Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 11:07
Static task: static1
Behavioral task: behavioral1
  Sample: 19955cd73613e751555da60dc245ebfc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 19955cd73613e751555da60dc245ebfc.exe
  Resource: win10v2004-20231215-en
General
Target: 19955cd73613e751555da60dc245ebfc.exe
Size: 512KB
MD5: 19955cd73613e751555da60dc245ebfc
SHA1: 859f559cd270011e56a350b84427fddb62cf8b6a
SHA256: 6903753ff33ae8e45b87c5457558bb573194d1aadd26d1963e99e768f50a42c2
SHA512: c72a909c57dbdce715fc287bce1c694c7760435fb43802bde29ebaee892e39c3a5e470e3f8085de10cba214ce32e37d37bb5ece188103b8be45b625ca8a1557a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  nfujhgvqyx.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  nfujhgvqyx.exe
Windows security bypass 5 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  nfujhgvqyx.exe
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  nfujhgvqyx.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  19955cd73613e751555da60dc245ebfc.exe
Executes dropped EXE 5 IoCs
pid  Process
4312  nfujhgvqyx.exe
1740  qbscshcytyqccnh.exe
4512  dznyazzk.exe
3068  waztuofttbeyp.exe
3812  dznyazzk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar material.
Windows security modification 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  nfujhgvqyx.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\budkiugr = "nfujhgvqyx.exe"  qbscshcytyqccnh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mpyelmli = "qbscshcytyqccnh.exe"  qbscshcytyqccnh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "waztuofttbeyp.exe"  qbscshcytyqccnh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  nfujhgvqyx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  nfujhgvqyx.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/2756-0-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
behavioral2/files/0x00090000000231e8-26.dat  autoit_exe
behavioral2/files/0x00070000000231ef-31.dat  autoit_exe
behavioral2/files/0x000e00000002314b-19.dat  autoit_exe
Drops file in System32 directory 13 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\dznyazzk.exe  19955cd73613e751555da60dc245ebfc.exe
File opened for modification  C:\Windows\SysWOW64\waztuofttbeyp.exe  19955cd73613e751555da60dc245ebfc.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  C:\Windows\SysWOW64\qbscshcytyqccnh.exe  19955cd73613e751555da60dc245ebfc.exe
File created  C:\Windows\SysWOW64\nfujhgvqyx.exe  19955cd73613e751555da60dc245ebfc.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  C:\Windows\SysWOW64\nfujhgvqyx.exe  19955cd73613e751555da60dc245ebfc.exe
File opened for modification  C:\Windows\SysWOW64\qbscshcytyqccnh.exe  19955cd73613e751555da60dc245ebfc.exe
File opened for modification  C:\Windows\SysWOW64\dznyazzk.exe  19955cd73613e751555da60dc245ebfc.exe
File created  C:\Windows\SysWOW64\waztuofttbeyp.exe  19955cd73613e751555da60dc245ebfc.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  nfujhgvqyx.exe
Drops file in Program Files directory 22 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  dznyazzk.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  dznyazzk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  dznyazzk.exe
File opened for modification  C:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  dznyazzk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  dznyazzk.exe
File opened for modification  C:\Program Files\MeasureExit.nal  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  dznyazzk.exe
File opened for modification  \??\c:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File opened for modification  C:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File opened for modification  C:\Program Files\MeasureExit.nal  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  dznyazzk.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  dznyazzk.exe
File created  \??\c:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  dznyazzk.exe
File created  \??\c:\Program Files\MeasureExit.doc.exe  dznyazzk.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  dznyazzk.exe
Drops file in Windows directory 19 IoCs
description  ioc  Process
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  dznyazzk.exe
File opened for modification  C:\Windows\mydoc.rtf  19955cd73613e751555da60dc245ebfc.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  dznyazzk.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  dznyazzk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
Modifies registry class 20 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FACDFE11F1E384083B3286983E98B38B03FD4269033AE1CD42EE08A2"  19955cd73613e751555da60dc245ebfc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFF94F2A826E903DD7287D93BC90E636594567426237D6EB"  19955cd73613e751555da60dc245ebfc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368B0FE1B21AAD279D1D28A7E9013"  19955cd73613e751555da60dc245ebfc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70E1490DABEB8C87CE9ED9234B9"  19955cd73613e751555da60dc245ebfc.exe
Key created  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings  19955cd73613e751555da60dc245ebfc.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7E9D2C83556A3476D777202DDF7C8765A8"  19955cd73613e751555da60dc245ebfc.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  nfujhgvqyx.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  nfujhgvqyx.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  nfujhgvqyx.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  nfujhgvqyx.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  nfujhgvqyx.exe
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  19955cd73613e751555da60dc245ebfc.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  nfujhgvqyx.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02047E038EB53CFB9A7339FD7CD"  19955cd73613e751555da60dc245ebfc.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid  Process
4928  WINWORD.EXE
4928  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid  Process
4928  WINWORD.EXE
4928  WINWORD.EXE
4928  WINWORD.EXE
4928  WINWORD.EXE
4928  WINWORD.EXE
4928  WINWORD.EXE
4928  WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description  pid  Process  procid_target
PID 2756 wrote to memory of 4312  2756  19955cd73613e751555da60dc245ebfc.exe  31
PID 2756 wrote to memory of 4312  2756  19955cd73613e751555da60dc245ebfc.exe  31
PID 2756 wrote to memory of 4312  2756  19955cd73613e751555da60dc245ebfc.exe  31
PID 2756 wrote to memory of 1740  2756  19955cd73613e751555da60dc245ebfc.exe  30
PID 2756 wrote to memory of 1740  2756  19955cd73613e751555da60dc245ebfc.exe  30
PID 2756 wrote to memory of 1740  2756  19955cd73613e751555da60dc245ebfc.exe  30
PID 2756 wrote to memory of 4512  2756  19955cd73613e751555da60dc245ebfc.exe  29
PID 2756 wrote to memory of 4512  2756  19955cd73613e751555da60dc245ebfc.exe  29
PID 2756 wrote to memory of 4512  2756  19955cd73613e751555da60dc245ebfc.exe  29
PID 2756 wrote to memory of 3068  2756  19955cd73613e751555da60dc245ebfc.exe  21
PID 2756 wrote to memory of 3068  2756  19955cd73613e751555da60dc245ebfc.exe  21
PID 2756 wrote to memory of 3068  2756  19955cd73613e751555da60dc245ebfc.exe  21
PID 2756 wrote to memory of 4928  2756  19955cd73613e751555da60dc245ebfc.exe  28
PID 2756 wrote to memory of 4928  2756  19955cd73613e751555da60dc245ebfc.exe  28
PID 4312 wrote to memory of 3812  4312  nfujhgvqyx.exe  26
PID 4312 wrote to memory of 3812  4312  nfujhgvqyx.exe  26
PID 4312 wrote to memory of 3812  4312  nfujhgvqyx.exe  26
Processes
C:\Users\Admin\AppData\Local\Temp\19955cd73613e751555da60dc245ebfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19955cd73613e751555da60dc245ebfc.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2756
    C:\Windows\SysWOW64\waztuofttbeyp.exe
      Command line: waztuofttbeyp.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3068
    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
      PID: 4928
    C:\Windows\SysWOW64\dznyazzk.exe
      Command line: dznyazzk.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4512
    C:\Windows\SysWOW64\qbscshcytyqccnh.exe
      Command line: qbscshcytyqccnh.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1740
    C:\Windows\SysWOW64\nfujhgvqyx.exe
      Command line: nfujhgvqyx.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4312
C:\Windows\SysWOW64\dznyazzk.exe
  Command line: C:\Windows\system32\dznyazzk.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3812
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: a6bb5909ce3f331d8a30eafcf9361eeb
SHA1: 3ed8a657133dba046d8d1cb90cd6ce292173374b
SHA256: 4479f30eee08f58807e26295e05ea97ee63f77fa22ecf483f921fbc632a0e572
SHA512: b2d9a2c21f23a1ef5243aaec1812b7ed439eb0a9aeda3df08607b58309ff0cd6229aa1b43014e70e5cb076449944b51ba46dea6576829a2144513f331b680595

Filesize: 512KB
MD5: a0012746d3c5c3e881c5014ba29915c4
SHA1: e3b1bc801b4e5d1dbd782afa76881582e1fab1dc
SHA256: d5a17a992edee5d4d2c639ecbb640fcb91cc348fe59fa198c2fa67198ff3b0f0
SHA512: 0b773b7e54c32bfb9126c39d3e119107647e1c3ba96fdc74d561c68376510096241fb2ce3b55100958960e97c047cb1f87346d76165d1a5b2dbda3fed04e1cd3

Filesize: 512KB
MD5: fdcabf5384641a4bfea12c660657a63d
SHA1: 60d1d743f74e6a0d0b2a06740dcb4d1638357ec0
SHA256: cfe745ae0b2a80b5846b823762c5610024bb098e626620044353cd28ec943e6b
SHA512: 70e08e26d81561144363ed9db8571d1c89f7544855c9cdfefe8523cd7c6d6b2b8049d5789b8f62d46325645dd743b9d75350f86711257a405f1feb1fe89fcc85