Analysis
max time kernel: 165s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 12:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1dbc0306bd804f227e707cdda7046f5a.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1dbc0306bd804f227e707cdda7046f5a.exe
  Resource: win10v2004-20231215-en
General
Target: 1dbc0306bd804f227e707cdda7046f5a.exe
Size: 512KB
MD5: 1dbc0306bd804f227e707cdda7046f5a
SHA1: ad03d6a82f62b384361f2f26ea88e1b883d58505
SHA256: 5d24d558dceab8702752e69e8a89c393d7c3d4a2463e6aeba01306fe8d8c331f
SHA512: 6ee22544e19a55cf63601b8abd761b3348730c5949f31b4de6d5c19b12b0cc876616d2ef473a0bcc83f92b77b72d2461401b214f3218d98dd541dd0529adfdbf
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5T
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | puxizrntml.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | puxizrntml.exe

Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | puxizrntml.exe

Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | puxizrntml.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | 1dbc0306bd804f227e707cdda7046f5a.exe

Executes dropped EXE (5 IoCs)
pid | Process
4932 | puxizrntml.exe
4804 | gelmbjtouwlfbmo.exe
1604 | xfrhduay.exe
652 | mojivspuybvmr.exe
1648 | xfrhduay.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | puxizrntml.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hddgbusr = "gelmbjtouwlfbmo.exe" | gelmbjtouwlfbmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mojivspuybvmr.exe" | gelmbjtouwlfbmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\glujlctk = "puxizrntml.exe" | gelmbjtouwlfbmo.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | puxizrntml.exe
File opened (read-only) | \??\t: | puxizrntml.exe
File opened (read-only) | \??\o: | xfrhduay.exe
File opened (read-only) | \??\n: | xfrhduay.exe
File opened (read-only) | \??\r: | puxizrntml.exe
File opened (read-only) | \??\m: | xfrhduay.exe
File opened (read-only) | \??\h: | puxizrntml.exe
File opened (read-only) | \??\j: | puxizrntml.exe
File opened (read-only) | \??\y: | puxizrntml.exe
File opened (read-only) | \??\i: | xfrhduay.exe
File opened (read-only) | \??\p: | xfrhduay.exe
File opened (read-only) | \??\v: | xfrhduay.exe
File opened (read-only) | \??\a: | xfrhduay.exe
File opened (read-only) | \??\w: | puxizrntml.exe
File opened (read-only) | \??\x: | puxizrntml.exe
File opened (read-only) | \??\h: | xfrhduay.exe
File opened (read-only) | \??\s: | xfrhduay.exe
File opened (read-only) | \??\s: | puxizrntml.exe
File opened (read-only) | \??\e: | xfrhduay.exe
File opened (read-only) | \??\x: | xfrhduay.exe
File opened (read-only) | \??\u: | xfrhduay.exe
File opened (read-only) | \??\m: | puxizrntml.exe
File opened (read-only) | \??\p: | puxizrntml.exe
File opened (read-only) | \??\t: | xfrhduay.exe
File opened (read-only) | \??\l: | xfrhduay.exe
File opened (read-only) | \??\n: | xfrhduay.exe
File opened (read-only) | \??\i: | xfrhduay.exe
File opened (read-only) | \??\m: | xfrhduay.exe
File opened (read-only) | \??\q: | xfrhduay.exe
File opened (read-only) | \??\w: | xfrhduay.exe
File opened (read-only) | \??\l: | xfrhduay.exe
File opened (read-only) | \??\y: | xfrhduay.exe
File opened (read-only) | \??\i: | puxizrntml.exe
File opened (read-only) | \??\g: | xfrhduay.exe
File opened (read-only) | \??\u: | xfrhduay.exe
File opened (read-only) | \??\z: | xfrhduay.exe
File opened (read-only) | \??\e: | xfrhduay.exe
File opened (read-only) | \??\h: | xfrhduay.exe
File opened (read-only) | \??\p: | xfrhduay.exe
File opened (read-only) | \??\k: | puxizrntml.exe
File opened (read-only) | \??\z: | xfrhduay.exe
File opened (read-only) | \??\r: | xfrhduay.exe
File opened (read-only) | \??\g: | puxizrntml.exe
File opened (read-only) | \??\s: | xfrhduay.exe
File opened (read-only) | \??\w: | xfrhduay.exe
File opened (read-only) | \??\v: | puxizrntml.exe
File opened (read-only) | \??\a: | xfrhduay.exe
File opened (read-only) | \??\j: | xfrhduay.exe
File opened (read-only) | \??\t: | xfrhduay.exe
File opened (read-only) | \??\q: | puxizrntml.exe
File opened (read-only) | \??\u: | puxizrntml.exe
File opened (read-only) | \??\z: | puxizrntml.exe
File opened (read-only) | \??\j: | xfrhduay.exe
File opened (read-only) | \??\q: | xfrhduay.exe
File opened (read-only) | \??\y: | xfrhduay.exe
File opened (read-only) | \??\g: | xfrhduay.exe
File opened (read-only) | \??\x: | xfrhduay.exe
File opened (read-only) | \??\a: | puxizrntml.exe
File opened (read-only) | \??\b: | puxizrntml.exe
File opened (read-only) | \??\o: | xfrhduay.exe
File opened (read-only) | \??\b: | xfrhduay.exe
File opened (read-only) | \??\k: | xfrhduay.exe
File opened (read-only) | \??\b: | xfrhduay.exe
File opened (read-only) | \??\r: | xfrhduay.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | puxizrntml.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | puxizrntml.exe

