Analysis

max time kernel: 4s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 00:46
Static task: static1
Behavioral task: behavioral1
  Sample: 1df76fffd85fdcb914424f68c21ec57b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1df76fffd85fdcb914424f68c21ec57b.exe
  Resource: win10v2004-20231215-en
General

Target: 1df76fffd85fdcb914424f68c21ec57b.exe
Size: 512KB
MD5: 1df76fffd85fdcb914424f68c21ec57b
SHA1: 87553925233cf61720a67788d904fb1767d5b9e9
SHA256: cd40e055e2f92afa14102e1a13ef3b8be2f96e84786f914c3ce8e8a8322139ec
SHA512: d707f53247cd99bf5547e96592f8e3bf2e20fef913beb27f15dd4e4b98acff6c09bde74f8b846f1dfcf7d1b9b92cd0f79aa27314881c1416f5f75c58e251d487
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: qqldznmuia.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: qqldznmuia.exe)

Windows security bypass (5 IoCs; signature name as listed for qqldznmuia.exe in the Processes section, the heading itself is missing from the report)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: qqldznmuia.exe)

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: qqldznmuia.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
Executes dropped EXE (5 IoCs)
  PID 3604 qqldznmuia.exe
  PID 2036 xmofeauirbsppax.exe
  PID 2200 cegwnbcu.exe
  PID 624 yblztqdbtzlnj.exe
  PID 4996 cegwnbcu.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Windows security modification (6 IoCs; signature name as listed for qqldznmuia.exe in the Processes section, the heading itself is missing from the report)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: qqldznmuia.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kvxrckpv = "qqldznmuia.exe" (process: xmofeauirbsppax.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\unmtiezw = "xmofeauirbsppax.exe" (process: xmofeauirbsppax.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yblztqdbtzlnj.exe" (process: xmofeauirbsppax.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by qqldznmuia.exe (21 entries): \??\a:, \??\b:, \??\g:, \??\h:, \??\i:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:
  File opened (read-only) by cegwnbcu.exe (43 entries; two instances of cegwnbcu.exe ran): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (each opened twice, except \??\l:, \??\p: and \??\v:, which were opened once)
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: qqldznmuia.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: qqldznmuia.exe)
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
  resource: behavioral2/memory/4972-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara_rule: autoit_exe)
  resource: behavioral2/files/0x000600000002320a-31.dat (yara_rule: autoit_exe)
  resource: behavioral2/files/0x0006000000023209-28.dat (yara_rule: autoit_exe)
  resource: behavioral2/files/0x0007000000023205-23.dat (yara_rule: autoit_exe)
  resource: behavioral2/files/0x0007000000023205-22.dat (yara_rule: autoit_exe)
  resource: behavioral2/files/0x0007000000023202-19.dat (yara_rule: autoit_exe)
Drops file in System32 directory (9 IoCs)
  File opened for modification C:\Windows\SysWOW64\qqldznmuia.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File created C:\Windows\SysWOW64\xmofeauirbsppax.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File opened for modification C:\Windows\SysWOW64\xmofeauirbsppax.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File created C:\Windows\SysWOW64\yblztqdbtzlnj.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File opened for modification C:\Windows\SysWOW64\yblztqdbtzlnj.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: qqldznmuia.exe)
  File created C:\Windows\SysWOW64\qqldznmuia.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File created C:\Windows\SysWOW64\cegwnbcu.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  File opened for modification C:\Windows\SysWOW64\cegwnbcu.exe (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
Drops file in Program Files directory (15 IoCs, all by cegwnbcu.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
  File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
  File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Drops file in Windows directory (3 IoCs)
  File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
  File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
  File opened for modification C:\Windows\mydoc.rtf (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class (20 IoCs)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: qqldznmuia.exe)
  Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12F4790389E53BFBAD032EFD4B8" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B3FF6C22DAD273D0A58B799017" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C67F1594DBBFB8CD7CE1EC9437CE" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422D799C2583206D3676A570542DDB7D8764D8" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFFC482C821B903CD65F7D91BDEFE636583667346330D79E" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: qqldznmuia.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: qqldznmuia.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: qqldznmuia.exe)
  Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFAB9F962F1E483753B40819E3998B38D028F42120239E2CE429A09A2" (process: 1df76fffd85fdcb914424f68c21ec57b.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: qqldznmuia.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: qqldznmuia.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 1444 WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4972 1df76fffd85fdcb914424f68c21ec57b.exe (16 entries)
  PID 3604 qqldznmuia.exe (10 entries)
  PID 2036 xmofeauirbsppax.exe (10 entries)
  PID 2200 cegwnbcu.exe (8 entries)
  PID 624 yblztqdbtzlnj.exe (12 entries)
  PID 4996 cegwnbcu.exe (8 entries)

Suspicious use of FindShellTrayWindow (18 IoCs)
  PID 4972 1df76fffd85fdcb914424f68c21ec57b.exe (3 entries)
  PID 2036 xmofeauirbsppax.exe (3 entries)
  PID 3604 qqldznmuia.exe (3 entries)
  PID 2200 cegwnbcu.exe (3 entries)
  PID 624 yblztqdbtzlnj.exe (3 entries)
  PID 4996 cegwnbcu.exe (3 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
  PID 4972 1df76fffd85fdcb914424f68c21ec57b.exe (3 entries)
  PID 2036 xmofeauirbsppax.exe (3 entries)
  PID 3604 qqldznmuia.exe (3 entries)
  PID 2200 cegwnbcu.exe (3 entries)
  PID 624 yblztqdbtzlnj.exe (3 entries)
  PID 4996 cegwnbcu.exe (3 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 1444 WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 4972 (1df76fffd85fdcb914424f68c21ec57b.exe) wrote to memory of 3604, procid_target 27 (3 entries)
  PID 4972 (1df76fffd85fdcb914424f68c21ec57b.exe) wrote to memory of 2036, procid_target 26 (3 entries)
  PID 4972 (1df76fffd85fdcb914424f68c21ec57b.exe) wrote to memory of 2200, procid_target 19 (3 entries)
  PID 4972 (1df76fffd85fdcb914424f68c21ec57b.exe) wrote to memory of 624, procid_target 25 (3 entries)
  PID 4972 (1df76fffd85fdcb914424f68c21ec57b.exe) wrote to memory of 1444, procid_target 21 (2 entries)
  PID 3604 (qqldznmuia.exe) wrote to memory of 4996, procid_target 24 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1df76fffd85fdcb914424f68c21ec57b.exe (PID 4972, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1df76fffd85fdcb914424f68c21ec57b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cegwnbcu.exe (PID 2200, level 2)
    Command line: cegwnbcu.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1444, level 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\yblztqdbtzlnj.exe (PID 624, level 2)
    Command line: yblztqdbtzlnj.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xmofeauirbsppax.exe (PID 2036, level 2)
    Command line: xmofeauirbsppax.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\qqldznmuia.exe (PID 3604, level 2)
    Command line: qqldznmuia.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\cegwnbcu.exe (PID 4996, level 1)
  Command line: C:\Windows\system32\cegwnbcu.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads

Filesize: 92KB
MD5: 6662b185f19fbf697c56a25c92de7961
SHA1: 0df0c0df0de3724258df2549c583e3c934aca726
SHA256: c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512: c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Filesize: 512KB
MD5: 3660b69421fa2ac30dbe0aceb7c14e67
SHA1: c01ec3e85e3e3860024281cea2183905f8cb6d5b
SHA256: 547b5a0a5f0ab52f1ac564ac086795209f110a826535baff4f504c2cab2a7e68
SHA512: 6e158308be874d1430ee7662d6684db6bff63749c561d2d64b1f3dfa1574432e85cff508ec35486cd0f0a62d2bfa32fb6cf4b4af9b0f55707f8c2a7d9fd58b28

Filesize: 512KB
MD5: f8be0cbfae8a438ecda67b4bf6ca2346
SHA1: 21f2f2a2a6f08cb6a94d13700117e92ef6e38c8e
SHA256: 1e9db2c21728ef88412a5a2b0c148bf96ddbd8f36495e9ff24782ecf6c7fb1aa
SHA512: ac75f606878cec9206de590ea1a8e54f7485ca5eebce1f0c2c6bc634b1d74d9f3ff9a27c66c0fd8cde95d96e07d80f2156508fbfc39b20d718d2311acbabf5a0

Filesize: 135KB
MD5: 095528e75ff0f6cb403a5bbe807535b1
SHA1: fe0f98abee9eaf0412d80c65f5b935585b235c12
SHA256: 41836802a29e28a89732e0db29578e2a75d758d57e09bf413b334fa8fe80ebab
SHA512: 9ad990bb4667d9b002f74dc103e894fa92c7fa025588427fa9e6e3704322296d6a65548b9e56e3c297b061ef135d0fd07130f469f76705e1001040c87972d5ff