Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2023, 00:12
Static task
static1
Behavioral task
behavioral1
Sample
4583dc20ee9c673bfcd517fab7d88bbf.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
4583dc20ee9c673bfcd517fab7d88bbf.exe
Resource
win10v2004-20231215-en
General
-
Target
4583dc20ee9c673bfcd517fab7d88bbf.exe
-
Size
512KB
-
MD5
4583dc20ee9c673bfcd517fab7d88bbf
-
SHA1
cc4fdf65702ff682b9e1692ce83aa9d3e2828111
-
SHA256
478e070b3f86342ff2fc22562142633932121d6244bb55160ae4713159580cb1
-
SHA512
d06f549136eb15f83001f405a3005594b1544e9944c14c1c85eaf57079fe701ef03a729c29a5365321a63fd909f51b889a152ec16fd01f89c257056edd7c9d97
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" duqqdysuwz.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" duqqdysuwz.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" duqqdysuwz.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" duqqdysuwz.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation 4583dc20ee9c673bfcd517fab7d88bbf.exe -
Executes dropped EXE 5 IoCs
pid Process 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 404 mlonvgzl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" duqqdysuwz.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hgvavndu = "duqqdysuwz.exe" obmokcsqkdlmosx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgovngy = "obmokcsqkdlmosx.exe" obmokcsqkdlmosx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zpkkoajaskbtc.exe" obmokcsqkdlmosx.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: mlonvgzl.exe File opened (read-only) \??\h: mlonvgzl.exe File opened (read-only) \??\j: mlonvgzl.exe File opened (read-only) \??\j: duqqdysuwz.exe File opened (read-only) \??\t: duqqdysuwz.exe File opened (read-only) \??\v: duqqdysuwz.exe File opened (read-only) \??\b: mlonvgzl.exe File opened (read-only) \??\y: mlonvgzl.exe File opened (read-only) \??\n: duqqdysuwz.exe File opened (read-only) \??\z: duqqdysuwz.exe File opened (read-only) \??\h: mlonvgzl.exe File opened (read-only) \??\r: mlonvgzl.exe File opened (read-only) \??\w: mlonvgzl.exe File opened (read-only) \??\k: mlonvgzl.exe File opened (read-only) \??\n: mlonvgzl.exe File opened (read-only) \??\o: mlonvgzl.exe File opened (read-only) \??\s: mlonvgzl.exe File opened (read-only) \??\v: mlonvgzl.exe File opened (read-only) \??\a: duqqdysuwz.exe File opened (read-only) \??\m: duqqdysuwz.exe File opened (read-only) \??\o: duqqdysuwz.exe File opened (read-only) \??\z: mlonvgzl.exe File opened (read-only) \??\y: mlonvgzl.exe File opened (read-only) \??\k: mlonvgzl.exe File opened (read-only) \??\i: mlonvgzl.exe File opened (read-only) \??\b: duqqdysuwz.exe File opened (read-only) \??\k: duqqdysuwz.exe File opened (read-only) \??\y: duqqdysuwz.exe File opened (read-only) \??\a: mlonvgzl.exe File opened (read-only) \??\m: mlonvgzl.exe File opened (read-only) \??\w: duqqdysuwz.exe File opened (read-only) \??\w: mlonvgzl.exe File opened (read-only) \??\z: mlonvgzl.exe File opened (read-only) \??\n: mlonvgzl.exe File opened (read-only) \??\t: mlonvgzl.exe File opened (read-only) \??\l: duqqdysuwz.exe File opened (read-only) \??\u: duqqdysuwz.exe File opened (read-only) \??\g: mlonvgzl.exe File opened (read-only) \??\u: mlonvgzl.exe File opened (read-only) \??\a: mlonvgzl.exe File opened (read-only) \??\t: mlonvgzl.exe File opened (read-only) \??\q: mlonvgzl.exe File opened (read-only) \??\s: mlonvgzl.exe File opened (read-only) \??\x: mlonvgzl.exe File opened (read-only) \??\m: mlonvgzl.exe File opened (read-only) \??\r: mlonvgzl.exe File opened (read-only) \??\j: mlonvgzl.exe File opened (read-only) \??\v: mlonvgzl.exe File opened (read-only) \??\g: mlonvgzl.exe File opened (read-only) \??\x: mlonvgzl.exe File opened (read-only) \??\q: duqqdysuwz.exe File opened (read-only) \??\r: duqqdysuwz.exe File opened (read-only) \??\b: mlonvgzl.exe File opened (read-only) \??\i: duqqdysuwz.exe File opened (read-only) \??\p: duqqdysuwz.exe File opened (read-only) \??\e: mlonvgzl.exe File opened (read-only) \??\p: mlonvgzl.exe File opened (read-only) \??\e: mlonvgzl.exe File opened (read-only) \??\p: mlonvgzl.exe File opened (read-only) \??\u: mlonvgzl.exe File opened (read-only) \??\g: duqqdysuwz.exe File opened (read-only) \??\h: duqqdysuwz.exe File opened (read-only) \??\l: mlonvgzl.exe File opened (read-only) \??\q: mlonvgzl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" duqqdysuwz.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" duqqdysuwz.