Analysis
max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
25/12/2023, 19:28
Behavioral task
behavioral1
Sample
37fa116ac75887bf0a2ec400e4ea33ef.exe
Resource
win7-20231215-en
General
Target
37fa116ac75887bf0a2ec400e4ea33ef.exe
Size
255KB
MD5
37fa116ac75887bf0a2ec400e4ea33ef
SHA1
6687a2fec52e9322e76707705a595829824f9af7
SHA256
55edd1731f6160632379e7eab705be99fdb401c2ab96d2f1bef6925f6b7b8acc
SHA512
ddf0b68fda86e0f4b2a8d2c8fa61fa26a12c62416133e442da584a607e10659130537f3367274b21ad1841c6ed6cd40730b9e3dcdd4b548747895a3191481dfa
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJL:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIU
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" kdcwwtfknh.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" kdcwwtfknh.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kdcwwtfknh.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" kdcwwtfknh.exe
Executes dropped EXE 6 IoCs
pid Process
2368 kdcwwtfknh.exe
2720 nabmkifhyhekuai.exe
2820 lwscrqek.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2728 lwscrqek.exe
Loads dropped DLL 6 IoCs
pid Process
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2624 cmd.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2368 kdcwwtfknh.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" kdcwwtfknh.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lgndmttiyzwll.exe" nabmkifhyhekuai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lovfxlxy = "kdcwwtfknh.exe" nabmkifhyhekuai.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mdyjwljk = "nabmkifhyhekuai.exe" nabmkifhyhekuai.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" kdcwwtfknh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" kdcwwtfknh.exe
AutoIT Executable 64 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\lgndmttiyzwll.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File created C:\Windows\SysWOW64\kdcwwtfknh.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File opened for modification C:\Windows\SysWOW64\kdcwwtfknh.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File created C:\Windows\SysWOW64\nabmkifhyhekuai.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File created C:\Windows\SysWOW64\lgndmttiyzwll.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File opened for modification C:\Windows\SysWOW64\nabmkifhyhekuai.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File created C:\Windows\SysWOW64\lwscrqek.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File opened for modification C:\Windows\SysWOW64\lwscrqek.exe 37fa116ac75887bf0a2ec400e4ea33ef.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll kdcwwtfknh.exe
Drops file in Program Files directory 16 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal lwscrqek.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal lwscrqek.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe lwscrqek.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe lwscrqek.exe
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 37fa116ac75887bf0a2ec400e4ea33ef.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
1528 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2720 nabmkifhyhekuai.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
Suspicious use of FindShellTrayWindow 21 IoCs
pid Process
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
Suspicious use of SendNotifyMessage 21 IoCs
pid Process
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2140 37fa116ac75887bf0a2ec400e4ea33ef.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2720 nabmkifhyhekuai.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2368 kdcwwtfknh.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2820 lwscrqek.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2832 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2896 lgndmttiyzwll.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
2728 lwscrqek.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1528 WINWORD.EXE
1528 WINWORD.EXE
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target
PID 2140 wrote to memory of 2368 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 38
PID 2140 wrote to memory of 2368 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 38
PID 2140 wrote to memory of 2368 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 38
PID 2140 wrote to memory of 2368 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 38
PID 2140 wrote to memory of 2720 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 37
PID 2140 wrote to memory of 2720 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 37
PID 2140 wrote to memory of 2720 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 37
PID 2140 wrote to memory of 2720 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 37
