Analysis
-
max time kernel
154s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 14:32
Static task
static1
Behavioral task
behavioral1
Sample
25d4370b5f1fb5e124d1cfc1aabe227e.exe
Resource
win7-20231215-en
windows7-x64
Behavioral task
behavioral2
Sample
25d4370b5f1fb5e124d1cfc1aabe227e.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
25d4370b5f1fb5e124d1cfc1aabe227e.exe
-
Size
512KB
-
MD5
25d4370b5f1fb5e124d1cfc1aabe227e
-
SHA1
13e9af386990b7fd7231f969c272af3060816646
-
SHA256
54747e30f6fab547bc4c595c4ecac23c4bcf258141e5625e9a14e9ca27bef39a
-
SHA512
9589772819e3d62b03fcdada8e50b1e33903c05e38f967071aad04883a08ebda60db2204ea8e8ad14a0357368b7772ea32ddb59d0881882bb3326cb26377d84e
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj62:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5b
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" psxtjnequg.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" psxtjnequg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" psxtjnequg.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" psxtjnequg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation 25d4370b5f1fb5e124d1cfc1aabe227e.exe -
Executes dropped EXE 5 IoCs
pid Process 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 2076 qcothyhw.exe 1328 mupaqoimrxema.exe 3464 qcothyhw.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" psxtjnequg.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uvogoebs = "psxtjnequg.exe" ckujbephcbmrqrf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wrwehhqu = "ckujbephcbmrqrf.exe" ckujbephcbmrqrf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mupaqoimrxema.exe" ckujbephcbmrqrf.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\t: qcothyhw.exe File opened (read-only) \??\t: psxtjnequg.exe File opened (read-only) \??\g: qcothyhw.exe File opened (read-only) \??\j: psxtjnequg.exe File opened (read-only) \??\k: psxtjnequg.exe File opened (read-only) \??\u: psxtjnequg.exe File opened (read-only) \??\z: qcothyhw.exe File opened (read-only) \??\g: psxtjnequg.exe File opened (read-only) \??\q: qcothyhw.exe File opened (read-only) \??\x: qcothyhw.exe File opened (read-only) \??\o: psxtjnequg.exe File opened (read-only) \??\b: qcothyhw.exe File opened (read-only) \??\x: psxtjnequg.exe File opened (read-only) \??\e: qcothyhw.exe File opened (read-only) \??\n: qcothyhw.exe File opened (read-only) \??\b: qcothyhw.exe File opened (read-only) \??\x: qcothyhw.exe File opened (read-only) \??\l: qcothyhw.exe File opened (read-only) \??\s: psxtjnequg.exe File opened (read-only) \??\w: psxtjnequg.exe File opened (read-only) \??\w: qcothyhw.exe File opened (read-only) \??\p: psxtjnequg.exe File opened (read-only) \??\v: psxtjnequg.exe File opened (read-only) \??\m: qcothyhw.exe File opened (read-only) \??\v: qcothyhw.exe File opened (read-only) \??\q: psxtjnequg.exe File opened (read-only) \??\u: qcothyhw.exe File opened (read-only) \??\i: psxtjnequg.exe File opened (read-only) \??\s: qcothyhw.exe File opened (read-only) \??\t: qcothyhw.exe File opened (read-only) \??\a: psxtjnequg.exe File opened (read-only) \??\e: psxtjnequg.exe File opened (read-only) \??\z: psxtjnequg.exe File opened (read-only) \??\i: qcothyhw.exe File opened (read-only) \??\h: qcothyhw.exe File opened (read-only) \??\r: qcothyhw.exe File opened (read-only) \??\q: qcothyhw.exe File opened (read-only) \??\w: qcothyhw.exe File opened (read-only) \??\n: psxtjnequg.exe File opened (read-only) \??\i: qcothyhw.exe File opened (read-only) \??\j: qcothyhw.exe File opened (read-only) \??\p: qcothyhw.exe File opened (read-only) \??\v: qcothyhw.exe File opened (read-only) \??\s: qcothyhw.exe File opened (read-only) \??\a: qcothyhw.exe File opened (read-only) \??\j: qcothyhw.exe File opened (read-only) \??\r: qcothyhw.exe File opened (read-only) \??\l: qcothyhw.exe File opened (read-only) \??\u: qcothyhw.exe File opened (read-only) \??\p: qcothyhw.exe File opened (read-only) \??\y: qcothyhw.exe File opened (read-only) \??\a: qcothyhw.exe File opened (read-only) \??\e: qcothyhw.exe File opened (read-only) \??\m: psxtjnequg.exe File opened (read-only) \??\h: qcothyhw.exe File opened (read-only) \??\o: qcothyhw.exe File opened (read-only) \??\z: qcothyhw.exe File opened (read-only) \??\k: qcothyhw.exe File opened (read-only) \??\l: psxtjnequg.exe File opened (read-only) \??\y: psxtjnequg.exe File opened (read-only) \??\k: qcothyhw.exe File opened (read-only) \??\n: qcothyhw.exe File opened (read-only) \??\o: qcothyhw.exe File opened (read-only) \??\y: qcothyhw.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" psxtjnequg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" psxtjnequg.exe -
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/208-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000900000001db1b-5.dat autoit_exe behavioral2/files/0x00070000000231e7-18.dat autoit_exe behavioral2/files/0x00060000000231f2-32.dat autoit_exe behavioral2/files/0x00060000000231f2-31.dat autoit_exe behavioral2/files/0x00060000000231f0-29.dat autoit_exe behavioral2/files/0x00060000000231f0-28.dat autoit_exe behavioral2/files/0x000900000001db1b-23.dat autoit_exe behavioral2/files/0x00060000000231f0-43.dat autoit_exe behavioral2/files/0x00080000000230ae-65.dat autoit_exe behavioral2/files/0x00080000000230a9-61.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\qcothyhw.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File created C:\Windows\SysWOW64\mupaqoimrxema.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\SysWOW64\mupaqoimrxema.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File created C:\Windows\SysWOW64\psxtjnequg.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File created C:\Windows\SysWOW64\ckujbephcbmrqrf.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\SysWOW64\ckujbephcbmrqrf.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\SysWOW64\psxtjnequg.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\SysWOW64\qcothyhw.exe 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll psxtjnequg.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal qcothyhw.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal qcothyhw.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal qcothyhw.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe qcothyhw.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe qcothyhw.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 25d4370b5f1fb5e124d1cfc1aabe227e.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat psxtjnequg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc psxtjnequg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" psxtjnequg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432D7B9D2182206A3676A570232DDF7CF464DE" 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12947E1389F53BDB9A2329DD4BE" 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" psxtjnequg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" psxtjnequg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs psxtjnequg.exe Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC824F5B85699040D7287D9CBDE0E630583067426333D7EC" 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B3FE6B21DFD27FD0D28A7B9010" 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" psxtjnequg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf psxtjnequg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" psxtjnequg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg psxtjnequg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABFFE13F193830B3B44819B3999B08C028F4365023BE2CF459B08D3" 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" psxtjnequg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh psxtjnequg.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 25d4370b5f1fb5e124d1cfc1aabe227e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70814E5DABEB8CC7C95EC9F37CC" 25d4370b5f1fb5e124d1cfc1aabe227e.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2168 WINWORD.EXE 2168 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 4708 psxtjnequg.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 4708 psxtjnequg.exe 4708 psxtjnequg.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 564 ckujbephcbmrqrf.exe 564 ckujbephcbmrqrf.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 2076 qcothyhw.exe 564 ckujbephcbmrqrf.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 1328 mupaqoimrxema.exe 564 ckujbephcbmrqrf.exe 564 ckujbephcbmrqrf.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 3464 qcothyhw.exe 3464 qcothyhw.exe 3464 qcothyhw.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 4708 psxtjnequg.exe 564 ckujbephcbmrqrf.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 1328 mupaqoimrxema.exe 2076 qcothyhw.exe 3464 qcothyhw.exe 3464 qcothyhw.exe 3464 qcothyhw.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE 2168 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 208 wrote to memory of 4708 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 91 PID 208 wrote to memory of 4708 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 91 PID 208 wrote to memory of 4708 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 91 PID 208 wrote to memory of 564 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 92 PID 208 wrote to memory of 564 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 92 PID 208 wrote to memory of 564 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 92 PID 208 wrote to memory of 2076 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 94 PID 208 wrote to memory of 2076 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 94 PID 208 wrote to memory of 2076 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 94 PID 208 wrote to memory of 1328 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 93 PID 208 wrote to memory of 1328 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 93 PID 208 wrote to memory of 1328 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 93 PID 208 wrote to memory of 2168 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 95 PID 208 wrote to memory of 2168 208 25d4370b5f1fb5e124d1cfc1aabe227e.exe 95 PID 4708 wrote to memory of 3464 4708 psxtjnequg.exe 97 PID 4708 wrote to memory of 3464 4708 psxtjnequg.exe 97 PID 4708 wrote to memory of 3464 4708 psxtjnequg.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\25d4370b5f1fb5e124d1cfc1aabe227e.exe"C:\Users\Admin\AppData\Local\Temp\25d4370b5f1fb5e124d1cfc1aabe227e.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\psxtjnequg.exepsxtjnequg.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\SysWOW64\qcothyhw.exeC:\Windows\system32\qcothyhw.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464
-
-
-
C:\Windows\SysWOW64\ckujbephcbmrqrf.execkujbephcbmrqrf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:564
-
-
C:\Windows\SysWOW64\mupaqoimrxema.exemupaqoimrxema.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1328
-
-
C:\Windows\SysWOW64\qcothyhw.exeqcothyhw.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2076
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2168
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD513e703e1fc2d986be604007693b97fd2
SHA187a00d1aa51f7782c1c731edf0f99cd745775706
SHA2562cbc2d7b0d3296fb90f6db99dfe38423a2b058a21f3fdc7cbb0c4ed0cb6cb2b1
SHA512a728285834114f1f55fd337b1d9de04c7790292f72bd196d3770a3684866d0f8aa26d8419f793a097ec3195969acd20b4fd634a3a3af363aae5e4269c49ec36c
-
Filesize
410KB
MD5a2dacdf00139dd2798b6a2e89098d5ba
SHA1267d633463caff888b2d16409ed07e28b58a7d2f
SHA256e4e83f5f4830a8a8fe0b312d4d8d9159835c88a24f92418e7ca2f3ab6b1a243e
SHA512a386ff758d5a24d874de826505d31b0a0a30d7c371c86c68506494be84365267535a25a9944c794178b9b0c558d2f41cee826ffb16fe7941cffa082f2ff491fc
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD59a53b44a25b380d5865ba03716be2e81
SHA1c96e57f6160d71faf5fa038839a10ddd3546ad52
SHA256bbbe63a658c599f59f7da2ec8101ea89b1c659282f7c7271464b4d74d058663f
SHA512d0bf1ba92fbcd3695d29c3a7d501b926f2c7267c0b389907f8bc96ce80991f57797c615a69b0e625b81a6a533083db2636292fbe60bc9597cd711c81f882a75a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5b86aee8df509a477031f7919b925e5af
SHA11f8ad27ac805fbe37369d07b37b8825ef2fbb7cf
SHA256f02aa7da43205c9bec88c063aefb42e32c0208bf239fda6ff3bbf0ff3b943e98
SHA512b833cbc27db9241ecb4f109a304e50c812a82fb1680d2c09a22e5063fcdb54c9180fa775812c03b75be7ba12e311da4b551c61430ed80c8ab578a8484ff18682
-
Filesize
381KB
MD530aec9e0b33fbd99234328357879f812
SHA13c9d37139d4ccfe2b694afba9633170d0f510a92
SHA25615aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
SHA5122060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415
-
Filesize
512KB
MD520b0ef06dec660163a3086f3f5b9ea70
SHA1f274f6fd1d54197554fdbbdac343c7c5b03cf2c8
SHA2567f4c6e59f457f80e7691c42f5ebfc208f3d36aafc5a4aa17af8edc474d2c57c9
SHA5128da2e695a287fae6cf779aa358b73986385212a21981e4359b55d92688cb6fbea02801a172749ce4e94f6672ff02c7872b8f8dccec084bde9e55b844c37cb2bc
-
Filesize
116KB
MD582740e636df3458eb185a675c24e417a
SHA18832b77f94612f7c91b3558fc6901fc75a8ca02e
SHA2561a284f3fd0c1c711b252a8d51e626d0c708d8a831e04c69182ca56e0b2f66c22
SHA512246b2f0f23056ccdbc8bb0b005735b6a764c494aea407e2058a245300641c677fe577802292145f48ecd6395153facfe386326c649edae0b348f159828829ee4
-
Filesize
319KB
MD5fa41665c900b7d1423e9e9f7d2bf1029
SHA1fdb1470b9c9b059c7c7eecd59d95489b10a5de32
SHA2566b4752b2966fed645a5050a92b162da28875591ffc055dcfbd7c9c60a217fab6
SHA5122ff7d0c789bb910cf407ff3a8cee6dec6b136f225a78c8599078cc5737b1ad3159aac8ae97ef6f9c4b195cf95c17da1a08180fdbee4afd2a5d5dedc960d0f19a
-
Filesize
512KB
MD55fd2f361e053a1d8a4217acc6afd9050
SHA1e49a2199e1c7e4885c22fe04fd4479f30fc6808d
SHA256b8e2a93d3d0bc091ad0a69f163f32fdebe3b52a28a6ca7f074ee1b1f01d83830
SHA512ed107e9332404a5ddf166c0417c2c3917bdfbfcc0bc6c0c4e15a907ec0e82769e6b7feb13c434f9e5e2c69bbe0cd85eae7386ef27f65dd757f3e7a8507152fe6
-
Filesize
128KB
MD5cf1c42f1b34b2c8a87bc8cacd33df495
SHA1b285bd788eec85158182efd78bf5e58183b97d79
SHA256ab4ea5a557055abc51df97dc1a1182a273a9c0e65f04f996a279b3a2e44598b3
SHA512652cd4f038f6009de628bafa541137a1cce3ddc240a5d0d33ec8d4abacb244e1498ece3bf97411e0411e59398c8cd3627c2bb6079bbe7c9283856d849ad4ec8f
-
Filesize
245KB
MD598110ee03be0c8e5a13627b631d8dbf8
SHA1e5243197b95aa9b287f9203127b0f28550211469
SHA2567956433d21e316af40e646aff29f88c5794a66133d15a31727701aa530391735
SHA5120dc2281c8034b9fc13e5c46182ae99206c6394e0bd89354180eedce9ccae31ded293cac06087b0eed8c1ffb55bab529b2f559806fa8edb092eeeb38c1d5b283e
-
Filesize
512KB
MD5f2ae27628a04b1668216f006506a6220
SHA1b1fc75a14130c3d15ff4d25a7b16af8d7cc3e564
SHA2564db05eb43416e1039f18deb29483a6066443e22cb4dd879a08b9c3f6ff0b7442
SHA512ce107ae593dc0a5ccb9799a3d40b1a68659110c6ea81b4494ccea4998ac68bb66fbcf337a8e5ead5e2434192856e133b090551e459e99e4a41919da2268a3cac
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7