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/680-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0006000000023229-5.dat autoit_exe behavioral2/files/0x0007000000023226-18.dat autoit_exe behavioral2/files/0x0007000000023226-19.dat autoit_exe behavioral2/files/0x0006000000023229-23.dat autoit_exe behavioral2/files/0x000600000002322b-28.dat autoit_exe behavioral2/files/0x000600000002322a-27.dat autoit_exe behavioral2/files/0x000600000002322b-29.dat autoit_exe behavioral2/files/0x0006000000023262-106.dat autoit_exe behavioral2/files/0x000b00000002312b-141.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\obmokcsqkdlmosx.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File created C:\Windows\SysWOW64\zpkkoajaskbtc.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll duqqdysuwz.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mlonvgzl.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mlonvgzl.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe mlonvgzl.exe File created C:\Windows\SysWOW64\duqqdysuwz.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File opened for modification C:\Windows\SysWOW64\duqqdysuwz.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File created C:\Windows\SysWOW64\obmokcsqkdlmosx.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File created C:\Windows\SysWOW64\mlonvgzl.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File opened for modification C:\Windows\SysWOW64\mlonvgzl.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe File opened for modification C:\Windows\SysWOW64\zpkkoajaskbtc.exe 4583dc20ee9c673bfcd517fab7d88bbf.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mlonvgzl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mlonvgzl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mlonvgzl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe mlonvgzl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mlonvgzl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe mlonvgzl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal mlonvgzl.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 4583dc20ee9c673bfcd517fab7d88bbf.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" duqqdysuwz.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 4583dc20ee9c673bfcd517fab7d88bbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7D9D5782276A4177A077252DDB7CF265AA" 4583dc20ee9c673bfcd517fab7d88bbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB2FF1D21D9D109D0A08A7D9016" 4583dc20ee9c673bfcd517fab7d88bbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs duqqdysuwz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACDF960F196837B3B4281983E90B0FB02F04364034FE1B8459C09A2" 4583dc20ee9c673bfcd517fab7d88bbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B15F47E139EC52C8BAD5339FD7CA" 4583dc20ee9c673bfcd517fab7d88bbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCFE482B851A9137D75F7DE6BD97E631593567456243D7EE" 4583dc20ee9c673bfcd517fab7d88bbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" duqqdysuwz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh duqqdysuwz.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC67915E5DAB4B9B97C93EDE037B9" 4583dc20ee9c673bfcd517fab7d88bbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc duqqdysuwz.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf duqqdysuwz.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings 4583dc20ee9c673bfcd517fab7d88bbf.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4488 WINWORD.EXE 4488 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 1204 mlonvgzl.exe 1204 mlonvgzl.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 2192 zpkkoajaskbtc.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 5016 duqqdysuwz.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 3000 obmokcsqkdlmosx.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 2192 zpkkoajaskbtc.exe 1204 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe 404 mlonvgzl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4488 WINWORD.EXE 4488 WINWORD.EXE 4488 WINWORD.EXE 4488 WINWORD.EXE 4488 WINWORD.EXE 4488 WINWORD.EXE 4488 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 680 wrote to memory of 5016 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 91 PID 680 wrote to memory of 5016 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 91 PID 680 wrote to memory of 5016 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 91 PID 680 wrote to memory of 3000 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 92 PID 680 wrote to memory of 3000 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 92 PID 680 wrote to memory of 3000 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 92 PID 680 wrote to memory of 1204 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 94 PID 680 wrote to memory of 1204 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 94 PID 680 wrote to memory of 1204 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 94 PID 680 wrote to memory of 2192 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 93 PID 680 wrote to memory of 2192 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 93 PID 680 wrote to memory of 2192 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 93 PID 5016 wrote to memory of 404 5016 duqqdysuwz.exe 96 PID 5016 wrote to memory of 404 5016 duqqdysuwz.exe 96 PID 5016 wrote to memory of 404 5016 duqqdysuwz.exe 96 PID 680 wrote to memory of 4488 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 95 PID 680 wrote to memory of 4488 680 4583dc20ee9c673bfcd517fab7d88bbf.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\4583dc20ee9c673bfcd517fab7d88bbf.exe"C:\Users\Admin\AppData\Local\Temp\4583dc20ee9c673bfcd517fab7d88bbf.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\duqqdysuwz.exeduqqdysuwz.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\mlonvgzl.exeC:\Windows\system32\mlonvgzl.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:404
-
-
-
C:\Windows\SysWOW64\obmokcsqkdlmosx.exeobmokcsqkdlmosx.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000
-
-
C:\Windows\SysWOW64\zpkkoajaskbtc.exezpkkoajaskbtc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2192
-
-
C:\Windows\SysWOW64\mlonvgzl.exemlonvgzl.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1204
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4488
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5a4944b1c5d5c5840e557842437ef9208
SHA1898136b71930a24f0cf9de57509a25990d80d090
SHA256d6a89a53bc69fc865b3a01c758d8734f26db78314bc6707630cb090046a33aaf
SHA512efb4027afe5c2fd9f980641d6d292623adefdb1ed6eb2d8022a4de29000bac5b640662f0cf94dac20922c8f2c75f12eb2a01a7bde9cf7d17cd2389e377f18e01
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5537a467d27abe78d4a7b4e01c7ca7ea4
SHA1479d59c7998944bcfd4c4a6932ded5c2d8ee05e2
SHA256317b01f799954c115892be4b0bbcc6482dc9b8b732545630934487715910b0bd
SHA512687b6e5ce9a96dc0f6a5b76087c6530ac83cdde235b719632fb29927705542fd592f91c7f84c805ea10d23f13e621e3f224e343fe40fb44c102030ed5f8f5509
-
Filesize
93KB
MD5257f28bd5bdc2b725434b7ab570814e7
SHA1972446e0f8d210c5d6f42a57a921391a236d564d
SHA256d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688
SHA512c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575
-
Filesize
385KB
MD5279a2620e67ba2860803639715d616fb
SHA12d61471cafcc1c2fb06dd6ac75396f9e7c856f52
SHA256399ca40a278578c7b9ec69d047c914ea58fcd007d6703c4fcd3db2a892a016f1
SHA512bd2c40f12ad56957ec0c184c0f84fcaeed8bf39efd985fe14130e93f0ac568fc578d215defa208a168b171a5947dd0d0de5b5c46f304b5e9c3b6d377e5438a69
-
Filesize
193KB
MD5a31008e1bf36948c5790f46d6a5b364b
SHA153e1bd64f986806dc72e3343c87b65f8afed897a
SHA2560fe3f5e6e9138cafa7435072ebda5646c80f646add2cc306b55a468cd10c4886
SHA5121474fa94a858054307521aa2fc7d0880d9ea131693643bf113304ee32d9a7b731a14668d2a2944bcc7e8b7644408bd98ac2bb7f305b0d74447cc13630fa63538
-
Filesize
381KB
MD530aec9e0b33fbd99234328357879f812
SHA13c9d37139d4ccfe2b694afba9633170d0f510a92
SHA25615aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
SHA5122060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415
-
Filesize
79KB
MD523d80d6c0f188b47e51f974a0b802708
SHA15b510e857b46de80c83e904a670f22db4c06ba4d
SHA256a068be9b5cc41de25f043a1f42d6a9b3a126c1b3062db6a5612299b8519da527
SHA512a09d83298f2d15fef3bb9699878a40d07ecb69b13d340709a32423b56edcc79e97cc398cba7b6915bf5b0e186a239e1d800c59e04c9fa4b82e45c042d94a3799
-
Filesize
512KB
MD54daa3607e31fca67b398b1f1176fb57e
SHA1a1b49c6edda15b30e6b97e5afad456e61c66f247
SHA256f8fe772e9c350eca73958d3782001e5541a44600a13224660c213315b023314a
SHA5122017b9605a70e2c7ab68a6b77b636f7fca5abf9f39e15a9866a693fd2206bffa1daeafb6150de0e00cac2515c3af8be8a59aa651c8252ea737e293fa39374ac2
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
512KB
MD5fb3648ab18a1337709071b816c52d595
SHA1b018964b38e779a41939be9bf4d42ebaa46b526c
SHA2561fe2174c568996251b181d16d3adbff657d4fb95636ed9b555f7d8752b14c01b
SHA5120c6b1ee3c81e34d555136e0b8ad16d300f3aa3c35770012c303c9b207260b0331e44f2758d1fe3f3d8a6f95049f9856ca583a532e6fbfa98c624543a2a867ee4