Analysis

- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2023, 11:32

Static task: static1

Behavioral task: behavioral1
- Sample: 1b13ba682cbadbe31a665942343aa3c3.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 1b13ba682cbadbe31a665942343aa3c3.exe
- Resource: win10v2004-20231215-en
General

- Target: 1b13ba682cbadbe31a665942343aa3c3.exe
- Size: 512KB
- MD5: 1b13ba682cbadbe31a665942343aa3c3
- SHA1: fbe7dd31c41c03b36bede2a6bb09c5238f387a18
- SHA256: 4bf3a7214edda9c12844804e7be52fbbcd0d698a205187d9a907fcce12d0b387
- SHA512: f14b5429ad379ffca662b45f49ee7da9737de8144de37861af60d4faa86288408c674db659e5753827d2b9d58dba4283ceab2c848ae50f3b00171a94b764c81f
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dsojrjjsaq.exe |
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dsojrjjsaq.exe |

Windows security bypass 5 IoCs (signature name taken from the process tree below; the heading was lost in extraction)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dsojrjjsaq.exe |
Disables RegEdit via registry modification 1 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dsojrjjsaq.exe |
Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 1b13ba682cbadbe31a665942343aa3c3.exe |
Executes dropped EXE 5 IoCs

| pid | Process |
|---|---|
| 3288 | dsojrjjsaq.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 3744 | subbsmypjcqen.exe |
| 4148 | rdgamffl.exe |
Reads user/profile data of web browsers 2 TTPs

Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs (signature name taken from the process tree below; the heading was lost in extraction)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dsojrjjsaq.exe |
Adds Run key to start application 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uapurgwi = "dsojrjjsaq.exe" | fshkovdhgwqrzkn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ihcovpsm = "fshkovdhgwqrzkn.exe" | fshkovdhgwqrzkn.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "subbsmypjcqen.exe" | fshkovdhgwqrzkn.exe |
Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\j: | dsojrjjsaq.exe |
| File opened (read-only) | \??\j: | rdgamffl.exe |
| File opened (read-only) | \??\q: | rdgamffl.exe |
| File opened (read-only) | \??\r: | rdgamffl.exe |
| File opened (read-only) | \??\b: | dsojrjjsaq.exe |
| File opened (read-only) | \??\h: | dsojrjjsaq.exe |
| File opened (read-only) | \??\i: | dsojrjjsaq.exe |
| File opened (read-only) | \??\w: | dsojrjjsaq.exe |
| File opened (read-only) | \??\b: | rdgamffl.exe |
| File opened (read-only) | \??\e: | rdgamffl.exe |
| File opened (read-only) | \??\l: | rdgamffl.exe |
| File opened (read-only) | \??\t: | rdgamffl.exe |
| File opened (read-only) | \??\a: | dsojrjjsaq.exe |
| File opened (read-only) | \??\m: | dsojrjjsaq.exe |
| File opened (read-only) | \??\w: | rdgamffl.exe |
| File opened (read-only) | \??\n: | dsojrjjsaq.exe |
| File opened (read-only) | \??\y: | dsojrjjsaq.exe |
| File opened (read-only) | \??\g: | rdgamffl.exe |
| File opened (read-only) | \??\h: | rdgamffl.exe |
| File opened (read-only) | \??\n: | rdgamffl.exe |
| File opened (read-only) | \??\k: | dsojrjjsaq.exe |
| File opened (read-only) | \??\o: | dsojrjjsaq.exe |
| File opened (read-only) | \??\s: | dsojrjjsaq.exe |
| File opened (read-only) | \??\z: | dsojrjjsaq.exe |
| File opened (read-only) | \??\k: | rdgamffl.exe |
| File opened (read-only) | \??\b: | rdgamffl.exe |
| File opened (read-only) | \??\p: | rdgamffl.exe |
| File opened (read-only) | \??\l: | dsojrjjsaq.exe |
| File opened (read-only) | \??\x: | rdgamffl.exe |
| File opened (read-only) | \??\z: | rdgamffl.exe |
| File opened (read-only) | \??\a: | rdgamffl.exe |
| File opened (read-only) | \??\e: | rdgamffl.exe |
| File opened (read-only) | \??\x: | rdgamffl.exe |
| File opened (read-only) | \??\y: | rdgamffl.exe |
| File opened (read-only) | \??\g: | dsojrjjsaq.exe |
| File opened (read-only) | \??\j: | rdgamffl.exe |
| File opened (read-only) | \??\z: | rdgamffl.exe |
| File opened (read-only) | \??\p: | dsojrjjsaq.exe |
| File opened (read-only) | \??\r: | rdgamffl.exe |
| File opened (read-only) | \??\w: | rdgamffl.exe |
| File opened (read-only) | \??\m: | rdgamffl.exe |
| File opened (read-only) | \??\u: | rdgamffl.exe |
| File opened (read-only) | \??\e: | dsojrjjsaq.exe |
| File opened (read-only) | \??\q: | dsojrjjsaq.exe |
| File opened (read-only) | \??\m: | rdgamffl.exe |
| File opened (read-only) | \??\n: | rdgamffl.exe |
| File opened (read-only) | \??\s: | rdgamffl.exe |
| File opened (read-only) | \??\t: | rdgamffl.exe |
| File opened (read-only) | \??\h: | rdgamffl.exe |
| File opened (read-only) | \??\v: | dsojrjjsaq.exe |
| File opened (read-only) | \??\g: | rdgamffl.exe |
| File opened (read-only) | \??\i: | rdgamffl.exe |
| File opened (read-only) | \??\o: | rdgamffl.exe |
| File opened (read-only) | \??\v: | rdgamffl.exe |
| File opened (read-only) | \??\u: | dsojrjjsaq.exe |
| File opened (read-only) | \??\x: | dsojrjjsaq.exe |
| File opened (read-only) | \??\v: | rdgamffl.exe |
| File opened (read-only) | \??\y: | rdgamffl.exe |
| File opened (read-only) | \??\i: | rdgamffl.exe |
| File opened (read-only) | \??\l: | rdgamffl.exe |
| File opened (read-only) | \??\p: | rdgamffl.exe |
| File opened (read-only) | \??\q: | rdgamffl.exe |
| File opened (read-only) | \??\s: | rdgamffl.exe |
| File opened (read-only) | \??\u: | rdgamffl.exe |
Modifies WinLogon 2 TTPs 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dsojrjjsaq.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dsojrjjsaq.exe |
AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

| resource | yara_rule |
|---|---|
| behavioral2/memory/508-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe |
| behavioral2/files/0x000800000002320d-5.dat | autoit_exe |
| behavioral2/files/0x000c000000023200-19.dat | autoit_exe |
| behavioral2/files/0x0006000000023219-28.dat | autoit_exe |
| behavioral2/files/0x0006000000023219-27.dat | autoit_exe |
| behavioral2/files/0x000600000002321a-32.dat | autoit_exe |
| behavioral2/files/0x000800000002320d-26.dat | autoit_exe |
| behavioral2/files/0x000600000002321a-31.dat | autoit_exe |
| behavioral2/files/0x000800000002320d-23.dat | autoit_exe |
| behavioral2/files/0x000c000000023200-18.dat | autoit_exe |
| behavioral2/files/0x0006000000023219-43.dat | autoit_exe |
| behavioral2/files/0x0006000000023226-74.dat | autoit_exe |
| behavioral2/files/0x0006000000023225-71.dat | autoit_exe |
| behavioral2/files/0x0006000000023233-83.dat | autoit_exe |
| behavioral2/files/0x0006000000023233-97.dat | autoit_exe |
Drops file in System32 directory 13 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\rdgamffl.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | C:\Windows\SysWOW64\rdgamffl.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dsojrjjsaq.exe |
| File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | C:\Windows\SysWOW64\dsojrjjsaq.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File created | C:\Windows\SysWOW64\fshkovdhgwqrzkn.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | C:\Windows\SysWOW64\fshkovdhgwqrzkn.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | C:\Windows\SysWOW64\dsojrjjsaq.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File created | C:\Windows\SysWOW64\subbsmypjcqen.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | C:\Windows\SysWOW64\subbsmypjcqen.exe | 1b13ba682cbadbe31a665942343aa3c3.exe |
Drops file in Program Files directory 15 IoCs

| description | ioc | Process |
|---|---|---|
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rdgamffl.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rdgamffl.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rdgamffl.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rdgamffl.exe |
Drops file in Windows directory 19 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | C:\Windows\mydoc.rtf | 1b13ba682cbadbe31a665942343aa3c3.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rdgamffl.exe |
| File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE |
Enumerates physical storage devices 1 TTPs

Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
Modifies registry class 20 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C67915E1DAB4B9B97FE4ECE434BD" | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dsojrjjsaq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dsojrjjsaq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dsojrjjsaq.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dsojrjjsaq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB4FF1F22DDD172D0A98B7E9163" | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFC82485D85139042D72A7E9CBC94E141594466466344D79A" | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dsojrjjsaq.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dsojrjjsaq.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7B9C2683556D3E76A170552DDD7D8F65D8" | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12E479039E353BABAD43293D7CA" | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dsojrjjsaq.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | 1b13ba682cbadbe31a665942343aa3c3.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CEF965F192837F3A47869F3999B08803884269023BE2C442EB08A4" | 1b13ba682cbadbe31a665942343aa3c3.exe |
Suspicious behavior: AddClipboardFormatListener 2 IoCs

| pid | Process |
|---|---|
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs

| pid | Process |
|---|---|
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 3732 | rdgamffl.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
Suspicious use of FindShellTrayWindow 18 IoCs

| pid | Process |
|---|---|
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
Suspicious use of SendNotifyMessage 18 IoCs

| pid | Process |
|---|---|
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 508 | 1b13ba682cbadbe31a665942343aa3c3.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 3288 | dsojrjjsaq.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 4312 | fshkovdhgwqrzkn.exe |
| 3732 | rdgamffl.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 3744 | subbsmypjcqen.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
| 4148 | rdgamffl.exe |
Suspicious use of SetWindowsHookEx 7 IoCs

| pid | Process |
|---|---|
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
| 3324 | WINWORD.EXE |
Suspicious use of WriteProcessMemory 17 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 508 wrote to memory of 3288 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 91 |
| PID 508 wrote to memory of 3288 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 91 |
| PID 508 wrote to memory of 3288 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 91 |
| PID 508 wrote to memory of 4312 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 95 |
| PID 508 wrote to memory of 4312 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 95 |
| PID 508 wrote to memory of 4312 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 95 |
| PID 508 wrote to memory of 3732 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 93 |
| PID 508 wrote to memory of 3732 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 93 |
| PID 508 wrote to memory of 3732 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 93 |
| PID 508 wrote to memory of 3744 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 92 |
| PID 508 wrote to memory of 3744 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 92 |
| PID 508 wrote to memory of 3744 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 92 |
| PID 508 wrote to memory of 3324 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 96 |
| PID 508 wrote to memory of 3324 | 508 | 1b13ba682cbadbe31a665942343aa3c3.exe | 96 |
| PID 3288 wrote to memory of 4148 | 3288 | dsojrjjsaq.exe | 98 |
| PID 3288 wrote to memory of 4148 | 3288 | dsojrjjsaq.exe | 98 |
| PID 3288 wrote to memory of 4148 | 3288 | dsojrjjsaq.exe | 98 |
Processes

Process tree (the number after each entry is its depth in the tree; children are indented under their parent):

- C:\Users\Admin\AppData\Local\Temp\1b13ba682cbadbe31a665942343aa3c3.exe (PID 508, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b13ba682cbadbe31a665942343aa3c3.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - Child: C:\Windows\SysWOW64\dsojrjjsaq.exe (PID 3288, depth 2)
    Command line: dsojrjjsaq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - Child: C:\Windows\SysWOW64\rdgamffl.exe (PID 4148, depth 3)
      Command line: C:\Windows\system32\rdgamffl.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - Child: C:\Windows\SysWOW64\subbsmypjcqen.exe (PID 3744, depth 2)
    Command line: subbsmypjcqen.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - Child: C:\Windows\SysWOW64\rdgamffl.exe (PID 3732, depth 2)
    Command line: rdgamffl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - Child: C:\Windows\SysWOW64\fshkovdhgwqrzkn.exe (PID 4312, depth 2)
    Command line: fshkovdhgwqrzkn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - Child: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3324, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads