27054ea6539792fda245ba1442d854124426aaddd75bd789b7be36de41078553

Analysis

max time kernel
0s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091f600fd48ae9602d1bb72d1f001796.exe
Size

512KB
MD5

091f600fd48ae9602d1bb72d1f001796
SHA1

2b676b583b9bacf57a6364aa38832ac8b92f1ce9
SHA256

27054ea6539792fda245ba1442d854124426aaddd75bd789b7be36de41078553
SHA512

2b9900328aa47d5182f453662afa5c091426df0f46fc4a2ac96dd37978d69d09a587c9726a06f034baa4f5d37bafecbe9e0a71ba342dc77e812729305460b053
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	crjyugkrbl.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	crjyugkrbl.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	crjyugkrbl.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	crjyugkrbl.exe

Executes dropped EXE 5 IoCs

pid	Process
1728	crjyugkrbl.exe
2152	ixtybdxxnqruumj.exe
2592	zitcxgiu.exe
2648	tqdpraszdrvkz.exe
2608	zitcxgiu.exe

Loads dropped DLL 5 IoCs

pid	Process
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
1728	crjyugkrbl.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	crjyugkrbl.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgojvdkw = "crjyugkrbl.exe"	ixtybdxxnqruumj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fstagags = "ixtybdxxnqruumj.exe"	ixtybdxxnqruumj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tqdpraszdrvkz.exe"	ixtybdxxnqruumj.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	crjyugkrbl.exe
File opened (read-only)	\??\e:	zitcxgiu.exe
File opened (read-only)	\??\m:	zitcxgiu.exe
File opened (read-only)	\??\k:	crjyugkrbl.exe
File opened (read-only)	\??\i:	zitcxgiu.exe
File opened (read-only)	\??\h:	zitcxgiu.exe
File opened (read-only)	\??\h:	zitcxgiu.exe
File opened (read-only)	\??\o:	zitcxgiu.exe
File opened (read-only)	\??\r:	zitcxgiu.exe
File opened (read-only)	\??\e:	crjyugkrbl.exe
File opened (read-only)	\??\i:	crjyugkrbl.exe
File opened (read-only)	\??\e:	zitcxgiu.exe
File opened (read-only)	\??\y:	zitcxgiu.exe
File opened (read-only)	\??\s:	zitcxgiu.exe
File opened (read-only)	\??\q:	zitcxgiu.exe
File opened (read-only)	\??\x:	zitcxgiu.exe
File opened (read-only)	\??\j:	zitcxgiu.exe
File opened (read-only)	\??\z:	zitcxgiu.exe
File opened (read-only)	\??\j:	crjyugkrbl.exe
File opened (read-only)	\??\p:	zitcxgiu.exe
File opened (read-only)	\??\a:	zitcxgiu.exe
File opened (read-only)	\??\o:	zitcxgiu.exe
File opened (read-only)	\??\r:	zitcxgiu.exe
File opened (read-only)	\??\h:	crjyugkrbl.exe
File opened (read-only)	\??\o:	crjyugkrbl.exe
File opened (read-only)	\??\l:	zitcxgiu.exe
File opened (read-only)	\??\z:	crjyugkrbl.exe
File opened (read-only)	\??\g:	zitcxgiu.exe
File opened (read-only)	\??\z:	zitcxgiu.exe
File opened (read-only)	\??\n:	zitcxgiu.exe
File opened (read-only)	\??\y:	zitcxgiu.exe
File opened (read-only)	\??\m:	crjyugkrbl.exe
File opened (read-only)	\??\n:	zitcxgiu.exe
File opened (read-only)	\??\i:	zitcxgiu.exe
File opened (read-only)	\??\q:	zitcxgiu.exe
File opened (read-only)	\??\x:	zitcxgiu.exe
File opened (read-only)	\??\q:	crjyugkrbl.exe
File opened (read-only)	\??\b:	zitcxgiu.exe
File opened (read-only)	\??\v:	zitcxgiu.exe
File opened (read-only)	\??\g:	zitcxgiu.exe
File opened (read-only)	\??\k:	zitcxgiu.exe
File opened (read-only)	\??\l:	zitcxgiu.exe
File opened (read-only)	\??\p:	zitcxgiu.exe
File opened (read-only)	\??\t:	zitcxgiu.exe
File opened (read-only)	\??\a:	crjyugkrbl.exe
File opened (read-only)	\??\y:	crjyugkrbl.exe
File opened (read-only)	\??\a:	zitcxgiu.exe
File opened (read-only)	\??\m:	zitcxgiu.exe
File opened (read-only)	\??\n:	crjyugkrbl.exe
File opened (read-only)	\??\p:	crjyugkrbl.exe
File opened (read-only)	\??\u:	crjyugkrbl.exe
File opened (read-only)	\??\t:	zitcxgiu.exe
File opened (read-only)	\??\v:	zitcxgiu.exe
File opened (read-only)	\??\w:	zitcxgiu.exe
File opened (read-only)	\??\b:	crjyugkrbl.exe
File opened (read-only)	\??\r:	crjyugkrbl.exe
File opened (read-only)	\??\w:	crjyugkrbl.exe
File opened (read-only)	\??\l:	crjyugkrbl.exe
File opened (read-only)	\??\s:	zitcxgiu.exe
File opened (read-only)	\??\u:	zitcxgiu.exe
File opened (read-only)	\??\x:	crjyugkrbl.exe
File opened (read-only)	\??\j:	zitcxgiu.exe
File opened (read-only)	\??\k:	zitcxgiu.exe
File opened (read-only)	\??\w:	zitcxgiu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	crjyugkrbl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	crjyugkrbl.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2216-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000016a29-5.dat	autoit_exe
behavioral1/files/0x000a00000001650c-17.dat	autoit_exe
behavioral1/files/0x000a00000001650c-20.dat	autoit_exe
