Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/12/2023, 19:28
Static task: static1
Behavioral task: behavioral1
- Sample: 0d7fce70aca9ba6de2e300b04fbb598a.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0d7fce70aca9ba6de2e300b04fbb598a.exe
- Resource: win10v2004-20231215-en
General
- Target: 0d7fce70aca9ba6de2e300b04fbb598a.exe
- Size: 512KB
- MD5: 0d7fce70aca9ba6de2e300b04fbb598a
- SHA1: cb111d8408be1350abc3351897ac7d6a80cd443d
- SHA256: 258aaf878f86e50ef7871a91fddc9a8ac18a45a9b562c056c072732ccac592be
- SHA512: a67dda0f07bcc17c5d86ae5c513a19daaacdb97a58d551b5656811933bd3c0f53d0e8cea1c3697c007b8172976be67b7ad6be341d3208faaafc34aed2a83f07e
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (xekozvqbjm.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (xekozvqbjm.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (xekozvqbjm.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (xekozvqbjm.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (0d7fce70aca9ba6de2e300b04fbb598a.exe)
Executes dropped EXE 5 IoCs
- PID 2072 xekozvqbjm.exe
- PID 3960 tqudjpijroogtgb.exe
- PID 4500 dbhksjzg.exe
- PID 1196 aucfljtpqkttg.exe
- PID 3116 dbhksjzg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (xekozvqbjm.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fmfigkzp = "xekozvqbjm.exe" (tqudjpijroogtgb.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yiulhkpn = "tqudjpijroogtgb.exe" (tqudjpijroogtgb.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aucfljtpqkttg.exe" (tqudjpijroogtgb.exe)
All three values are bare file names rather than full paths (the third is written to the key's default value); the matching executables are the copies the sample dropped into C:\Windows\SysWOW64.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (each letter listed once; the raw list repeats letters because dbhksjzg.exe ran twice, as PIDs 4500 and 3116):
- xekozvqbjm.exe (22 entries): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- dbhksjzg.exe (42 entries over two instances): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (xekozvqbjm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (0xFFFFFF9D) (xekozvqbjm.exe)
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/1836-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x000800000002320b-5.dat
- behavioral2/files/0x000800000002320b-23.dat
- behavioral2/files/0x0006000000023210-27.dat
- behavioral2/files/0x0006000000023211-32.dat
- behavioral2/files/0x0006000000023211-31.dat
- behavioral2/files/0x0006000000023210-26.dat
- behavioral2/files/0x000800000002320b-22.dat
- behavioral2/files/0x000c00000002315e-19.dat
- behavioral2/files/0x000c00000002315e-18.dat
- behavioral2/files/0x0006000000023210-35.dat
- behavioral2/files/0x0003000000022757-83.dat
- behavioral2/files/0x000600000002322e-104.dat
- behavioral2/files/0x000600000002322e-102.dat
- behavioral2/files/0x000600000002322e-109.dat
Drops file in System32 directory 13 IoCs
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created C:\Windows\SysWOW64\dbhksjzg.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (xekozvqbjm.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification C:\Windows\SysWOW64\tqudjpijroogtgb.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File created C:\Windows\SysWOW64\aucfljtpqkttg.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification C:\Windows\SysWOW64\dbhksjzg.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File created C:\Windows\SysWOW64\xekozvqbjm.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification C:\Windows\SysWOW64\xekozvqbjm.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File created C:\Windows\SysWOW64\tqudjpijroogtgb.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification C:\Windows\SysWOW64\aucfljtpqkttg.exe (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (dbhksjzg.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (dbhksjzg.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (dbhksjzg.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (dbhksjzg.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (dbhksjzg.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (dbhksjzg.exe)
Drops file in Windows directory 19 IoCs
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File opened for modification C:\Windows\mydoc.rtf (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (dbhksjzg.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (dbhksjzg.exe)
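The three "Drops file" signatures above share one pattern: dbhksjzg.exe writes an executable whose name is an Office document name plus .exe (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe, MsoIrmProtector.doc.exe) next to the real files, and in Program Files a .nal file appears beside each one. The scanner below is an added example written for this page; it is not part of the sandbox report or of any tool the report came from. It walks a directory tree, flags document-named .exe files, reads the first two bytes so a plain rename is not reported as a PE, and records whether a same-stem .nal sibling exists. The fixture tree built by build_sample_tree() is constructed for the example and only mimics the paths above; the fake PE bytes and decoy files in it are assumptions, not the sample's real contents.

```python
"""Find document-named executables like the PROTTPLN.DOC.exe and
MsoIrmProtector.doc.exe drops listed above.

Added example, not part of the sandbox report. The fixture built by
build_sample_tree() is constructed for the example; it mimics the
report's drop paths and nothing else.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Document extensions the report's drops impersonate, plus a few common
# ones; the match is case-insensitive so .DOC.exe and .doc.exe both hit.
DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt")
DISGUISED_RE = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str          # file carrying a document name and an .exe suffix
    is_pe: bool        # True if it really starts with the MZ header
    nal_sibling: bool  # True if <stem>.nal sits in the same directory


def is_pe(path: str) -> bool:
    """True if the file starts with the MZ DOS header; a renamed text
    file (or an unreadable path) does not count."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_disguised_executables(root: str) -> list:
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {n.lower() for n in files}
        for name in files:
            m = DISGUISED_RE.search(name)
            if not m:
                continue
            stem = name[: m.start()]  # PROTTPLN.DOC.exe -> PROTTPLN
            full = os.path.join(dirpath, name)
            findings.append(Finding(full, is_pe(full), (stem + ".nal").lower() in lowered))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> None:
    """Constructed fixture: fake PEs at the report's drop locations, one
    .nal sibling, and a few decoys that must not be flagged."""
    office = os.path.join(root, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    msdrm = os.path.join(root, "Windows", "SysWOW64", "MSDRM")
    os.makedirs(office)
    os.makedirs(msdrm)
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    samples = {
        os.path.join(office, "PROTTPLN.DOC.exe"): fake_pe,
        os.path.join(office, "PROTTPLN.nal"): b"{\\rtf1 placeholder}",
        os.path.join(office, "PROTTPLV.DOC.exe"): fake_pe,
        os.path.join(msdrm, "MsoIrmProtector.doc.exe"): fake_pe,
        os.path.join(office, "README.docx"): b"PK\x03\x04",   # real document, ignored
        os.path.join(office, "notes.doc.exe"): b"just text",  # suspicious name, not a PE
        os.path.join(root, "Windows", "SysWOW64", "calc.exe"): fake_pe,  # plain .exe, ignored
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> list:
    """Build the fixture in a temp dir, scan it, and return findings with
    paths made relative and slash-separated so they compare portably."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [
            Finding(os.path.relpath(f.path, root).replace(os.sep, "/"), f.is_pe, f.nal_sibling)
            for f in find_disguised_executables(root)
        ]


if __name__ == "__main__":
    for f in demo():
        print(f"{'PE    ' if f.is_pe else 'not PE'}  nal={str(f.nal_sibling):5}  {f.path}")
```

Run against a real volume, the MZ check is what separates the report's drops from harmless oddly named files; the .nal sibling is reported as a fact, not interpreted, since the report only shows the file being written.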
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Both of these hardware lookups are attributed to WINWORD.EXE, which the sample launched on C:\Windows\mydoc.rtf, not to the sample or any of its dropped copies, so they say nothing about the malware's own anti-analysis behaviour.
Modifies registry class 20 IoCs
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (xekozvqbjm.exe)
- Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67814E7DAB7B8CC7C94EC9E34C7" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7D9C2283506D3677D677272CDC7D8464AF" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8F9CCFE13F1E2837A3A4186EB39E2B38D02FB4367033EE2CA42E708A8" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC82485A85689134D72D7E91BC94E633593566436243D7EA" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BB8FE1D21D1D20ED0A58B08906A" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (xekozvqbjm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (xekozvqbjm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (xekozvqbjm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (xekozvqbjm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B12847E639E952CDBAA7339FD7BE" (0d7fce70aca9ba6de2e300b04fbb598a.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (xekozvqbjm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (xekozvqbjm.exe)
Pointing the default value of .bat, .reg, .vbs, .wsf, .wsh and .wsc at the txtfile ProgID makes the shell open those files in a text editor instead of executing them, which blocks script- and .reg-based cleanup until the associations are restored. The CLV.Classes values are opaque hex strings written by the sample; the report does not say what they encode.
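Every registry IoC in this report (the Explorer visibility flags, the Security Center overrides, DisableRegistryTools, the Winlogon SFC values, the script-extension remap above and the Run values) is a plain SetValue event, so the whole set can be matched from Sysmon Event ID 13 telemetry. The detector below is an added example written for this page, not part of the sandbox report or of Sysmon. Its tab-separated record layout (EventID, Image, TargetObject, Details) and the sample records are constructed for the example; Sysmon's own output is EVTX or XML, but the "DWORD (0x...)" encoding of the Details field follows what Sysmon writes. WOW6432Node is stripped from key paths before matching so the 32-bit view (which is what this sample wrote) and the 64-bit view hit the same rule.

```python
"""Match Sysmon-style registry SetValue records against the registry IoCs
listed in this report.

Added example, not part of the sandbox report. Record layout (tab-separated
EventID, Image, TargetObject, Details) and the sample records are
constructed for the example; the "DWORD (0x...)" Details encoding is the
one Sysmon uses.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryHit:
    image: str
    target: str
    data: str    # value data after normalisation (DWORDs as decimal text)
    label: str


# Indicators lifted from the report. Tuple: (key-path suffix regex, value
# name regex, data regex, label). Key paths are matched after lower-casing
# and removing WOW6432Node, so the 32-bit view matches the same rule.
REGISTRY_IOCS = [
    (r"explorer\\advanced", r"^hidefileext$", r"^1$", "hide file extensions (HideFileExt=1)"),
    (r"explorer\\advanced", r"^showsuperhidden$", r"^0$", "hide hidden/system files (ShowSuperHidden=0)"),
    (r"policies\\system", r"^disableregistrytools$", r"^1$", "regedit disabled (DisableRegistryTools=1)"),
    (r"microsoft\\security center", r"^(antivirus|firewall)override$", r"^1$", "Security Center override"),
    (r"microsoft\\security center", r"^((antivirus|firewall|updates)disablenotify|firstrundisabled)$", r"^1$",
     "Security Center notifications disabled"),
    (r"windows nt\\currentversion\\winlogon", r"^sfcscan$", r"^0$", "Winlogon SFCScan=0"),
    (r"windows nt\\currentversion\\winlogon", r"^sfcdisable$", r"^4294967197$", "Winlogon SFCDisable=0xFFFFFF9D"),
    (r"classes\\\.(bat|reg|vbs|wsf|wsh|wsc)", r"^\(default\)$", r"^txtfile$", "script extension remapped to txtfile"),
    # The report's Run values hold a bare file name; installers almost always
    # write a full path, so a bare name is worth a look on its own.
    (r"currentversion\\run", r".+", r"^[^\\/:]+\.exe$", "Run value with bare file name"),
]


def _normalise_data(details: str) -> str:
    """'DWORD (0x00000001)' -> '1'; string data is returned unchanged."""
    m = re.fullmatch(r"(?:DWORD|QWORD) \((0x[0-9a-fA-F]+)\)", details)
    return str(int(m.group(1), 16)) if m else details


def _split_target(target: str):
    """Split 'HIVE\\...\\key\\value' into (key, value), lower-cased, WOW6432Node removed."""
    key, _, value = target.rpartition("\\")
    key = re.sub(r"\\wow6432node(?=\\)", "", key, flags=re.IGNORECASE)
    return key.lower(), value.lower()


def match_registry_event(target: str, details: str):
    """Return the label of the first IoC matching one SetValue event, or None."""
    key, value = _split_target(target)
    data = _normalise_data(details)
    for key_suffix, value_re, data_re, label in REGISTRY_IOCS:
        if (re.search(key_suffix + r"$", key)
                and re.fullmatch(value_re, value)
                and re.fullmatch(data_re, data)):
            return label
    return None


def scan_registry_events(lines) -> list:
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4 or fields[0] != "13":
            continue  # only RegistryEvent SetValue records are of interest
        _, image, target, details = fields
        label = match_registry_event(target, details)
        if label:
            hits.append(RegistryHit(image, target, _normalise_data(details), label))
    return hits


# Constructed records mirroring the report's IoCs, plus two benign ones.
_X = "C:\\Windows\\SysWOW64\\xekozvqbjm.exe"
_T = "C:\\Windows\\SysWOW64\\tqudjpijroogtgb.exe"
_HKU = "HKU\\S-1-5-21-3791175113-1062217823-1177695025-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
_HKLM = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft"


def _rec(image, target, details):
    return "\t".join(("13", image, target, details))


SAMPLE_LOG = [
    _rec(_X, _HKU + "\\Explorer\\Advanced\\HideFileExt", "DWORD (0x00000001)"),
    _rec(_X, _HKU + "\\Explorer\\Advanced\\ShowSuperHidden", "DWORD (0x00000000)"),
    _rec(_X, _HKU + "\\Policies\\System\\DisableRegistryTools", "DWORD (0x00000001)"),
    _rec(_X, _HKLM + "\\Security Center\\AntiVirusOverride", "DWORD (0x00000001)"),
    _rec(_X, _HKLM + "\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable", "DWORD (0xFFFFFF9D)"),
    _rec(_X, "HKLM\\SOFTWARE\\Classes\\.bat\\(Default)", "txtfile"),
    _rec(_T, _HKLM + "\\Windows\\CurrentVersion\\Run\\fmfigkzp", "xekozvqbjm.exe"),
    # benign: a user turning extensions back on, and a normal full-path Run value
    _rec("C:\\Windows\\explorer.exe", _HKU + "\\Explorer\\Advanced\\HideFileExt", "DWORD (0x00000000)"),
    _rec("C:\\Temp\\setup.exe", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
         "C:\\Program Files\\Vendor\\updater.exe"),
]


if __name__ == "__main__":
    for hit in scan_registry_events(SAMPLE_LOG):
        image_name = hit.image.rsplit("\\", 1)[-1]
        print(f"{image_name:24} {hit.label:45} {hit.target}")
```

The two benign records show the rules' precision: HideFileExt set back to 0 by explorer.exe is not reported, and a Run value that carries a full path is not reported. The SFCDisable rule matches the decimal form because the DWORD is normalised before comparison; 0xFFFFFF9D and "4294967197" are the same value.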
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3884 WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 1836 0d7fce70aca9ba6de2e300b04fbb598a.exe (16 hits)
- PID 2072 xekozvqbjm.exe (10 hits)
- PID 1196 aucfljtpqkttg.exe (12 hits)
- PID 4500 dbhksjzg.exe (8 hits)
- PID 3960 tqudjpijroogtgb.exe (12 hits)
- PID 3116 dbhksjzg.exe (6 hits)
Suspicious use of FindShellTrayWindow 18 IoCs
- 3 hits each for PID 1836 0d7fce70aca9ba6de2e300b04fbb598a.exe, PID 2072 xekozvqbjm.exe, PID 1196 aucfljtpqkttg.exe, PID 4500 dbhksjzg.exe, PID 3960 tqudjpijroogtgb.exe and PID 3116 dbhksjzg.exe
Suspicious use of SendNotifyMessage 18 IoCs
- 3 hits each for PID 1836 0d7fce70aca9ba6de2e300b04fbb598a.exe, PID 2072 xekozvqbjm.exe, PID 1196 aucfljtpqkttg.exe, PID 4500 dbhksjzg.exe, PID 3960 tqudjpijroogtgb.exe and PID 3116 dbhksjzg.exe
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3884 WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 1836 (0d7fce70aca9ba6de2e300b04fbb598a.exe) wrote to memory of PID 2072, procid_target 93 (3 hits)
- PID 1836 (0d7fce70aca9ba6de2e300b04fbb598a.exe) wrote to memory of PID 3960, procid_target 92 (3 hits)
- PID 1836 (0d7fce70aca9ba6de2e300b04fbb598a.exe) wrote to memory of PID 4500, procid_target 89 (3 hits)
- PID 1836 (0d7fce70aca9ba6de2e300b04fbb598a.exe) wrote to memory of PID 1196, procid_target 90 (3 hits)
- PID 1836 (0d7fce70aca9ba6de2e300b04fbb598a.exe) wrote to memory of PID 3884, procid_target 95 (2 hits)
- PID 2072 (xekozvqbjm.exe) wrote to memory of PID 3116, procid_target 96 (3 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\0d7fce70aca9ba6de2e300b04fbb598a.exe (PID 1836)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d7fce70aca9ba6de2e300b04fbb598a.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dbhksjzg.exe (PID 4500)
    Command line: dbhksjzg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\aucfljtpqkttg.exe (PID 1196)
    Command line: aucfljtpqkttg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\tqudjpijroogtgb.exe (PID 3960)
    Command line: tqudjpijroogtgb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\xekozvqbjm.exe (PID 2072)
    Command line: xekozvqbjm.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\dbhksjzg.exe (PID 3116)
      Command line: C:\Windows\system32\dbhksjzg.exe (the 32-bit parent asked for System32; WOW64 file system redirection resolved it to the SysWOW64 copy)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3884)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Opens C:\Windows\mydoc.rtf, which the sample itself wrote first (see "Drops file in Windows directory").
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 6
Downloads
Note: the two CustomDestinations entries are Word jump-list files created when WINWORD.EXE opened the decoy document; they are sandbox-side artifacts of that action, not files dropped by the sample. Entries without a path were exported without one.
-
  Filesize 239B
  MD5 12b138a5a40ffb88d1850866bf2959cd
  SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize 3KB
  MD5 bb96d8791fe5076502f5d8c0411d6090
  SHA1 06005003880e313255556d9454f0c91551593a27
  SHA256 77fd091d6300bb14f86a4c90ac4f92bc1ee35687318ce6051f4ae36cfc964136
  SHA512 a0b6109e704aef0ce6e69de7f8298de8eca17b4c95633e7628da3d01c54f8f9947c7d8987609973a5384dd2dc9cb08590138bf6b29e3296d4697ff23ecfd193a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize 3KB
  MD5 d5d11f9965f64da3d110a9a92eda15b6
  SHA1 6119c10d9c11aed0f020189abe202a79e08f9d25
  SHA256 916e288cf94534971ad349104f20a1fd543f5157e68da354a0da05bf3d756bea
  SHA512 b6b348de65e0d190ec77c18cfc67cc06f0994454b3cc17d7a2b90fb587c7ae4cea8cff2d3b3cb5dde01e7c9d830ed2bc62711cc2676ed9383855b6e905299de8
-
  Filesize 225KB
  MD5 ebb0a12a461c8aebeaf1f1e9fedae8e0
  SHA1 507b1cae01cc8013b73f04eb5c19e991848ee04a
  SHA256 20e1efdc929ae35d27fed6641909395b44741a0c146f75b02e3e06602ecd835d
  SHA512 f04db7d825e28a52b8c7ea399491a452f56cc10eabb6892affdac858fd8748ff7b0a397dfee68d8d130e3ba343d4a2b269619d4c9adbf87e9aa2aab0b24254f2
-
  Filesize 237KB
  MD5 4ef8d1623be230b81d7fea0308ad1cbc
  SHA1 6eb5c5b07e5ed8c2bfe51ed70476928119b60a26
  SHA256 17f7bfdde51a9427d505e338d5a721d44a0b430000ade8010554001c258db93e
  SHA512 25f61326d266b1f65b7bed2807c172193445c216bf115b295a184ec531a0a8bf081ecbf9f39052a1667458d0dec90127d59743e519dbcd624917141949044f2a
-
  Filesize 137KB
  MD5 e088c6972c41a17ff8b85d61a67f5bb1
  SHA1 3501fbafb6f38e81b00b5034f183e7cec11fccf1
  SHA256 e369c457c09e215e4c4eafad56eb8c8f1ce162a732241b9ffd76b90a1d205554
  SHA512 5c8d447ea485c5955b58b7a8157ecdff92839a389ef19301343e99dfb961d2ca96026ff68ee2dade756ba95e84c2b7c41485c0f8695b31e05772fb5cb92e09f1
-
  Filesize 138KB
  MD5 a84a80c011923c4dc67312386fa6bef5
  SHA1 afdcbda6dd8056cdbd7ada771c309034cebb459f
  SHA256 c385cf6ab475893a0dc9f8bc2062032d1d56ff3fea2790f51b402c0eea5f3dd1
  SHA512 6eae58fc0e310a79c53ceae271561716224df17cafee233f753bfdaf2e5f10e24d86265d09aa6e1d19b67b742d6b1d3d0cf11a2e4338f78af0acbc630d0ff6f6
-
  Filesize 149KB
  MD5 5a1366d811460096a3c3f9960094826e
  SHA1 73404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a
  SHA256 4e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92
  SHA512 95d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1
-
  Filesize 195KB
  MD5 9dc7ebf1a49eace3e46f9216f4a46196
  SHA1 9fda49e7e0839ba6f9924915bf3d8131d24165a2
  SHA256 dd6bcdfa0c4dab7763ac49ca9cbf772d15107c26ce0bdc4f0b80283c077ac835
  SHA512 9568eb65ed5eb1212040ac0bb1b67d395084120fcca64113e67af808049da4477734c6804e940e26ca6a573978aad8c29e5ab917f3a9307531e4f17ddea764d5
-
  Filesize 130KB
  MD5 07de897dc957d0824d58c16ee8bde3c7
  SHA1 79d70ed4ed09bd877ad565f5ca4a22827ea02329
  SHA256 7356f780ebf532915dc1944abee20f63b129951de3b2898bac1b29a5fece4506
  SHA512 675ddbe22c0d7f0d62f16792c561fc2cd41fa424dbe9e87e94dc73d4239a21c836c46fd1e726bb231e2a889ebc8b093f57a53e75c46ca19686ba41ef117d3b3d
-
  Filesize 319KB
  MD5 ca0940acc1ec547d556e2d87f1e44a9e
  SHA1 e52db3a1cdd79e71431a127bd4758f6e3b96ba5f
  SHA256 a4b4df19811c56e35d58e4ebb3ca66f0344e79332862ff0ea86eead90e17c4c1
  SHA512 58de47d9f4541ea29df54dd8c02186271364b98a06499922d3a28df2886f9d4005b4201a52cf72d131004b426ed6214f15763d0508293fc4a00e5e1967d6cbfd
-
  Filesize 196KB
  MD5 065d4801bd27ae3555289ce1aee61079
  SHA1 2f308e5297161e3540050a294174c259de2b844d
  SHA256 693a027e6d62f71ca6a8ebec4e23b536e3d485ee724262bb9f8d1e14e7c1ed3a
  SHA512 694cb2eb1b9186925cf5836c215974abb094c4fc07bb5e229b5af46dd16888987e770815591493d21b30359c721cd0e0ad75addb56b450c1d6001b56568f4813
-
  Filesize 250KB
  MD5 05471aa5395980d520096b3b979a712e
  SHA1 9cbf5858e3660b925c53f542862a1b3cba574d3a
  SHA256 f540590f000627c8306e7bb91fad49447a6cb36d050a9100c8d67346432eed54
  SHA512 b915fd5070d9952391424e22a8c9af397480fa03c9537bfa3b1b92c5b7d5210a40f91ddf967c32d69d59bae3e90709fee3eb5315c307d5dc8999b6fe5097e5c8
-
  Filesize 223B
  MD5 06604e5941c126e2e7be02c5cd9f62ec
  SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
  Filesize 263KB
  MD5 6cb88c59deb1b9e21a7ed6a1edc0c205
  SHA1 fcaea203b6a990891a02db8193874c5baeda5492
  SHA256 432c469b50c1388b127be05877a5632c05507ecddad9b025dc9e6b646e308029
  SHA512 e07d623c0821da4aa3e14c3f4979daa9ae0bc76923415d2a0c8a277b8e38decc24972481c2d0bdf4b6608ad86f7cd28906372a5aecf9c84bcb2f3bb483d7a2f4
-
  Filesize 89KB
  MD5 2704a14366b7344aa9fdaf82278f7211
  SHA1 165fe58844f14dbed9b783347d4630eae87d6ad8
  SHA256 a2c7ca42d24aa2bb1effe8210c72c285a60cae105c6be99fe04be5b890c7aec0
  SHA512 3b2bff68463b3afab2f4d5ca9385ebebdd055d0e623424262e9f1d381fcbea06e367fb04ddf1c28d4c74179a2227d77fd4d7f31630a86013152962f590a0f034
-
  Filesize 14KB
  MD5 c8f23fc3db4bd538b8d8a1ebf04aab80
  SHA1 130c5933706e998894700d5d80b954d402a6ad4a
  SHA256 8aa27d3da802c81ccd887c821217446f27f9ca85fb4c5ab2abc78a82cfb0e633
  SHA512 6f6a223c9beeda49365954cc5ea0b1014067bec0955f066d8471a8cacf9792462dfa19aade2269716dc92ba02b1abe348cbbf2da54a8a4065c0635daf5459a71