Analysis
-
max time kernel
151s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25-12-2023 05:44
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
09040edf7d379eb85234a8b04cadbec9.exe
Resource
win7-20231215-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
09040edf7d379eb85234a8b04cadbec9.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
09040edf7d379eb85234a8b04cadbec9.exe
-
Size
512KB
-
MD5
09040edf7d379eb85234a8b04cadbec9
-
SHA1
7f3b0020fb6ba1afcfd48070cb327094278fffed
-
SHA256
1892d6ce4f0392097ec0c4e6e15bd696611d5793632f5f4f726f13df1a83f79c
-
SHA512
4851dd9a540d48071032aeae4b8c345ff5cd6d2bb9c527c8da34f1c48414f06b29bf110806ba386fdbad2e560c9dca353a2fb3c8e8642e4821205e276577f367
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ihbtmqzfzj.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ihbtmqzfzj.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ihbtmqzfzj.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ihbtmqzfzj.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation 09040edf7d379eb85234a8b04cadbec9.exe -
Executes dropped EXE 5 IoCs
pid Process 4684 ihbtmqzfzj.exe 632 jgxszojosgrrvsm.exe 1492 wryejlvc.exe 1228 myrolmnadeqhk.exe 4068 wryejlvc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ihbtmqzfzj.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqcfmjrk = "ihbtmqzfzj.exe" jgxszojosgrrvsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hnlltibc = "jgxszojosgrrvsm.exe" jgxszojosgrrvsm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "myrolmnadeqhk.exe" jgxszojosgrrvsm.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\b: wryejlvc.exe File opened (read-only) \??\i: wryejlvc.exe File opened (read-only) \??\z: wryejlvc.exe File opened (read-only) \??\x: wryejlvc.exe File opened (read-only) \??\w: ihbtmqzfzj.exe File opened (read-only) \??\p: wryejlvc.exe File opened (read-only) \??\q: wryejlvc.exe File opened (read-only) \??\y: wryejlvc.exe File opened (read-only) \??\m: wryejlvc.exe File opened (read-only) \??\l: ihbtmqzfzj.exe File opened (read-only) \??\q: ihbtmqzfzj.exe File opened (read-only) \??\u: ihbtmqzfzj.exe File opened (read-only) \??\g: wryejlvc.exe File opened (read-only) \??\a: wryejlvc.exe File opened (read-only) \??\u: wryejlvc.exe File opened (read-only) \??\v: wryejlvc.exe File opened (read-only) \??\n: ihbtmqzfzj.exe File opened (read-only) \??\p: ihbtmqzfzj.exe File opened (read-only) \??\g: wryejlvc.exe File opened (read-only) \??\k: wryejlvc.exe File opened (read-only) \??\s: wryejlvc.exe File opened (read-only) \??\z: wryejlvc.exe File opened (read-only) \??\h: ihbtmqzfzj.exe File opened (read-only) \??\y: ihbtmqzfzj.exe File opened (read-only) \??\z: ihbtmqzfzj.exe File opened (read-only) \??\h: wryejlvc.exe File opened (read-only) \??\n: wryejlvc.exe File opened (read-only) \??\r: wryejlvc.exe File opened (read-only) \??\a: ihbtmqzfzj.exe File opened (read-only) \??\j: ihbtmqzfzj.exe File opened (read-only) \??\o: ihbtmqzfzj.exe File opened (read-only) \??\r: wryejlvc.exe File opened (read-only) \??\p: wryejlvc.exe File opened (read-only) \??\w: wryejlvc.exe File opened (read-only) \??\j: wryejlvc.exe File opened (read-only) \??\m: wryejlvc.exe File opened (read-only) \??\l: wryejlvc.exe File opened (read-only) \??\t: wryejlvc.exe File opened (read-only) \??\y: wryejlvc.exe File opened (read-only) \??\e: ihbtmqzfzj.exe File opened (read-only) \??\v: ihbtmqzfzj.exe File opened (read-only) \??\s: wryejlvc.exe File opened (read-only) \??\o: wryejlvc.exe File opened (read-only) \??\i: ihbtmqzfzj.exe File opened (read-only) \??\t: ihbtmqzfzj.exe File opened (read-only) \??\x: ihbtmqzfzj.exe File opened (read-only) \??\k: wryejlvc.exe File opened (read-only) \??\i: wryejlvc.exe File opened (read-only) \??\r: ihbtmqzfzj.exe File opened (read-only) \??\e: wryejlvc.exe File opened (read-only) \??\h: wryejlvc.exe File opened (read-only) \??\j: wryejlvc.exe File opened (read-only) \??\k: ihbtmqzfzj.exe File opened (read-only) \??\t: wryejlvc.exe File opened (read-only) \??\u: wryejlvc.exe File opened (read-only) \??\q: wryejlvc.exe File opened (read-only) \??\g: ihbtmqzfzj.exe File opened (read-only) \??\a: wryejlvc.exe File opened (read-only) \??\e: wryejlvc.exe File opened (read-only) \??\o: wryejlvc.exe File opened (read-only) \??\x: wryejlvc.exe File opened (read-only) \??\b: ihbtmqzfzj.exe File opened (read-only) \??\m: ihbtmqzfzj.exe File opened (read-only) \??\n: wryejlvc.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ihbtmqzfzj.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ihbtmqzfzj.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2176-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0006000000023213-5.dat autoit_exe behavioral2/files/0x0006000000023212-19.dat autoit_exe behavioral2/files/0x0006000000023213-23.dat autoit_exe behavioral2/files/0x0006000000023213-22.dat autoit_exe behavioral2/files/0x0006000000023212-18.dat autoit_exe behavioral2/files/0x0008000000023246-110.dat autoit_exe behavioral2/files/0x000700000002324e-116.dat autoit_exe behavioral2/files/0x000a0000000231c0-147.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wryejlvc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wryejlvc.exe File opened for modification C:\Windows\SysWOW64\jgxszojosgrrvsm.exe 09040edf7d379eb85234a8b04cadbec9.exe File created C:\Windows\SysWOW64\wryejlvc.exe 09040edf7d379eb85234a8b04cadbec9.exe File opened for modification C:\Windows\SysWOW64\myrolmnadeqhk.exe 09040edf7d379eb85234a8b04cadbec9.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wryejlvc.exe File created C:\Windows\SysWOW64\ihbtmqzfzj.exe 09040edf7d379eb85234a8b04cadbec9.exe File opened for modification C:\Windows\SysWOW64\ihbtmqzfzj.exe 09040edf7d379eb85234a8b04cadbec9.exe File opened for modification C:\Windows\SysWOW64\wryejlvc.exe 09040edf7d379eb85234a8b04cadbec9.exe File created C:\Windows\SysWOW64\myrolmnadeqhk.exe 09040edf7d379eb85234a8b04cadbec9.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ihbtmqzfzj.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe wryejlvc.exe File created C:\Windows\SysWOW64\jgxszojosgrrvsm.exe 09040edf7d379eb85234a8b04cadbec9.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wryejlvc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wryejlvc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wryejlvc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wryejlvc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe wryejlvc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal wryejlvc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe wryejlvc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 09040edf7d379eb85234a8b04cadbec9.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFACAFE65F2E3847A3B3786EA39E5B38C02884211023BE2C8459C08A7" 09040edf7d379eb85234a8b04cadbec9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ihbtmqzfzj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ihbtmqzfzj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B4FE6721DED27DD0A48B7B9161" 09040edf7d379eb85234a8b04cadbec9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ihbtmqzfzj.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 09040edf7d379eb85234a8b04cadbec9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C0B9C5282206A3177D177552CD87C8464AA" 09040edf7d379eb85234a8b04cadbec9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ihbtmqzfzj.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings 09040edf7d379eb85234a8b04cadbec9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02844E7399853C4BAA53393D7C5" 09040edf7d379eb85234a8b04cadbec9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC8E4F5D851E9134D72A7DE2BD97E136594266466336D79F" 09040edf7d379eb85234a8b04cadbec9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67F1597DAB7B9C07C92EDE734CA" 09040edf7d379eb85234a8b04cadbec9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ihbtmqzfzj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ihbtmqzfzj.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1068 WINWORD.EXE 1068 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 2176 09040edf7d379eb85234a8b04cadbec9.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 4684 ihbtmqzfzj.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 1492 wryejlvc.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 632 jgxszojosgrrvsm.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 1228 myrolmnadeqhk.exe 4068 wryejlvc.exe 4068 wryejlvc.exe 4068 wryejlvc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1068 WINWORD.EXE 1068 WINWORD.EXE 1068 WINWORD.EXE 1068 WINWORD.EXE 1068 WINWORD.EXE 1068 WINWORD.EXE 1068 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2176 wrote to memory of 4684 2176 09040edf7d379eb85234a8b04cadbec9.exe 91 PID 2176 wrote to memory of 4684 2176 09040edf7d379eb85234a8b04cadbec9.exe 91 PID 2176 wrote to memory of 4684 2176 09040edf7d379eb85234a8b04cadbec9.exe 91 PID 2176 wrote to memory of 632 2176 09040edf7d379eb85234a8b04cadbec9.exe 92 PID 2176 wrote to memory of 632 2176 09040edf7d379eb85234a8b04cadbec9.exe 92 PID 2176 wrote to memory of 632 2176 09040edf7d379eb85234a8b04cadbec9.exe 92 PID 2176 wrote to memory of 1492 2176 09040edf7d379eb85234a8b04cadbec9.exe 93 PID 2176 wrote to memory of 1492 2176 09040edf7d379eb85234a8b04cadbec9.exe 93 PID 2176 wrote to memory of 1492 2176 09040edf7d379eb85234a8b04cadbec9.exe 93 PID 2176 wrote to memory of 1228 2176 09040edf7d379eb85234a8b04cadbec9.exe 94 PID 2176 wrote to memory of 1228 2176 09040edf7d379eb85234a8b04cadbec9.exe 94 PID 2176 wrote to memory of 1228 2176 09040edf7d379eb85234a8b04cadbec9.exe 94 PID 4684 wrote to memory of 4068 4684 ihbtmqzfzj.exe 95 PID 4684 wrote to memory of 4068 4684 ihbtmqzfzj.exe 95 PID 4684 wrote to memory of 4068 4684 ihbtmqzfzj.exe 95 PID 2176 wrote to memory of 1068 2176 09040edf7d379eb85234a8b04cadbec9.exe 96 PID 2176 wrote to memory of 1068 2176 09040edf7d379eb85234a8b04cadbec9.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\09040edf7d379eb85234a8b04cadbec9.exe"C:\Users\Admin\AppData\Local\Temp\09040edf7d379eb85234a8b04cadbec9.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\ihbtmqzfzj.exeihbtmqzfzj.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\wryejlvc.exeC:\Windows\system32\wryejlvc.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4068
-
-
-
C:\Windows\SysWOW64\jgxszojosgrrvsm.exejgxszojosgrrvsm.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:632
-
-
C:\Windows\SysWOW64\wryejlvc.exewryejlvc.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492
-
-
C:\Windows\SysWOW64\myrolmnadeqhk.exemyrolmnadeqhk.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1228
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1068
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5f70be9cb01cad785f62fc17bf004ccba
SHA1c7ccc538256a9bb87b076cfcc5f3f4cf1512ccfd
SHA256e332defd625f6141e51c36d63cc5e2d916dff72ce88afba033bf3dd2365a4eb1
SHA512f7cd2aae2dd99d03bc4e7b3946ea936bfba14c5450788587cd752182a9b4a2b393413d6e8945e90b10d95f8498b9845e465022df65e4fe0dfa51622b4a61236a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD599872553486449d101cb69c302aabbd3
SHA104c2831c63b66d756564c2e4d437953118e22a12
SHA25653e5566a12112c40489e4d56117a140fbf807cf6db3ff27e22c01ef25220c27d
SHA5128f9fce59ba08064dc350308837dec68507ce2083d84dfe0bfcac913dffa99484fd90501bdede66add59a5bb0fda7ad93e2b0ff5edcbebf9fe4fbebd2c017a32b
-
Filesize
170KB
MD5daf4f61e2e6bb788cbf01f6bf8f59cb6
SHA156fec01d3fcabe44c1539ebb9133d99c0f80cbe1
SHA256044b564603bfb5473f5159e2820cd6bc475c3d6816db10cceb899de8a96c644e
SHA512e31b9b7d810918ad52da2b60040e8fa96c900a27af4e5bafd945dacdea1d10530b725e6e149dad1cf989b0394ba0864b808be6d81f2da55f070db530d7567334
-
Filesize
512KB
MD5219699e879033580596879517bb0e513
SHA1edc4d3a7bc2ed5b26c748173b590e998c135a5f5
SHA256ac8e964bb40712b196c07d0213399ee47b86d478ea804cb7fe06aa0384c8f442
SHA512182898f3e332e16f725963e8e50f2da442504a6d0e00050218fda5a366fb356b6863a56d95a848724466f150c0b2f846a8deed9bcf536eb1c6556a4196eb0e0d
-
Filesize
512KB
MD513eec35c0d5c1d326faea637bbe878a6
SHA14b0b1c048a14ac027428c7966b1d7645f0cac537
SHA256ca0daaa4e94ed39b262ea60ca5229b528d3b54be0293eeab13a75376ad88c6f8
SHA512df34de175e0f03c1daa8d0c336dc7fd7c6c2d8cefa5026ca40c20effd231eec35d96e5c23af985778491ce784f2d35a6e49f060f476a2d69a43a8e0ccd909ac8
-
Filesize
348KB
MD5b3e1b55752818da128907f3dc079021a
SHA1f7f749c92968bdc80115f48378ecc5a19ffd04e0
SHA25668cb7b8034c41dee63fb762157bb6bb0ead1887eecf678f576f1220433164000
SHA5126de28713fc167647479cab28ed08d21f01e6dd4c44eac8c79d5a65e187fb515da5415bed0df60c70b7f3cedda84c378c11d280daf00573392657942a285f1e21
-
Filesize
512KB
MD593b89a04a0349f539d9ceb3e7d4bff43
SHA1f78ced16c936157391dcf9dd9defb881898b6ea1
SHA2564bc0ed2ece017048b202591d4818579efe2e1396cda9a106872524d07e68c31c
SHA51242360abff1b514f69980823f89c6eab85f54cbf7511ef0d0ee4e0f4110948621f67d64e7ecddacabc92d5d76730e0c4cb98ecceef2a4fcd6f078814fbe862420
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
384KB
MD50e151ec3919b72f9a6c7fe60d10f4ea0
SHA191fb01badc6db9808233ff95abf39c37982a8c85
SHA256f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA51241d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b
-
Filesize
512KB
MD572fb776643c72a56867a4427329be296
SHA155e2d6c9e96f7fb2b1c45db60c6d9cb34974e369
SHA25672793270f4033a0240700710f58b41a5014484fe1e60876e5201e34b3cf2b9ca
SHA51296c1183f07b4339af14e23c3510b95a3b411e380157ed014e41ab5c20b93cb5ffe7b340252605896dcb5070cb9d5cd4778837a5b3bd585bf7cc7f9119c968ffc