behavioral1/files/0x0009000000016a29-25.dat	autoit_exe
behavioral1/files/0x0009000000016a29-21.dat	autoit_exe
behavioral1/files/0x0009000000016ca5-31.dat	autoit_exe
behavioral1/files/0x0009000000016ca5-40.dat	autoit_exe
behavioral1/files/0x0009000000016a29-41.dat	autoit_exe
behavioral1/files/0x0007000000016d16-39.dat	autoit_exe
behavioral1/files/0x0007000000016d16-37.dat	autoit_exe
behavioral1/files/0x0009000000016ca5-43.dat	autoit_exe
behavioral1/files/0x0009000000016ca5-42.dat	autoit_exe
behavioral1/files/0x0007000000016d16-32.dat	autoit_exe
behavioral1/files/0x0009000000016ca5-27.dat	autoit_exe
behavioral1/files/0x000a00000001650c-26.dat	autoit_exe
behavioral1/files/0x0006000000018ba1-69.dat	autoit_exe
behavioral1/files/0x0005000000018717-66.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ixtybdxxnqruumj.exe	091f600fd48ae9602d1bb72d1f001796.exe
File created	C:\Windows\SysWOW64\zitcxgiu.exe	091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification	C:\Windows\SysWOW64\zitcxgiu.exe	091f600fd48ae9602d1bb72d1f001796.exe
File created	C:\Windows\SysWOW64\tqdpraszdrvkz.exe	091f600fd48ae9602d1bb72d1f001796.exe
File created	C:\Windows\SysWOW64\crjyugkrbl.exe	091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification	C:\Windows\SysWOW64\crjyugkrbl.exe	091f600fd48ae9602d1bb72d1f001796.exe
File created	C:\Windows\SysWOW64\ixtybdxxnqruumj.exe	091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification	C:\Windows\SysWOW64\tqdpraszdrvkz.exe	091f600fd48ae9602d1bb72d1f001796.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	crjyugkrbl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	091f600fd48ae9602d1bb72d1f001796.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7A9C2382566D4276D770562DDC7DF564AC"	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BCFE10F290830B3B4581EC3E99B081038A4211023CE2CB42ED08A0"	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183DC70B14E6DAC5B8BA7CE5EDE037CA"	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	crjyugkrbl.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FCF9485F826A9041D75F7E96BCE7E136584566416335D69E"	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	crjyugkrbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B1584495399A52BDBAD5329CD4B8"	091f600fd48ae9602d1bb72d1f001796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB2FE6B21A9D109D0D18A0B9014"	091f600fd48ae9602d1bb72d1f001796.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
2216	091f600fd48ae9602d1bb72d1f001796.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
1728	crjyugkrbl.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2648	tqdpraszdrvkz.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2592	zitcxgiu.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2152	ixtybdxxnqruumj.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe
2608	zitcxgiu.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1728	2216	091f600fd48ae9602d1bb72d1f001796.exe	22
PID 2216 wrote to memory of 1728	2216	091f600fd48ae9602d1bb72d1f001796.exe	22
PID 2216 wrote to memory of 1728	2216	091f600fd48ae9602d1bb72d1f001796.exe	22
PID 2216 wrote to memory of 1728	2216	091f600fd48ae9602d1bb72d1f001796.exe	22
PID 2216 wrote to memory of 2152	2216	091f600fd48ae9602d1bb72d1f001796.exe	27
PID 2216 wrote to memory of 2152	2216	091f600fd48ae9602d1bb72d1f001796.exe	27
PID 2216 wrote to memory of 2152	2216	091f600fd48ae9602d1bb72d1f001796.exe	27
PID 2216 wrote to memory of 2152	2216	091f600fd48ae9602d1bb72d1f001796.exe	27
PID 2216 wrote to memory of 2592	2216	091f600fd48ae9602d1bb72d1f001796.exe	23
PID 2216 wrote to memory of 2592	2216	091f600fd48ae9602d1bb72d1f001796.exe	23
PID 2216 wrote to memory of 2592	2216	091f600fd48ae9602d1bb72d1f001796.exe	23
PID 2216 wrote to memory of 2592	2216	091f600fd48ae9602d1bb72d1f001796.exe	23
PID 2216 wrote to memory of 2648	2216	091f600fd48ae9602d1bb72d1f001796.exe	26
PID 2216 wrote to memory of 2648	2216	091f600fd48ae9602d1bb72d1f001796.exe	26
PID 2216 wrote to memory of 2648	2216	091f600fd48ae9602d1bb72d1f001796.exe	26
PID 2216 wrote to memory of 2648	2216	091f600fd48ae9602d1bb72d1f001796.exe	26
PID 1728 wrote to memory of 2608	1728	crjyugkrbl.exe	24
PID 1728 wrote to memory of 2608	1728	crjyugkrbl.exe	24
PID 1728 wrote to memory of 2608	1728	crjyugkrbl.exe	24
PID 1728 wrote to memory of 2608	1728	crjyugkrbl.exe	24
PID 2216 wrote to memory of 2484	2216	091f600fd48ae9602d1bb72d1f001796.exe	25
PID 2216 wrote to memory of 2484	2216	091f600fd48ae9602d1bb72d1f001796.exe	25
PID 2216 wrote to memory of 2484	2216	091f600fd48ae9602d1bb72d1f001796.exe	25
PID 2216 wrote to memory of 2484	2216	091f600fd48ae9602d1bb72d1f001796.exe	25

C:\Users\Admin\AppData\Local\Temp\091f600fd48ae9602d1bb72d1f001796.exe
"C:\Users\Admin\AppData\Local\Temp\091f600fd48ae9602d1bb72d1f001796.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\crjyugkrbl.exe
  crjyugkrbl.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\zitcxgiu.exe
    C:\Windows\system32\zitcxgiu.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2608
- C:\Windows\SysWOW64\zitcxgiu.exe
  zitcxgiu.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2592
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:2484
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1448
- C:\Windows\SysWOW64\tqdpraszdrvkz.exe
  tqdpraszdrvkz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2648
- C:\Windows\SysWOW64\ixtybdxxnqruumj.exe
  ixtybdxxnqruumj.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
68KB

MD5
d484d365237e56d843948a4470242f94

SHA1
da2785b10b756616cc28f01875d08a0607a1374b

SHA256
abc8209f8970e95d9d6b1896bc4239315a048a2260b277da26ce87d86e3f7951

SHA512
ff9079966f27ff3e91800c9320c130a7b8df68318d6c9ce011698b6d7806a4f58fed173a3649bee9356554b3288b16d36d6636c899a91f457262cdbdc94532ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
70KB

MD5
fb91407717c767a9e258d389ddd7e89d

SHA1
dd95f158cbf9115f390328e22f41170348fd8a40

SHA256
ecffdd67f11bc0b00d277461fc1b9e6a835b1cc67732a07a57e8a002a506c619

SHA512
3fe3b282626b4c224a18e450a9cc70eeaad894ff5ef3411ef47dfa3e1f65756265bb25b9385702cb83e29142b61e515a3556402d0026b73fffc8a6c841eeefd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
8KB

MD5
f8ed530f6a6f45faf87c36c790ea078c

SHA1
a15f4623166d388fd19962da1e658204078d54a7

SHA256
1c79499310909e514f39bffe4aa948e19ccfd6f9360ad08f5a0c67b9f96857c8

SHA512
951c82f98652bd2037ffa14fd36066da8a6ab1839bb0e6bf8f98f0e9862d6048ca1339c07c5cb8831421efa4c37e353b75cf79b2349ec20c1496ac1dab8cfae6

Download Submit
C:\Windows\SysWOW64\crjyugkrbl.exe

Filesize
68KB

MD5
302220e57855732c844bbd43f2ce17d9

SHA1
9a07a1a92f309a80368554b7240f5a339beeca54

SHA256
eb18c50812897858c1b5cbcbb9ba173849a86f03fc118fb3137f616b2286e030

SHA512
d31ec957b7bf30a0c0d94b205130e9d048db3bc9e4a6b99f081fb44d5f464d765128f46727d76a5820e206ef463c51173ecfc12e0c5bb5ff2e3ed43b0b78dbeb

Download Submit
C:\Windows\SysWOW64\crjyugkrbl.exe

Filesize
45KB

MD5
e8d0a210a7de9cb675e1378280b0b6de

SHA1
c2ab939a2766a03bf6c24459cd935c2d580f220d

SHA256
c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

SHA512
e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Download Submit
C:\Windows\SysWOW64\ixtybdxxnqruumj.exe

Filesize
58KB

MD5
55270575413995f8c811f155340e43d4

SHA1
5e9ac9afebe7de3de8454a7833d8da7e8e497c2e

SHA256
b9a4eff3864e5ed148cc457647e92a2e1f3b33e7cdcb80fb999e80661391fda9

SHA512
e0b5791ef69b5a13e1df33f32ed567b73d08f62d974dae686cb7aea1125910c0a946383a116920ef5921d103b036be7299499e6961fc751caa18f7280de1b315

Download Submit
C:\Windows\SysWOW64\ixtybdxxnqruumj.exe

Filesize
44KB

MD5
b5872814d8ddf4f891cbdd57e5a26c8d

SHA1
5b8d9fbcd7b44015f066988a90ceb0e5c23b80f9

SHA256
f6efc65801afa1b061deb8d03ab593804de4c02dd6d0faa13c55e98406eab799

SHA512
2d27bb5e38c027664864ad5738b7cb474edc57fc35f1615868ac1e06934ba67fbee85103035b2ed921c6599fd722840b707be416086a30c1bb32fa003ab1d7a7

Download Submit
C:\Windows\SysWOW64\ixtybdxxnqruumj.exe

Filesize
84KB

MD5
35efaa547e515164909bb41f32754738

SHA1
1bf017170d0e8bde934846b3009c2e68cdc99245

SHA256
6b7ff53ee45410899247949a42f236daf411d3da70d72b6144e2710d7011af00

SHA512
657ad5a56525e6dcd459dc776e0df1009a7310fd668ca081cf32bc43dbbb94ca67235285a6236b53e06ff6dcc7970d65335694f04f85a597922882a78cdcbb62

Download Submit
C:\Windows\SysWOW64\tqdpraszdrvkz.exe

Filesize
64KB

MD5
7eb2abaaeb4d282eb0261173bd0a25ab

SHA1
e856e280e8dd10713989ebf2fdd1cd5530a97f57

SHA256
37cab9675e58b94ff83f06ec6e504575d29d756ebe802292c8d9b72f13a928c2

SHA512
456f43954659bd0f5a2e34b84a85123c5cec2378e8360a21f8c0ee0157355bd266bc79b599c22ed5777ac2a0d07737e6e117c74eb76c35c5ec4155e6cebf7df0

Download Submit
C:\Windows\SysWOW64\tqdpraszdrvkz.exe

Filesize
92KB

MD5
379ff6663aca28265ef117a97f9af33b

SHA1
b740ee76768e54e5f169b68df54377d2fdee378d

SHA256
a386721c29a1263bd301a958aeca633ade1c1c2dedaa6daa6e56fb8d15d53503

SHA512
d52c6100cb2e81eaf2777b9cf0d4012783ecb579426c05a19cbdbb8ef22b3776c237fbc36d482f42790443a853564d19d2a7d3a9fac7bc2794982f64eba6bc8c

Download Submit
C:\Windows\SysWOW64\zitcxgiu.exe

Filesize
79KB

MD5
0f82bc95d2b930b65a9131822c2177c3

SHA1
6e68c406c57faa1e5e45c9dc7141c4a7ae10ddef

SHA256
811f79616714483e6b839af65eff75b4e75cc055cfdf0c508019c3f1e8e6f9b9

SHA512
4cb1445f2ca945d88966e4123bdb5f6eee156dbec271bf10d5a0b85ad5294523d2c6ece9466a2e4eadea019ad0ced02372da08bce7725e482bd6f210c9469384

Download Submit
C:\Windows\SysWOW64\zitcxgiu.exe

Filesize
60KB

MD5
d9821902a408c524bc74aef02b2733e7

SHA1
772d765f0aaa5061888491e43fb0885429c1b082

SHA256
b7e9f7aca5aba1ebb54efb09e8201ede40b2580e451775eb0bb3eddcbb27a271

SHA512
13324a5c5f9ab36106a3eea45e3a2adca911b500afc875ab77cdf4e6f1fad6c830ae3d234c333400072582fc385b5bad2096eedc7dd5b870f86899c6a266d33b

Download Submit
C:\Windows\SysWOW64\zitcxgiu.exe

Filesize
43KB

MD5
ef09f69c15bc84dc2cf8602e9f2d92af

SHA1
d0052c176e9609c88f846e5a1f0bd44cba044232

SHA256
7bbc3e3fa03d66ae06ca07f268d083ad7e74edee4f37f1375b14a7746d3f1b14

SHA512
969e300f3baaf65441789ba8a84b970faa526586f3732a7d29926a98ffe8a6d2583a7ee23f385b21fcd1eda29c26373d60e6cc4b2e7080df4a9614b43a6779a1

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\crjyugkrbl.exe

Filesize
107KB

MD5
be6627a26dc753ab09ca6c6500790909

SHA1
69f3f76641e79edd5bb3c5c6e2199ca44f53b1ce

SHA256
9e7f15263cf46cd93acd4e80043720dfabc9332e4e204a817fa15a2a7271c024

SHA512
7938004f3a0aea171b54d74400acdc47a66d76295902f1981844f52e93e7e7363190b7a1d9b1e11299f7115bbf3ee634eb879eee085aeaf73ebc4aa32d359466

Download Submit
\Windows\SysWOW64\ixtybdxxnqruumj.exe

Filesize
69KB

MD5
9caf21c47d1d65584b05acfb3f184e2d

SHA1
db48f3e099885e8424196fbceaf7f1fe646711fa

SHA256
093a86246d83ca00897ae2b76c49b2aa5ad48eb4654cf0ad0f0d3916da188b9c

SHA512
5b506668c884ff43613be5be789575c28fa3c03233db3828ea6734fa15314485f1dfa2ece3b4ba89e39b65336120b0431386f97683b26d4f8a6061df137afa90

Download Submit
\Windows\SysWOW64\tqdpraszdrvkz.exe

Filesize
74KB

MD5
526206bb3d7d4ead109f316e7394053f

SHA1
e36eb45ce89a96856ca139e9e9e8c8ee51b81551

SHA256
1b1ee696c703db5e86d405d97417be188695505db111664df844063eb43432d4

SHA512
527c6f5a8cb1145c78f28cc681b57103d7278e517d9afdb2a22257c51a2506d1cc84ef46b3379ce9a968cdf9059cc1c9395d0aedef6aff1eb733aa5cf097a019

Download Submit
\Windows\SysWOW64\zitcxgiu.exe

Filesize
33KB

MD5
5f15d6798edf154d87f656b47a6d1921

SHA1
6a7f05fa25962ee5932b1da58b0987d1aa1a2811

SHA256
775109b639ede779b117f0f2b9a0a3e90db52bd772d1702de17d4b9839d5db52

SHA512
f9e6a0ad87c75b6d715f448a17adfa49a4cbe81f72fe99d03c11bc1b3afc849861872a6e105cc732d1944832bf55ca59840738bda742d062005ea475bc8d12ce

Download Submit
\Windows\SysWOW64\zitcxgiu.exe

Filesize
44KB

MD5
d4972fab59bd020b6c542b606c391387

SHA1
ec218d5b537dbeea1eff537636dd8710b325550c

SHA256
6a865a8a8f6c6015b62a59aebadf7f7a59dd5002b9812bd2bdd26f4e38b916b2

SHA512
f7e497374e351b2c61a2026eb4f852e291570f129e25e0322535886856ea63e99c984fa88358ffaf1baef4a6e27af0a65a6ba3beaa136420067fa851d97cba7a

Download Submit
memory/2216-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2484-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2484-47-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2484-45-0x000000002F541000-0x000000002F542000-memory.dmp

Filesize
4KB

Download
memory/2484-72-0x0000000070E4D000-0x0000000070E58000-memory.dmp

Filesize
44KB

Download
memory/2484-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download