Analysis
max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
25/12/2023, 20:03
Static task
static1
Behavioral task
behavioral1
Sample
3a030c486057917499b7ceb5b7c779b7.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
3a030c486057917499b7ceb5b7c779b7.exe
Resource
win10v2004-20231215-en
General
Target
3a030c486057917499b7ceb5b7c779b7.exe
Size
512KB
MD5
3a030c486057917499b7ceb5b7c779b7
SHA1
6c9f1049b204b6188bb045e2aab068aa025c31fd
SHA256
ba1f3a8af79b8d23dcff35ca835a8585291b3db1307c0a0f1a58a8866d83f2e0
SHA512
edb117caa41be4dab98ad2aa208ebd9d42852b3fb903d408dbba70f10f9f8d42c3bd109a1bcd7de999da8e248df5ccf5f146cddc8d0b62395bff18269cf70d8f
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" rcpqjbfixn.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rcpqjbfixn.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rcpqjbfixn.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rcpqjbfixn.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation 3a030c486057917499b7ceb5b7c779b7.exe
Executes dropped EXE 5 IoCs
pid Process
4424 rcpqjbfixn.exe
4612 zqzpiywruopxcff.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
3612 vhxflvyz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rcpqjbfixn.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xtbszfns = "rcpqjbfixn.exe" zqzpiywruopxcff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dgkkzxxi = "zqzpiywruopxcff.exe" zqzpiywruopxcff.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "puvfodurdkctp.exe" zqzpiywruopxcff.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\p: rcpqjbfixn.exe
File opened (read-only) \??\x: rcpqjbfixn.exe
File opened (read-only) \??\h: vhxflvyz.exe
File opened (read-only) \??\p: vhxflvyz.exe
File opened (read-only) \??\b: vhxflvyz.exe
File opened (read-only) \??\e: vhxflvyz.exe
File opened (read-only) \??\o: rcpqjbfixn.exe
File opened (read-only) \??\i: rcpqjbfixn.exe
File opened (read-only) \??\h: vhxflvyz.exe
File opened (read-only) \??\j: vhxflvyz.exe
File opened (read-only) \??\m: vhxflvyz.exe
File opened (read-only) \??\o: vhxflvyz.exe
File opened (read-only) \??\w: vhxflvyz.exe
File opened (read-only) \??\e: rcpqjbfixn.exe
File opened (read-only) \??\g: vhxflvyz.exe
File opened (read-only) \??\v: rcpqjbfixn.exe
File opened (read-only) \??\w: rcpqjbfixn.exe
File opened (read-only) \??\i: vhxflvyz.exe
File opened (read-only) \??\b: rcpqjbfixn.exe
File opened (read-only) \??\j: rcpqjbfixn.exe
File opened (read-only) \??\n: rcpqjbfixn.exe
File opened (read-only) \??\u: rcpqjbfixn.exe
File opened (read-only) \??\y: vhxflvyz.exe
File opened (read-only) \??\n: vhxflvyz.exe
File opened (read-only) \??\o: vhxflvyz.exe
File opened (read-only) \??\q: vhxflvyz.exe
File opened (read-only) \??\v: vhxflvyz.exe
File opened (read-only) \??\l: vhxflvyz.exe
File opened (read-only) \??\y: vhxflvyz.exe
File opened (read-only) \??\q: rcpqjbfixn.exe
File opened (read-only) \??\l: rcpqjbfixn.exe
File opened (read-only) \??\m: vhxflvyz.exe
File opened (read-only) \??\z: vhxflvyz.exe
File opened (read-only) \??\r: vhxflvyz.exe
File opened (read-only) \??\s: vhxflvyz.exe
File opened (read-only) \??\t: vhxflvyz.exe
File opened (read-only) \??\x: vhxflvyz.exe
File opened (read-only) \??\h: rcpqjbfixn.exe
File opened (read-only) \??\a: vhxflvyz.exe
File opened (read-only) \??\l: vhxflvyz.exe
File opened (read-only) \??\n: vhxflvyz.exe
File opened (read-only) \??\i: vhxflvyz.exe
File opened (read-only) \??\s: vhxflvyz.exe
File opened (read-only) \??\m: rcpqjbfixn.exe
File opened (read-only) \??\k: vhxflvyz.exe
File opened (read-only) \??\k: vhxflvyz.exe
File opened (read-only) \??\t: vhxflvyz.exe
File opened (read-only) \??\u: vhxflvyz.exe
File opened (read-only) \??\p: vhxflvyz.exe
File opened (read-only) \??\q: vhxflvyz.exe
File opened (read-only) \??\u: vhxflvyz.exe
File opened (read-only) \??\a: rcpqjbfixn.exe
File opened (read-only) \??\r: vhxflvyz.exe
File opened (read-only) \??\v: vhxflvyz.exe
File opened (read-only) \??\t: rcpqjbfixn.exe
File opened (read-only) \??\z: rcpqjbfixn.exe
File opened (read-only) \??\j: vhxflvyz.exe
File opened (read-only) \??\g: vhxflvyz.exe
File opened (read-only) \??\w: vhxflvyz.exe
File opened (read-only) \??\e: vhxflvyz.exe
File opened (read-only) \??\x: vhxflvyz.exe
File opened (read-only) \??\a: vhxflvyz.exe
File opened (read-only) \??\z: vhxflvyz.exe
File opened (read-only) \??\g: rcpqjbfixn.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" rcpqjbfixn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" rcpqjbfixn.exe
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/960-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x0008000000023243-23.dat autoit_exe
behavioral2/files/0x0006000000023249-30.dat autoit_exe
behavioral2/files/0x0006000000023248-32.dat autoit_exe
behavioral2/files/0x0006000000023249-29.dat autoit_exe
behavioral2/files/0x0006000000023248-28.dat autoit_exe
behavioral2/files/0x0008000000023243-22.dat autoit_exe
behavioral2/files/0x000e000000023192-19.dat autoit_exe
behavioral2/files/0x0006000000023248-41.dat autoit_exe
behavioral2/files/0x000e000000023192-18.dat autoit_exe
behavioral2/files/0x0008000000023243-5.dat autoit_exe
behavioral2/files/0x0006000000023255-66.dat autoit_exe
behavioral2/files/0x0006000000023255-64.dat autoit_exe
behavioral2/files/0x0006000000023254-61.dat autoit_exe
behavioral2/files/0x000700000002325e-78.dat autoit_exe
behavioral2/files/0x000700000002325e-95.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\vhxflvyz.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\puvfodurdkctp.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\puvfodurdkctp.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll rcpqjbfixn.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vhxflvyz.exe
