Analysis
max time kernel: 220s
max time network: 221s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 19:39
Static task: static1
Behavioral task: behavioral1
Sample: 38a2dc78195df4e156b72471ebd19337.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 38a2dc78195df4e156b72471ebd19337.exe
Resource: win10v2004-20231215-en
General
Target: 38a2dc78195df4e156b72471ebd19337.exe
Size: 512KB
MD5: 38a2dc78195df4e156b72471ebd19337
SHA1: 6c2df162ad502ee85d234584707463f284ff4097
SHA256: 4188edbf9808ff09f969413e1fca5b15774c9b28a09f4b21c94960ef2576b15b
SHA512: d0681fc5acaf4d1d4e7b481b750bf94492d0b6adfb1004ee9abe62fe62d7661d5bbf999573d3c8c946ffc749649afb02c771d3e4229b46ac1a0c0a3222ad813f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | czffyfwqyi.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | czffyfwqyi.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | czffyfwqyi.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | czffyfwqyi.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 38a2dc78195df4e156b72471ebd19337.exe
Executes dropped EXE 5 IoCs
pid | Process
2764 | czffyfwqyi.exe
628 | fvdjgmqthfnhcsv.exe
2928 | hmyhlgfw.exe
3692 | rbpzmfpotgrsm.exe
4300 | hmyhlgfw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | czffyfwqyi.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkvkidjj = "czffyfwqyi.exe" | fvdjgmqthfnhcsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rvzpfupw = "fvdjgmqthfnhcsv.exe" | fvdjgmqthfnhcsv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rbpzmfpotgrsm.exe" | fvdjgmqthfnhcsv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\k:, \??\o:, \??\v:, \??\h:, \??\q:, \??\y:, \??\t:, \??\a:, \??\l:, \??\g:, \??\e:, \??\j:, \??\n:, \??\i:, \??\u:, \??\s:, \??\z:, \??\m:, \??\r:, \??\w:, \??\b:, \??\x: (22 entries) | czffyfwqyi.exe
File opened (read-only) | \??\x:, \??\a:, \??\j:, \??\n:, \??\e:, \??\t:, \??\i:, \??\t:, \??\o:, \??\b:, \??\q:, \??\w:, \??\g:, \??\i:, \??\z:, \??\a:, \??\y:, \??\r:, \??\b:, \??\h:, \??\l:, \??\y:, \??\l:, \??\s:, \??\v:, \??\z:, \??\k:, \??\p:, \??\p:, \??\r:, \??\x:, \??\o:, \??\w:, \??\q:, \??\j:, \??\k:, \??\g:, \??\h:, \??\n:, \??\m:, \??\s:, \??\u: (42 entries) | hmyhlgfw.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | czffyfwqyi.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | czffyfwqyi.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4948-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023237-9.dat | autoit_exe
behavioral2/files/0x0006000000023235-19.dat | autoit_exe
behavioral2/files/0x0006000000023236-24.dat | autoit_exe
behavioral2/files/0x0006000000023238-32.dat | autoit_exe
behavioral2/files/0x00090000000231b1-78.dat | autoit_exe
behavioral2/files/0x00090000000231b3-81.dat | autoit_exe
behavioral2/files/0x0009000000023127-107.dat | autoit_exe
behavioral2/files/0x000900000002312a-113.dat | autoit_exe
behavioral2/files/0x000c00000002312e-119.dat | autoit_exe
behavioral2/files/0x000c00000002312e-127.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\rbpzmfpotgrsm.exe | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | czffyfwqyi.exe
File opened for modification | C:\Windows\SysWOW64\czffyfwqyi.exe | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | C:\Windows\SysWOW64\rbpzmfpotgrsm.exe | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hmyhlgfw.exe
File created | C:\Windows\SysWOW64\czffyfwqyi.exe | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | C:\Windows\SysWOW64\fvdjgmqthfnhcsv.exe | 38a2dc78195df4e156b72471ebd19337.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hmyhlgfw.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hmyhlgfw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hmyhlgfw.exe
File created | C:\Windows\SysWOW64\fvdjgmqthfnhcsv.exe | 38a2dc78195df4e156b72471ebd19337.exe
