Analysis

max time kernel: 164s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 15:11

Static task: static1

Behavioral task: behavioral1
Sample: 284c76ab5dc43c053aafc2003d40c7f4.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 284c76ab5dc43c053aafc2003d40c7f4.exe
Resource: win10v2004-20231215-en
General

Target: 284c76ab5dc43c053aafc2003d40c7f4.exe
Size: 512KB
MD5: 284c76ab5dc43c053aafc2003d40c7f4
SHA1: fc6767d8f5ad657993e5aa0b1119f1f6e0bf50d0
SHA256: fbe76953145bc653bb4ce6f773f9f5bd95da48e8bf13f3996083a14b2dcdfaff
SHA512: 3a4f1a903d31b3505054db3c3978602fd9a49226d26b81dd50086af8a609d62b732d91e5ac79fcf43e3576d47974c8ffaacfef51f20b7b8d7b9d39620762d815
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | noelmpsbei.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | noelmpsbei.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | noelmpsbei.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | noelmpsbei.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 284c76ab5dc43c053aafc2003d40c7f4.exe

Executes dropped EXE 5 IoCs
pid | Process
732 | noelmpsbei.exe
2904 | cxoornvzkywjrrn.exe
3572 | xfbaupkf.exe
4236 | etqvdoytfrnmi.exe
4972 | xfbaupkf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | noelmpsbei.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "etqvdoytfrnmi.exe" | cxoornvzkywjrrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cpubbflp = "noelmpsbei.exe" | cxoornvzkywjrrn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrxsddig = "cxoornvzkywjrrn.exe" | cxoornvzkywjrrn.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | xfbaupkf.exe
File opened (read-only) | \??\a: | noelmpsbei.exe
File opened (read-only) | \??\n: | noelmpsbei.exe
File opened (read-only) | \??\a: | xfbaupkf.exe
File opened (read-only) | \??\j: | xfbaupkf.exe
File opened (read-only) | \??\t: | xfbaupkf.exe
File opened (read-only) | \??\a: | xfbaupkf.exe
File opened (read-only) | \??\k: | xfbaupkf.exe
File opened (read-only) | \??\t: | xfbaupkf.exe
File opened (read-only) | \??\h: | xfbaupkf.exe
File opened (read-only) | \??\o: | noelmpsbei.exe
File opened (read-only) | \??\u: | noelmpsbei.exe
File opened (read-only) | \??\q: | xfbaupkf.exe
File opened (read-only) | \??\i: | xfbaupkf.exe
File opened (read-only) | \??\y: | xfbaupkf.exe
File opened (read-only) | \??\y: | xfbaupkf.exe
File opened (read-only) | \??\z: | xfbaupkf.exe
File opened (read-only) | \??\k: | noelmpsbei.exe
File opened (read-only) | \??\t: | noelmpsbei.exe
File opened (read-only) | \??\n: | xfbaupkf.exe
File opened (read-only) | \??\p: | xfbaupkf.exe
File opened (read-only) | \??\b: | noelmpsbei.exe
File opened (read-only) | \??\e: | xfbaupkf.exe
File opened (read-only) | \??\s: | xfbaupkf.exe
File opened (read-only) | \??\p: | xfbaupkf.exe
File opened (read-only) | \??\q: | xfbaupkf.exe
File opened (read-only) | \??\v: | noelmpsbei.exe
File opened (read-only) | \??\z: | noelmpsbei.exe
File opened (read-only) | \??\s: | xfbaupkf.exe
File opened (read-only) | \??\e: | xfbaupkf.exe
File opened (read-only) | \??\w: | xfbaupkf.exe
File opened (read-only) | \??\l: | xfbaupkf.exe
File opened (read-only) | \??\m: | xfbaupkf.exe
File opened (read-only) | \??\e: | noelmpsbei.exe
File opened (read-only) | \??\p: | noelmpsbei.exe
File opened (read-only) | \??\m: | xfbaupkf.exe
File opened (read-only) | \??\u: | xfbaupkf.exe
File opened (read-only) | \??\h: | noelmpsbei.exe
File opened (read-only) | \??\x: | noelmpsbei.exe
File opened (read-only) | \??\r: | xfbaupkf.exe
File opened (read-only) | \??\u: | xfbaupkf.exe
File opened (read-only) | \??\v: | xfbaupkf.exe
File opened (read-only) | \??\w: | noelmpsbei.exe
File opened (read-only) | \??\i: | xfbaupkf.exe
File opened (read-only) | \??\l: | xfbaupkf.exe
File opened (read-only) | \??\o: | xfbaupkf.exe
File opened (read-only) | \??\b: | xfbaupkf.exe
File opened (read-only) | \??\r: | xfbaupkf.exe
File opened (read-only) | \??\m: | noelmpsbei.exe
File opened (read-only) | \??\b: | xfbaupkf.exe
File opened (read-only) | \??\h: | xfbaupkf.exe
File opened (read-only) | \??\k: | xfbaupkf.exe
File opened (read-only) | \??\r: | noelmpsbei.exe
File opened (read-only) | \??\v: | xfbaupkf.exe
File opened (read-only) | \??\n: | xfbaupkf.exe
File opened (read-only) | \??\g: | xfbaupkf.exe
File opened (read-only) | \??\j: | noelmpsbei.exe
File opened (read-only) | \??\l: | noelmpsbei.exe
File opened (read-only) | \??\j: | xfbaupkf.exe
File opened (read-only) | \??\z: | xfbaupkf.exe
File opened (read-only) | \??\x: | xfbaupkf.exe
File opened (read-only) | \??\g: | noelmpsbei.exe
File opened (read-only) | \??\i: | noelmpsbei.exe
File opened (read-only) | \??\x: | xfbaupkf.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | noelmpsbei.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | noelmpsbei.exe

AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/900-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00060000000231fc-5.dat | autoit_exe
behavioral2/files/0x00060000000231fb-19.dat | autoit_exe
behavioral2/files/0x00060000000231fb-18.dat | autoit_exe
behavioral2/files/0x00060000000231fc-23.dat | autoit_exe
behavioral2/files/0x00060000000231fc-22.dat | autoit_exe
behavioral2/files/0x00060000000231fd-27.dat | autoit_exe
behavioral2/files/0x00060000000231fe-31.dat | autoit_exe
behavioral2/files/0x00060000000231fe-32.dat | autoit_exe
behavioral2/files/0x00060000000231fd-26.dat | autoit_exe
behavioral2/files/0x00060000000231fd-35.dat | autoit_exe
behavioral2/files/0x000800000002320e-92.dat | autoit_exe
behavioral2/files/0x0009000000023213-95.dat | autoit_exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\etqvdoytfrnmi.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File created | C:\Windows\SysWOW64\noelmpsbei.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File opened for modification | C:\Windows\SysWOW64\cxoornvzkywjrrn.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File created | C:\Windows\SysWOW64\xfbaupkf.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File created | C:\Windows\SysWOW64\etqvdoytfrnmi.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File opened for modification | C:\Windows\SysWOW64\noelmpsbei.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File created | C:\Windows\SysWOW64\cxoornvzkywjrrn.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File opened for modification | C:\Windows\SysWOW64\xfbaupkf.exe | 284c76ab5dc43c053aafc2003d40c7f4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | noelmpsbei.exe

Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfbaupkf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xfbaupkf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfbaupkf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfbaupkf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xfbaupkf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xfbaupkf.exe

Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 284c76ab5dc43c053aafc2003d40c7f4.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | noelmpsbei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | noelmpsbei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | noelmpsbei.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9BCF962F196840B3B30819D3EE2B0FB03FD42160333E2CC459B08A4" | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC7081493DBC3B8C07CE0ED9734CE" | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | noelmpsbei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | noelmpsbei.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 284c76ab5dc43c053aafc2003d40c7f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | noelmpsbei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC834F588268913CD7287E9CBC90E134584567326333D79D" | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F268B5FF1821DAD272D0A88A75906A" | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | noelmpsbei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C779C2C83536A3177D077252CDC7DF464AB" | 284c76ab5dc43c053aafc2003d40c7f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B12C479739E352CBB9D2329ED7B9" | 284c76ab5dc43c053aafc2003d40c7f4.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3744 | WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical entries collapsed, in the original order)
900 | 284c76ab5dc43c053aafc2003d40c7f4.exe (x12)
732 | noelmpsbei.exe (x10)
900 | 284c76ab5dc43c053aafc2003d40c7f4.exe (x4)
2904 | cxoornvzkywjrrn.exe (x2)
3572 | xfbaupkf.exe (x2)
2904 | cxoornvzkywjrrn.exe (x2)
3572 | xfbaupkf.exe (x2)
2904 | cxoornvzkywjrrn.exe (x2)
3572 | xfbaupkf.exe (x2)
2904 | cxoornvzkywjrrn.exe (x2)
3572 | xfbaupkf.exe (x2)
2904 | cxoornvzkywjrrn.exe (x2)
4236 | etqvdoytfrnmi.exe (x12)
4972 | xfbaupkf.exe (x8)

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
900 | 284c76ab5dc43c053aafc2003d40c7f4.exe (x3)
732 | noelmpsbei.exe (x3)
2904 | cxoornvzkywjrrn.exe (x3)
3572 | xfbaupkf.exe (x3)
4236 | etqvdoytfrnmi.exe (x3)
4972 | xfbaupkf.exe (x3)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
900 | 284c76ab5dc43c053aafc2003d40c7f4.exe (x3)
732 | noelmpsbei.exe (x3)
2904 | cxoornvzkywjrrn.exe (x3)
3572 | xfbaupkf.exe (x3)
4236 | etqvdoytfrnmi.exe (x3)
4972 | xfbaupkf.exe (x3)

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3744 | WINWORD.EXE (x7)

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 900 wrote to memory of 732 | 900 | 284c76ab5dc43c053aafc2003d40c7f4.exe | 91 (x3)
PID 900 wrote to memory of 2904 | 900 | 284c76ab5dc43c053aafc2003d40c7f4.exe | 92 (x3)
PID 900 wrote to memory of 3572 | 900 | 284c76ab5dc43c053aafc2003d40c7f4.exe | 94 (x3)
PID 900 wrote to memory of 4236 | 900 | 284c76ab5dc43c053aafc2003d40c7f4.exe | 99 (x3)
PID 732 wrote to memory of 4972 | 732 | noelmpsbei.exe | 95 (x3)
PID 900 wrote to memory of 3744 | 900 | 284c76ab5dc43c053aafc2003d40c7f4.exe | 97 (x2)
Processes

C:\Users\Admin\AppData\Local\Temp\284c76ab5dc43c053aafc2003d40c7f4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\284c76ab5dc43c053aafc2003d40c7f4.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 900

    C:\Windows\SysWOW64\noelmpsbei.exe
    Command line: noelmpsbei.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 732

        C:\Windows\SysWOW64\xfbaupkf.exe
        Command line: C:\Windows\system32\xfbaupkf.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4972

    C:\Windows\SysWOW64\cxoornvzkywjrrn.exe
    Command line: cxoornvzkywjrrn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2904

    C:\Windows\SysWOW64\xfbaupkf.exe
    Command line: xfbaupkf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3572

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3744

    C:\Windows\SysWOW64\etqvdoytfrnmi.exe
    Command line: etqvdoytfrnmi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4236
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Downloads

Filesize: 1KB
MD5: ec89629d437c17787acc7061c89e753c
SHA1: c65089b32eba1cf75d3546335718073460c971f9
SHA256: 87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c
SHA512: 65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Filesize: 39KB
MD5: 895c7b2f348ce8560912c23c75993d81
SHA1: e2cd0716aaf604807b3d76ff9d2e17c5fdd35809
SHA256: bf37480b5b50b7f43790ad2a384b14a33f440018b6fb16dc1ae13c9e527b6b21
SHA512: 22728884c17f5419043594523f1da0aee8a70e5c9208d4bb8f54f202508332a938bddb0cc68e8fe878137f9a1608c0dcbebf6cf8f1dd6ec23afead8a356ef60c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 59830ff9e39daf498a56cb48ef084875
SHA1: 4c0f3546a081a707c1aae867ce8e2a6d50da831b
SHA256: 1ac3de8cd9c018708549f96a3a75182d93c412581d00ec59176d25f0a9fa5796
SHA512: f04cc2fb0db5d03f4aa46cfd8cca371bb2fd5418d2872f5a1fb57a8430bf9157285de0b81ce75b57722490e1250e5d7b4ae084c7d4e79d31e5a27506739ca16a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c435610cc48ac2e86bc3d182286be612
SHA1: 6335050677cc2390cbfa87d98adf0afdd200d2ce
SHA256: c96df443323f2791b7b1a5bc456f75ee59734428dec5b83e53143edfc0241560
SHA512: 4178383d472110d75ffa5d5e7956150b55a54988ba8083d5b3ab59a8b86859960fc6c30321298b102edb9a2d45d442345301b5d9f82d7c26bd3e56e554ff303f

Filesize: 29KB
MD5: fab07c3453c4069efc751a82e0bea098
SHA1: 31dfe0414a22b3f5ff10f356094ad00eadaaa4a6
SHA256: 15f14af77eed3f9e27505a32a5ebdeb859dfa1c0236cff512d17c3bac8a3657e
SHA512: ec830dfb30f3639e7f8130cf18874e81867a05b5c71b205350caf2e8bb9a711783e61df59da4d7dec931a00c7e561e7977be083953f732299820b6f9c9df5117

Filesize: 29KB
MD5: c7ebbd28e1cb9853116b7aae9fa463f8
SHA1: 022107f3e65e587944dd6f0788cab4c5905bb328
SHA256: e76d49a50940a0d0f856d15b71a111770610474ebd9f8577c5f66dbd118173d5
SHA512: 6ad40bee5b674e18417f70b3ebd69edfb42abc6ca35ea1d6e274c94b56b47d439d22c15674d1b82d79855c79f6e02524bf7fd8f158638659b6048543a9b40210

Filesize: 189KB
MD5: 176f7670ee0143efa12f383123c4fb36
SHA1: 5e38d7111356fd58e1adc8d09d33dd645ccb695f
SHA256: f5a1b3d0d25fea02e6184174720f2569ee45d16688c37789abc75e006321f42f
SHA512: c30e529c5c6c81bfb4512803e0cc337d4e2723533f2caa6785a0f34eed11c3f09fa75b94db3af2607acf2224009a3b1742f5fe7221ccabd017ff0922763e7e24

Filesize: 127KB
MD5: df651df325cefe144fac04126ce85e6c
SHA1: f13d53a9139c5e34f894d73d99c10b3ae531bc60
SHA256: 2693d8664191f9c1466b7c989b05eb842f27a26f988f62b44e75d1da120027fc
SHA512: dd7c6da29f07fe8685f62318f1cf92b1f27709c2c04de5b5d8c9f79e323ea313f67ab17a84c4550a0aace5995e829047b80aa6bb73d78b603b259f1e699ddf47

Filesize: 118KB
MD5: 8ce9dd5990281e35995d60510795d472
SHA1: d29b075164d8c3a68f131883d64d20905a4b01f0
SHA256: 1f3687166382d67c99f1a7fdfb516f32ee6d82c0c69545c32274834ef70466f9
SHA512: e4339c1510647e92931f0a235713e3920862aaba34942ccfa1b8c975c6da52ff40e4eb09ee8800f2a421e2f19de2524b4786032fb635032a69c4e4667fe04178

Filesize: 167KB
MD5: fdecccfbc136ca5785ca34579436aabc
SHA1: 748a73dba07e048cc5605221b6c9ff389978dc6f
SHA256: 1b67c96d4cf05e135d2e720d9af3d4bb0fc4e6273ad301d405dbaa5cf6b65dc9
SHA512: 7a8976f4925ae6ad8b3ce6230d26f3345c03bf8a3341ffae6d8f56eea1ee0aff3995466cbffedc3141bdbe7b053ecde17a9cec96e6f32b06857e30aba76f6a69

Filesize: 198KB
MD5: 65a9cbaa36333aec60d42ec78059d92e
SHA1: a2167befe0528c0883fdb0807ee282575783d40b
SHA256: 31d4ed4c507cbd3f6e3825467f33e9d050966a6f4968aa21477b7640ed531166
SHA512: 392466bc70128fcd91b8878ec90d8dd7c4d46b4574cc2924b2cde23b098c51b2ab8f1bbe2424054c762880919c3f08be74822c37c80a49e6c9643595468facf7

Filesize: 261KB
MD5: 8dc3e26caa1f9a307bd631c414a04584
SHA1: 3da407f3f2b220e78b8328bbc36f978c486c0aa0
SHA256: 7bf44951b08d39f6b1e938ac6e99089df0e4fe211c4dec72c5a878a23e9f7989
SHA512: 4d4c6a935e4cbc65350a54c1f9e0972e064f5d94e5ffe4613157afe5dadc125b80eb84f31f69842ee4b789f5f9c1181a019bd952bc468494adb9f1b8d8eeba70

Filesize: 193KB
MD5: 498e2713f1c8d494cb2ee58db329a71a
SHA1: 36ba3f038f8ad1b7add14732fb570193e5b361dc
SHA256: 1aa0c79fbb5c599811c31efa99c7c9ac59e8fbe072d90bec8e916bd705c15dcb
SHA512: 7b73d3ca65869b16dace9744ab4bcbf0d2fe3892b3f3e74355abb4c59cecfefaff9622edda94c41658d7cbdad151749948603ef368699e3b4771172b15c71144

Filesize: 208KB
MD5: fd2760ab520badef3993a855f18726f3
SHA1: 122cd308398d4971404bc79f179732173ee96ddd
SHA256: 997a9a15000b6f2002327c5b148c28b2cd7ffc2c29ccc36d682b1559fc95108f
SHA512: aa7dd46e416743d663e5113a6b3fcc24c3acf94e90ccc06589c973c83e8905bcaf73b3f7e48352fe9cc3407f48ff05815d3cff15442d44a1faa7aa6926c11f73

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7