File created C:\Windows\SysWOW64\rcpqjbfixn.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\rcpqjbfixn.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification C:\Windows\SysWOW64\zqzpiywruopxcff.exe 3a030c486057917499b7ceb5b7c779b7.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vhxflvyz.exe
File created C:\Windows\SysWOW64\zqzpiywruopxcff.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\SysWOW64\vhxflvyz.exe 3a030c486057917499b7ceb5b7c779b7.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vhxflvyz.exe
Drops file in Program Files directory 15 IoCs
description ioc Process
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal vhxflvyz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vhxflvyz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal vhxflvyz.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal vhxflvyz.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vhxflvyz.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vhxflvyz.exe
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 3a030c486057917499b7ceb5b7c779b7.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe vhxflvyz.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe vhxflvyz.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe vhxflvyz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" rcpqjbfixn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc rcpqjbfixn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat rcpqjbfixn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15B44E6399D53B9B9D4339CD4CC" 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668B1FE6622DBD17AD0A88A0C9010" 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C60F1596DAB0B9CE7F95EC9634B9" 3a030c486057917499b7ceb5b7c779b7.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh rcpqjbfixn.exe
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7B9D5082276A3676D270202CD77C8664D7" 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFC824F2685689137D7587E90BCEFE136593567446243D6EB" 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" rcpqjbfixn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" rcpqjbfixn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" rcpqjbfixn.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 3a030c486057917499b7ceb5b7c779b7.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CCFE67F29983793A31819C3E93B38A02FB42680248E1CD42E608D3" 3a030c486057917499b7ceb5b7c779b7.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
1732 WINWORD.EXE
1732 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
1556 puvfodurdkctp.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
1556 puvfodurdkctp.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
960 3a030c486057917499b7ceb5b7c779b7.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4612 zqzpiywruopxcff.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
4424 rcpqjbfixn.exe
1556 puvfodurdkctp.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
2256 vhxflvyz.exe
2256 vhxflvyz.exe
1556 puvfodurdkctp.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
3612 vhxflvyz.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
1732 WINWORD.EXE
1732 WINWORD.EXE
1732 WINWORD.EXE
1732 WINWORD.EXE
1732 WINWORD.EXE
1732 WINWORD.EXE
1732 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 960 wrote to memory of 4424 960 3a030c486057917499b7ceb5b7c779b7.exe 29
PID 960 wrote to memory of 4424 960 3a030c486057917499b7ceb5b7c779b7.exe 29
PID 960 wrote to memory of 4424 960 3a030c486057917499b7ceb5b7c779b7.exe 29
PID 960 wrote to memory of 4612 960 3a030c486057917499b7ceb5b7c779b7.exe 28
PID 960 wrote to memory of 4612 960 3a030c486057917499b7ceb5b7c779b7.exe 28
PID 960 wrote to memory of 4612 960 3a030c486057917499b7ceb5b7c779b7.exe 28
PID 960 wrote to memory of 2256 960 3a030c486057917499b7ceb5b7c779b7.exe 27
PID 960 wrote to memory of 2256 960 3a030c486057917499b7ceb5b7c779b7.exe 27
PID 960 wrote to memory of 2256 960 3a030c486057917499b7ceb5b7c779b7.exe 27
PID 960 wrote to memory of 1556 960 3a030c486057917499b7ceb5b7c779b7.exe 26
PID 960 wrote to memory of 1556 960 3a030c486057917499b7ceb5b7c779b7.exe 26
PID 960 wrote to memory of 1556 960 3a030c486057917499b7ceb5b7c779b7.exe 26
PID 960 wrote to memory of 1732 960 3a030c486057917499b7ceb5b7c779b7.exe 21
PID 960 wrote to memory of 1732 960 3a030c486057917499b7ceb5b7c779b7.exe 21
PID 4424 wrote to memory of 3612 4424 rcpqjbfixn.exe 23
PID 4424 wrote to memory of 3612 4424 rcpqjbfixn.exe 23
PID 4424 wrote to memory of 3612 4424 rcpqjbfixn.exe 23
Processes

C:\Users\Admin\AppData\Local\Temp\3a030c486057917499b7ceb5b7c779b7.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3a030c486057917499b7ceb5b7c779b7.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:960

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1732

  C:\Windows\SysWOW64\puvfodurdkctp.exe (depth 2)
  Command line: puvfodurdkctp.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1556

  C:\Windows\SysWOW64\vhxflvyz.exe (depth 2)
  Command line: vhxflvyz.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2256

  C:\Windows\SysWOW64\zqzpiywruopxcff.exe (depth 2)
  Command line: zqzpiywruopxcff.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4612

  C:\Windows\SysWOW64\rcpqjbfixn.exe (depth 2)
  Command line: rcpqjbfixn.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4424

C:\Windows\SysWOW64\vhxflvyz.exe (depth 1)
Command line: C:\Windows\system32\vhxflvyz.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3612
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Downloads