0b368fdd71b01427305ff759bcc6e25d5e1058b58ab0b444170d3372194a267c

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a73c4aa55189821f2fbacfefb0ea22.exe
Size

512KB
MD5

02a73c4aa55189821f2fbacfefb0ea22
SHA1

7be499fe466d3094a9b1e19def2fb9ae3ccdac3f
SHA256

0b368fdd71b01427305ff759bcc6e25d5e1058b58ab0b444170d3372194a267c
SHA512

12f44ab4ac044ae7ca1ee553f5c600782ab87aaa2114e59ddec7fb625baa6e09e479ced692ce772f1a3c18e553e23b49e09d9554f99aaca59e2c437cd45cd307
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	drrqupzxnf.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	drrqupzxnf.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	drrqupzxnf.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	drrqupzxnf.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2988	drrqupzxnf.exe
2672	rcmpgyzstrprtwz.exe
2760	idhzrizv.exe
2436	syrbxcruklemk.exe
2568	idhzrizv.exe

Loads dropped DLL 5 IoCs

pid	Process
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2988	drrqupzxnf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	drrqupzxnf.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "syrbxcruklemk.exe"	rcmpgyzstrprtwz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qlefiahr = "drrqupzxnf.exe"	rcmpgyzstrprtwz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iuknkwmq = "rcmpgyzstrprtwz.exe"	rcmpgyzstrprtwz.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	drrqupzxnf.exe
File opened (read-only)	\??\t:	idhzrizv.exe
File opened (read-only)	\??\e:	idhzrizv.exe
File opened (read-only)	\??\p:	idhzrizv.exe
File opened (read-only)	\??\m:	idhzrizv.exe
File opened (read-only)	\??\b:	idhzrizv.exe
File opened (read-only)	\??\j:	drrqupzxnf.exe
File opened (read-only)	\??\w:	drrqupzxnf.exe
File opened (read-only)	\??\h:	idhzrizv.exe
File opened (read-only)	\??\k:	idhzrizv.exe
File opened (read-only)	\??\o:	idhzrizv.exe
File opened (read-only)	\??\r:	idhzrizv.exe
File opened (read-only)	\??\p:	idhzrizv.exe
File opened (read-only)	\??\s:	idhzrizv.exe
File opened (read-only)	\??\m:	idhzrizv.exe
File opened (read-only)	\??\l:	drrqupzxnf.exe
File opened (read-only)	\??\j:	idhzrizv.exe
File opened (read-only)	\??\a:	drrqupzxnf.exe
File opened (read-only)	\??\t:	drrqupzxnf.exe
File opened (read-only)	\??\v:	drrqupzxnf.exe
File opened (read-only)	\??\q:	idhzrizv.exe
File opened (read-only)	\??\z:	idhzrizv.exe
File opened (read-only)	\??\l:	idhzrizv.exe
File opened (read-only)	\??\w:	idhzrizv.exe
File opened (read-only)	\??\k:	idhzrizv.exe
File opened (read-only)	\??\u:	drrqupzxnf.exe
File opened (read-only)	\??\w:	idhzrizv.exe
File opened (read-only)	\??\z:	drrqupzxnf.exe
File opened (read-only)	\??\i:	idhzrizv.exe
File opened (read-only)	\??\n:	idhzrizv.exe
File opened (read-only)	\??\l:	idhzrizv.exe
File opened (read-only)	\??\y:	idhzrizv.exe
File opened (read-only)	\??\p:	drrqupzxnf.exe
File opened (read-only)	\??\s:	drrqupzxnf.exe
File opened (read-only)	\??\y:	drrqupzxnf.exe
File opened (read-only)	\??\s:	idhzrizv.exe
File opened (read-only)	\??\v:	idhzrizv.exe
File opened (read-only)	\??\t:	idhzrizv.exe
File opened (read-only)	\??\o:	drrqupzxnf.exe
File opened (read-only)	\??\k:	drrqupzxnf.exe
File opened (read-only)	\??\q:	drrqupzxnf.exe
File opened (read-only)	\??\a:	idhzrizv.exe
File opened (read-only)	\??\j:	idhzrizv.exe
File opened (read-only)	\??\q:	idhzrizv.exe
File opened (read-only)	\??\z:	idhzrizv.exe
File opened (read-only)	\??\x:	idhzrizv.exe
File opened (read-only)	\??\a:	idhzrizv.exe
File opened (read-only)	\??\g:	drrqupzxnf.exe
File opened (read-only)	\??\u:	idhzrizv.exe
File opened (read-only)	\??\g:	idhzrizv.exe
File opened (read-only)	\??\e:	drrqupzxnf.exe
File opened (read-only)	\??\i:	drrqupzxnf.exe
File opened (read-only)	\??\r:	drrqupzxnf.exe
File opened (read-only)	\??\x:	drrqupzxnf.exe
File opened (read-only)	\??\r:	idhzrizv.exe
File opened (read-only)	\??\v:	idhzrizv.exe
File opened (read-only)	\??\m:	drrqupzxnf.exe
File opened (read-only)	\??\g:	idhzrizv.exe
File opened (read-only)	\??\b:	idhzrizv.exe
File opened (read-only)	\??\h:	drrqupzxnf.exe
File opened (read-only)	\??\o:	idhzrizv.exe
File opened (read-only)	\??\n:	drrqupzxnf.exe
File opened (read-only)	\??\i:	idhzrizv.exe
File opened (read-only)	\??\n:	idhzrizv.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	drrqupzxnf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	drrqupzxnf.exe

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d000000012262-5.dat	autoit_exe
behavioral1/files/0x0008000000012254-17.dat	autoit_exe
behavioral1/files/0x0008000000012254-20.dat	autoit_exe
behavioral1/files/0x000d000000012262-23.dat	autoit_exe
behavioral1/files/0x0008000000012254-22.dat	autoit_exe
behavioral1/files/0x000d000000012262-26.dat	autoit_exe
behavioral1/files/0x0035000000015da6-32.dat	autoit_exe
behavioral1/files/0x0035000000015da6-40.dat	autoit_exe
behavioral1/files/0x000700000001604a-38.dat	autoit_exe
behavioral1/files/0x000700000001604a-41.dat	autoit_exe
behavioral1/files/0x000700000001604a-34.dat	autoit_exe
behavioral1/files/0x0035000000015da6-29.dat	autoit_exe
behavioral1/files/0x0035000000015da6-43.dat	autoit_exe
behavioral1/files/0x0035000000015da6-42.dat	autoit_exe
behavioral1/files/0x000d000000012262-28.dat	autoit_exe
behavioral1/files/0x0006000000016d66-71.dat	autoit_exe
behavioral1/files/0x0006000000016d66-68.dat	autoit_exe
behavioral1/files/0x0006000000016d5c-66.dat	autoit_exe
behavioral1/files/0x0006000000016d72-79.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File created	C:\Windows\SysWOW64\idhzrizv.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	drrqupzxnf.exe
File created	C:\Windows\SysWOW64\drrqupzxnf.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\SysWOW64\drrqupzxnf.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\SysWOW64\idhzrizv.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File created	C:\Windows\SysWOW64\syrbxcruklemk.exe	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\SysWOW64\syrbxcruklemk.exe	02a73c4aa55189821f2fbacfefb0ea22.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	idhzrizv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	idhzrizv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	idhzrizv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	idhzrizv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	idhzrizv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	idhzrizv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	idhzrizv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	02a73c4aa55189821f2fbacfefb0ea22.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	drrqupzxnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	drrqupzxnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	drrqupzxnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	drrqupzxnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12E47E638E852CCBAA2339FD4B9"	02a73c4aa55189821f2fbacfefb0ea22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2684	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2568	idhzrizv.exe
2568	idhzrizv.exe
2568	idhzrizv.exe
2568	idhzrizv.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2672	rcmpgyzstrprtwz.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe
Token: SeShutdownPrivilege	1852	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2568	idhzrizv.exe
2568	idhzrizv.exe
2568	idhzrizv.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2412	02a73c4aa55189821f2fbacfefb0ea22.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2988	drrqupzxnf.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2672	rcmpgyzstrprtwz.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2760	idhzrizv.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
2436	syrbxcruklemk.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe
1852	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	WINWORD.EXE
2684	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2988	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	28
PID 2412 wrote to memory of 2988	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	28
PID 2412 wrote to memory of 2988	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	28
PID 2412 wrote to memory of 2988	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	28
PID 2412 wrote to memory of 2672	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	29
PID 2412 wrote to memory of 2672	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	29
PID 2412 wrote to memory of 2672	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	29
PID 2412 wrote to memory of 2672	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	29
PID 2412 wrote to memory of 2760	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	33
PID 2412 wrote to memory of 2760	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	33
PID 2412 wrote to memory of 2760	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	33
PID 2412 wrote to memory of 2760	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	33
PID 2412 wrote to memory of 2436	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	30
PID 2412 wrote to memory of 2436	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	30
PID 2412 wrote to memory of 2436	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	30
PID 2412 wrote to memory of 2436	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	30
PID 2988 wrote to memory of 2568	2988	drrqupzxnf.exe	31
PID 2988 wrote to memory of 2568	2988	drrqupzxnf.exe	31
PID 2988 wrote to memory of 2568	2988	drrqupzxnf.exe	31
PID 2988 wrote to memory of 2568	2988	drrqupzxnf.exe	31
PID 2412 wrote to memory of 2684	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	32
PID 2412 wrote to memory of 2684	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	32
PID 2412 wrote to memory of 2684	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	32
PID 2412 wrote to memory of 2684	2412	02a73c4aa55189821f2fbacfefb0ea22.exe	32
PID 2684 wrote to memory of 1548	2684	WINWORD.EXE	37
PID 2684 wrote to memory of 1548	2684	WINWORD.EXE	37
PID 2684 wrote to memory of 1548	2684	WINWORD.EXE	37
PID 2684 wrote to memory of 1548	2684	WINWORD.EXE	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\02a73c4aa55189821f2fbacfefb0ea22.exe
"C:\Users\Admin\AppData\Local\Temp\02a73c4aa55189821f2fbacfefb0ea22.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\drrqupzxnf.exe
  drrqupzxnf.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\idhzrizv.exe
    C:\Windows\system32\idhzrizv.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2568
- C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe
  rcmpgyzstrprtwz.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2672
- C:\Windows\SysWOW64\syrbxcruklemk.exe
  syrbxcruklemk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2436
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1548
- C:\Windows\SysWOW64\idhzrizv.exe
  idhzrizv.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2760

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
12KB

MD5
25122b5caef24eca53d01b26f84910ea

SHA1
41be69897e7aaad04790782e52ca1e25557820d2

SHA256
2f6dec510d901dc8ccad14947bb74bd6573b831a1679f7fbe270297b902189c4

SHA512
0b1006bbbf92693f3b7086b1f4d6c4d6eeb8ccb42b1538c69d403415eec5c2612fbff3290835825f0f167d7c6e713259b1bd2fa7c850bf8a2c0025fcf3eed82c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
5KB

MD5
8b75f548f625f5bcdefd8a002b413126

SHA1
cb30cad9b1eaab56528f063957982cd90c824589

SHA256
c8aedcde02051e1e93dda61a7e73daafdaf8ea9ff0458bc7ba8674a8bea7058b

SHA512
20212c80e77f458f4593d3b550a5b9a63dd0a34c6cb10dd0d450c0499da530baaee1839f5ae328313fc416ccf0b51d11205a90e576f43794f18af895b08be1b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
31KB

MD5
1134b66ca045e233346afd7b8f54d599

SHA1
55c8222023568d33433b24d6b4f269d1367f8915

SHA256
d960e91a9b5e87ceb2e8a4e2cfca56d46665432816b23302cc5ad86182968f42

SHA512
b2980a3b2d8fe74cd4c880e2ff8d3676554419d8bc73ea75e4eb7071f723e727daa5b250dccc5e3e690ef3527adbc0aff782e239d22b90cb1c3fbb089051dfd3

Download Submit
C:\Users\Admin\Documents\ProtectConfirm.doc.exe

Filesize
512KB

MD5
0eba5076729bfc5a8791ed22688da4c5

SHA1
14653c5124692044232db4da8fb4a1ff21c6985e

SHA256
16a470a1df87851eff1de5fd6315b16ed772abe4eeaadda7f02bdeca541408b0

SHA512
1bff0fcef507fd6fbb2f9cf2904eac604b98418eeb08f3b1760f50b320c32defc513522bbeb0c7d3b426b9f08e8bf93bbc271e5aa630d500fe1392f288ccc13f

