Analysis
max time kernel: 164s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 03:52
Static task: static1
Behavioral task: behavioral1
  Sample: 03fc9e8b77254aea88e4ee6874e6aa16.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 03fc9e8b77254aea88e4ee6874e6aa16.exe
  Resource: win10v2004-20231215-en
General
Target: 03fc9e8b77254aea88e4ee6874e6aa16.exe
Size: 512KB
MD5: 03fc9e8b77254aea88e4ee6874e6aa16
SHA1: 37ed01e12640426729ec3445035421cae398e9f3
SHA256: 67ae1cb8fb6f1617dfb89958e55245dc791d41f8e3b7af48b175543f243ee46e
SHA512: 31633112a32d70680d560e97b93994cdcf15e25973b6062558c1bad4100137e926e27742e4775b3f289464cb39b2314ba93e83895c4ac55fa8da5e0e22ac2f1a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5a
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zjffcnwkem.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zjffcnwkem.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zjffcnwkem.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zjffcnwkem.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Executes dropped EXE 5 IoCs
pid | Process
1436 | zjffcnwkem.exe
68 | hyeqxebzvnlente.exe
1088 | ekneloim.exe
4032 | vkvmvvjzpbaoh.exe
3844 | ekneloim.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zjffcnwkem.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwjahtvs = "zjffcnwkem.exe" | hyeqxebzvnlente.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxdrfxkm = "hyeqxebzvnlente.exe" | hyeqxebzvnlente.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vkvmvvjzpbaoh.exe" | hyeqxebzvnlente.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | zjffcnwkem.exe
File opened (read-only) | \??\i: | ekneloim.exe
File opened (read-only) | \??\k: | ekneloim.exe
File opened (read-only) | \??\w: | ekneloim.exe
File opened (read-only) | \??\y: | ekneloim.exe
File opened (read-only) | \??\n: | zjffcnwkem.exe
File opened (read-only) | \??\p: | zjffcnwkem.exe
File opened (read-only) | \??\k: | ekneloim.exe
File opened (read-only) | \??\b: | ekneloim.exe
File opened (read-only) | \??\i: | ekneloim.exe
File opened (read-only) | \??\s: | ekneloim.exe
File opened (read-only) | \??\z: | ekneloim.exe
File opened (read-only) | \??\j: | ekneloim.exe
File opened (read-only) | \??\o: | ekneloim.exe
File opened (read-only) | \??\y: | ekneloim.exe
File opened (read-only) | \??\n: | ekneloim.exe
File opened (read-only) | \??\o: | ekneloim.exe
File opened (read-only) | \??\t: | ekneloim.exe
File opened (read-only) | \??\u: | ekneloim.exe
File opened (read-only) | \??\u: | zjffcnwkem.exe
File opened (read-only) | \??\h: | ekneloim.exe
File opened (read-only) | \??\k: | zjffcnwkem.exe
File opened (read-only) | \??\w: | zjffcnwkem.exe
File opened (read-only) | \??\z: | zjffcnwkem.exe
File opened (read-only) | \??\a: | ekneloim.exe
File opened (read-only) | \??\m: | ekneloim.exe
File opened (read-only) | \??\l: | ekneloim.exe
File opened (read-only) | \??\b: | zjffcnwkem.exe
File opened (read-only) | \??\e: | zjffcnwkem.exe
File opened (read-only) | \??\r: | zjffcnwkem.exe
File opened (read-only) | \??\t: | zjffcnwkem.exe
File opened (read-only) | \??\e: | ekneloim.exe
File opened (read-only) | \??\p: | ekneloim.exe
File opened (read-only) | \??\g: | ekneloim.exe
File opened (read-only) | \??\h: | zjffcnwkem.exe
File opened (read-only) | \??\b: | ekneloim.exe
File opened (read-only) | \??\s: | ekneloim.exe
File opened (read-only) | \??\x: | ekneloim.exe
File opened (read-only) | \??\x: | ekneloim.exe
File opened (read-only) | \??\l: | zjffcnwkem.exe
File opened (read-only) | \??\x: | zjffcnwkem.exe
File opened (read-only) | \??\a: | ekneloim.exe
File opened (read-only) | \??\l: | ekneloim.exe
File opened (read-only) | \??\o: | zjffcnwkem.exe
File opened (read-only) | \??\g: | ekneloim.exe
File opened (read-only) | \??\h: | ekneloim.exe
File opened (read-only) | \??\q: | ekneloim.exe
File opened (read-only) | \??\t: | ekneloim.exe
File opened (read-only) | \??\u: | ekneloim.exe
File opened (read-only) | \??\e: | ekneloim.exe
File opened (read-only) | \??\v: | zjffcnwkem.exe
File opened (read-only) | \??\r: | ekneloim.exe
File opened (read-only) | \??\a: | zjffcnwkem.exe
File opened (read-only) | \??\m: | zjffcnwkem.exe
File opened (read-only) | \??\r: | ekneloim.exe
File opened (read-only) | \??\p: | ekneloim.exe
File opened (read-only) | \??\v: | ekneloim.exe
File opened (read-only) | \??\s: | zjffcnwkem.exe
File opened (read-only) | \??\y: | zjffcnwkem.exe
File opened (read-only) | \??\n: | ekneloim.exe
File opened (read-only) | \??\w: | ekneloim.exe
File opened (read-only) | \??\z: | ekneloim.exe
File opened (read-only) | \??\j: | ekneloim.exe
File opened (read-only) | \??\q: | ekneloim.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zjffcnwkem.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zjffcnwkem.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/868-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000600000002320b-5.dat | autoit_exe
behavioral2/files/0x000600000002320a-18.dat | autoit_exe
behavioral2/files/0x000600000002320b-24.dat | autoit_exe
behavioral2/files/0x000600000002320d-30.dat | autoit_exe
behavioral2/files/0x000600000002320c-32.dat | autoit_exe
behavioral2/files/0x000600000002320c-28.dat | autoit_exe
behavioral2/files/0x000600000002320d-29.dat | autoit_exe
behavioral2/files/0x000600000002320a-21.dat | autoit_exe
behavioral2/files/0x000600000002320c-42.dat | autoit_exe
behavioral2/files/0x000600000002321b-77.dat | autoit_exe
behavioral2/files/0x000600000002321c-84.dat | autoit_exe
behavioral2/files/0x000a0000000231b3-93.dat | autoit_exe
behavioral2/files/0x0007000000023239-115.dat | autoit_exe
behavioral2/files/0x0007000000023239-127.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\ekneloim.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File created | C:\Windows\SysWOW64\vkvmvvjzpbaoh.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File opened for modification | C:\Windows\SysWOW64\vkvmvvjzpbaoh.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ekneloim.exe
File created | C:\Windows\SysWOW64\hyeqxebzvnlente.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File opened for modification | C:\Windows\SysWOW64\hyeqxebzvnlente.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File opened for modification | C:\Windows\SysWOW64\ekneloim.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zjffcnwkem.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ekneloim.exe
File created | C:\Windows\SysWOW64\zjffcnwkem.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File opened for modification | C:\Windows\SysWOW64\zjffcnwkem.exe | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Drops file in Program Files directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\BackupClear.doc.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\BackupClear.nal | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ekneloim.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ekneloim.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ekneloim.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ekneloim.exe
File created | \??\c:\Program Files\BackupClear.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Program Files\BackupClear.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ekneloim.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ekneloim.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ekneloim.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 03fc9e8b77254aea88e4ee6874e6aa16.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ekneloim.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ekneloim.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ekneloim.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ekneloim.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9BDF913F29884783B4486993EE2B38902FA4364033CE1BF459D08D6" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zjffcnwkem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zjffcnwkem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zjffcnwkem.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFF8C4F26851C9045D6217DE6BCE7E632594567466331D79C" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B2FE6E21D9D278D1D18B7F9010" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C77915E6DBC0B8B97F95ED9534BD" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C0D9C5683596A3F76A577212CAE7DF464AF" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B12147E0399853B9BADD329CD7CB" | 03fc9e8b77254aea88e4ee6874e6aa16.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zjffcnwkem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zjffcnwkem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zjffcnwkem.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zjffcnwkem.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1632 | WINWORD.EXE
1632 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
4032 | vkvmvvjzpbaoh.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
3844 | ekneloim.exe
3844 | ekneloim.exe
3844 | ekneloim.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
1436 | zjffcnwkem.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
4032 | vkvmvvjzpbaoh.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
68 | hyeqxebzvnlente.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
1088 | ekneloim.exe
3844 | ekneloim.exe
3844 | ekneloim.exe
3844 | ekneloim.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1632 | WINWORD.EXE
1632 | WINWORD.EXE
1632 | WINWORD.EXE
1632 | WINWORD.EXE
1632 | WINWORD.EXE
1632 | WINWORD.EXE
1632 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 868 wrote to memory of 1436 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 88
PID 868 wrote to memory of 1436 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 88
PID 868 wrote to memory of 1436 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 88
PID 868 wrote to memory of 68 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 89
PID 868 wrote to memory of 68 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 89
PID 868 wrote to memory of 68 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 89
PID 868 wrote to memory of 1088 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 92
PID 868 wrote to memory of 1088 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 92
PID 868 wrote to memory of 1088 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 92
PID 868 wrote to memory of 4032 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 91
PID 868 wrote to memory of 4032 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 91
PID 868 wrote to memory of 4032 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 91
PID 868 wrote to memory of 1632 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 93
PID 868 wrote to memory of 1632 | 868 | 03fc9e8b77254aea88e4ee6874e6aa16.exe | 93
PID 1436 wrote to memory of 3844 | 1436 | zjffcnwkem.exe | 95
PID 1436 wrote to memory of 3844 | 1436 | zjffcnwkem.exe | 95
PID 1436 wrote to memory of 3844 | 1436 | zjffcnwkem.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\03fc9e8b77254aea88e4ee6874e6aa16.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 868
  C:\Windows\SysWOW64\zjffcnwkem.exe
  Command line: zjffcnwkem.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1436
    C:\Windows\SysWOW64\ekneloim.exe
    Command line: C:\Windows\system32\ekneloim.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3844
  C:\Windows\SysWOW64\hyeqxebzvnlente.exe
  Command line: hyeqxebzvnlente.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 68
  C:\Windows\SysWOW64\vkvmvvjzpbaoh.exe
  Command line: vkvmvvjzpbaoh.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4032
  C:\Windows\SysWOW64\ekneloim.exe
  Command line: ekneloim.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1088
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1632
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads