Analysis
max time kernel: 138s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 07:42

Static task: static1
Behavioral task: behavioral1
  Sample: 0fb00f611a03137f8ba7e6181eabcdd8.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 0fb00f611a03137f8ba7e6181eabcdd8.exe
  Resource: win10v2004-20231215-en

General
Target: 0fb00f611a03137f8ba7e6181eabcdd8.exe
Size: 512KB
MD5: 0fb00f611a03137f8ba7e6181eabcdd8
SHA1: 2d208cdf61eb7c960a08115acea97b9c48c24ee3
SHA256: 3d968a0cf03136ed2f0393ca793437ea34b9f042b5eeb4e5d4a100ec1627b8f8
SHA512: 6b6e4dd0a9bf9550b9fc5d2348f424e081f7634949b368504a94aef3b47f32c36838f642f448a1c9023d3c560d713f65e2ebfe9722e6e2c972961e28a0272d2f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm56

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zxzacxfpnp.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zxzacxfpnp.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxzacxfpnp.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zxzacxfpnp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Executes dropped EXE 5 IoCs
pid | Process
3760 | zxzacxfpnp.exe
3288 | rjekbuzidjwndkv.exe
3896 | qceiltji.exe
380 | adkmcoczqsdbi.exe
2780 | qceiltji.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zxzacxfpnp.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hmdsatdj = "zxzacxfpnp.exe" | rjekbuzidjwndkv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jpdocgyh = "rjekbuzidjwndkv.exe" | rjekbuzidjwndkv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "adkmcoczqsdbi.exe" | rjekbuzidjwndkv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\z: | zxzacxfpnp.exe
File opened (read-only) | \??\b: | qceiltji.exe
File opened (read-only) | \??\u: | qceiltji.exe
File opened (read-only) | \??\r: | zxzacxfpnp.exe
File opened (read-only) | \??\a: | qceiltji.exe
File opened (read-only) | \??\e: | qceiltji.exe
File opened (read-only) | \??\h: | zxzacxfpnp.exe
File opened (read-only) | \??\k: | zxzacxfpnp.exe
File opened (read-only) | \??\q: | zxzacxfpnp.exe
File opened (read-only) | \??\t: | zxzacxfpnp.exe
File opened (read-only) | \??\h: | qceiltji.exe
File opened (read-only) | \??\u: | qceiltji.exe
File opened (read-only) | \??\e: | zxzacxfpnp.exe
File opened (read-only) | \??\s: | zxzacxfpnp.exe
File opened (read-only) | \??\w: | zxzacxfpnp.exe
File opened (read-only) | \??\e: | qceiltji.exe
File opened (read-only) | \??\o: | qceiltji.exe
File opened (read-only) | \??\g: | zxzacxfpnp.exe
File opened (read-only) | \??\j: | qceiltji.exe
File opened (read-only) | \??\n: | zxzacxfpnp.exe
File opened (read-only) | \??\x: | zxzacxfpnp.exe
File opened (read-only) | \??\m: | qceiltji.exe
File opened (read-only) | \??\p: | qceiltji.exe
File opened (read-only) | \??\z: | qceiltji.exe
File opened (read-only) | \??\o: | zxzacxfpnp.exe
File opened (read-only) | \??\k: | qceiltji.exe
File opened (read-only) | \??\q: | qceiltji.exe
File opened (read-only) | \??\r: | qceiltji.exe
File opened (read-only) | \??\v: | qceiltji.exe
File opened (read-only) | \??\s: | qceiltji.exe
File opened (read-only) | \??\z: | qceiltji.exe
File opened (read-only) | \??\n: | qceiltji.exe
File opened (read-only) | \??\b: | zxzacxfpnp.exe
File opened (read-only) | \??\y: | zxzacxfpnp.exe
File opened (read-only) | \??\l: | qceiltji.exe
File opened (read-only) | \??\y: | qceiltji.exe
File opened (read-only) | \??\w: | qceiltji.exe
File opened (read-only) | \??\l: | zxzacxfpnp.exe
File opened (read-only) | \??\h: | qceiltji.exe
File opened (read-only) | \??\x: | qceiltji.exe
File opened (read-only) | \??\s: | qceiltji.exe
File opened (read-only) | \??\y: | qceiltji.exe
File opened (read-only) | \??\g: | qceiltji.exe
File opened (read-only) | \??\i: | zxzacxfpnp.exe
File opened (read-only) | \??\m: | qceiltji.exe
File opened (read-only) | \??\p: | qceiltji.exe
File opened (read-only) | \??\v: | zxzacxfpnp.exe
File opened (read-only) | \??\n: | qceiltji.exe
File opened (read-only) | \??\w: | qceiltji.exe
File opened (read-only) | \??\g: | qceiltji.exe
File opened (read-only) | \??\i: | qceiltji.exe
File opened (read-only) | \??\l: | qceiltji.exe
File opened (read-only) | \??\r: | qceiltji.exe
File opened (read-only) | \??\a: | qceiltji.exe
File opened (read-only) | \??\t: | qceiltji.exe
File opened (read-only) | \??\p: | zxzacxfpnp.exe
File opened (read-only) | \??\v: | qceiltji.exe
File opened (read-only) | \??\m: | zxzacxfpnp.exe
File opened (read-only) | \??\o: | qceiltji.exe
File opened (read-only) | \??\q: | qceiltji.exe
File opened (read-only) | \??\u: | zxzacxfpnp.exe
File opened (read-only) | \??\t: | qceiltji.exe
File opened (read-only) | \??\k: | qceiltji.exe
File opened (read-only) | \??\x: | qceiltji.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zxzacxfpnp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zxzacxfpnp.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2592-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000231fe-5.dat | autoit_exe
behavioral2/files/0x00070000000231fd-19.dat | autoit_exe
behavioral2/files/0x00070000000231fd-18.dat | autoit_exe
behavioral2/files/0x00070000000231fe-22.dat | autoit_exe
behavioral2/files/0x00070000000231fe-23.dat | autoit_exe
behavioral2/files/0x0006000000023201-27.dat | autoit_exe
behavioral2/files/0x0006000000023201-26.dat | autoit_exe
behavioral2/files/0x0006000000023202-30.dat | autoit_exe
behavioral2/files/0x0006000000023201-35.dat | autoit_exe
behavioral2/files/0x0006000000023211-57.dat | autoit_exe
behavioral2/files/0x0006000000023210-54.dat | autoit_exe
behavioral2/files/0x000600000002322b-93.dat | autoit_exe
behavioral2/files/0x000600000002322c-102.dat | autoit_exe
behavioral2/files/0x000600000002322d-108.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\adkmcoczqsdbi.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\SysWOW64\adkmcoczqsdbi.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zxzacxfpnp.exe
File created | C:\Windows\SysWOW64\rjekbuzidjwndkv.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File created | C:\Windows\SysWOW64\qceiltji.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\SysWOW64\rjekbuzidjwndkv.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\SysWOW64\qceiltji.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File created | C:\Windows\SysWOW64\zxzacxfpnp.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\SysWOW64\zxzacxfpnp.exe | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qceiltji.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qceiltji.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qceiltji.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qceiltji.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qceiltji.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qceiltji.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qceiltji.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qceiltji.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 0fb00f611a03137f8ba7e6181eabcdd8.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D0B9D2383276A3F77A770202DDE7D8065D9" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEFABEF913F192830B3A4481EA3998B08B02FE4216034EE1CA42EB09D3" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB129479239EB53B9B9D6329FD7CF" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB8FE1B22DBD208D1D18A7D9160" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zxzacxfpnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zxzacxfpnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zxzacxfpnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF83482B851C9142D7287D96BCE7E633584467436345D79D" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC70E15E6DAB4B8BE7CE3EC9734BA" | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zxzacxfpnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zxzacxfpnp.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | 0fb00f611a03137f8ba7e6181eabcdd8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zxzacxfpnp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zxzacxfpnp.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4040 | WINWORD.EXE
4040 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
2780 | qceiltji.exe
2780 | qceiltji.exe
2780 | qceiltji.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3760 | zxzacxfpnp.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3288 | rjekbuzidjwndkv.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
3896 | qceiltji.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
380 | adkmcoczqsdbi.exe
2780 | qceiltji.exe
2780 | qceiltji.exe
2780 | qceiltji.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4040 | WINWORD.EXE
4040 | WINWORD.EXE
4040 | WINWORD.EXE
4040 | WINWORD.EXE
4040 | WINWORD.EXE
4040 | WINWORD.EXE
4040 | WINWORD.EXE
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 2592 wrote to memory of 3760 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 89
PID 2592 wrote to memory of 3760 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 89
PID 2592 wrote to memory of 3760 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 89
PID 2592 wrote to memory of 3288 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 90
PID 2592 wrote to memory of 3288 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 90
PID 2592 wrote to memory of 3288 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 90
PID 2592 wrote to memory of 3896 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 92
PID 2592 wrote to memory of 3896 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 92
PID 2592 wrote to memory of 3896 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 92
PID 2592 wrote to memory of 380 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 95
PID 2592 wrote to memory of 380 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 95
PID 2592 wrote to memory of 380 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 95
PID 3288 wrote to memory of 3304 | 3288 | rjekbuzidjwndkv.exe | 93
PID 3288 wrote to memory of 3304 | 3288 | rjekbuzidjwndkv.exe | 93
PID 3288 wrote to memory of 3304 | 3288 | rjekbuzidjwndkv.exe | 93
PID 3760 wrote to memory of 2780 | 3760 | zxzacxfpnp.exe | 97
PID 3760 wrote to memory of 2780 | 3760 | zxzacxfpnp.exe | 97
PID 3760 wrote to memory of 2780 | 3760 | zxzacxfpnp.exe | 97
PID 2592 wrote to memory of 4040 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 98
PID 2592 wrote to memory of 4040 | 2592 | 0fb00f611a03137f8ba7e6181eabcdd8.exe | 98
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\0fb00f611a03137f8ba7e6181eabcdd8.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0fb00f611a03137f8ba7e6181eabcdd8.exe"
PID: 2592
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\zxzacxfpnp.exe
    Command line: zxzacxfpnp.exe
    PID: 3760
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\qceiltji.exe
        Command line: C:\Windows\system32\qceiltji.exe
        PID: 2780
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\rjekbuzidjwndkv.exe
    Command line: rjekbuzidjwndkv.exe
    PID: 3288
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c adkmcoczqsdbi.exe
        PID: 3304

    C:\Windows\SysWOW64\qceiltji.exe
    Command line: qceiltji.exe
    PID: 3896
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\adkmcoczqsdbi.exe
    Command line: adkmcoczqsdbi.exe
    PID: 380
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4040
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads