61d28c90ea37bfdea739103565da5216e1e7dcb3a7dba0a9f74835e7ee3d1434

Analysis

max time kernel
1s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0510d7a1f4cf13b6bafd2c21d293d310.exe
Size

512KB
MD5

0510d7a1f4cf13b6bafd2c21d293d310
SHA1

f11c620dfa56d642a3e1e854928d08e3bc7815e4
SHA256

61d28c90ea37bfdea739103565da5216e1e7dcb3a7dba0a9f74835e7ee3d1434
SHA512

04087fd7f61fd0ba143ad39022f68422141eecca8878fb94b65cab16312ce790c9b35f0282405af0eda51fce5cd866927271e4737fe264cb891d94ea655a8944
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	pxzvoyryex.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	pxzvoyryex.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	pxzvoyryex.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pxzvoyryex.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	0510d7a1f4cf13b6bafd2c21d293d310.exe

Executes dropped EXE 5 IoCs

pid	Process
4272	pxzvoyryex.exe
832	kktxquhcgwljmar.exe
1340	qxooxtaf.exe
2264	fhabqwkuffgtr.exe
3908	qxooxtaf.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	pxzvoyryex.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zhbeetba = "pxzvoyryex.exe"	kktxquhcgwljmar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mugpvdjm = "kktxquhcgwljmar.exe"	kktxquhcgwljmar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fhabqwkuffgtr.exe"	kktxquhcgwljmar.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	pxzvoyryex.exe
File opened (read-only)	\??\t:	pxzvoyryex.exe
File opened (read-only)	\??\z:	pxzvoyryex.exe
File opened (read-only)	\??\e:	qxooxtaf.exe
File opened (read-only)	\??\o:	qxooxtaf.exe
File opened (read-only)	\??\y:	qxooxtaf.exe
File opened (read-only)	\??\o:	pxzvoyryex.exe
File opened (read-only)	\??\a:	qxooxtaf.exe
File opened (read-only)	\??\v:	qxooxtaf.exe
File opened (read-only)	\??\z:	qxooxtaf.exe
File opened (read-only)	\??\e:	pxzvoyryex.exe
File opened (read-only)	\??\m:	qxooxtaf.exe
File opened (read-only)	\??\n:	qxooxtaf.exe
File opened (read-only)	\??\r:	qxooxtaf.exe
File opened (read-only)	\??\x:	qxooxtaf.exe
File opened (read-only)	\??\i:	pxzvoyryex.exe
File opened (read-only)	\??\j:	pxzvoyryex.exe
File opened (read-only)	\??\l:	pxzvoyryex.exe
File opened (read-only)	\??\p:	pxzvoyryex.exe
File opened (read-only)	\??\g:	qxooxtaf.exe
File opened (read-only)	\??\j:	qxooxtaf.exe
File opened (read-only)	\??\l:	qxooxtaf.exe
File opened (read-only)	\??\t:	qxooxtaf.exe
File opened (read-only)	\??\a:	pxzvoyryex.exe
File opened (read-only)	\??\b:	pxzvoyryex.exe
File opened (read-only)	\??\b:	qxooxtaf.exe
File opened (read-only)	\??\i:	qxooxtaf.exe
File opened (read-only)	\??\p:	qxooxtaf.exe
File opened (read-only)	\??\g:	pxzvoyryex.exe
File opened (read-only)	\??\k:	pxzvoyryex.exe
File opened (read-only)	\??\v:	pxzvoyryex.exe
File opened (read-only)	\??\w:	pxzvoyryex.exe
File opened (read-only)	\??\h:	qxooxtaf.exe
File opened (read-only)	\??\k:	qxooxtaf.exe
File opened (read-only)	\??\s:	qxooxtaf.exe
File opened (read-only)	\??\u:	pxzvoyryex.exe
File opened (read-only)	\??\y:	pxzvoyryex.exe
File opened (read-only)	\??\q:	qxooxtaf.exe
File opened (read-only)	\??\m:	pxzvoyryex.exe
File opened (read-only)	\??\q:	pxzvoyryex.exe
File opened (read-only)	\??\r:	pxzvoyryex.exe
File opened (read-only)	\??\s:	pxzvoyryex.exe
File opened (read-only)	\??\x:	pxzvoyryex.exe
File opened (read-only)	\??\u:	qxooxtaf.exe
File opened (read-only)	\??\w:	qxooxtaf.exe
File opened (read-only)	\??\n:	pxzvoyryex.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	pxzvoyryex.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	pxzvoyryex.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1816-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral2/files/0x0006000000023251-32.dat	autoit_exe
behavioral2/files/0x0006000000023251-31.dat	autoit_exe
behavioral2/files/0x0007000000023250-28.dat	autoit_exe
behavioral2/files/0x0007000000023250-29.dat	autoit_exe
behavioral2/files/0x000700000002324d-24.dat	autoit_exe
behavioral2/files/0x000700000002324d-22.dat	autoit_exe
behavioral2/files/0x0007000000023250-48.dat	autoit_exe
behavioral2/files/0x000600000002325d-76.dat	autoit_exe
behavioral2/files/0x000600000002325c-73.dat	autoit_exe
behavioral2/files/0x000700000002324a-19.dat	autoit_exe
behavioral2/files/0x000700000002324a-18.dat	autoit_exe
behavioral2/files/0x000700000002324d-5.dat	autoit_exe
behavioral2/files/0x00080000000231fb-82.dat	autoit_exe
behavioral2/files/0x00020000000227e5-94.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qxooxtaf.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File opened for modification	C:\Windows\SysWOW64\fhabqwkuffgtr.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	pxzvoyryex.exe
