082e2245.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12D479439E353C8BAD3329BD4CC" (08478b0a20b9941292f63fd9082e2245.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C7791591DBBFB9BB7CE3ECE434CF" (08478b0a20b9941292f63fd9082e2245.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (bzudwagzda.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (bzudwagzda.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3596 WINWORD.EXE
- PID 3596 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
Processes (indentation shows the process tree depth)
C:\Users\Admin\AppData\Local\Temp\08478b0a20b9941292f63fd9082e2245.exe (PID 3900, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\08478b0a20b9941292f63fd9082e2245.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\bzudwagzda.exe (PID 4940, depth 2)
  Command line: bzudwagzda.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vgcafanz.exe (PID 64, depth 3)
    Command line: C:\Windows\system32\vgcafanz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\mryyphclbervq.exe (PID 3784, depth 2)
  Command line: mryyphclbervq.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vgcafanz.exe (PID 1204, depth 2)
  Command line: vgcafanz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\psaetnchaztvdlj.exe (PID 912, depth 2)
  Command line: psaetnchaztvdlj.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3596, depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads