Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 06:23
Static task: static1
Behavioral task: behavioral1
Sample: 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Resource: win10v2004-20231215-en
General
Target: 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Size: 512KB
MD5: 0b5eb14018d8edcf7ec2f0d53343cae0
SHA1: 633b0af602f95b9839c78272b1f3dfa442a73b9a
SHA256: 645cc40b8227591e5c7c26f8f7877d47b80504d6437540131712d2fb26ff8ad2
SHA512: 1741449faa798cce64d6e6234602d8d815495b4baf2855c7e4e577567d980c8ec478cbdc823b3365fca97f33125123ec65a2603d15889b4871d54fd2b87405fa
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dpmbcogula.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dpmbcogula.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dpmbcogula.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dpmbcogula.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Executes dropped EXE 5 IoCs
pid Process
1976 dpmbcogula.exe
1616 izdcisapodtabex.exe
3156 idemkovj.exe
4864 sgltvmxyrqabw.exe
4048 idemkovj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dpmbcogula.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rwhythcm = "dpmbcogula.exe" izdcisapodtabex.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzqlbuaa = "izdcisapodtabex.exe" izdcisapodtabex.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sgltvmxyrqabw.exe" izdcisapodtabex.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\l: dpmbcogula.exe
File opened (read-only) \??\e: idemkovj.exe
File opened (read-only) \??\n: idemkovj.exe
File opened (read-only) \??\t: idemkovj.exe
File opened (read-only) \??\u: idemkovj.exe
File opened (read-only) \??\x: idemkovj.exe
File opened (read-only) \??\o: dpmbcogula.exe
File opened (read-only) \??\z: idemkovj.exe
File opened (read-only) \??\b: idemkovj.exe
File opened (read-only) \??\m: idemkovj.exe
File opened (read-only) \??\l: idemkovj.exe
File opened (read-only) \??\z: idemkovj.exe
File opened (read-only) \??\i: dpmbcogula.exe
File opened (read-only) \??\r: idemkovj.exe
File opened (read-only) \??\i: idemkovj.exe
File opened (read-only) \??\r: dpmbcogula.exe
File opened (read-only) \??\a: idemkovj.exe
File opened (read-only) \??\b: idemkovj.exe
File opened (read-only) \??\u: idemkovj.exe
File opened (read-only) \??\e: idemkovj.exe
File opened (read-only) \??\v: idemkovj.exe
File opened (read-only) \??\g: dpmbcogula.exe
File opened (read-only) \??\q: dpmbcogula.exe
File opened (read-only) \??\w: dpmbcogula.exe
File opened (read-only) \??\n: idemkovj.exe
File opened (read-only) \??\r: idemkovj.exe
File opened (read-only) \??\y: idemkovj.exe
File opened (read-only) \??\a: dpmbcogula.exe
File opened (read-only) \??\g: idemkovj.exe
File opened (read-only) \??\x: idemkovj.exe
File opened (read-only) \??\m: idemkovj.exe
File opened (read-only) \??\j: dpmbcogula.exe
File opened (read-only) \??\n: dpmbcogula.exe
File opened (read-only) \??\q: idemkovj.exe
File opened (read-only) \??\k: idemkovj.exe
File opened (read-only) \??\h: dpmbcogula.exe
File opened (read-only) \??\u: dpmbcogula.exe
File opened (read-only) \??\v: dpmbcogula.exe
File opened (read-only) \??\y: dpmbcogula.exe
File opened (read-only) \??\z: dpmbcogula.exe
File opened (read-only) \??\h: idemkovj.exe
File opened (read-only) \??\i: idemkovj.exe
File opened (read-only) \??\a: idemkovj.exe
File opened (read-only) \??\l: idemkovj.exe
File opened (read-only) \??\j: idemkovj.exe
File opened (read-only) \??\e: dpmbcogula.exe
File opened (read-only) \??\p: dpmbcogula.exe
File opened (read-only) \??\x: dpmbcogula.exe
File opened (read-only) \??\j: idemkovj.exe
File opened (read-only) \??\g: idemkovj.exe
File opened (read-only) \??\b: dpmbcogula.exe
File opened (read-only) \??\k: dpmbcogula.exe
File opened (read-only) \??\o: idemkovj.exe
File opened (read-only) \??\w: idemkovj.exe
File opened (read-only) \??\s: idemkovj.exe
File opened (read-only) \??\o: idemkovj.exe
File opened (read-only) \??\h: idemkovj.exe
File opened (read-only) \??\t: idemkovj.exe
File opened (read-only) \??\m: dpmbcogula.exe
File opened (read-only) \??\t: dpmbcogula.exe
File opened (read-only) \??\k: idemkovj.exe
File opened (read-only) \??\s: idemkovj.exe
File opened (read-only) \??\y: idemkovj.exe
File opened (read-only) \??\p: idemkovj.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dpmbcogula.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" dpmbcogula.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/3468-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x0006000000023206-6.dat autoit_exe
behavioral2/files/0x0007000000023202-19.dat autoit_exe
behavioral2/files/0x0006000000023208-30.dat autoit_exe
behavioral2/files/0x0006000000023207-29.dat autoit_exe
behavioral2/files/0x0006000000023234-87.dat autoit_exe
behavioral2/files/0x0006000000023233-78.dat autoit_exe
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\idemkovj.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File created C:\Windows\SysWOW64\sgltvmxyrqabw.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll dpmbcogula.exe