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023225-5.dat | autoit_exe
behavioral2/files/0x0007000000023221-19.dat | autoit_exe
behavioral2/files/0x0006000000023226-24.dat | autoit_exe
behavioral2/files/0x0006000000023227-30.dat | autoit_exe
behavioral2/files/0x00090000000231d3-94.dat | autoit_exe
behavioral2/files/0x000700000002323b-104.dat | autoit_exe
behavioral2/files/0x000600000001e761-128.dat | autoit_exe
behavioral2/files/0x000600000001e761-130.dat | autoit_exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\puxizrntml.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File created | C:\Windows\SysWOW64\gelmbjtouwlfbmo.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File opened for modification | C:\Windows\SysWOW64\gelmbjtouwlfbmo.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File created | C:\Windows\SysWOW64\xfrhduay.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | xfrhduay.exe
File created | C:\Windows\SysWOW64\puxizrntml.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File opened for modification | C:\Windows\SysWOW64\xfrhduay.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File created | C:\Windows\SysWOW64\mojivspuybvmr.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File opened for modification | C:\Windows\SysWOW64\mojivspuybvmr.exe | 1dbc0306bd804f227e707cdda7046f5a.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | puxizrntml.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfrhduay.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfrhduay.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfrhduay.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfrhduay.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfrhduay.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfrhduay.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfrhduay.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfrhduay.exe

Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | C:\Windows\mydoc.rtf | 1dbc0306bd804f227e707cdda7046f5a.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfrhduay.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfrhduay.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | xfrhduay.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfrhduay.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | xfrhduay.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D7D9D2183566D3677D270512DDA7D8364AC" | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FAB1F961F194830B3B4B819F39E5B38A03884364033FE1CC42ED08A5" | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF88482A85189045D65D7E95BC93E640594566416333D6ED" | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB9FF1821A9D27CD0D48B7D9161" | 1dbc0306bd804f227e707cdda7046f5a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | puxizrntml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | puxizrntml.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12C449739EA53CAB9D732EDD4CF" | 1dbc0306bd804f227e707cdda7046f5a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | puxizrntml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | puxizrntml.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | puxizrntml.exe
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67515E6DAC7B8BD7FE1ECE437CB" | 1dbc0306bd804f227e707cdda7046f5a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | puxizrntml.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | puxizrntml.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4004 | WINWORD.EXE
4004 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
1604 | xfrhduay.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
4804 | gelmbjtouwlfbmo.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
1648 | xfrhduay.exe
1648 | xfrhduay.exe
1648 | xfrhduay.exe

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
1928 | 1dbc0306bd804f227e707cdda7046f5a.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
4932 | puxizrntml.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
1604 | xfrhduay.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
4804 | gelmbjtouwlfbmo.exe
652 | mojivspuybvmr.exe
1648 | xfrhduay.exe
1648 | xfrhduay.exe
1648 | xfrhduay.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4004 | WINWORD.EXE
4004 | WINWORD.EXE
4004 | WINWORD.EXE
4004 | WINWORD.EXE
4004 | WINWORD.EXE
4004 | WINWORD.EXE
4004 | WINWORD.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1928 wrote to memory of 4932 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 91
PID 1928 wrote to memory of 4932 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 91
PID 1928 wrote to memory of 4932 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 91
PID 1928 wrote to memory of 4804 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 92
PID 1928 wrote to memory of 4804 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 92
PID 1928 wrote to memory of 4804 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 92
PID 1928 wrote to memory of 1604 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 94
PID 1928 wrote to memory of 1604 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 94
PID 1928 wrote to memory of 1604 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 94
PID 1928 wrote to memory of 652 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 93
PID 1928 wrote to memory of 652 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 93
PID 1928 wrote to memory of 652 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 93
PID 1928 wrote to memory of 4004 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 95
PID 1928 wrote to memory of 4004 | 1928 | 1dbc0306bd804f227e707cdda7046f5a.exe | 95
PID 4932 wrote to memory of 1648 | 4932 | puxizrntml.exe | 97
PID 4932 wrote to memory of 1648 | 4932 | puxizrntml.exe | 97
PID 4932 wrote to memory of 1648 | 4932 | puxizrntml.exe | 97
Processes

C:\Users\Admin\AppData\Local\Temp\1dbc0306bd804f227e707cdda7046f5a.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\1dbc0306bd804f227e707cdda7046f5a.exe"
PID: 1928
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\puxizrntml.exe (depth 2)
  Command line: puxizrntml.exe
  PID: 4932
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xfrhduay.exe (depth 3)
    Command line: C:\Windows\system32\xfrhduay.exe
    PID: 1648
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gelmbjtouwlfbmo.exe (depth 2)
  Command line: gelmbjtouwlfbmo.exe
  PID: 4804
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\mojivspuybvmr.exe (depth 2)
  Command line: mojivspuybvmr.exe
  PID: 652
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xfrhduay.exe (depth 2)
  Command line: xfrhduay.exe
  PID: 1604
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  PID: 4004
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a96b421866739e8fc9d2c22252b48cde
SHA1: 5d9c4725d50f5a988054e1256974394bfc49ddce
SHA256: 65f01c8602ac9cf7d8dd3d267a7d7619549739f11a37dfeb2c17111ea5695bd7
SHA512: 6968acd64b4a6f7e633f8d470a08a1327f4b1e900fb06277a256e1f60fc0d841bca7b632181b0c3a6058df201af50b9e95a74d5a62fc00ef3715d927ee67ad47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2304b8e2b02e36f74b836576ffae6940
SHA1: 44feb86ad11d6905df3c45a4e7d48754c0266242
SHA256: 1ed343df0a190b96210f46560233f67775a005ff32d53f725261349dbde77f2b
SHA512: e4a90628e16b20851ad7eb834ae6933ba3ee60d9fbf88e5ffc31eb9d92fe818dfa19ef410792e67ba162f69d3783b7981e4981c2cfd47cc06e3fa5dc67966eaa