PID 2140 wrote to memory of 2820 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 36
PID 2140 wrote to memory of 2820 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 36
PID 2140 wrote to memory of 2820 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 36
PID 2140 wrote to memory of 2820 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 36
PID 2720 wrote to memory of 2624 2720 nabmkifhyhekuai.exe 35
PID 2720 wrote to memory of 2624 2720 nabmkifhyhekuai.exe 35
PID 2720 wrote to memory of 2624 2720 nabmkifhyhekuai.exe 35
PID 2720 wrote to memory of 2624 2720 nabmkifhyhekuai.exe 35
PID 2624 wrote to memory of 2896 2624 cmd.exe 33
PID 2624 wrote to memory of 2896 2624 cmd.exe 33
PID 2624 wrote to memory of 2896 2624 cmd.exe 33
PID 2624 wrote to memory of 2896 2624 cmd.exe 33
PID 2140 wrote to memory of 2832 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 32
PID 2140 wrote to memory of 2832 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 32
PID 2140 wrote to memory of 2832 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 32
PID 2140 wrote to memory of 2832 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 32
PID 2368 wrote to memory of 2728 2368 kdcwwtfknh.exe 28
PID 2368 wrote to memory of 2728 2368 kdcwwtfknh.exe 28
PID 2368 wrote to memory of 2728 2368 kdcwwtfknh.exe 28
PID 2368 wrote to memory of 2728 2368 kdcwwtfknh.exe 28
PID 2140 wrote to memory of 1528 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 29
PID 2140 wrote to memory of 1528 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 29
PID 2140 wrote to memory of 1528 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 29
PID 2140 wrote to memory of 1528 2140 37fa116ac75887bf0a2ec400e4ea33ef.exe 29
PID 1528 wrote to memory of 296 1528 WINWORD.EXE 39
PID 1528 wrote to memory of 296 1528 WINWORD.EXE 39
PID 1528 wrote to memory of 296 1528 WINWORD.EXE 39
PID 1528 wrote to memory of 296 1528 WINWORD.EXE 39
Processes
- C:\Users\Admin\AppData\Local\Temp\37fa116ac75887bf0a2ec400e4ea33ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37fa116ac75887bf0a2ec400e4ea33ef.exe"
  PID: 2140
  Signatures:
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
      PID: 1528
      Signatures:
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      Child processes:
        - C:\Windows\splwow64.exe
          Command line: C:\Windows\splwow64.exe 12288
          PID: 296
    - C:\Windows\SysWOW64\lgndmttiyzwll.exe
      Command line: lgndmttiyzwll.exe
      PID: 2832
      Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\lwscrqek.exe
      Command line: lwscrqek.exe
      PID: 2820
      Signatures:
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\nabmkifhyhekuai.exe
      Command line: nabmkifhyhekuai.exe
      PID: 2720
      Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\kdcwwtfknh.exe
      Command line: kdcwwtfknh.exe
      PID: 2368
      Signatures:
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\lwscrqek.exe
  Command line: C:\Windows\system32\lwscrqek.exe
  PID: 2728
  Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\lgndmttiyzwll.exe
  Command line: lgndmttiyzwll.exe
  PID: 2896
  Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c lgndmttiyzwll.exe
  PID: 2624
  Signatures:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
-
Filesize
20KB
MD5
b1a8124b4ef90065a9391042cac826d2
SHA1
d8dcd5857f5079f4819285403f3f8818f9a73c46
SHA256
75d95bd0238a09e97a37845a25dd707a1a54fdba08f6e1a9d8dc8161080c7e5a
SHA512
fd9f45ddcd5dce564d63063caba348734571ca20f2759491b67d6a3471bfd1c21bea3eebb1de5b41321fb356bca6fc19fe3073d014c2bafccd39984ac285afb3
-
Filesize
255KB
MD5
7823789f77b627c8e963376cdcdc9853
SHA1
86472e3908d800f088fc8e3240b420f214fa2f47
SHA256
f72d9ce77288087ccb028e8f7a06dc0bc9b381a7f66ae21b9177e8d3308b4de9
SHA512
ac5e75f7f29f0eb08d6bc1469794d5f3c7d525e904827b916a8ea98fb2e86bc4077e1da114f462a82c0ce3ccca5d0d6c7c31a66b462c7abc7bc6503e61408ae5
-
Filesize
255KB
MD5
dc518c22686976091196bd2bad2909c4
SHA1
ee96aceafc5364ad03fd5bd32856d808b4aa2834
SHA256
9d219db4de99548378cd6597500dd2833e0b5f20b54801b397f096105f63965c
SHA512
75db5bb40bd7c282058bb1b1a6e9f4b492ab9e045400238283b06f01f3cd535a6efb1d2a2b4acbb17c28c3dc787193ac9d9c20a21ab1db3785ab639dcb72f99d
-
Filesize
255KB
MD5
9ee187e46277d29d81aa994aa9bb054e
SHA1
013d2a5737e50c4b3a5b064e2f9019f1e8b192ff
SHA256
7730c696e0c51f5783f84b89410e828c6414492a642cc77c1c807cf31095ad6b
SHA512
f02a81a772e51648fbe8723da18966b99ac7b05b54f7893efda33120d075b51d9cea43673207bb64a5d0e612a8b7a9f8aba1b64cdc8e054aae2972478e92b252
-
Filesize
92KB
MD5
e8c68efbd9ff088c63fe74e65797b42a
SHA1
5c252e5949c1b0784c8bc8a81c99461bd2d6d6b2
SHA256
a240a04680d2febd56a054c196c4a984a8b31780e29189d682e5d94c18ac03ba
SHA512
9619092b701cadafc826af13bb4061715b9ff9fdce7c48cb33abc67d88d1f0ad42495fb5a95695c829c40473d7e16e4fe9234ecb9d60d8672736329da3f773fb