File opened for modification C:\Windows\SysWOW64\izdcisapodtabex.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File created C:\Windows\SysWOW64\idemkovj.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File created C:\Windows\SysWOW64\izdcisapodtabex.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File opened for modification C:\Windows\SysWOW64\sgltvmxyrqabw.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File created C:\Windows\SysWOW64\dpmbcogula.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File opened for modification C:\Windows\SysWOW64\dpmbcogula.exe 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal idemkovj.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe idemkovj.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe idemkovj.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe idemkovj.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe idemkovj.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal idemkovj.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 0b5eb14018d8edcf7ec2f0d53343cae0.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC77B14E3DAB7B8BD7FE1ED9F34C8" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" dpmbcogula.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D789C2483226A3F76A670212DDB7D8264D8" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12E479239EF53C5BADD3393D7CC" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" dpmbcogula.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BEF910F1E383793A42869A3E91B08002F042130338E1CC429E09A2" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFFFB482C826E9045D72A7E9DBCE4E630584667466345D6EA" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg dpmbcogula.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat dpmbcogula.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" dpmbcogula.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf dpmbcogula.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B2FE6C22D1D10FD0A68A7A9167" 0b5eb14018d8edcf7ec2f0d53343cae0.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2544 WINWORD.EXE
2544 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
1976 dpmbcogula.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
1976 dpmbcogula.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
4864 sgltvmxyrqabw.exe
1616 izdcisapodtabex.exe
1616 izdcisapodtabex.exe
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
1976 dpmbcogula.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
3156 idemkovj.exe
1976 dpmbcogula.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
3156 idemkovj.exe
4048 idemkovj.exe
4048 idemkovj.exe
4048 idemkovj.exe
Suspicious use of SendNotifyMessage 19 IoCs
pid Process
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe
1976 dpmbcogula.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
1976 dpmbcogula.exe
3156 idemkovj.exe
1616 izdcisapodtabex.exe
4864 sgltvmxyrqabw.exe
3156 idemkovj.exe
4048 idemkovj.exe
4048 idemkovj.exe
4048 idemkovj.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2544 WINWORD.EXE
2544 WINWORD.EXE
2544 WINWORD.EXE
2544 WINWORD.EXE
2544 WINWORD.EXE
2544 WINWORD.EXE
2544 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 3468 wrote to memory of 1976 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 90
PID 3468 wrote to memory of 1976 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 90
PID 3468 wrote to memory of 1976 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 90
PID 3468 wrote to memory of 1616 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 93
PID 3468 wrote to memory of 1616 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 93
PID 3468 wrote to memory of 1616 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 93
PID 3468 wrote to memory of 3156 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 91
PID 3468 wrote to memory of 3156 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 91
PID 3468 wrote to memory of 3156 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 91
PID 3468 wrote to memory of 4864 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 92
PID 3468 wrote to memory of 4864 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 92
PID 3468 wrote to memory of 4864 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 92
PID 3468 wrote to memory of 2544 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 95
PID 3468 wrote to memory of 2544 3468 0b5eb14018d8edcf7ec2f0d53343cae0.exe 95
PID 1976 wrote to memory of 4048 1976 dpmbcogula.exe 97
PID 1976 wrote to memory of 4048 1976 dpmbcogula.exe 97
PID 1976 wrote to memory of 4048 1976 dpmbcogula.exe 97
Processes
C:\Users\Admin\AppData\Local\Temp\0b5eb14018d8edcf7ec2f0d53343cae0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b5eb14018d8edcf7ec2f0d53343cae0.exe"
  PID: 3468
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dpmbcogula.exe (child of PID 3468)
    Command line: dpmbcogula.exe
    PID: 1976
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\idemkovj.exe (child of PID 1976)
      Command line: C:\Windows\system32\idemkovj.exe
      PID: 4048
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\idemkovj.exe (child of PID 3468)
    Command line: idemkovj.exe
    PID: 3156
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\sgltvmxyrqabw.exe (child of PID 3468)
    Command line: sgltvmxyrqabw.exe
    PID: 4864
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\izdcisapodtabex.exe (child of PID 3468)
    Command line: izdcisapodtabex.exe
    PID: 1616
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (child of PID 3468)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2544
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6