Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 25-12-2023 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1dd267c95fb82de848d0262b1b66bc78.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1dd267c95fb82de848d0262b1b66bc78.exe
  Resource: win10v2004-20231222-en
General
Target: 1dd267c95fb82de848d0262b1b66bc78.exe
Size: 512KB
MD5: 1dd267c95fb82de848d0262b1b66bc78
SHA1: 500f1bee0954db7938bd6768dbcc6a83492d8d47
SHA256: 5079511925112402438b5b56358e81e09514239e16c787620b8f562ec41a88b2
SHA512: 21782e675e0fca9c202cd716be92f6aeb9ece4f2b6ad9535e71f14b5c95b59ae69181f5493026fd92b87916ce2c6cc33af58405f2fe24e5e1f00deb3de1f0c33
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vnfxbozsjr.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vnfxbozsjr.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vnfxbozsjr.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vnfxbozsjr.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 1dd267c95fb82de848d0262b1b66bc78.exe
Executes dropped EXE 5 IoCs
pid | Process
1620 | vnfxbozsjr.exe
1296 | bhooaaddkwwvoip.exe
3064 | nqupumjk.exe
2856 | wavywtelqreiq.exe
1356 | nqupumjk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vnfxbozsjr.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xcrwvugo = "vnfxbozsjr.exe" | bhooaaddkwwvoip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dbxyhvni = "bhooaaddkwwvoip.exe" | bhooaaddkwwvoip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wavywtelqreiq.exe" | bhooaaddkwwvoip.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (22 opens, one per letter; c:, d:, f: and m: are not in the list) | vnfxbozsjr.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (42 opens; every letter is opened twice except e:, i:, w: and x:, which are opened once) | nqupumjk.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vnfxbozsjr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vnfxbozsjr.exe
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1368-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000231f0-18.dat | autoit_exe
behavioral2/files/0x00080000000231f3-5.dat | autoit_exe
behavioral2/files/0x00080000000231f0-19.dat | autoit_exe
behavioral2/files/0x00080000000231f3-23.dat | autoit_exe
behavioral2/files/0x0007000000023207-29.dat | autoit_exe
behavioral2/files/0x0007000000023207-28.dat | autoit_exe
behavioral2/files/0x0006000000023208-32.dat | autoit_exe
behavioral2/files/0x0006000000023208-30.dat | autoit_exe
behavioral2/files/0x00080000000231f3-22.dat | autoit_exe
behavioral2/files/0x0007000000023207-36.dat | autoit_exe
behavioral2/files/0x0006000000023216-71.dat | autoit_exe
behavioral2/files/0x0006000000023217-77.dat | autoit_exe
behavioral2/files/0x00080000000231eb-85.dat | autoit_exe
behavioral2/files/0x00080000000231eb-93.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wavywtelqreiq.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File opened for modification | C:\Windows\SysWOW64\vnfxbozsjr.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File opened for modification | C:\Windows\SysWOW64\nqupumjk.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File created | C:\Windows\SysWOW64\wavywtelqreiq.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File created | C:\Windows\SysWOW64\bhooaaddkwwvoip.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vnfxbozsjr.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | C:\Windows\SysWOW64\bhooaaddkwwvoip.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File created | C:\Windows\SysWOW64\nqupumjk.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | C:\Windows\SysWOW64\vnfxbozsjr.exe | 1dd267c95fb82de848d0262b1b66bc78.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nqupumjk.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nqupumjk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqupumjk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqupumjk.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqupumjk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqupumjk.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | nqupumjk.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | nqupumjk.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | nqupumjk.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | nqupumjk.exe
File opened for modification | C:\Windows\mydoc.rtf | 1dd267c95fb82de848d0262b1b66bc78.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | nqupumjk.exe
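Across the three "Drops file" signatures, nqupumjk.exe writes files whose names are document names with .exe appended (MsoIrmProtector.doc.exe under SysWOW64\MSDRM and the WinSxS component stores, PROTTPLN.DOC.exe and PROTTPLV.DOC.exe in the Office16\1033 folder). Combined with the HideFileExt = "1" write recorded for vnfxbozsjr.exe, Explorer shows such a file as MsoIrmProtector.doc. The hunt below is an added example written for this page, not code from the sandbox report or from the sample: it walks a directory tree for <name>.<document extension>.<executable extension> files, notes whether a same-named companion document sits beside each one, and confirms the MZ header so that a renamed text file is not mistaken for a dropped binary. The tree it scans is constructed in a temporary directory, and the two extension lists are assumptions to be tuned per environment.

```python
"""Hunt for <name>.<doc ext>.<exe ext> files like the ones nqupumjk.exe drops next to Office files."""
import os
import re
import tempfile

# Assumed lists: inner extensions that look like documents, outer extensions Windows will execute.
DOC_LIKE = ("doc", "docx", "rtf", "txt", "pdf", "xls", "xlsx", "ppt", "pptx")
EXEC_LIKE = ("exe", "scr", "com", "pif")
_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+)\.(?P<inner>" + "|".join(DOC_LIKE) + r")\.(?P<outer>" + "|".join(EXEC_LIKE) + r")$",
    re.IGNORECASE,
)


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header, i.e. it really is an executable image."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_double_extension_executables(root):
    """One finding per <stem>.<doc ext>.<exec ext> file under root.

    displayed_as     - the name Explorer shows once HideFileExt is 1
    companion_exists - a real <stem>.<doc ext> sits in the same directory (decoy/original pair)
    is_pe            - the file carries a PE header, not merely an executable extension
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}
        for fname in files:
            m = _DOUBLE_EXT.match(fname)
            if not m:
                continue
            displayed = f"{m['stem']}.{m['inner']}"
            full = os.path.join(dirpath, fname)
            findings.append({
                "path": full,
                "displayed_as": displayed,
                "companion_exists": displayed.lower() in lowered,
                "is_pe": is_pe(full),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample tree echoing the report's drop locations (relative paths, fake content)."""
    root = tempfile.mkdtemp(prefix="doc_exe_hunt_")
    fake_pe = b"MZ" + b"\x90" * 62  # only the DOS magic; enough for is_pe()
    layout = {
        "MSDRM/MsoIrmProtector.doc": b"stand-in for the original document",
        "MSDRM/MsoIrmProtector.doc.exe": fake_pe,
        "Office16/1033/PROTTPLN.DOC": b"stand-in for the original template",
        "Office16/1033/PROTTPLN.DOC.exe": fake_pe,
        "Office16/1033/PROTTPLV.DOC.exe": fake_pe,              # dropped without a companion
        "Users/Admin/Documents/report.docx": b"PK benign document",
        "Users/Admin/Downloads/setup.exe": fake_pe,              # single extension: not a finding
        "Users/Admin/Desktop/notes.txt.exe": b"plain text with a misleading name",
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


def demo():
    """Build the constructed tree, scan it and return findings with paths relative to the root."""
    root = build_demo_tree()
    findings = find_double_extension_executables(root)
    for finding in findings:
        finding["path"] = os.path.relpath(finding["path"], root).replace(os.sep, "/")
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host the interesting rows are those with companion_exists and is_pe both true in a directory that should only contain documents; a true companion_exists with is_pe false is the reverse case (a document renamed to look executable) and is usually noise.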
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 1dd267c95fb82de848d0262b1b66bc78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABCF962F196830E3B40869F3995B0FB03884216023FE1B842E909D1" | 1dd267c95fb82de848d0262b1b66bc78.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vnfxbozsjr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C769C5682576A3E76A677552DDD7D8465DB" | 1dd267c95fb82de848d0262b1b66bc78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFFF94F2682189046D6587D90BDE1E633584567426337D6EC" | 1dd267c95fb82de848d0262b1b66bc78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C6081493DBB2B8CC7FE2ED9034B9" | 1dd267c95fb82de848d0262b1b66bc78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B02B449238E252CBBAA6329FD7CD" | 1dd267c95fb82de848d0262b1b66bc78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vnfxbozsjr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB6FF6622DFD109D1D28A7E9165" | 1dd267c95fb82de848d0262b1b66bc78.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vnfxbozsjr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vnfxbozsjr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vnfxbozsjr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vnfxbozsjr.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 1dd267c95fb82de848d0262b1b66bc78.exe
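Every registry IoC attributed to vnfxbozsjr.exe and bhooaaddkwwvoip.exe in the signatures above is a value-set operation: the Explorer HideFileExt/ShowSuperHidden pair, the Security Center *DisableNotify and *Override values, DisableRegistryTools, the Winlogon SFCScan/SFCDisable pair (the recorded "4294967197" is 0xFFFFFF9D read as an unsigned DWORD), the Run entries whose data is a bare file name, and the .bat/.vbs/.reg/.wsf/.wsh/.wsc class defaults redirected to txtfile. They can therefore be matched from Sysmon Event ID 13 (RegistryEvent, value set) telemetry. The script below is an added example written for this page, not code from the sandbox report or from the sample. It assumes events exported as JSON lines carrying Sysmon's Image, TargetObject and Details fields; the sample events are constructed from the IoCs in this report plus two benign writes that must not fire, and the three-distinct-rules triage threshold is an arbitrary choice.

```python
"""Match Sysmon-style registry SetValue events against the registry IoCs listed in this report."""
import json
import re
from collections import defaultdict

# One rule per registry behaviour the report attributes to vnfxbozsjr.exe / bhooaaddkwwvoip.exe:
# (name, regex over the normalised key path, required normalised value, or None for any write).
REGISTRY_RULES = [
    ("explorer_hide_file_ext",
     r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt$", "1"),
    ("explorer_hide_superhidden",
     r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden$", "0"),
    ("disable_registry_tools",
     r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools$", "1"),
    ("security_center_notify",
     r"\\Microsoft\\Security Center\\(AntiVirus|Firewall|Updates)DisableNotify$", "1"),
    ("security_center_override",
     r"\\Microsoft\\Security Center\\((AntiVirus|Firewall)Override|FirstRunDisabled)$", "1"),
    ("winlogon_sfc",
     r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFC(Disable|Scan)$", None),
    ("script_ext_to_txtfile",
     r"\\Classes\\\.(bat|vbs|reg|wsf|wsh|wsc)$", "txtfile"),
    ("run_key_bare_exe",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(\\[^\\]*)?$", None),
]
_HIVES = ((r"^\\REGISTRY\\MACHINE", "HKLM"), (r"^\\REGISTRY\\USER", "HKU"))  # kernel names, as in the report
_BARE_EXE = re.compile(r'^[^\\/:"]+\.exe$', re.IGNORECASE)  # a file name with no directory at all


def normalise_path(target):
    """Canonicalise hive names, the default-value marker and the WOW6432Node view."""
    path = target.rstrip("\\")  # the report names a key's default value with a trailing backslash
    for pattern, hive in _HIVES:
        path = re.sub(pattern, hive, path, count=1, flags=re.IGNORECASE)
    path = re.sub(r"\\\(Default\)$", "", path, flags=re.IGNORECASE)  # Sysmon's default-value form
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.IGNORECASE)  # 32-bit view, same setting


def normalise_value(details):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the report renders them as "1"."""
    if details is None:
        return None
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


def evaluate(event):
    """Return the names of the rules one SetValue event triggers."""
    if event.get("EventType", "SetValue") != "SetValue":
        return []
    path = normalise_path(event["TargetObject"])
    value = normalise_value(event.get("Details"))
    hits = []
    for name, pattern, expected in REGISTRY_RULES:
        if not re.search(pattern, path, re.IGNORECASE):
            continue
        if name == "run_key_bare_exe":
            # A Run entry holding only a file name is resolved through the search path at logon;
            # installers write a full, quoted path, so the bare name is the suspicious shape.
            if value is not None and _BARE_EXE.match(value):
                hits.append(name)
        elif expected is None or value == expected:
            hits.append(name)
    return hits


def scan(json_lines):
    """Collect the distinct rules each writing process triggered: {image: [rule, ...]}."""
    per_process = defaultdict(set)
    for line in json_lines:
        if line.strip():
            event = json.loads(line)
            for rule in evaluate(event):
                per_process[event["Image"]].add(rule)
    return {image: sorted(rules) for image, rules in per_process.items()}


def triage(per_process, threshold=3):
    """Images that hit at least `threshold` distinct rules (the threshold is an arbitrary choice)."""
    return sorted(img for img, rules in per_process.items() if len(rules) >= threshold)


# Constructed events modelled on the IoCs above, plus two benign writes that must not fire.
SAMPLE_EVENTS = r"""
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKU\\S-1-5-21-3803511929-1339359695-2191195476-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","Details":"DWORD (0x00000001)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKU\\S-1-5-21-3803511929-1339359695-2191195476-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden","Details":"DWORD (0x00000000)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify","Details":"DWORD (0x00000001)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\FirewallOverride","Details":"DWORD (0x00000001)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKU\\S-1-5-21-3803511929-1339359695-2191195476-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools","Details":"DWORD (0x00000001)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable","Details":"DWORD (0xFFFFFF9D)"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\vnfxbozsjr.exe","TargetObject":"HKLM\\SOFTWARE\\Classes\\.vbs\\(Default)","Details":"txtfile"}
{"EventType":"SetValue","Image":"C:\\Windows\\SysWOW64\\bhooaaddkwwvoip.exe","TargetObject":"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\xcrwvugo","Details":"vnfxbozsjr.exe"}
{"EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-3803511929-1339359695-2191195476-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt","Details":"DWORD (0x00000000)"}
{"EventType":"SetValue","Image":"C:\\Windows\\System32\\msiexec.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","Details":"\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"}
"""


def demo():
    """Run the rules over the constructed events."""
    return scan(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    hits = demo()
    print(hits)
    print("triage:", triage(hits))
```

Two design points: the path normaliser folds the WOW6432Node view into the native path, because a 32-bit process such as vnfxbozsjr.exe writes the 32-bit view of Security Center and Winlogon keys but the setting it changes is the same; and the Run-key rule keys on the shape of the data (a bare file name) rather than on the random value names, which change per infection.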
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | rows
2860 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows (in listed order)
1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 16
1620 | vnfxbozsjr.exe | 10
1296 | bhooaaddkwwvoip.exe | 10
3064 | nqupumjk.exe | 8
2856 | wavywtelqreiq.exe | 12
1296 | bhooaaddkwwvoip.exe | 2
1356 | nqupumjk.exe | 6
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | rows
1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 3
1620 | vnfxbozsjr.exe | 3
1296 | bhooaaddkwwvoip.exe | 3
3064 | nqupumjk.exe | 3 (interleaved with 2856)
2856 | wavywtelqreiq.exe | 3 (interleaved with 3064)
1356 | nqupumjk.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | rows
1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 3
1620 | vnfxbozsjr.exe | 3
1296 | bhooaaddkwwvoip.exe | 3
3064 | nqupumjk.exe | 3 (interleaved with 2856)
2856 | wavywtelqreiq.exe | 3 (interleaved with 3064)
1356 | nqupumjk.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | rows
2860 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | rows
PID 1368 wrote to memory of 1620 | 1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 88 | 3
PID 1368 wrote to memory of 1296 | 1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 89 | 3
PID 1368 wrote to memory of 3064 | 1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 91 | 3
PID 1368 wrote to memory of 2856 | 1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 90 | 3
PID 1368 wrote to memory of 2860 | 1368 | 1dd267c95fb82de848d0262b1b66bc78.exe | 92 | 2
PID 1620 wrote to memory of 1356 | 1620 | vnfxbozsjr.exe | 96 | 3
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\1dd267c95fb82de848d0262b1b66bc78.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1dd267c95fb82de848d0262b1b66bc78.exe"
  PID: 1368
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\vnfxbozsjr.exe
    command line: vnfxbozsjr.exe
    PID: 1620
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\nqupumjk.exe
      command line: C:\Windows\system32\nqupumjk.exe
      PID: 1356
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  (depth 2) C:\Windows\SysWOW64\bhooaaddkwwvoip.exe
    command line: bhooaaddkwwvoip.exe
    PID: 1296
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  (depth 2) C:\Windows\SysWOW64\wavywtelqreiq.exe
    command line: wavywtelqreiq.exe
    PID: 2856
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  (depth 2) C:\Windows\SysWOW64\nqupumjk.exe
    command line: nqupumjk.exe
    PID: 3064
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  (depth 2) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2860
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 92KB
MD5: defcf0baae1664c86124b64d2bb1cfa9
SHA1: 28ef9079d96428da3715a30debcd67c0e7a8fd92
SHA256: b31abccd2d0ecab21e186b8ae60242b56b02fe7ebe576a8bc6828281e673d784
SHA512: b0c083a1f85f9ac8716c92407abed299e507b56df41df37e626d387cdc99d810bb5853de3d5b7950d56aa8432fe28b8e1960bdc44a7d3a8fe4c62edaec8b6b2d

Filesize: 113KB
MD5: 945ec5730e3785a5e77756e5c44329ea
SHA1: 2a41daebc7df477343011bf6fe76dc1621a2b051
SHA256: 8082628a2bc21868952ab94cc2ea416482e3595d566086520d4e12d8fd534d59
SHA512: a5b096efb92fde8d0fbe82d9413eea14b0d81af326f504ef22e9c7aaaf000e99c9bb80f0528f8ec9a1abfdbe91d2a0406e7c9eeea3819f197f3eed0beaa4bbff

Filesize: 239B
MD5: 408ff72ac77dfbd94124373f0a45a68e
SHA1: 3d2ca24fe5531456ace256f7fbedd6dc6f553646
SHA256: 035fe50fb10220afc92b62741669d0936114689bda12e37d0deee3cf7fc44fba
SHA512: df506c72f762d2a0a024ac9a98f1eaa074d286041a4b743717d3c489f47f7d0ddc7a8e08bdd7f45f515a9283a3bd7fb629beb11f00a05f78a4f17d34a428cd7b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: cc4d4b358046d0841731915c49ec00db
SHA1: a02f132ed4ac9e4e63a3c9533f2c01a92c74bfb3
SHA256: 1340ed7b7b5c7293753f2c3c1f837bfd702f7bfa0d8817766d5397fc41c17e46
SHA512: 9f600d4b435afc925e86f3534a493d6774a6bccb4a75b65b449ff2b500b6436cb692ea61412cd25962f23309b27e11f4d44d0dd7ce9e32e67740c2655e53aa37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 850bd5bed1d6c9d225a172db7edf4e01
SHA1: 53154f6ca8d819be26e5ffd532e1d42b44975468
SHA256: 6bb1bc36ce1d9e971fa89dce4c0476cdc651158da5c21b625506d9c0b64bbeb9
SHA512: c6becef33923bf6e0efc4befe64a2e09f2f828802cde93e08501e6f26995f4cf7ec0960e068ad84ebc5b52cca0adbfda0e3f44caa55ef9fae5e57336827fecd6

Filesize: 466KB
MD5: b2e612e7fb5584996543995d514b057d
SHA1: c0842d1647e8a320f734f8b68d62fc649318cc0e
SHA256: c1a61c1e199d79794356058d11c2e452ce92cff52c297a38ce4f19963a16c1c7
SHA512: cce3609b237bfb62866d47b0b41272140d5d265c07abb4774130c385686e7d4ab30d6c5f03bc5ebaf41d155f698d22e65df6f6eacac22ff99a92bd9731357997

Filesize: 438KB
MD5: 12e3cc25b42ea7e8511ad34b8d0528ab
SHA1: 810b14f1a5869dd0adeedbf0c28e92de02714b6a
SHA256: e5cee6d7a08e04c4a8110941d11101c7422ce88de8fe9439541a02a8c3985d3e
SHA512: e16564d8312fcdc915b387fb831cf873c73d387bc29970078282abb58b99dc75449a528d45195aef48c1be298385d14fc8c468e2b30a72f2cc91ca086d419e9a

Filesize: 70KB
MD5: 9e4f0c94c9fae9bf2364952b547b2505
SHA1: 33159deb648e9494d10aba96ce61536a35da78e1
SHA256: 534aa9e2e5f5097ce60ed2b83fbfae8d7fe86487cb48a7a4931fa190f7029f9e
SHA512: 0b1b3d20f9f9dd59301fe7c0337d8d68191877e049a0596fcbddfb137f659eabde56d6987a8c21af2a7f0f9dce4ab2115b425b3b75a1049feaa16eea5dbf74fb

Filesize: 277KB
MD5: 52dbf41c0604a2513b35404b838ceef1
SHA1: 0c32ede431ffb8f915a0e7c4f8d65fd4df285f1a
SHA256: 50797646b8ed440b8f996bfe19b0169918325a4169350612aec84984ebd200e8
SHA512: 3727cb49c4213b0435f94d16020b1f083f4b4c4c889b725c7b3ebfdbb814598e1e7c6e9779b8b9caab9824b110579241e5bea60cc2d64f226d190e053dafb0f8

Filesize: 335KB
MD5: 9921ef3de7cc210152a085eb666af3e2
SHA1: cfcc18fbbbd140bcd61905a55c8958b21be2fb06
SHA256: 68c383c1169386e70a483460c75e077dde1eb2016bc901061dbbd4848505e00a
SHA512: 3e003510b7ab985d08e3cc777986e360d24718156952eada29a9325b4521ad9ae7e2bde351afae695457c51450f009cd6e6e2c055718bf020951b59ae905c2af

Filesize: 501KB
MD5: f74a6dfa40207bf43f9456d4dc6d4588
SHA1: 6096ae78bdf5f690d07f2f834ace94580dcdbfd9
SHA256: c7114fc43beb49b54c4a05d0ea2029606e5e6739e61e28c2a215c343ff7e87a2
SHA512: 811b3a13b6292866a95b41bc914c523e9cf7f38b2a368cedb40dc9bd5c252a949f51cc3104471f7b6c7b8ecdf0239dd149aef2423a9e07b71a6696b7469bf457

Filesize: 49KB
MD5: 7728bc91c925609cb76d44e34ff19975
SHA1: d3da8ba1e7cca6b785fd6fe932243005ab2a55c4
SHA256: ac6fdb67281259cc26e54d7e12ab6aefddcc94abc03e47596203bef9655f04ce
SHA512: 1b115eaf603157e5717aa2c799a098825bdd455b36c58e92f154632213c7b5795a0df1beda04c3199396f731dcf6ea1b9fede08d6739d71ceb8d63af3070817b

Filesize: 51KB
MD5: 172c8beae04740aa7223afd0f8fdb961
SHA1: fba782a18328f70dc9b60b4b1b05cea7d4bc94bb
SHA256: be94ad5df6ba0b709a0d020d7a0aa0f4f9893fbab5840f72616052c91c37a97e
SHA512: 534cdb71df6b94c5ac14896fb3168c255964422e84cf336bb0e113ab437c0e05cc7909320001b77063d5f7a2158b05a459e2d35cf3f43533695a5db94f0df2a1

Filesize: 512KB
MD5: 1c8f084a2b3d7c31d039cdf9d245bbb4
SHA1: 1ded7b15bfeb77b03c7ff78a6b92316fdfb1c10c
SHA256: 7317a781c5a2bac0fa8b989c073f78aa5da83b79fbc1e5e3d1b87ccd6761796e
SHA512: c956aa884ab391dcd62f7ec4d54e2a57084c8061b51f6bf729b81b3c43ab95721adbf23f9db35d9bce6196d8456ab01f5a6a31c53044c967ced6fd83dd904ba4

Filesize: 474KB
MD5: b69a965459d4eca125378611585e9aef
SHA1: 72d121903f7047b447bb75129dd83426ebb4b6ef
SHA256: 1f6a3e723574108b7bf9542383cb62bab59fbe28b159e916815553ff0fd3c040
SHA512: 3181cfce9289f20c17f9a66347e1876c7feb66e3912e72135ac43dd9be928c4842c9d44ccb9aae23bd05292d6305b293ba22e930cc8582dc99f0b99269e80d2b

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 166KB
MD5: ea6aee67c3127319165bf6fdfc31ca4e
SHA1: a53ac8d1ef8b1c43843be3e6dbd76a34d2cc4a89
SHA256: 94e0fd0e13296c3faca74bfdbf0d910277586fe3e14abada38a363d0f0d77874
SHA512: c8cdd98e3cadf347be02dc5e94b8a969454781326bf160c1a442c937b68672f678810b2dfc8aa280111d0d1751b2a575a546ea5457ad40300799b95e36d81580

Filesize: 512KB
MD5: a853dbbb5b99d136458ccf32b3a85b35
SHA1: 47b73433e1ee1eec57a6a51b63de7680ad701445
SHA256: 292c23063b9ea71c6d741f656cca540f1f187cc8cd3c98f4bd8af29b16524d47
SHA512: a9a28732f961745e0cc5987898c747a76a729c8b78ce5fa2803ecebf266632981b4d432dc07d557ea42fea2700052b2cde80f674918db438b0e41e591eed2787