Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 01:24
Static task: static1
Behavioral task: behavioral1
Sample: 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Resource: win10v2004-20231215-en
General
Target: 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Size: 512KB
MD5: 49166ed9fe1b1d7cb9114196bdd92c8f
SHA1: 628a9a57069d6655cf1d1b920a3681d18d2dad07
SHA256: 7b83d7b3bcc89e8adc45e834e13137e2d1ecd08952d5888a51317f1f194bcf2f
SHA512: 2588e7c513ece4062d97a5187194e05a49163443642e6ef234dd4955e2b7c33100053fe0291cbbc45d63866fdb36664ff3fc46efb2f19d678b16fe773ad68856
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dupirqgzpn.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dupirqgzpn.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dupirqgzpn.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dupirqgzpn.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Executes dropped EXE (5 IoCs)
pid | Process
892 | dupirqgzpn.exe
768 | yywawnbnuwhawkq.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
3964 | ndhmkejs.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dupirqgzpn.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nviiawzo = "dupirqgzpn.exe" | yywawnbnuwhawkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\koohwtwb = "yywawnbnuwhawkq.exe" | yywawnbnuwhawkq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cnysatwyavcwv.exe" | yywawnbnuwhawkq.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\t: | ndhmkejs.exe
File opened (read-only) | \??\o: | dupirqgzpn.exe
File opened (read-only) | \??\e: | ndhmkejs.exe
File opened (read-only) | \??\y: | dupirqgzpn.exe
File opened (read-only) | \??\h: | ndhmkejs.exe
File opened (read-only) | \??\n: | ndhmkejs.exe
File opened (read-only) | \??\q: | ndhmkejs.exe
File opened (read-only) | \??\a: | ndhmkejs.exe
File opened (read-only) | \??\p: | ndhmkejs.exe
File opened (read-only) | \??\w: | ndhmkejs.exe
File opened (read-only) | \??\w: | dupirqgzpn.exe
File opened (read-only) | \??\o: | ndhmkejs.exe
File opened (read-only) | \??\g: | ndhmkejs.exe
File opened (read-only) | \??\k: | ndhmkejs.exe
File opened (read-only) | \??\y: | ndhmkejs.exe
File opened (read-only) | \??\l: | ndhmkejs.exe
File opened (read-only) | \??\s: | ndhmkejs.exe
File opened (read-only) | \??\x: | ndhmkejs.exe
File opened (read-only) | \??\i: | ndhmkejs.exe
File opened (read-only) | \??\n: | ndhmkejs.exe
File opened (read-only) | \??\v: | ndhmkejs.exe
File opened (read-only) | \??\x: | dupirqgzpn.exe
File opened (read-only) | \??\h: | dupirqgzpn.exe
File opened (read-only) | \??\j: | dupirqgzpn.exe
File opened (read-only) | \??\m: | dupirqgzpn.exe
File opened (read-only) | \??\o: | ndhmkejs.exe
File opened (read-only) | \??\g: | ndhmkejs.exe
File opened (read-only) | \??\r: | ndhmkejs.exe
File opened (read-only) | \??\v: | ndhmkejs.exe
File opened (read-only) | \??\b: | ndhmkejs.exe
File opened (read-only) | \??\m: | ndhmkejs.exe
File opened (read-only) | \??\x: | ndhmkejs.exe
File opened (read-only) | \??\i: | dupirqgzpn.exe
File opened (read-only) | \??\v: | dupirqgzpn.exe
File opened (read-only) | \??\z: | dupirqgzpn.exe
File opened (read-only) | \??\a: | ndhmkejs.exe
File opened (read-only) | \??\p: | dupirqgzpn.exe
File opened (read-only) | \??\r: | ndhmkejs.exe
File opened (read-only) | \??\s: | ndhmkejs.exe
File opened (read-only) | \??\u: | ndhmkejs.exe
File opened (read-only) | \??\l: | dupirqgzpn.exe
File opened (read-only) | \??\j: | ndhmkejs.exe
File opened (read-only) | \??\r: | dupirqgzpn.exe
File opened (read-only) | \??\k: | dupirqgzpn.exe
File opened (read-only) | \??\t: | ndhmkejs.exe
File opened (read-only) | \??\y: | ndhmkejs.exe
File opened (read-only) | \??\z: | ndhmkejs.exe
File opened (read-only) | \??\h: | ndhmkejs.exe
File opened (read-only) | \??\q: | ndhmkejs.exe
File opened (read-only) | \??\z: | ndhmkejs.exe
File opened (read-only) | \??\e: | dupirqgzpn.exe
File opened (read-only) | \??\u: | ndhmkejs.exe
File opened (read-only) | \??\l: | ndhmkejs.exe
File opened (read-only) | \??\n: | dupirqgzpn.exe
File opened (read-only) | \??\u: | dupirqgzpn.exe
File opened (read-only) | \??\w: | ndhmkejs.exe
File opened (read-only) | \??\m: | ndhmkejs.exe
File opened (read-only) | \??\e: | ndhmkejs.exe
File opened (read-only) | \??\s: | dupirqgzpn.exe
File opened (read-only) | \??\b: | ndhmkejs.exe
File opened (read-only) | \??\k: | ndhmkejs.exe
File opened (read-only) | \??\i: | ndhmkejs.exe
File opened (read-only) | \??\j: | ndhmkejs.exe
File opened (read-only) | \??\p: | ndhmkejs.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dupirqgzpn.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dupirqgzpn.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3604-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000600000002320b-5.dat | autoit_exe
behavioral2/files/0x0007000000023209-18.dat | autoit_exe
behavioral2/files/0x0007000000023209-19.dat | autoit_exe
behavioral2/files/0x000600000002320d-31.dat | autoit_exe
behavioral2/files/0x000600000002320c-26.dat | autoit_exe
behavioral2/files/0x000600000002320b-24.dat | autoit_exe
behavioral2/files/0x000600000002320c-44.dat | autoit_exe
behavioral2/files/0x000600000002321e-67.dat | autoit_exe
behavioral2/files/0x000600000002321d-61.dat | autoit_exe
behavioral2/files/0x0007000000023236-112.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\yywawnbnuwhawkq.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\SysWOW64\cnysatwyavcwv.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\SysWOW64\dupirqgzpn.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\SysWOW64\yywawnbnuwhawkq.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File created | C:\Windows\SysWOW64\ndhmkejs.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\SysWOW64\ndhmkejs.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File created | C:\Windows\SysWOW64\cnysatwyavcwv.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dupirqgzpn.exe
File created | C:\Windows\SysWOW64\dupirqgzpn.exe | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ndhmkejs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ndhmkejs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndhmkejs.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ndhmkejs.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ndhmkejs.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B12E47E639EF53C5BAD7329FD4C5" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF894F2982129140D6587E92BCE4E133584167446242D6E9" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B3FE6D21D1D208D1A98B089165" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dupirqgzpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9BDFE6AF198840C3B30869939E6B38A038843600338E2C942EB09D2" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67E15EDDAB3B9BA7FE0ECE034CB" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dupirqgzpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dupirqgzpn.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472D7D9D5083566D3E77D170212DAD7C8E64D7" | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dupirqgzpn.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dupirqgzpn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dupirqgzpn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dupirqgzpn.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1140 | WINWORD.EXE
1140 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
4988 | cnysatwyavcwv.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
3964 | ndhmkejs.exe
3964 | ndhmkejs.exe
3964 | ndhmkejs.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
892 | dupirqgzpn.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
768 | yywawnbnuwhawkq.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
4988 | cnysatwyavcwv.exe
1132 | ndhmkejs.exe
3964 | ndhmkejs.exe
3964 | ndhmkejs.exe
3964 | ndhmkejs.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1140 | WINWORD.EXE
1140 | WINWORD.EXE
1140 | WINWORD.EXE
1140 | WINWORD.EXE
1140 | WINWORD.EXE
1140 | WINWORD.EXE
1140 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3604 wrote to memory of 892 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 92
PID 3604 wrote to memory of 892 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 92
PID 3604 wrote to memory of 892 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 92
PID 3604 wrote to memory of 768 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 93
PID 3604 wrote to memory of 768 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 93
PID 3604 wrote to memory of 768 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 93
PID 3604 wrote to memory of 1132 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 94
PID 3604 wrote to memory of 1132 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 94
PID 3604 wrote to memory of 1132 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 94
PID 3604 wrote to memory of 4988 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 95
PID 3604 wrote to memory of 4988 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 95
PID 3604 wrote to memory of 4988 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 95
PID 3604 wrote to memory of 1140 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 96
PID 3604 wrote to memory of 1140 | 3604 | 49166ed9fe1b1d7cb9114196bdd92c8f.exe | 96
PID 892 wrote to memory of 3964 | 892 | dupirqgzpn.exe | 98
PID 892 wrote to memory of 3964 | 892 | dupirqgzpn.exe | 98
PID 892 wrote to memory of 3964 | 892 | dupirqgzpn.exe | 98
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\49166ed9fe1b1d7cb9114196bdd92c8f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\49166ed9fe1b1d7cb9114196bdd92c8f.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3604

    (depth 2) C:\Windows\SysWOW64\dupirqgzpn.exe
    Command line: dupirqgzpn.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 892

        (depth 3) C:\Windows\SysWOW64\ndhmkejs.exe
        Command line: C:\Windows\system32\ndhmkejs.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3964

    (depth 2) C:\Windows\SysWOW64\yywawnbnuwhawkq.exe
    Command line: yywawnbnuwhawkq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 768

    (depth 2) C:\Windows\SysWOW64\ndhmkejs.exe
    Command line: ndhmkejs.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1132

    (depth 2) C:\Windows\SysWOW64\cnysatwyavcwv.exe
    Command line: cnysatwyavcwv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4988

    (depth 2) C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 1140
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Downloads