Filesize: 512KB
MD5: 3976d0a329399cc5dcf8985221ffa718
SHA1: 1906fe1631c314133289eb4ebfc48a9417e8431a
SHA256: 4e0de7a388bdea7bf00ded879ccf95b6b82d04d4065f4094af39da5d86fdb315
SHA512: 94bc4449e348ae8e7de255ecc07e827adc3b9fc65dd6de1e7aee3f735e7c6f787b825c01dc6dc1dd776a9433c5a869fa5e25acc49fa68c421dd3f9e58c10abcf

Filesize: 512KB
MD5: b01af587fb9c6571868cfbeac3d8c511
SHA1: 1276c2645b16d732e0f1ecd1678f48abda237fed
SHA256: aa3c491f36455238eb8520fee88ede64c07428c2b0d5faf03cf5fd2e5f0257c6
SHA512: 7a67724b834f3fd8ffb7a41b8b777cd38b0accd8c7833c7d4cd7da9dda5836194dfe6eb45611b12757f600c8b1e33a0a508cdfcea3bf438769ea6b75f642dde1

Filesize: 512KB
MD5: 93ddd279fa8e134da5472486d3a028ae
SHA1: e0f4aa25da7aaef025997a751918293ed91d0cda
SHA256: c5b3e09781543c5da9d817fad2825910f0237115faf6be1548c58b33a8ce9205
SHA512: 9cde5577a6e5139bf8d2a946b67961a5479384689b828058a0feaae4b967ed0d7bef9a3306378fcdff8e28f594cfd6ef9d473a0728c837eb84208af70e5ff984

Filesize: 512KB
MD5: 43bbcf185595e15b82efc78688a13230
SHA1: b5c9f79904e63ab9f7bf1c60b1fe1f7148e61840
SHA256: 7f6ea4f4698df86c7317c9450a3970fc64a82e2f2afdc17d2a8002f294f75998
SHA512: 08010388ed9883fce0e22db22e52d62c22ab61c96ec3d6f8a740dcd2265c30c0f31de01407989887827cbed8388190c406ae27dc3fc4f141d40ef0794c59d86f

Filesize: 512KB
MD5: ad13ed6344f1805d8fffd3b15d5b6a07
SHA1: f067ade70fb0d6939b8663cc65b2d2481b5d074c
SHA256: 30b5d2125bee21320f39419fbfc892d0c3a2136b0154f7ca8a1c47ff18beb0d5
SHA512: c1067a69449272d77970382e29ed12335b487679bf80a8806998420e7dfcb954be3b7c794e6a4a5f131c04ace950e7a56805cd4e4ec12b3f9f30a95a77ae229a

Filesize: 512KB
MD5: 3add76fef5600bc8ea5d65137a36e154
SHA1: 162cd0408d24d1d4720e83509de94ab8658f8453
SHA256: 0e63f218170ea7b63432a92c495fbc94ece4dc825b295e33dcb20a4df8d22ea0
SHA512: 5f6d628757c027282fa8a8a387fe6caa2e062ec9db593de18425f68f5be1ba2497227a116f6897138922b708214bd8112986ffc51803f7fdcea8713785274948

Filesize: 512KB
MD5: fe566ec8359e0fcf5180655cb6659ded
SHA1: 2caf7840df3fa2cd404fd48d52570b6941a4c103
SHA256: 14d15fb937328181ecbe488b96e02b3aeeff6e24618dc09b74d0c22eba19120e
SHA512: 14c4bf93478be5dc19532559a8a3ad438eae87602a23744efffe5ccfcee8d1c54408bc559d3df5321eb52520243c7a9b020e5c61758f2f657c42cd391eb5f93a

Filesize: 512KB
MD5: 6dfe7bba86f4f2a3f23879dd4149cf4c
SHA1: c1ed02ab42a5953bd2a27909b06427e5f0a7c630
SHA256: 275e5eea83c5c939023f8f9d17dfd63e8d2d76544c324afb4310f38227b61df8
SHA512: 204425a9293703aa8ba0419fad76b5df4ece8fbf0f6785ec1cd94d194975916a4ac1447a3c2569faeded9e156819106a14a7787829ca18e21ff74f0bbe3034cb