File created | C:\Windows\SysWOW64\hmyhlgfw.exe | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | C:\Windows\SysWOW64\hmyhlgfw.exe | 38a2dc78195df4e156b72471ebd19337.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hmyhlgfw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hmyhlgfw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hmyhlgfw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hmyhlgfw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hmyhlgfw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hmyhlgfw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hmyhlgfw.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 38a2dc78195df4e156b72471ebd19337.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B15C44E739EA53B9BAD53293D4BE" | 38a2dc78195df4e156b72471ebd19337.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | czffyfwqyi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | czffyfwqyi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | czffyfwqyi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D0D9C5683596D3576D677212DDF7C8764AB" | 38a2dc78195df4e156b72471ebd19337.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9C9F910F193830C3B35819A3E95B0FE028B43660348E1CD459C09D3" | 38a2dc78195df4e156b72471ebd19337.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFFC4F5B821B9135D7217E95BDE2E636594066456246D799" | 38a2dc78195df4e156b72471ebd19337.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BC5FF1D21AAD279D0D18A089160" | 38a2dc78195df4e156b72471ebd19337.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | czffyfwqyi.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 38a2dc78195df4e156b72471ebd19337.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70C1491DBC2B8B97FE1EC9E37CE" | 38a2dc78195df4e156b72471ebd19337.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | czffyfwqyi.exe
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | 38a2dc78195df4e156b72471ebd19337.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | czffyfwqyi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | czffyfwqyi.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | entries
4580 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4948 | 38a2dc78195df4e156b72471ebd19337.exe | 16
2764 | czffyfwqyi.exe | 10
3692 | rbpzmfpotgrsm.exe | 12
628 | fvdjgmqthfnhcsv.exe | 10
2928 | hmyhlgfw.exe | 8
4300 | hmyhlgfw.exe | 8
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | entries
4948 | 38a2dc78195df4e156b72471ebd19337.exe | 3
628 | fvdjgmqthfnhcsv.exe | 3
2764 | czffyfwqyi.exe | 3
3692 | rbpzmfpotgrsm.exe | 3
2928 | hmyhlgfw.exe | 3
4300 | hmyhlgfw.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | entries
4948 | 38a2dc78195df4e156b72471ebd19337.exe | 3
628 | fvdjgmqthfnhcsv.exe | 3
2764 | czffyfwqyi.exe | 3
3692 | rbpzmfpotgrsm.exe | 3
2928 | hmyhlgfw.exe | 3
4300 | hmyhlgfw.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | entries
4580 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | entries
PID 4948 wrote to memory of 2764 | 4948 | 38a2dc78195df4e156b72471ebd19337.exe | 89 | 3
PID 4948 wrote to memory of 628 | 4948 | 38a2dc78195df4e156b72471ebd19337.exe | 92 | 3
PID 4948 wrote to memory of 2928 | 4948 | 38a2dc78195df4e156b72471ebd19337.exe | 90 | 3
PID 4948 wrote to memory of 3692 | 4948 | 38a2dc78195df4e156b72471ebd19337.exe | 91 | 3
PID 4948 wrote to memory of 4580 | 4948 | 38a2dc78195df4e156b72471ebd19337.exe | 93 | 2
PID 2764 wrote to memory of 4300 | 2764 | czffyfwqyi.exe | 95 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\38a2dc78195df4e156b72471ebd19337.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\38a2dc78195df4e156b72471ebd19337.exe"
  PID: 4948
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\czffyfwqyi.exe (depth 2)
    Command line: czffyfwqyi.exe
    PID: 2764
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\hmyhlgfw.exe (depth 3)
      Command line: C:\Windows\system32\hmyhlgfw.exe
      PID: 4300
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\hmyhlgfw.exe (depth 2)
    Command line: hmyhlgfw.exe
    PID: 2928
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rbpzmfpotgrsm.exe (depth 2)
    Command line: rbpzmfpotgrsm.exe
    PID: 3692
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fvdjgmqthfnhcsv.exe (depth 2)
    Command line: fvdjgmqthfnhcsv.exe
    PID: 628
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4580
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads