Analysis
-
max time kernel
2s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2023, 00:34
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
46be791e1d684cab3ce45b7a31636c1c.exe
Resource
win7-20231215-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
46be791e1d684cab3ce45b7a31636c1c.exe
Resource
win10v2004-20231222-en
windows10-2004-x64
21 signatures
150 seconds
General
-
Target
46be791e1d684cab3ce45b7a31636c1c.exe
-
Size
512KB
-
MD5
46be791e1d684cab3ce45b7a31636c1c
-
SHA1
9c7f6c85a3d1cf8a961dba4119919ec1f4c6962a
-
SHA256
1c4a8ad37745d67aa28d6244600bad43a2d69e6b5e6c761a7c996a4d1ce93a0d
-
SHA512
5d54abd44925bafe0425300815aab177ea18eb7d3fc8c5963250d4ba6256297df15c66e5e51efcc0c87e9a05202b910c29bf338bac18a353eae9fe0eb1b6364b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5t
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bxnqzicrwd.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bxnqzicrwd.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bxnqzicrwd.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bxnqzicrwd.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 46be791e1d684cab3ce45b7a31636c1c.exe -
Executes dropped EXE 5 IoCs
pid Process 2472 bxnqzicrwd.exe 4900 drgdcioimrutnll.exe 2892 sudqvaih.exe 4612 nhrrmnclnhbnw.exe 3556 sudqvaih.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" bxnqzicrwd.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vqjkgzpx = "bxnqzicrwd.exe" drgdcioimrutnll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lqvkgmlp = "drgdcioimrutnll.exe" drgdcioimrutnll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nhrrmnclnhbnw.exe" drgdcioimrutnll.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\o: sudqvaih.exe File opened (read-only) \??\g: bxnqzicrwd.exe File opened (read-only) \??\a: sudqvaih.exe File opened (read-only) \??\m: sudqvaih.exe File opened (read-only) \??\g: sudqvaih.exe File opened (read-only) \??\u: sudqvaih.exe File opened (read-only) \??\u: sudqvaih.exe File opened (read-only) \??\e: bxnqzicrwd.exe File opened (read-only) \??\q: bxnqzicrwd.exe File opened (read-only) \??\e: sudqvaih.exe File opened (read-only) \??\e: sudqvaih.exe File opened (read-only) \??\m: bxnqzicrwd.exe File opened (read-only) \??\t: bxnqzicrwd.exe File opened (read-only) \??\v: sudqvaih.exe File opened (read-only) \??\l: sudqvaih.exe File opened (read-only) \??\n: sudqvaih.exe File opened (read-only) \??\t: sudqvaih.exe File opened (read-only) \??\z: sudqvaih.exe File opened (read-only) \??\a: sudqvaih.exe File opened (read-only) \??\j: bxnqzicrwd.exe File opened (read-only) \??\k: bxnqzicrwd.exe File opened (read-only) \??\r: bxnqzicrwd.exe File opened (read-only) \??\w: bxnqzicrwd.exe File opened (read-only) \??\o: sudqvaih.exe File opened (read-only) \??\i: sudqvaih.exe File opened (read-only) \??\m: sudqvaih.exe File opened (read-only) \??\v: sudqvaih.exe File opened (read-only) \??\y: sudqvaih.exe File opened (read-only) \??\a: bxnqzicrwd.exe File opened (read-only) \??\k: sudqvaih.exe File opened (read-only) \??\x: sudqvaih.exe File opened (read-only) \??\r: sudqvaih.exe File opened (read-only) \??\x: bxnqzicrwd.exe File opened (read-only) \??\w: sudqvaih.exe File opened (read-only) \??\s: sudqvaih.exe File opened (read-only) \??\z: sudqvaih.exe File opened (read-only) \??\b: bxnqzicrwd.exe File opened (read-only) \??\i: bxnqzicrwd.exe File opened (read-only) \??\h: sudqvaih.exe File opened (read-only) \??\w: sudqvaih.exe File opened (read-only) \??\l: bxnqzicrwd.exe File opened (read-only) \??\p: sudqvaih.exe File opened (read-only) \??\r: sudqvaih.exe File opened (read-only) \??\p: sudqvaih.exe File opened (read-only) \??\o: bxnqzicrwd.exe File opened (read-only) \??\u: bxnqzicrwd.exe File opened (read-only) \??\g: sudqvaih.exe File opened (read-only) \??\b: sudqvaih.exe File opened (read-only) \??\q: sudqvaih.exe File opened (read-only) \??\v: bxnqzicrwd.exe File opened (read-only) \??\b: sudqvaih.exe File opened (read-only) \??\h: sudqvaih.exe File opened (read-only) \??\l: sudqvaih.exe File opened (read-only) \??\q: sudqvaih.exe File opened (read-only) \??\t: sudqvaih.exe File opened (read-only) \??\k: sudqvaih.exe File opened (read-only) \??\h: bxnqzicrwd.exe File opened (read-only) \??\s: bxnqzicrwd.exe File opened (read-only) \??\z: bxnqzicrwd.exe File opened (read-only) \??\j: sudqvaih.exe File opened (read-only) \??\n: sudqvaih.exe File opened (read-only) \??\j: sudqvaih.exe File opened (read-only) \??\n: bxnqzicrwd.exe File opened (read-only) \??\p: bxnqzicrwd.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" bxnqzicrwd.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bxnqzicrwd.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3892-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000700000002321b-6.dat autoit_exe behavioral2/files/0x0008000000023217-18.dat autoit_exe behavioral2/files/0x0008000000023217-19.dat autoit_exe behavioral2/files/0x000600000002321f-26.dat autoit_exe behavioral2/files/0x0006000000023220-32.dat autoit_exe behavioral2/files/0x000600000002321f-35.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\drgdcioimrutnll.exe 46be791e1d684cab3ce45b7a31636c1c.exe File created C:\Windows\SysWOW64\sudqvaih.exe 46be791e1d684cab3ce45b7a31636c1c.exe File created C:\Windows\SysWOW64\nhrrmnclnhbnw.exe 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll bxnqzicrwd.exe File created C:\Windows\SysWOW64\bxnqzicrwd.exe 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\SysWOW64\bxnqzicrwd.exe 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\SysWOW64\drgdcioimrutnll.exe 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\SysWOW64\sudqvaih.exe 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\SysWOW64\nhrrmnclnhbnw.exe 46be791e1d684cab3ce45b7a31636c1c.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 46be791e1d684cab3ce45b7a31636c1c.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" bxnqzicrwd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs bxnqzicrwd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9CDF96AF1E283083B3186ED3998B0F9038F4214023DE1BF42EC08A6" 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70914E4DAB0B8BA7CE9ED9237C9" 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" bxnqzicrwd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh bxnqzicrwd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" bxnqzicrwd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg bxnqzicrwd.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D0B9C2782276D3676A070252DDC7CF264DD" 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B4FE6E21AAD20ED1A48B799062" 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bxnqzicrwd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF8F4F5D82139135D7297D96BDE1E13C593067456330D6EA" 46be791e1d684cab3ce45b7a31636c1c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc bxnqzicrwd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" bxnqzicrwd.exe Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings 46be791e1d684cab3ce45b7a31636c1c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02F479538E352C8BAD3329CD7CE" 46be791e1d684cab3ce45b7a31636c1c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat bxnqzicrwd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf bxnqzicrwd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" bxnqzicrwd.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1364 WINWORD.EXE 1364 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe 2892 sudqvaih.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe 2892 sudqvaih.exe 2892 sudqvaih.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 2892 sudqvaih.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 2472 bxnqzicrwd.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4612 nhrrmnclnhbnw.exe 4900 drgdcioimrutnll.exe 4900 drgdcioimrutnll.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 4612 nhrrmnclnhbnw.exe 2472 bxnqzicrwd.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 4612 nhrrmnclnhbnw.exe 2892 sudqvaih.exe 4612 nhrrmnclnhbnw.exe 3556 sudqvaih.exe 3556 sudqvaih.exe 3556 sudqvaih.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 3892 46be791e1d684cab3ce45b7a31636c1c.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 4612 nhrrmnclnhbnw.exe 2892 sudqvaih.exe 4900 drgdcioimrutnll.exe 2472 bxnqzicrwd.exe 4612 nhrrmnclnhbnw.exe 2892 sudqvaih.exe 4612 nhrrmnclnhbnw.exe 3556 sudqvaih.exe 3556 sudqvaih.exe 3556 sudqvaih.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1364 WINWORD.EXE 1364 WINWORD.EXE 1364 WINWORD.EXE 1364 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3892 wrote to memory of 2472 3892 46be791e1d684cab3ce45b7a31636c1c.exe 92 PID 3892 wrote to memory of 2472 3892 46be791e1d684cab3ce45b7a31636c1c.exe 92 PID 3892 wrote to memory of 2472 3892 46be791e1d684cab3ce45b7a31636c1c.exe 92 PID 3892 wrote to memory of 4900 3892 46be791e1d684cab3ce45b7a31636c1c.exe 93 PID 3892 wrote to memory of 4900 3892 46be791e1d684cab3ce45b7a31636c1c.exe 93 PID 3892 wrote to memory of 4900 3892 46be791e1d684cab3ce45b7a31636c1c.exe 93 PID 3892 wrote to memory of 2892 3892 46be791e1d684cab3ce45b7a31636c1c.exe 95 PID 3892 wrote to memory of 2892 3892 46be791e1d684cab3ce45b7a31636c1c.exe 95 PID 3892 wrote to memory of 2892 3892 46be791e1d684cab3ce45b7a31636c1c.exe 95 PID 3892 wrote to memory of 4612 3892 46be791e1d684cab3ce45b7a31636c1c.exe 94 PID 3892 wrote to memory of 4612 3892 46be791e1d684cab3ce45b7a31636c1c.exe 94 PID 3892 wrote to memory of 4612 3892 46be791e1d684cab3ce45b7a31636c1c.exe 94 PID 2472 wrote to memory of 3556 2472 bxnqzicrwd.exe 98 PID 2472 wrote to memory of 3556 2472 bxnqzicrwd.exe 98 PID 2472 wrote to memory of 3556 2472 bxnqzicrwd.exe 98 PID 3892 wrote to memory of 1364 3892 46be791e1d684cab3ce45b7a31636c1c.exe 97 PID 3892 wrote to memory of 1364 3892 46be791e1d684cab3ce45b7a31636c1c.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\46be791e1d684cab3ce45b7a31636c1c.exe"C:\Users\Admin\AppData\Local\Temp\46be791e1d684cab3ce45b7a31636c1c.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3892 -
C:\Windows\SysWOW64\bxnqzicrwd.exebxnqzicrwd.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\sudqvaih.exeC:\Windows\system32\sudqvaih.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3556
-
-
-
C:\Windows\SysWOW64\drgdcioimrutnll.exedrgdcioimrutnll.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4900
-
-
C:\Windows\SysWOW64\nhrrmnclnhbnw.exenhrrmnclnhbnw.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4612
-
-
C:\Windows\SysWOW64\sudqvaih.exesudqvaih.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2892
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1364
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD55bf0cb21b0dbc8bc2789b93072660fdc
SHA1f3d65959f3a7bd0749408e1196fad7457c149199
SHA256f1d539bd481f45eb22b25411eeb2670d49c04332c3ad8c69b1cc42ced398442b
SHA5122c860f353766957de143b20d8becd15aa0687df1f4012f47419570b41dedeaf0284d35f79899f6b36b5abc4466b0ba51329796fe03f40613fa9027f1852b9e57
-
Filesize
193KB
MD5a31008e1bf36948c5790f46d6a5b364b
SHA153e1bd64f986806dc72e3343c87b65f8afed897a
SHA2560fe3f5e6e9138cafa7435072ebda5646c80f646add2cc306b55a468cd10c4886
SHA5121474fa94a858054307521aa2fc7d0880d9ea131693643bf113304ee32d9a7b731a14668d2a2944bcc7e8b7644408bd98ac2bb7f305b0d74447cc13630fa63538
-
Filesize
512KB
MD58f9ce329ae69a4d32fab5dc29b509c82
SHA1701448e62e1aadef97b29c7c64e7131b5917abe7
SHA256195f9093e22f7034e17ce44a8cc9f36459c0de656593f9ba4439489ebcf24030
SHA512555512f7172cade064fce1ad3e924ee54b26861fb74903b29de489d2e853d8aa58edbd782a59776cfb01a0828898f9ea49d486681d7c740d68b3076f87ca9f22
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
128KB
MD533be84de0fa03c6883fec2ead970e3ba
SHA1dbe35ed4343779aa93200c24966ccb805e18f223
SHA256ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
SHA5123e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
-
Filesize
386KB
MD5d867a655ae492b330d5de03a1a554ca7
SHA1ed3013d39ff6fe5e8431a2b229becd2e04926e61
SHA256542bf8c10a61473225004305bf2a49d8ef5106f4ef0c62af504926db90c0edd1
SHA5120b692aaa4d2d1d8b7ea6ac2e5b5b41884744a7bda3102634e5bb73b6a725caadada5f94b2759826e3dc354824055b183ecd35d47c0e9578082d3a05148f533dc