Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 07:06
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
0d9f474df29eb4ffb4d1f4e635f7ed11.exe
Resource
win7-20231215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
0d9f474df29eb4ffb4d1f4e635f7ed11.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
0d9f474df29eb4ffb4d1f4e635f7ed11.exe
-
Size
512KB
-
MD5
0d9f474df29eb4ffb4d1f4e635f7ed11
-
SHA1
05b21dab3d0b96599f0684167f28357701321dea
-
SHA256
e15b5ac6472da325f757191e30b68456b0aaafde1c934a8614da7dac63f35a05
-
SHA512
da0b35ec2141aa9827edb3c350b62b0e3db10524752b68d9831d334d173965d93ec7516e2c3d4814c365e797f86f613bf4e481fcc49225802e41bcc3a6462ce2
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ijthrwjhsr.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ijthrwjhsr.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ijthrwjhsr.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ijthrwjhsr.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 0d9f474df29eb4ffb4d1f4e635f7ed11.exe -
Executes dropped EXE 5 IoCs
pid Process 1268 ijthrwjhsr.exe 628 dnuofiubgkxgqnq.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 1940 kovhvgkn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ijthrwjhsr.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aqupmtpitbkbn.exe" dnuofiubgkxgqnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tgajvaas = "ijthrwjhsr.exe" dnuofiubgkxgqnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sbvbuipt = "dnuofiubgkxgqnq.exe" dnuofiubgkxgqnq.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\h: kovhvgkn.exe File opened (read-only) \??\l: kovhvgkn.exe File opened (read-only) \??\o: kovhvgkn.exe File opened (read-only) \??\e: kovhvgkn.exe File opened (read-only) \??\i: kovhvgkn.exe File opened (read-only) \??\m: kovhvgkn.exe File opened (read-only) \??\r: kovhvgkn.exe File opened (read-only) \??\u: kovhvgkn.exe File opened (read-only) \??\q: kovhvgkn.exe File opened (read-only) \??\h: ijthrwjhsr.exe File opened (read-only) \??\j: kovhvgkn.exe File opened (read-only) \??\e: ijthrwjhsr.exe File opened (read-only) \??\u: ijthrwjhsr.exe File opened (read-only) \??\a: kovhvgkn.exe File opened (read-only) \??\l: kovhvgkn.exe File opened (read-only) \??\p: kovhvgkn.exe File opened (read-only) \??\s: kovhvgkn.exe File opened (read-only) \??\b: kovhvgkn.exe File opened (read-only) \??\i: kovhvgkn.exe File opened (read-only) \??\b: ijthrwjhsr.exe File opened (read-only) \??\l: ijthrwjhsr.exe File opened (read-only) \??\o: ijthrwjhsr.exe File opened (read-only) \??\t: kovhvgkn.exe File opened (read-only) \??\s: kovhvgkn.exe File opened (read-only) \??\i: ijthrwjhsr.exe File opened (read-only) \??\v: kovhvgkn.exe File opened (read-only) \??\v: kovhvgkn.exe File opened (read-only) \??\n: ijthrwjhsr.exe File opened (read-only) \??\x: ijthrwjhsr.exe File opened (read-only) \??\z: ijthrwjhsr.exe File opened (read-only) \??\u: kovhvgkn.exe File opened (read-only) \??\r: ijthrwjhsr.exe File opened (read-only) \??\o: kovhvgkn.exe File opened (read-only) \??\w: kovhvgkn.exe File opened (read-only) \??\y: kovhvgkn.exe File opened (read-only) \??\n: kovhvgkn.exe File opened (read-only) \??\t: kovhvgkn.exe File opened (read-only) \??\q: ijthrwjhsr.exe File opened (read-only) \??\j: kovhvgkn.exe File opened (read-only) \??\m: kovhvgkn.exe File opened (read-only) \??\g: kovhvgkn.exe File opened (read-only) \??\x: kovhvgkn.exe File opened (read-only) \??\z: kovhvgkn.exe File opened (read-only) \??\w: kovhvgkn.exe File opened (read-only) \??\z: kovhvgkn.exe File opened (read-only) \??\p: ijthrwjhsr.exe File opened (read-only) \??\y: ijthrwjhsr.exe File opened (read-only) \??\b: kovhvgkn.exe File opened (read-only) \??\p: kovhvgkn.exe File opened (read-only) \??\y: kovhvgkn.exe File opened (read-only) \??\a: ijthrwjhsr.exe File opened (read-only) \??\k: ijthrwjhsr.exe File opened (read-only) \??\k: kovhvgkn.exe File opened (read-only) \??\j: ijthrwjhsr.exe File opened (read-only) \??\n: kovhvgkn.exe File opened (read-only) \??\q: kovhvgkn.exe File opened (read-only) \??\k: kovhvgkn.exe File opened (read-only) \??\x: kovhvgkn.exe File opened (read-only) \??\h: kovhvgkn.exe File opened (read-only) \??\g: kovhvgkn.exe File opened (read-only) \??\m: ijthrwjhsr.exe File opened (read-only) \??\s: ijthrwjhsr.exe File opened (read-only) \??\v: ijthrwjhsr.exe File opened (read-only) \??\g: ijthrwjhsr.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ijthrwjhsr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ijthrwjhsr.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3004-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0006000000023214-5.dat autoit_exe behavioral2/files/0x0007000000023210-18.dat autoit_exe behavioral2/files/0x0006000000023214-22.dat autoit_exe behavioral2/files/0x0006000000023214-23.dat autoit_exe behavioral2/files/0x0006000000023215-26.dat autoit_exe behavioral2/files/0x0006000000023215-27.dat autoit_exe behavioral2/files/0x0006000000023216-32.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ijthrwjhsr.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification C:\Windows\SysWOW64\dnuofiubgkxgqnq.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File opened for modification C:\Windows\SysWOW64\kovhvgkn.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File created C:\Windows\SysWOW64\aqupmtpitbkbn.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ijthrwjhsr.exe File created C:\Windows\SysWOW64\ijthrwjhsr.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File created C:\Windows\SysWOW64\dnuofiubgkxgqnq.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File created C:\Windows\SysWOW64\kovhvgkn.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File opened for modification C:\Windows\SysWOW64\aqupmtpitbkbn.exe 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe kovhvgkn.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kovhvgkn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kovhvgkn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kovhvgkn.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kovhvgkn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal kovhvgkn.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe kovhvgkn.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal kovhvgkn.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification C:\Windows\mydoc.rtf 0d9f474df29eb4ffb4d1f4e635f7ed11.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kovhvgkn.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe kovhvgkn.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe kovhvgkn.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe kovhvgkn.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FABAFE13F196830F3B31819E3993B08802FF4260033EE2CF42EE09D2" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCF94F5C826A9135D6587E95BDE4E636594567356345D79A" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC60814E4DAC0B9C17C92EC9E37CD" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C0D9D2D83576D3E77D770552CD67CF665DB" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B15A449339EA52C8BAD5329ED7C8" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ijthrwjhsr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ijthrwjhsr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ijthrwjhsr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ijthrwjhsr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ijthrwjhsr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ijthrwjhsr.exe Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ijthrwjhsr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ijthrwjhsr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BB2FE1C21A9D109D0D68A789010" 0d9f474df29eb4ffb4d1f4e635f7ed11.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ijthrwjhsr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ijthrwjhsr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ijthrwjhsr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ijthrwjhsr.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 880 WINWORD.EXE 880 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 628 dnuofiubgkxgqnq.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 1900 aqupmtpitbkbn.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 628 dnuofiubgkxgqnq.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 1268 ijthrwjhsr.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 2336 kovhvgkn.exe 1900 aqupmtpitbkbn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe 1940 kovhvgkn.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE 880 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3004 wrote to memory of 1268 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 88 PID 3004 wrote to memory of 1268 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 88 PID 3004 wrote to memory of 1268 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 88 PID 3004 wrote to memory of 628 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 98 PID 3004 wrote to memory of 628 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 98 PID 3004 wrote to memory of 628 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 98 PID 3004 wrote to memory of 2336 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 89 PID 3004 wrote to memory of 2336 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 89 PID 3004 wrote to memory of 2336 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 89 PID 3004 wrote to memory of 1900 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 90 PID 3004 wrote to memory of 1900 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 90 PID 3004 wrote to memory of 1900 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 90 PID 3004 wrote to memory of 880 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 93 PID 3004 wrote to memory of 880 3004 0d9f474df29eb4ffb4d1f4e635f7ed11.exe 93 PID 1268 wrote to memory of 1940 1268 ijthrwjhsr.exe 97 PID 1268 wrote to memory of 1940 1268 ijthrwjhsr.exe 97 PID 1268 wrote to memory of 1940 1268 ijthrwjhsr.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d9f474df29eb4ffb4d1f4e635f7ed11.exe"C:\Users\Admin\AppData\Local\Temp\0d9f474df29eb4ffb4d1f4e635f7ed11.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\ijthrwjhsr.exeijthrwjhsr.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\SysWOW64\kovhvgkn.exeC:\Windows\system32\kovhvgkn.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1940
-
-
-
C:\Windows\SysWOW64\kovhvgkn.exekovhvgkn.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2336
-
-
C:\Windows\SysWOW64\aqupmtpitbkbn.exeaqupmtpitbkbn.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1900
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:880
-
-
C:\Windows\SysWOW64\dnuofiubgkxgqnq.exednuofiubgkxgqnq.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:628
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5ce804af6eda0e84a780c26522a2ecc7b
SHA1357f52bafb481c67eab273e11d92b6ee030a72d9
SHA256416ce969cb43f8be6eac48d769660bfe858612c61b34da8d4cf564a70b617471
SHA5122590277fc2ad1dbe71ee79df2c10f163839c2fef5841ffb93b8ff6164f4bc316a2557b5e142e5bacbcdc3980de40c84fdb425484f69f9a4499a506ef0d194ea6
-
Filesize
320KB
MD540eccbf82b7b8fc916befc4f91646a41
SHA19b26728b4c732bfeb504f70ab523d90def972d37
SHA2561dc118e41bf637830be03d9bfe6d57960cf8dc9dbe9c8302a78e3406285bbaaa
SHA5124714d4a188098bfac7feb042ef4c6f0236e826c335c740df7f47d60f0e70d50c5eeaf73e1b94afb0408bd8c6b5ef6fa9d49577a6ac214ce115f4b6db0b341cdf
-
Filesize
128KB
MD533be84de0fa03c6883fec2ead970e3ba
SHA1dbe35ed4343779aa93200c24966ccb805e18f223
SHA256ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
SHA5123e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
-
Filesize
512KB
MD5a2277286e3d59f98e4a986c4aeb24463
SHA15bad83260ab2f6f45a60513f7ee403f237ca6b46
SHA2561c1e849a97bd428bb5e5340146fafe9765936ce6d02ed560a6469652a3de99cf
SHA512f1e8204822319b69a743c8a586e82c92f9200732369792da1a219bd6075124da708ed73633d8131cfa64c90a56a1b1ea3aa3b6e776c8389fb6eafb34bbf9c28a
-
Filesize
512KB
MD561bec51c286e11385579f8ae0b014297
SHA1b4c6d23b6b20b10428988a96db92bc05bd3cce54
SHA256ecb9971ad92333870b3bbad1fc530898db6ef05e7e16c2a7231e496a12cecf70
SHA512c7fcd78a1795813176d9952d4be61f646ab2666d5a2b2c10fb3a51823764be412ebebb9de585bdb66c66e2e43d919522dddd6df457285ba2669f013ca2f7773d
-
Filesize
512KB
MD5ec846f4bc0dd756e7cfbf3f09d6254e4
SHA170e094712a82ffc2b1ff37162f4aa7efbee222a1
SHA2568d96f4e3b28460ab71888fa1ad476b0831c9cba70f5beb055f8e23231e91d105
SHA51232e488186acad8cc2e4fd30df025903ae9dbf9dfd4b4581c40c0fb11f436524a11a9decb07d5ef21bc9055fba2e748f851c9831574d8eca31d457dfab0af1d2d