Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2023 20:03
Static task
static1
Behavioral task
behavioral1
Sample
39faf8ddc75b4758a1a35b1c3841a776.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
39faf8ddc75b4758a1a35b1c3841a776.exe
Resource
win10v2004-20231222-en
General
-
Target
39faf8ddc75b4758a1a35b1c3841a776.exe
-
Size
512KB
-
MD5
39faf8ddc75b4758a1a35b1c3841a776
-
SHA1
c1909d6b03d78abc536fd19c6c083a92a6c4a2d2
-
SHA256
6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662
-
SHA512
de906f80ebcf32659b2bf48ed3d6e08a37f319cfeabca3148fae21394e66e2d4b9dc86ceb1537d41cd6493ea7d21a3fbb960428e9692fd57f22880dcfc65eb0a
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
With known extensions hidden, the *.DOC.exe files dropped under Program Files, SysWOW64 and WinSxS (see the file-drop signatures below) are listed as *.DOC. Note that HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults, so they are evidence only as a write by this process, not as a static registry state.
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" fzvxroxygp.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" fzvxroxygp.exe -
Windows security bypass 5 IoCs
Suppresses Security Center notifications and overrides its antivirus/firewall status (signature name as listed for fzvxroxygp.exe in the process tree below).
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" fzvxroxygp.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fzvxroxygp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Reads the country code configured in the registry, likely a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 39faf8ddc75b4758a1a35b1c3841a776.exe -
Executes dropped EXE 5 IoCs
pid Process 3632 fzvxroxygp.exe 3256 csjnejztsrpyhyt.exe 1700 bfmnloqd.exe 32 jhktrcwogdhst.exe 936 bfmnloqd.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
The same Security Center writes as the bypass signature above plus FirstRunDisabled (signature name as listed for fzvxroxygp.exe in the process tree below). fzvxroxygp.exe runs from SysWOW64, i.e. it is a 32-bit process, so its HKLM\SOFTWARE writes land in the WOW6432Node view recorded here.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" fzvxroxygp.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fkxhwqml = "fzvxroxygp.exe" csjnejztsrpyhyt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yxvdkira = "csjnejztsrpyhyt.exe" csjnejztsrpyhyt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jhktrcwogdhst.exe" csjnejztsrpyhyt.exe
All three entries are written by csjnejztsrpyhyt.exe, and the third is written to the key's default value (empty value name). The data are bare file names, so they resolve through the search path; the files themselves are dropped into SysWOW64 (see below).
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process (64 opens, grouped by process)
bfmnloqd.exe (PIDs 1700 and 936): File opened (read-only) \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (44 opens; every letter except c:, d: and f:, most of them twice, once per instance)
fzvxroxygp.exe (PID 3632): File opened (read-only) \??\a: b: e: g: h: i: j: k: m: n: o: p: q: r: s: t: v: w: y: z: (20 opens)
-
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" fzvxroxygp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" fzvxroxygp.exe
4294967197 is 0xFFFFFF9D, the legacy value that turned off Windows File Protection on Windows 2000/XP. Windows 10 ignores it: Windows Resource Protection does not read SFCDisable, so this write is a tell for old worm code rather than an effective bypass on this platform.
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/224-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0007000000023204-19.dat autoit_exe behavioral2/files/0x0007000000023207-24.dat autoit_exe behavioral2/files/0x000700000002320a-29.dat autoit_exe behavioral2/files/0x000600000002320b-32.dat autoit_exe behavioral2/files/0x000600000002320b-31.dat autoit_exe behavioral2/files/0x000700000002320a-28.dat autoit_exe behavioral2/files/0x0007000000023207-22.dat autoit_exe behavioral2/files/0x0007000000023204-18.dat autoit_exe behavioral2/files/0x0007000000023207-5.dat autoit_exe behavioral2/files/0x000700000002320a-62.dat autoit_exe behavioral2/files/0x0006000000023218-79.dat autoit_exe behavioral2/files/0x0006000000023217-74.dat autoit_exe behavioral2/files/0x0004000000022720-83.dat autoit_exe behavioral2/files/0x00080000000231ff-92.dat autoit_exe behavioral2/files/0x00080000000231ff-97.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process
File created C:\Windows\SysWOW64\fzvxroxygp.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification C:\Windows\SysWOW64\csjnejztsrpyhyt.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification C:\Windows\SysWOW64\jhktrcwogdhst.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification C:\Windows\SysWOW64\bfmnloqd.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File created C:\Windows\SysWOW64\jhktrcwogdhst.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll fzvxroxygp.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification C:\Windows\SysWOW64\fzvxroxygp.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File created C:\Windows\SysWOW64\csjnejztsrpyhyt.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File created C:\Windows\SysWOW64\bfmnloqd.exe 39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe bfmnloqd.exe
The four components (fzvxroxygp.exe, csjnejztsrpyhyt.exe, jhktrcwogdhst.exe, bfmnloqd.exe) are all written to SysWOW64 by the original sample; bfmnloqd.exe then adds MsoIrmProtector.doc.exe, a document name with .exe appended. msvbvm60.dll is the Visual Basic 6 runtime; the report records it only as opened for modification by fzvxroxygp.exe.
-
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bfmnloqd.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bfmnloqd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bfmnloqd.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe bfmnloqd.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe bfmnloqd.exe
Each pair follows the same pattern: a PROTTPL?.nal file is opened for modification and a PROTTPL?.DOC.exe is created next to it.
-
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe bfmnloqd.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe bfmnloqd.exe
File opened for modification C:\Windows\mydoc.rtf 39faf8ddc75b4758a1a35b1c3841a776.exe
bfmnloqd.exe writes MsoIrmProtector.doc.exe into all four WinSxS component directories (amd64 and wow64, versions 10.0.19041.1 and 10.0.19041.746). C:\Windows\mydoc.rtf is written by the original sample and then opened by the WINWORD.EXE instance the sample launches (see the process tree), which makes it a likely decoy document; the ~$mydoc.rtf lock file is Word's own.
-
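The file-drop rows above share one pattern: an executable named after a document with .exe appended (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe), written next to a file that is opened for modification (PROTTPL?.nal), while the HideFileExt write makes Explorer show the drop as a document. The scanner below is an added example, not part of the sandbox report, that walks a directory tree and flags such files: a document extension immediately before an executable extension, an MZ header check, the name Explorer would display with extensions hidden, and a .nal sibling. The directory layout it builds is constructed test data mirroring the report's paths, not files from the sandbox, and the assumption that the .nal sibling is the original document renamed is the example's own (the report only shows those files being opened for modification).

```python
"""Find executables disguised as documents, as this sample drops them.

Added example, not part of the sandbox report. The sample tree built by
build_sample_tree() is constructed test data (assumption); the names and
directories mirror the report's file-drop rows.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
MZ = b"MZ"


def is_pe(path: Path) -> bool:
    """True if the file starts with the MZ signature of a PE image."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == MZ
    except OSError:
        return False


def find_disguised_executables(root: Path) -> list[dict]:
    """Flag <name>.<docext>.<exeext> files and look for a renamed original beside them."""
    findings: list[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        lower_names = {f.lower(): f for f in files}
        for name in files:
            path = Path(dirpath) / name
            suffixes = [s.lower() for s in path.suffixes]   # 'PROTTPLN.DOC.exe' -> ['.doc', '.exe']
            if len(suffixes) < 2 or suffixes[-1] not in EXEC_EXTS or suffixes[-2] not in DOC_EXTS:
                continue
            shown = name[: -len(path.suffix)]           # what Explorer lists with HideFileExt = 1
            base = shown[: -len(Path(shown).suffix)]    # document name without either extension
            findings.append({
                "name": name,
                "path": str(path),
                "is_pe": is_pe(path),
                "displayed_with_hidden_ext": shown,
                # assumption: the sample leaves the real document beside the drop as <base>.nal
                "renamed_original": lower_names.get(base.lower() + ".nal"),
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed test data mirroring the report's drop locations (not sandbox files)."""
    stub = MZ + b"\x00" * 62   # fake PE header, enough for is_pe()
    office = root / "Program Files" / "Microsoft Office" / "root" / "Office16" / "1033"
    office.mkdir(parents=True)
    (office / "PROTTPLN.DOC.exe").write_bytes(stub)
    (office / "PROTTPLN.nal").write_bytes(b"{\\rtf1 original template}")
    (office / "PROTTPLV.DOC.exe").write_bytes(stub)
    (office / "PROTTPLV.nal").write_bytes(b"{\\rtf1 original template}")
    msdrm = root / "Windows" / "SysWOW64" / "MSDRM"
    msdrm.mkdir(parents=True)
    (msdrm / "MsoIrmProtector.doc.exe").write_bytes(stub)   # no .nal sibling in the report
    docs = root / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04")   # benign Office file, single extension
    (docs / "setup.exe").write_bytes(stub)              # plain executable, not flagged


def scan_sample_tree() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return find_disguised_executables(root)


if __name__ == "__main__":
    for hit in scan_sample_tree():
        print(f"{hit['displayed_with_hidden_ext']:28} -> {hit['name']} "
              f"(PE={hit['is_pe']}, original={hit['renamed_original']})")
```

On a real host, point find_disguised_executables() at C:\Program Files, C:\Windows\SysWOW64 and C:\Windows\WinSxS and compare the hashes of any hits against the Downloads list at the end of this report.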
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here all three queries come from WINWORD.EXE, which reads these keys during normal startup, so this hit reflects the Word session the sample opened on mydoc.rtf rather than the dropper itself.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
The same applies to the BIOS queries: all three are by WINWORD.EXE.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
-
Modifies registry class 20 IoCs
description ioc Process
Written by the original sample (hex strings under a CLV.Classes key; the report does not decode them):
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452D0D9D5682576D3E76A6772E2DD77DF265D9" 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9CEF967F19783753B4B81EA3E95B38C038F4268024BE1BD45E909D5" 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12C47E339EC53B9BADD33EDD7BB" 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8F482B826E9041D75D7E92BDE2E1355943674F6246D690" 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F76BC5FF6C21D0D10ED1D68A749166" 39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77914E4DABFB8CF7C92ECE734C8" 39faf8ddc75b4758a1a35b1c3841a776.exe
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings 39faf8ddc75b4758a1a35b1c3841a776.exe
Written by fzvxroxygp.exe (file-association hijack):
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat fzvxroxygp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg fzvxroxygp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs fzvxroxygp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc fzvxroxygp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf fzvxroxygp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" fzvxroxygp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" fzvxroxygp.exe
Pointing the default value of .bat, .reg, .vbs, .wsc, .wsf and .wsh at the txtfile ProgID makes Explorer open those files in the text editor instead of running them, which blocks script- and .reg-based cleanup by the user; together with DisableRegistryTools above it leaves the registry writes hard to revert from the desktop.
-
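The registry rows in this report (Explorer, Security Center, Policies\System, Winlogon, the Run key and the .bat/.reg/.vbs/.wsc/.wsf/.wsh class keys) are the part of the infection that survives a reboot and that a responder has to check on other hosts. The check below is an added example, not part of the sandbox report: it evaluates an offline registry snapshot against those rows and returns one finding per indicator. The snapshot format (a dict of key path to its values, with the empty string as the default value), the finding kinds and the two SAMPLE_* snapshots are assumptions of the example; the key paths, value names and data come from the rows above. The two Explorer values equal Windows defaults, so the check rates them as weak evidence only.

```python
"""Evaluate a registry snapshot against the tamper indicators in this report.

Added example, not part of the sandbox report. The snapshot layout, the
finding kinds and SAMPLE_INFECTED / SAMPLE_CLEAN are this example's own
assumptions; key paths, value names and data are those the report lists.
"""
from __future__ import annotations

HKCU_ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKCU_POL = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKLM_SC = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center"
HKLM_WINLOGON = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKLM_RUN = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
HKLM_CLASSES = r"HKLM\SOFTWARE\Classes"

# (key, value name) -> (data the sample writes, finding kind).
# HideFileExt=1 and ShowSuperHidden=0 are also the Windows defaults, so in a
# static snapshot they are only weak evidence; the sandbox flags the write.
TAMPER_VALUES = {
    (HKCU_ADV, "HideFileExt"): (1, "tamper-weak"),
    (HKCU_ADV, "ShowSuperHidden"): (0, "tamper-weak"),
    (HKCU_POL, "DisableRegistryTools"): (1, "tamper"),
    (HKLM_SC, "AntiVirusDisableNotify"): (1, "tamper"),
    (HKLM_SC, "FirewallDisableNotify"): (1, "tamper"),
    (HKLM_SC, "UpdatesDisableNotify"): (1, "tamper"),
    (HKLM_SC, "FirstRunDisabled"): (1, "tamper"),
    (HKLM_SC, "AntiVirusOverride"): (1, "tamper"),
    (HKLM_SC, "FirewallOverride"): (1, "tamper"),
    (HKLM_WINLOGON, "SFCScan"): (0, "tamper"),
    (HKLM_WINLOGON, "SFCDisable"): (0xFFFFFF9D, "tamper"),  # 4294967197 in the report
}

# Dropped binaries the report shows being registered for autostart.
DROPPED_EXES = {"fzvxroxygp.exe", "csjnejztsrpyhyt.exe", "jhktrcwogdhst.exe", "bfmnloqd.exe"}
# Script/registry extensions the sample points at the txtfile ProgID.
HIJACKED_EXTS = {".bat", ".reg", ".vbs", ".wsc", ".wsf", ".wsh"}


def assess_snapshot(snapshot: dict[str, dict[str, object]]) -> list[tuple[str, str]]:
    """Return (kind, detail) pairs for every indicator present in the snapshot.

    Keys and value names are compared case-insensitively; data is not altered.
    """
    findings: list[tuple[str, str]] = []
    lowered = {key.lower(): {name.lower(): data for name, data in values.items()}
               for key, values in snapshot.items()}

    for (key, name), (bad, kind) in TAMPER_VALUES.items():
        data = lowered.get(key.lower(), {}).get(name.lower())
        if data == bad:
            findings.append((kind, f"{key}\\{name} = {data}"))

    for name, data in lowered.get(HKLM_RUN.lower(), {}).items():
        # The report's Run data are bare file names; a quoted full path is
        # reduced to its file name the same way (arguments are not handled).
        image = str(data).strip('"').split("\\")[-1].lower()
        if image in DROPPED_EXES:
            findings.append(("persistence", f"Run\\{name or '(default)'} = {data}"))

    prefix = HKLM_CLASSES.lower() + "\\"
    for key, values in lowered.items():
        if not key.startswith(prefix):
            continue
        ext = key[len(prefix):]
        if ext in HIJACKED_EXTS and str(values.get("", "")).lower() == "txtfile":
            findings.append(("assoc-hijack", f"{ext} -> txtfile"))
    return findings


# Constructed snapshot mirroring the report's registry rows (not a real host).
SAMPLE_INFECTED = {
    HKCU_ADV: {"HideFileExt": 1, "ShowSuperHidden": 0},
    HKCU_POL: {"DisableRegistryTools": 1},
    HKLM_SC: {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1,
              "UpdatesDisableNotify": 1, "FirstRunDisabled": 1,
              "AntiVirusOverride": 1, "FirewallOverride": 1},
    HKLM_WINLOGON: {"SFCScan": 0, "SFCDisable": 4294967197},
    HKLM_RUN: {"fkxhwqml": "fzvxroxygp.exe", "yxvdkira": "csjnejztsrpyhyt.exe",
               "": "jhktrcwogdhst.exe"},
    HKLM_CLASSES + r"\.bat": {"": "txtfile"},
    HKLM_CLASSES + r"\.reg": {"": "txtfile"},
    HKLM_CLASSES + r"\.vbs": {"": "txtfile"},
}

# Constructed clean host: Explorer at non-default settings, a benign Run entry,
# the stock batfile association and none of the tampered values present.
SAMPLE_CLEAN = {
    HKCU_ADV: {"HideFileExt": 0, "ShowSuperHidden": 1},
    HKLM_RUN: {"OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    HKLM_CLASSES + r"\.bat": {"": "batfile"},
}

if __name__ == "__main__":
    for kind, detail in assess_snapshot(SAMPLE_INFECTED):
        print(f"{kind:13} {detail}")
```

To run this against a live Windows host, export the six keys with reg.exe (or read them with winreg) into the same dict shape; a default-looking Explorer pair by itself is not a reason to act, the Security Center, Policies, Winlogon, Run and class-key findings are.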
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process (event count)
4008 WINWORD.EXE (2) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (event count)
224 39faf8ddc75b4758a1a35b1c3841a776.exe (16)
3256 csjnejztsrpyhyt.exe (12)
1700 bfmnloqd.exe (8)
32 jhktrcwogdhst.exe (12)
3632 fzvxroxygp.exe (10)
936 bfmnloqd.exe (6) -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (event count)
224 39faf8ddc75b4758a1a35b1c3841a776.exe (3)
3256 csjnejztsrpyhyt.exe (3)
3632 fzvxroxygp.exe (3)
1700 bfmnloqd.exe (3)
32 jhktrcwogdhst.exe (3)
936 bfmnloqd.exe (3) -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (event count)
224 39faf8ddc75b4758a1a35b1c3841a776.exe (3)
3256 csjnejztsrpyhyt.exe (3)
3632 fzvxroxygp.exe (3)
1700 bfmnloqd.exe (3)
32 jhktrcwogdhst.exe (3)
936 bfmnloqd.exe (3) -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process (event count)
4008 WINWORD.EXE (7) -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 224 wrote to memory of 3632 224 39faf8ddc75b4758a1a35b1c3841a776.exe 48 (3 events)
PID 224 wrote to memory of 3256 224 39faf8ddc75b4758a1a35b1c3841a776.exe 47 (3 events)
PID 224 wrote to memory of 1700 224 39faf8ddc75b4758a1a35b1c3841a776.exe 46 (3 events)
PID 224 wrote to memory of 32 224 39faf8ddc75b4758a1a35b1c3841a776.exe 45 (3 events)
PID 224 wrote to memory of 4008 224 39faf8ddc75b4758a1a35b1c3841a776.exe 51 (2 events)
PID 3632 wrote to memory of 936 3632 fzvxroxygp.exe 54 (3 events)
Every target is a direct child of the writing process in the process tree below, which is the footprint process creation leaves; the report shows no write into a process the sample did not start itself.
Processes
C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe (PID 224)
  command line: "C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\jhktrcwogdhst.exe (PID 32, child of 224)
    command line: jhktrcwogdhst.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\bfmnloqd.exe (PID 1700, child of 224)
    command line: bfmnloqd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\csjnejztsrpyhyt.exe (PID 3256, child of 224)
    command line: csjnejztsrpyhyt.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fzvxroxygp.exe (PID 3632, child of 224)
    command line: fzvxroxygp.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\bfmnloqd.exe (PID 936, child of 3632)
      command line: C:\Windows\system32\bfmnloqd.exe (the 32-bit parent's system32 path is redirected to SysWOW64)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4008, child of 224)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Files written during the run, by hash; the page records a path only for the two CustomDestinations jump-list entries.
-
Filesize 154KB
MD5 1b421bab409b2aa188d8d495a25f901f
SHA1 e722e445244508f32e88f6914e5cd961e06b28a3
SHA256 ea369edd9f65fb1de3dd2af8d989bba41a8cc5548126954c281967f002d9080d
SHA512 5eb8697e5219216021b82574da9f40c86cd1b4063b98f4c5f37725dafcc52f42b5a80c37d80af553b65b0ff37a30fe7ec7ac397868f35bb8e481059e27984ead
-
Filesize 119KB
MD5 a4e35ddf39ef70bc33c3e656576338d8
SHA1 5c405713c57054373061f45eda272fb01076abab
SHA256 ac8afc3f7fcfa5146356c9a0b317aa4396a02cc4424f36bfcefae0be4c0778c5
SHA512 7762f9a8cd5f6efd0c9dffefd831fd0ce8e4a56a9ff2a452f791d2ee766b9a8da3a1ff0d95bd024c5d8cd10a9d678c4019605be051c272fae258769c12c2a44c
-
Filesize 247B
MD5 1b529425a37b1334b8b33ebd890269a4
SHA1 84768e6475b45e3431d5dd62968dde9b92bcb799
SHA256 774609fb895e024729e533b8420e732453a0f7ad9cc4599a871157b4f2ca0440
SHA512 8d82cb100fb6e979061a2a86aedf2f77de9bb5abf4431ed7add5c75d04988a3cd747119ade26856e8c2fdf7fe75e6aedf0025f2015e525b6835c80cfa2eff295
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 df4b63d7fd709da8301eed64b1729e9f
SHA1 b2b2c7c915b3b607c16dc1c907c23c90ddaab608
SHA256 30510ea5d8ac25b39d701a5020470f3a5eb6275b56883abf9843ebd574875878
SHA512 31f501d0cb7b5a53fed89691deb0816ffc2448761a4e6e90c4f4618cabdc15cd3bc61c9e8215ac5f0ee6d2174e6956171008cedfd2f8eeb8f1a9a37f841432a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 0d7238d92167671e250fb1ddf4049cc8
SHA1 f3ea4c256443a534ccb36c623f1b7020ef9164f0
SHA256 25907d32ce251ddabda3fe3b74858bae624dff31b394f15fa7f3b626e6b0c596
SHA512 3d405f56e52b04ca4a0f90936fa0b04c922c4955bbcc2bba6bf6e6095f279fb25331626fb6d7c373c917e072087d2de143b336af8516bd7ac5231384c9312009
-
Filesize 271KB
MD5 462ed12d80b8dd3023b4f681b6ff68c2
SHA1 9b41af72c1426c7f7d24c4dc1621ca1c52cbc879
SHA256 844a9ebbeaa59249c5f116ac6d6ded2378bc71516bfa29e81ff12c847fae0c7f
SHA512 63905df66601ec32ac13a2027130cf8c1219e1a7327da91d32e4ad09399fd0f561080abe23a809902df87d788c7e590c1500ad2e00896ad34129cba1d76377f2
-
Filesize 207KB
MD5 90839ecb3e06bcf349cc8ba8e18a2638
SHA1 b988d6e55925c2d90596128129f7879b3c33148a
SHA256 ccf43f51c70eaca659532d787bef49b6d648d4ed84ee22c8a7409b5b153a22a8
SHA512 21a8ef5c8183b22ea1c8da048b9d7400458452cbc294bade875a3c74f43d67b8b97b7654c3e2b2f6eb40e2427da072d19a143586777de0688263851c989eb153
-
Filesize 29KB
MD5 31cd9d9eec5347fca7a37b03847dd936
SHA1 05e32e79557be7a9d82fd299470d58f1803235f5
SHA256 b8f3c521f756f04b862789bbb4c100d5f6f5dead398db0f2d915b116c137fb57
SHA512 fc3376c70c26b8fd5caa1029097cbfe81fe9f0e8850a0712ea56c85575ffa62b89484b779a825246ce69b3e4f5bd4dd9ec32bb451ba9c9b021630245d74e1b69
-
Filesize 164KB
MD5 0403910c6a34fd2cc9d7bc39963263a7
SHA1 4c0e115cc81ac7dd09fc40601c78b7a5a01bd2d2
SHA256 3c5c729d571957037db4c18a16f7ee709dfe58461a9b25c08d6b0cf5397984b5
SHA512 80a781a93ea2c2242ce97b07ec1a297f823fc2bc1173d05bb08be4db8b9640015fd4b593a9908702bb7df42cf961946991c162bd8c32d491b37a8e5ea7d71f2e
-
Filesize 281KB
MD5 ca25f6dbdb5a0e5a88639a0e3575eb43
SHA1 c1507735334d3f17e072637b16f3c16625ab4761
SHA256 03afe54720f687048521fb994b012d10f618e5282a26365860e4ab8e7d08f45f
SHA512 60268801e9a948a5425d7d3c77d057a580b1e4bb3ef3e070d7a16a8fe5e4c1c15d8af5e8ba084854da23c60ede7636104b14b4651a09bbe2d78e8f96a8319730
-
Filesize 262KB
MD5 21023f09cba46a3697b003d281cedc31
SHA1 d087dfdc9c242fa42048e103d8d12eef38b7955b
SHA256 d94b736432db8d41d6da17cc3aed329ff8408698c0e55b21fec9e96c00b4c634
SHA512 f8dc8592c6501434d4ca6a4b44771d024efaf5244e6e881aae856b726236e63559a37e83163d59370b53e2b1a694bce2c759126d3b8ac3dfa40720090dc715e7
-
Filesize 379KB
MD5 17112c4ea53d9ebb4dda722fbb00839a
SHA1 67bc0c8abdbdd6f70ba746b7a1a9dc14ecef5998
SHA256 56dd1f5292b1fb65675d7217c2acb825e36d8bc031fcefc81217d89820deda9a
SHA512 fa84b3311ea3a24d0a28c35613e78a33dca7ee4468da6c9b31a312751170b170d9e55e5094334b2d4b4cbe6bdb2c2f98ce55c11a6caeddc467e5f145bffa67a0
-
Filesize 275KB
MD5 dcd0479e5b649b5e86016dbcb602e1fa
SHA1 c01b9e4440de39fd7145cd92e74a25631fc3d85b
SHA256 91a696977fc5c40f84868f12310b9d9c0fbe8c08585887b96a4a07aa5d6aee8f
SHA512 f4b8a0c70ba57f51cf2276fa4ae9a428c8df7bedd343387f9717038bc990ef7f3736ccb66362f52f19d107e7b667f5f31dd77ba2fc5360d0f2d0735a186b9005
-
Filesize 292KB
MD5 255776e3ce3cd48ffd056d96364f5b32
SHA1 a3a6dd059b3ff2d3202a49fa2c2343c03f2ffc73
SHA256 c6fa11482fe970394bbba916359ddbc63c3b289191f60a7b7e911ca0fa725e17
SHA512 ea47b3781be9cad1c834a8ed94ae77a343605a7e154730921ae0f438907930b2acb3c07b61d064ee88dca0f64e5336d078ec05b38ca2d2ddb9086a2a567ed3af
-
Filesize 139KB
MD5 9213ab0ba28faa67b81e0a34b96d6c24
SHA1 c2e7163d9f0bf92f13d34f442e1e2c963ff7c312
SHA256 7440e1243d2f6aa79ccfa4e60c63c5924281986c5c612acd42a2164a2117d2c2
SHA512 944f6fb26cbc9d47cff3c5327251d7b55cc37f2129206db120b83d7eab96f32cca9015d481dbb858f6a471e21a2c2ee185216fe3cfd026adfbdcc85b7a4aa2e3
-
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 132KB
MD5 8509509ae7fb7bcafba5cb482ef5de6f
SHA1 e512b05ccdb5139ad0df15b70d130e1f7998ef1c
SHA256 b989ae0b4cb984c94449c2d80e050f72a8bde76d040501ec2e8b0b89fbf549e3
SHA512 03dfe0dde059d1da5197e074d51a9dea60f6bc8891942a4c214d504cf525da01e5eb4f88278e67d7ae81f25840b5b9274dfe62cac5978f7741b1ce302395cf08
-
Filesize 75KB
MD5 4fe21bcc3c5f7e60bd67db771ee74b69
SHA1 1033b9052fb1be0586d8d4c616b4ab5d508c1722
SHA256 9c35ef50e4ed01724026f0257db2339902c0a4d5df80d9db25318fa24b522c4e
SHA512 5d2fd8fe4633532ce2ae409eecbb65d49360a53b54305f18d351be7aef12744fb9d7a6de102fd69aebcd4e2c30939f1fda97443e126a85b0bb7418943179fec7
-
Filesize 125KB
MD5 ac84ce4f7ceebb53e906473bfc55ac00
SHA1 9f26810ce43277440b0b4af047e52dcc87e6ff96
SHA256 58d27f9160459d38b580eef73ad4b285678193ee5260f474887aa837838b329a
SHA512 e2353e06b16c0d93d5aefb589a0493555e45fb9be77909eca825a2aad332b1c08d0ab2a37cc4ea34ee9603cd275dbbb3c3878599285d7cadfb681407511286b7