Download Submit
C:\Windows\SysWOW64\drrqupzxnf.exe

Filesize
11KB

MD5
20565f96e754f9d3c7dda113d89ba7e3

SHA1
72c0a2b235ccb3e100063776d4c03a0d096d06d1

SHA256
f1b5c616a7a0b22f69fc98f9e46ffe333724e2a7093d0edb3ac4544a38d83277

SHA512
9e17c9c580e69b5c93113f842038368891f4bea6818db9fa781a654cbf823dbdd49ddff13260382bfee619047062a2e9b2c20a661c7a9db4887060ebc8349710

Download Submit
C:\Windows\SysWOW64\drrqupzxnf.exe

Filesize
204KB

MD5
baa63f4f26b2a0ec87a30b30b60d3f71

SHA1
4513a648512145ac0a846ec4aee9f590bf9f6803

SHA256
53c9555196cffc293433db59c5c85e6efe007301d444788762eaf916423f5dfc

SHA512
196fa5dc316d3c9c60afd001874e52d03aee8b4f4bf3a16df1933e6dee3b5b3eb578cb04387667197a9c4b4de3849b54aef53b8c4b98abef0d4a194a895d1f47

Download Submit
C:\Windows\SysWOW64\idhzrizv.exe

Filesize
142KB

MD5
1e284357837dcf6885f07dd86798fa98

SHA1
70d1ea401c7a49aa5fcb25afe6a58f74bb39bdd2

SHA256
f37cea968fd5f70ae1698f28bc640e45835f38caae25c6d272b02920a78111d4

SHA512
43f298bff8585564778b624333f376f5c679cf45c94dcb903c9c7517a93cceabffaa9c6875b7d01237959be42254f600d35728e376ce56b17d59de9da7178a9d

Download Submit
C:\Windows\SysWOW64\idhzrizv.exe

Filesize
147KB

MD5
164180bcf8ddcea40b7521530fb730aa

SHA1
fc3f3def8599d7d016822d618049e3c9ddfa796c

SHA256
d7df4e4ace0edca2a381961ede9b4c8b960ac2c64e8d1c6e77c8370e40361837

SHA512
7b90c1c23f9637df3881cb4b1ac17ec68f949e261a2bcf3862f05398915a1c13985dfeb13afd47a61811455734dba6fd085b515132fc24b7d4c038156da2eeff

Download Submit
C:\Windows\SysWOW64\idhzrizv.exe

Filesize
116KB

MD5
5e3892fd91db4370da996645dd85474c

SHA1
b4ce2d0fc1818d4dddf70b6dc22ea25a1f06b23d

SHA256
d933777991434e1dea43307ae0e604bc36f199119a91ed716c55d989b77a507b

SHA512
861336cfc6ecffb8fc0bb338c90a4ee3f9a602224b3eae3a35e70030647a2d7e73b7781c9c03a90df1ae4fcfa172c014064c1f9a9c565766ae645e0ce1a920c2

Download Submit
C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe

Filesize
163KB

MD5
e82d64fae36c7d68a42d334c70c098d6

SHA1
5c6f1817daee460b0de60cbce9b93d3f4da75d3d

SHA256
b47cd3fc61dc15691964c02a45ba38e5416293f58674fdbe7493f9f93faf592f

SHA512
7e069f92d0292365f2f1140b48a47472dc6dbe85583e6c301493c480f0bce53ab7308bf2c300c67d973caae587faad05f327601e04731d82151fd2e3ccb5fbac

Download Submit
C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe

Filesize
114KB

MD5
d829bd99052f4c7dd2bc63e09bf2568e

SHA1
af877f1da72b30face7f425ff70571ebe1accde4

SHA256
868f5f7ecdf80880c9182028d546b6246e7ae527616e58f98e93dbeac5a76bc9

SHA512
b6a4b7beaffc656ca76deb7289b6ff59aaee12ed40c0d09afbad40b5197ec15328637305777f9f369b1541f7362a9d68645167ba6213c765d13d52ea79551dd6

Download Submit
C:\Windows\SysWOW64\rcmpgyzstrprtwz.exe

Filesize
80KB

MD5
313509ea3b961cc39907eade2ee5c5f4

SHA1
2597062d381b4f216d15823d14326bbe79fc4d30

SHA256
1dcaa4924c30d96ef0f7964ead0f6dfa23916b9fa390461ac8527be03cf58032

SHA512
27733218d012428c7c405e0f159ca0bf7978dc22f9bf1ed19f5e5d4640a8df93be3e8ec705267250bef2a78fe6ef6646cf372e48f9e515f3a4e2de8225cc9734

Download Submit
C:\Windows\SysWOW64\syrbxcruklemk.exe

Filesize
70KB

MD5
21c075bc5176cde08a78b4658b76ebef

SHA1
6093f2ffeb62cadad8d4a01f1b61592e21be0a50

SHA256
02823ea4b9b5af466bcf7290340a6feb20b49f676bd093853cfb3164f5a63b2b

SHA512
e79c8e36e101899aa0090807597361615c50647fc0cbd3005f634b1ea03f31cb7da1cb65f1072a5fdb4a2bcc700507ba2b13913b7e9bd98757b32750232465ba

Download Submit
C:\Windows\SysWOW64\syrbxcruklemk.exe

Filesize
66KB

MD5
3095ebe5a569d94441a3dc4eb3f9a272

SHA1
b6221aac85933c457da885b120eb0156841cfcf6

SHA256
1695e11482bf103fd7db3d0dd8ac9555ea82597bdc7f6af55bf4f5a6284202fc

SHA512
b4447a2abcb347fdec065e20aaa49946df90956d28ccc56f5660183af5674b659ee21d5e2b4058e21824582d3e3b863b2939517b2ab329d987327c8883a865d6

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\drrqupzxnf.exe

Filesize
109KB

MD5
12bfa0b7e43e1d0d85ec88ea3d9836a4

SHA1
bf04d91a15acd4614fed6006b0596c41297fb715

SHA256
0b6b6c523121bc1961c01456a4cdcdd425191553d4043295eacfb943976307ac

SHA512
30ce241c0935da1ec82318b71887accec7622044bbe0bb70a0232f9e1564e0dc85459f3507fc467fffaf6a15182e63e8a610b6162a50b091e55ba340340338a7

Download Submit
\Windows\SysWOW64\idhzrizv.exe

Filesize
61KB

MD5
36fb870d1b1ecfc40e43eb62b7212148

SHA1
77460535f572ad7201e06ee5ae325a13e6934158

SHA256
5593e4611bc700c93a0da2fb5bd33e3e92f221b33ae57a42e79efe1e1176f80b

SHA512
f968253205db594b6d04c347aba6cc8856629b571ce1cb99fe6fc4ac6c45672213d05d89c673f0be675e0a9fcfdf19e2c3d602ad9f62b772f456d4e008221710

Download Submit
\Windows\SysWOW64\idhzrizv.exe

Filesize
108KB

MD5
a8e41eb30f7159efe40e79dbf0741dcf

SHA1
4e4e38898d074d658e4e30492fe34a7194210d38

SHA256
be4d660411e7e4313f645399e106b899157bd86f8df93a37e991844274336dc0

SHA512
6351d3fbe17d6f90204cf273f5d41453bd97810aa96f11e271c137e2c0e10410bb1d0185c36c99f554edfcc36d36a3b491aa6123865944b918921878e7ffa778

Download Submit
\Windows\SysWOW64\rcmpgyzstrprtwz.exe

Filesize
1KB

MD5
ec89629d437c17787acc7061c89e753c

SHA1
c65089b32eba1cf75d3546335718073460c971f9

SHA256
87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

SHA512
65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Download Submit
\Windows\SysWOW64\syrbxcruklemk.exe

Filesize
102KB

MD5
53ba1f3123e13b73f8c6696b93fb8135

SHA1
d6ba175ec8285cdadbf3ad1fe6e5bb228d0d3dff

SHA256
48cd965cf64dc5d447d720709c4c6c7c715dd1d1de29a0f72d9189d4cbd830ef

SHA512
2d5615274507ca4d265885525a598f6763f364fa569a1cc1c6b85ae4d95a75642e258d46506d72beb70207e01ba33e0efd9a74110731760ede67a0c4e7b1d0e8

Download Submit
memory/1852-73-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1852-83-0x0000000004130000-0x0000000004131000-memory.dmp

Filesize
4KB

Download
memory/1852-88-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/2412-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2684-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2684-47-0x000000007151D000-0x0000000071528000-memory.dmp

Filesize
44KB

Download
memory/2684-45-0x000000002F4A1000-0x000000002F4A2000-memory.dmp

Filesize
4KB

Download
memory/2684-81-0x000000007151D000-0x0000000071528000-memory.dmp

Filesize
44KB

Download