File created	C:\Windows\SysWOW64\pxzvoyryex.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File opened for modification	C:\Windows\SysWOW64\pxzvoyryex.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File created	C:\Windows\SysWOW64\kktxquhcgwljmar.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File opened for modification	C:\Windows\SysWOW64\kktxquhcgwljmar.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File created	C:\Windows\SysWOW64\qxooxtaf.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe
File created	C:\Windows\SysWOW64\fhabqwkuffgtr.exe	0510d7a1f4cf13b6bafd2c21d293d310.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	0510d7a1f4cf13b6bafd2c21d293d310.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	pxzvoyryex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	pxzvoyryex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	pxzvoyryex.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	0510d7a1f4cf13b6bafd2c21d293d310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D0B9D2382596A3377A077242DD77DF465A8"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77415E5DBC2B9B97CE0ED9434BD"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	pxzvoyryex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	pxzvoyryex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB05B47E139ED52BDB9D632EDD7B9"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8F485885139040D6207DE5BC93E134594167406243D6ED"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	0510d7a1f4cf13b6bafd2c21d293d310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	pxzvoyryex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFABFFE10F291840E3A4486EC3992B088038843640333E1BA429A09A8"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BC4FE6621DDD20CD1D18A7B916B"	0510d7a1f4cf13b6bafd2c21d293d310.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	pxzvoyryex.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
468	WINWORD.EXE
468	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
4272	pxzvoyryex.exe
2264	fhabqwkuffgtr.exe
2264	fhabqwkuffgtr.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe
1340	qxooxtaf.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
3908	qxooxtaf.exe
3908	qxooxtaf.exe
3908	qxooxtaf.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
1816	0510d7a1f4cf13b6bafd2c21d293d310.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
832	kktxquhcgwljmar.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
2264	fhabqwkuffgtr.exe
4272	pxzvoyryex.exe
1340	qxooxtaf.exe
3908	qxooxtaf.exe
3908	qxooxtaf.exe
3908	qxooxtaf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
468	WINWORD.EXE
468	WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 4272	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	30
PID 1816 wrote to memory of 4272	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	30
PID 1816 wrote to memory of 4272	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	30
PID 1816 wrote to memory of 832	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	28
PID 1816 wrote to memory of 832	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	28
PID 1816 wrote to memory of 832	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	28
PID 1816 wrote to memory of 1340	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	27
PID 1816 wrote to memory of 1340	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	27
PID 1816 wrote to memory of 1340	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	27
PID 1816 wrote to memory of 2264	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	20
PID 1816 wrote to memory of 2264	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	20
PID 1816 wrote to memory of 2264	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	20
PID 1816 wrote to memory of 468	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	22
PID 1816 wrote to memory of 468	1816	0510d7a1f4cf13b6bafd2c21d293d310.exe	22
PID 4272 wrote to memory of 3908	4272	pxzvoyryex.exe	25
PID 4272 wrote to memory of 3908	4272	pxzvoyryex.exe	25
PID 4272 wrote to memory of 3908	4272	pxzvoyryex.exe	25

C:\Users\Admin\AppData\Local\Temp\0510d7a1f4cf13b6bafd2c21d293d310.exe
"C:\Users\Admin\AppData\Local\Temp\0510d7a1f4cf13b6bafd2c21d293d310.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\fhabqwkuffgtr.exe
  fhabqwkuffgtr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2264
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:468
- C:\Windows\SysWOW64\qxooxtaf.exe
  qxooxtaf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1340
- C:\Windows\SysWOW64\kktxquhcgwljmar.exe
  kktxquhcgwljmar.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:832
- C:\Windows\SysWOW64\pxzvoyryex.exe
  pxzvoyryex.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4272

C:\Windows\SysWOW64\qxooxtaf.exe
C:\Windows\system32\qxooxtaf.exe
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Filesize
31KB

MD5
672a6765419bc1c0904df4c70e58fdbc

SHA1
6f17beaf530d8a4a3544643e298c3ba2a26130b8

SHA256
efbd463a7d9ed8a17b683ac20eeaa39d938e150c0651e70e8aa700f9d7eea2fa

SHA512
dc8209c7ebbb5294cbc9ef91f3823240f705b97c989185a034c5bd11771c38d9e0501fe073a0b19fe5bcb36b8924fa894b91fe84a00c190a9e7d330da38bd2ec

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

Filesize
1KB

MD5
ec89629d437c17787acc7061c89e753c

SHA1
c65089b32eba1cf75d3546335718073460c971f9

SHA256
87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

SHA512
65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
239B

MD5
12b138a5a40ffb88d1850866bf2959cd

SHA1
57001ba2de61329118440de3e9f8a81074cb28a2

SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf

SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
40dc343ab97e821cfb7ccc9a89d0e51e

SHA1
11e5b54d370595e77ead65600584c18df8d81170

SHA256
67b9ec2165de622d35969faabde41775646a35a5777d31a1346e3c2e2ea4e756

SHA512
17931abcfaa4469759212bb70b11c304de21af8c4110999fc2400a69001387492dc58ce6f0408a3eaa3a430e19a959f3e2b5ec5fe9225f385278b8bb8d02be41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
001122ff20d3928c04b93948e99b538a

SHA1
51232aac64aadbc6c11193fb214b4f5f85f9020f

SHA256
187c4a0e6f94a4ac1c40ca7f844c8687fb967f9f98e7af27d6fc997b02bc61ec

SHA512
5ab93710c5651885d84f8e8ef739afc78183400920c0c369913f7c1409e23dd0754f3e13fb5a9a9126421ef959e8a59e71dc8acbf5fe2278a5afcef4fa5f1bf0

Download Submit
C:\Users\Admin\Music\InitializeGroup.doc.exe

Filesize
42KB

MD5
0f1a470b895c4f611861d565550f3a34

SHA1
5d97c9972071708b1eba2f0f9bf30170019a1ab6

SHA256
57a99e8422aca5035637a58cda68c908944009788df3d1db3198f754572d2c82

SHA512
458573e040c0f6d62e56b0f1f0a2241d0b8885b6643235d72781dc7a6631102f78906431c66e06525e57b5a44f7cf7b506667edb6dfa7ee3fa49a28df25dd811

Download Submit
C:\Windows\SysWOW64\fhabqwkuffgtr.exe

Filesize
77KB

MD5
a1766cde1fc4e55c27a55da2a1ea09e3

SHA1
ca85943853a34dd21962a9364998483e99c2af5d

SHA256
e5c8b9738315a93348ae0fe9dc8b9b27007d20ea0bcecb9ee907f89b87fee019

SHA512
4cc3399b828ff54a7e0678ad32b16ae2c1df9b156822268e2cc010aca237afd92d819f32421467b40325657c16ec4e1e9d8697d016d0abdfdaf6b193ed1ef74c

Download Submit
C:\Windows\SysWOW64\fhabqwkuffgtr.exe

Filesize
112KB

MD5
3a83b78403bcf7c64bc4cd93c7f6cda0

SHA1
2b10d3fa9c32976f4d2fa08bbf79cfe6d9780ba6

SHA256
4b735ddcffb525809fdb6c3f3af871a096f52c0ea9b7e3591d390535c4feb93e

SHA512
47501318e9c57441be63151e273724f321cfb197f692ba6fb8204c1a0c02c587a72557b31c855e1e3438d30992a67c84847a7ef9537e72bf810cc2ccc17d6ee0

Download Submit
C:\Windows\SysWOW64\kktxquhcgwljmar.exe

Filesize
215KB

MD5
56d889fdfbabdf28105f4cdeccda572c

SHA1
621b0d6a3bfdefbe79e8c1811af7ee0fd6fb403e

SHA256
3463fa611b5fc98961490d83b5c319809ff8e13860cad28523fbeedad4a8fd07

SHA512
0c96a327c2e01dfe9b4f28b9637bf6c4a111d03a8e2acf0ae833186dedd558b00a5a0f8ad096e9e94829f90e31b4adb6f073e690ca718320fdb21c122334488c

Download Submit
C:\Windows\SysWOW64\kktxquhcgwljmar.exe

Filesize
124KB

MD5
5f8dfe961592d36a68a11c92fe94c18e

SHA1
07c64a929392366e10f370be0ac3c7a73d06ceca

SHA256
a5a8af321c349ec771728f58304e209011197d115e175d72de1e3ee68fd68b01

SHA512
24720799c525bbfa255502d69a4c0eabfe9f70bf08d7e50faea105854e5a22d708381a30b17c764af997c9fb328cfc6545011631441ec620a57b1c932545ac7c

Download Submit
C:\Windows\SysWOW64\kktxquhcgwljmar.exe

Filesize
219KB

MD5
1f5552657fb2a9d887964efac04f4f70

SHA1
a8bbee844f5e663544f74de2e040b1e412b53a4e

SHA256
d9bcffb78b6e35a5fabb585fd1be4b22dbb7bb452714eb5a1ac4454ad5462d4f

SHA512
d89c9a65738230bf7d5b46195b0cf55340f3a26da573db787e992abd167bb77725f271c5a38808a8aeb64cd989dce1407523b8e6ad5c73f82033402741e0365e

Download Submit
C:\Windows\SysWOW64\pxzvoyryex.exe

Filesize
351KB

MD5
ef15100b1a780362f933fc907aa01404

SHA1
c53e7c1fdbdc06698cd1265146d82fcc9b43694c

SHA256
b1021604487907b5f2d949b129e8d03c869e24aa157e8055e9c6d87d072e4dd3

SHA512
a01833138b5fe8e26c48dda1a578c8db396b8666ad0045995ec8747b4a70e4e524e81f4acb747f858fcfb2ca5b5b2a0ddc93840e9d5d65c6a682747629f2f269

Download Submit
C:\Windows\SysWOW64\pxzvoyryex.exe

Filesize
322KB

MD5
92b44a8d5c662df0583286a5124cd66f

SHA1
89889c0a2549594b3447cc7ed5cb3350d7506788

SHA256
f58c52dd1335a5980bf2cb9d613e229c34c3a1128337f542cce647ca9cbfd58b

SHA512
8cfb5e81457e1cfd11ad55fbcdbe9fa33aa2556d26d50ae2aade5dd84d5ece36f2ff9626e9e74582d7faa304b2d87ab67ace5b65e34e1804ccde3da24caf9222

Download Submit
C:\Windows\SysWOW64\qxooxtaf.exe

Filesize
127KB

MD5
aeb3f3d2afdf2e0e824caf038bc0fa31

SHA1
c345dec18c42ad93d95f2e467536fb957488cf6f

SHA256
86309d47b82f6b9a8aa0da99a6872a1ace9ee433f5a36850e0231ae59a0afd5b

SHA512
58bec48bfe83a2a3f6149880d264536aba4a65690364b82b2e7797ed544cc50eff236b05fb9bc0f10d7a13b26a6f65eb6b169fa5bea7551c0c2b639f6b45d556

Download Submit
C:\Windows\SysWOW64\qxooxtaf.exe

Filesize
114KB

MD5
a50b07a0fe5581f62e84c5beb0774fff

SHA1
1e0a53c61b5e1a06a27269845ef10e219ddf9365

SHA256
d90cf87747932b7b6616035d1cdfcd31a794d6f4d14ea58ca94f780b6f43b341

SHA512
90ce8853271efb47275e73b670d60e84ed8242fa1d7dffb5cd1fd7dfc241663937d96fa8bc282c31638aacc459521ccfc2fb3495cd9d4675b080e50d1550db33

Download Submit
C:\Windows\SysWOW64\qxooxtaf.exe

Filesize
106KB

MD5
98170bef51450afa9396274cb077e722

SHA1
968895f53ae0593bd63fe00ebd7fa6f029e3b7af

SHA256
40fb2fcf33759bc3ec1ca9a967a273848c6c7b7dfe5dc29a9f7ddd0a5cfc4dde

SHA512
d3beb5ea49d97803e8f3098a2cee91c0bcb8fca6fe957bc65c1b001ad582d186aea4f7892e421bbcb36d93fe22d62751f501ae389046188e80bef1ac83752026

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

Filesize
92KB

MD5
6662b185f19fbf697c56a25c92de7961

SHA1
0df0c0df0de3724258df2549c583e3c934aca726

SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Download Submit
memory/468-42-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-35-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-53-0x00007FFCD54D0000-0x00007FFCD54E0000-memory.dmp

Filesize
64KB

Download
memory/468-59-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-52-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-55-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-130-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-47-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-43-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-41-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-40-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-39-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-37-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-36-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-57-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-54-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-49-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-51-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-46-0x00007FFCD54D0000-0x00007FFCD54E0000-memory.dmp

Filesize
64KB

Download
memory/468-45-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-44-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-58-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-56-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-38-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-110-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-135-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-134-0x00007FFD174B0000-0x00007FFD176A5000-memory.dmp

Filesize
2.0MB

Download
memory/468-133-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-132-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/468-131-0x00007FFCD7530000-0x00007FFCD7540000-memory.dmp

Filesize
64KB

Download
memory/1816-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download