Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 15:22
Static task: static1
Behavioral task: behavioral1, sample 28f8806a43c81ade4aded3b5adc6cde0.exe, resource win7-20231129-en
Behavioral task: behavioral2, sample 28f8806a43c81ade4aded3b5adc6cde0.exe, resource win10v2004-20231215-en
The signatures, process tree and ATT&CK mapping below come from behavioral2, the win10v2004-20231215-en run: the platform field above is windows10-2004_x64 and the yara hits are recorded under behavioral2/.
General
Target: 28f8806a43c81ade4aded3b5adc6cde0.exe
Size: 512KB
MD5: 28f8806a43c81ade4aded3b5adc6cde0
SHA1: acd51b1accf5f3a27c5cf7568e976fca4e3b9dcf
SHA256: 0150beb4a08d1cb109618ffea4545dd9a8727021133fe7fb784c7ab81cbbe8a7
SHA512: 7511497bf86e6ba03a83bd75252c97161b368967b5cd768a99708cca9c573b74f5c50b103216c23e43ab1569c78b036942079f6602b4a7b913962d0fb4eb9e1e
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
With HideFileExt set, the *.doc.exe files this sample writes (see the "Drops file" sections below) display as *.doc in Explorer.
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  [rsqfldlerk.exe]
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [rsqfldlerk.exe]
Windows security bypass (5 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [rsqfldlerk.exe]
Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [rsqfldlerk.exe]
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation  [28f8806a43c81ade4aded3b5adc6cde0.exe]
Executes dropped EXE (5 IoCs)
  PID 4168  rsqfldlerk.exe
  PID 3760  bdeycwbvgczffia.exe
  PID 4352  yatqpiic.exe
  PID 1816  mipgqcmbrrkll.exe
  PID 4832  yatqpiic.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc. No IoC rows are recorded for this signature and no process in the tree below carries it.
Windows security modification (6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [rsqfldlerk.exe]
Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eswsygeg = "rsqfldlerk.exe"  [bdeycwbvgczffia.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bezeljfv = "bdeycwbvgczffia.exe"  [bdeycwbvgczffia.exe]
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mipgqcmbrrkll.exe"  [bdeycwbvgczffia.exe]   (empty value name, i.e. the Run key's default value)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 rows are "File opened (read-only) \??\<letter>:" for the 23 letters a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z (c:, d: and f: are not opened):
  rsqfldlerk.exe: 23 opens, one per letter
  yatqpiic.exe: 41 opens over the same 23 letters (both instances, PIDs 4352 and 4832, carry this signature)
Modifies WinLogon (2 TTPs, 2 IoCs)
SFCDisable = 4294967197 is 0xFFFFFF9D, the signed DWORD -99 that switched off Windows File Protection on Windows 2000/XP; Vista and later use Windows Resource Protection and ignore this value, so on the Windows 10 image it only serves as an indicator.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  [rsqfldlerk.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  [rsqfldlerk.exe]
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
yara rule autoit_exe matched:
  behavioral2/memory/3700-0-0x0000000000400000-0x0000000000496000-memory.dmp
  behavioral2/files/0x0007000000023227-5.dat
  behavioral2/files/0x000400000001e96f-18.dat
  behavioral2/files/0x000400000001e96f-19.dat
  behavioral2/files/0x0007000000023227-22.dat
  behavioral2/files/0x000700000002322a-28.dat
  behavioral2/files/0x000600000002322e-32.dat
  behavioral2/files/0x000600000002322e-31.dat
  behavioral2/files/0x000700000002322a-43.dat
Drops file in System32 directory (13 IoCs)
  28f8806a43c81ade4aded3b5adc6cde0.exe: File created + File opened for modification for each of
    C:\Windows\SysWOW64\rsqfldlerk.exe
    C:\Windows\SysWOW64\yatqpiic.exe
    C:\Windows\SysWOW64\mipgqcmbrrkll.exe
    C:\Windows\SysWOW64\bdeycwbvgczffia.exe
  rsqfldlerk.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
  yatqpiic.exe: File created (x2) and File opened for modification (x2) \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in Program Files directory (18 IoCs)
All rows are by yatqpiic.exe; the same paths appear in both C:\ and \??\c:\ form.
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal: File opened for modification (x2)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal: File opened for modification (x2)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File created (x1), File opened for modification (x4)
  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File created (x1), File opened for modification (x4)
  C:\Program Files\CheckpointAssert.nal: File opened for modification (x1)
  C:\Program Files\CheckpointAssert.doc.exe: File created (x1), File opened for modification (x2)
Drops file in Windows directory (19 IoCs)
  yatqpiic.exe: MsoIrmProtector.doc.exe under four WinSxS component directories, each File created (x2) and File opened for modification (x2):
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
    \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
  28f8806a43c81ade4aded3b5adc6cde0.exe: File opened for modification C:\Windows\mydoc.rtf
  WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf; File created C:\Windows\~$mydoc.rtf (Word's owner/lock file for the open document)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all three reads are by WINWORD.EXE, not by the sample or its dropped executables.
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  [WINWORD.EXE]
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  [WINWORD.EXE]
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  [WINWORD.EXE]
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS  [WINWORD.EXE]
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  [WINWORD.EXE]
Modifies registry class (20 IoCs)
rsqfldlerk.exe points the default value of the .bat, .reg, .vbs, .wsf, .wsh and .wsc extension keys at the txtfile ProgID, so double-clicking such a file opens it in the text editor instead of executing it (script and .reg files stop working for the user, including any cleanup script). The original sample stores hex-string values under HKLM\SOFTWARE\Classes\CLV.Classes.
  rsqfldlerk.exe:
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
  28f8806a43c81ade4aded3b5adc6cde0.exe:
    Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings
    Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FF1A22DBD179D0A98A7C9114"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C6741491DABEB8C87C97EDE337CF"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7B9D5783596A3076D470532CDB7CF564AD"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB0F913F29083083A4686993E97B088028C4262033FE1C842E908D2"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12B449538E352CEBAA2329CD7C5"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFF8E4F5B856F9040D75D7DE7BDEFE630584567356332D798"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4984 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3700 28f8806a43c81ade4aded3b5adc6cde0.exe (x16)
  PID 3760 bdeycwbvgczffia.exe (x12)
  PID 4168 rsqfldlerk.exe (x10)
  PID 4352 yatqpiic.exe (x8)
  PID 1816 mipgqcmbrrkll.exe (x12)
  PID 4832 yatqpiic.exe (x6)
Suspicious use of FindShellTrayWindow (18 IoCs)
  three rows each for PIDs 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe), 3760 (bdeycwbvgczffia.exe), 4168 (rsqfldlerk.exe), 4352 (yatqpiic.exe), 1816 (mipgqcmbrrkll.exe) and 4832 (yatqpiic.exe)
Suspicious use of SendNotifyMessage (18 IoCs)
  three rows each for PIDs 3700, 3760, 4168, 4352, 1816 and 4832 (same processes as above)
Suspicious use of SetWindowsHookEx (7 IoCs)
  PID 4984 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe) wrote to memory of PID 4168 (x3, procid_target 89)
  PID 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe) wrote to memory of PID 3760 (x3, procid_target 90)
  PID 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe) wrote to memory of PID 1816 (x3, procid_target 91)
  PID 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe) wrote to memory of PID 4352 (x3, procid_target 92)
  PID 3700 (28f8806a43c81ade4aded3b5adc6cde0.exe) wrote to memory of PID 4984 (x2, procid_target 94)
  PID 4168 (rsqfldlerk.exe) wrote to memory of PID 4832 (x3, procid_target 97)
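The registry rows above are the part of this report worth turning into detection logic. The script below is an added example, not code from tria.ge or from the sample: it parses rows in the exact format the report prints ("<op> (<type>) <path> = "<value>" <process>"), applies a small rule table, and returns findings tagged with ATT&CK technique IDs. SAMPLE_ROWS is a constructed subset copied from the signature sections above; the rule table, its technique assignments and the helper names (parse_row, triage, describe_dword, techniques_by_process) are my own, and describe_dword shows why the SFCDisable value 4294967197 is really the signed -99.

```python
"""Turn the registry IoC rows from the signatures above into ATT&CK-tagged findings.

Added example; not code from tria.ge or from the sample. SAMPLE_ROWS is a
constructed subset copied from the report's "description / ioc / Process" rows,
and RULES with their technique IDs are my own reading of those rows, not a
tria.ge signature.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# One row as the report prints it:  <op> [(<type>)] <path> [= "<value>"] <process>
ROW_RE = re.compile(
    r'^(?P<op>Set value|Key created|Key value queried|Key opened)'
    r'(?: \((?P<vtype>int|str)\))?\s+'
    r'(?P<path>\\REGISTRY\\.*?)'        # non-greedy: stops before ' = "' or the process name
    r'(?: = "(?P<value>[^"]*)")?\s+'
    r'(?P<proc>\S+)$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class IocRow:
    op: str
    vtype: Optional[str]
    path: str
    value: Optional[str]
    proc: str


@dataclass(frozen=True)
class Finding:
    proc: str
    technique: str
    what: str
    path: str
    value: Optional[str]


# (path regex, value regex or None for "any value", finding text, ATT&CK technique)
RULES = (
    (r"\\Explorer\\Advanced\\HideFileExt$", r"^1$",
     "file extensions hidden in Explorer (a dropped .doc.exe shows as .doc)", "T1564.001"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", r"^0$",
     "protected operating-system files hidden in Explorer", "T1564.001"),
    (r"\\Policies\\System\\DisableRegistryTools$", r"^1$",
     "regedit disabled by policy", "T1562.001"),
    (r"\\Security Center\\(AntiVirus|Firewall|Updates)(Override|DisableNotify)$", r"^1$",
     "Security Center warning suppressed", "T1562.001"),
    (r"\\Security Center\\FirstRunDisabled$", r"^1$",
     "Security Center first-run prompt suppressed", "T1562.001"),
    (r"\\Winlogon\\SFCDisable$", r"^(?!0$)",
     "Windows File Protection switch set (XP-era key, ignored since Vista)", "T1562.001"),
    (r"\\Winlogon\\SFCScan$", r"^0$",
     "Windows File Protection boot scan disabled", "T1562.001"),
    (r"\\CurrentVersion\\Run\\[^\\]*$", None,
     "Run-key persistence", "T1547.001"),
    (r"\\Classes\\\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg)\\$", r"^txtfile$",
     "script/registry file type remapped to txtfile (opens in Notepad, does not run)", "T1112"),
)


def parse_row(line: str) -> Optional[IocRow]:
    """Parse one report row; returns None for lines in another format."""
    m = ROW_RE.match(line.strip())
    if m is None:
        return None
    return IocRow(m["op"], m["vtype"], m["path"], m["value"], m["proc"])


def describe_dword(value: Optional[str]) -> Optional[str]:
    """Render a REG_DWORD in hex and, when the top bit is set, as the signed
    value it was probably written as (SFCDisable = 4294967197 is -99)."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return value
    signed = f", signed {n - 2**32}" if n > 0x7FFFFFFF else ""
    return f"{n} (0x{n:08x}{signed})"


def triage(lines: Iterable[str]) -> list[Finding]:
    """Apply RULES to every parseable row; the first matching rule wins."""
    findings: list[Finding] = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for path_re, value_re, what, technique in RULES:
            if not re.search(path_re, row.path, re.IGNORECASE):
                continue
            if value_re is not None and (
                row.value is None or not re.match(value_re, row.value, re.IGNORECASE)
            ):
                continue
            shown = describe_dword(row.value) if row.vtype == "int" else row.value
            findings.append(Finding(row.proc, technique, what, row.path, shown))
            break
    return findings


def techniques_by_process(findings: Iterable[Finding]) -> dict[str, tuple[str, ...]]:
    """Collapse findings to the sorted set of ATT&CK techniques seen per process."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f.proc, set()).add(f.technique)
    return {proc: tuple(sorted(t)) for proc, t in sorted(seen.items())}


# Constructed subset of rows copied from the report above (same format as the page).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" rsqfldlerk.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rsqfldlerk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rsqfldlerk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rsqfldlerk.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rsqfldlerk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" rsqfldlerk.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eswsygeg = "rsqfldlerk.exe" bdeycwbvgczffia.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mipgqcmbrrkll.exe" bdeycwbvgczffia.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" rsqfldlerk.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs rsqfldlerk.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation 28f8806a43c81ade4aded3b5adc6cde0.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B6FF1A22DBD179D0A98A7C9114" 28f8806a43c81ade4aded3b5adc6cde0.exe',
]

FINDINGS = triage(SAMPLE_ROWS)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.proc:24} {f.technique:10} {f.what}  [{f.value}]")
    print(techniques_by_process(FINDINGS))
```

On the twelve rows above the script yields nine findings: the key-creation row, the Geo\Nation query and the CLV.Classes value are parsed but match no rule, which is the intended split between behaviour worth alerting on and the noise a sandbox also records. The first-match-wins loop keeps one finding per row; if you extend RULES, put the more specific pattern first.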
Processes
C:\Users\Admin\AppData\Local\Temp\28f8806a43c81ade4aded3b5adc6cde0.exe  (PID 3700)
  command line: "C:\Users\Admin\AppData\Local\Temp\28f8806a43c81ade4aded3b5adc6cde0.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rsqfldlerk.exe  (PID 4168, child of 3700)
    command line: rsqfldlerk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\yatqpiic.exe  (PID 4832, child of 4168)
      command line: C:\Windows\system32\yatqpiic.exe  (32-bit caller, so the system32 path is redirected to SysWOW64)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\bdeycwbvgczffia.exe  (PID 3760, child of 3700)
    command line: bdeycwbvgczffia.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\mipgqcmbrrkll.exe  (PID 1816, child of 3700)
    command line: mipgqcmbrrkll.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\yatqpiic.exe  (PID 4352, child of 3700)
    command line: yatqpiic.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4984, child of 3700)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
File 1 (256KB)
  MD5: a6912481eb039ab8ce8e65eefa5ac57b
  SHA1: 5859f27fff5ebd524ebd24615ab41f86fba46f02
  SHA256: 660f3560eeba127d97ee2570ed1c2dacd357f42f6136589ecedd2aa3004dccb4
  SHA512: 8f3bd0fa20db122cacaaeb9cba2d755db7a1d51371da190ea9337429d514ebde3336cd55f2db82358e06fe8f7906f50cb1799cb494875e3e38f478640697db40
File 2 (512KB)
  MD5: d5b8f9a364b4bf12b275ea3253341dae
  SHA1: 462df3d411a78141ee76a20f2cf16dce7fa720dc
  SHA256: 0426e0cc7fc02c522a3db5b65aadde0655fdbb7aa12f5aed4cd51709accb588f
  SHA512: 0d50fea2539b1f5ede625321ff743796cebd16e4268423d367d88448a47a90cd2844af509c495f934066ca16da758fc4551ad6fd9140928a7f0a586486b9d5ae
File 3 (128KB)
  MD5: 33be84de0fa03c6883fec2ead970e3ba
  SHA1: dbe35ed4343779aa93200c24966ccb805e18f223
  SHA256: ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
  SHA512: 3e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
File 4 (150KB)
  MD5: e6525bc843b2e9deeadb8f5a45310bcc
  SHA1: 146ca2f84bc371a7a9954f458fc184dcabf18181
  SHA256: 7a0dcfe62b45c11e415e88ea423f7d6efe312497d20c20647ab9845549bd7c87
  SHA512: 717f6fb4e3f41618195e2ace4687355823cf7a1466829699a574f689e9156d992254715c80f56fdab0efee0ddf8f36c422c6b85ce08fd994d7a987c93ec7d64b
File 5 (512KB)
  MD5: 8307a06fdef3f83c1828f4dbc5d79e6d
  SHA1: 57e0603a9bdc18c232e9f2c404c69512b8690725
  SHA256: 5fbe787560e06a58c548d67a95f3599ff9af531ff17b5549434fc37df3107f68
  SHA512: c39a85d51c7f30f5f5e2f53371186bc9fad1d3186d9e5cb8669aeb28faaae0ee69e31aef418aa291d577b028e50b70b3d18b4053a6f52ce4c617ae93c7505424
File 6 (257KB)
  MD5: d3a4c6dd9b4c5e977140cc4359d964e3
  SHA1: 28301bbce69c8b2e489ff713570e540480d06e36
  SHA256: 2fcd6649cae0217107ceb02bef676d9c37fbfb01e2d28abcb5850d128e962684
  SHA512: 35eb782628461576b9f4842170989f76fedf9a99b72ef706d9d39a9777e28da4c1e575104e6a86732831d28f07b040bcd61032d3b95eafd71fa059adfba86efe
File 7 (65KB)
  MD5: 6b2d87c29e03c1669c86b13f0e329f27
  SHA1: fc01a8091ad1488013e09ecabcbb34ebb2729a38
  SHA256: 6cb9102f5b672aa60bab941d44dfac6baa33354a6dbff3a6cf1b7e16f4e1c61c
  SHA512: 62a6d356d9d1393f780e7ebef155962a8261e76e5c6df375d5d35484702607996e9334a0a3788cde9ee44d7d6cbfbd284c2163ff4e9837884a0ae5712b1e0272
File 8 (381KB)
  MD5: 30aec9e0b33fbd99234328357879f812
  SHA1: 3c9d37139d4ccfe2b694afba9633170d0f510a92
  SHA256: 15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
  SHA512: 2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415