Analysis
-
max time kernel
13s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2023, 04:57
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
560d6cd1b5204f3ed86260fcbbd12665.exe
Resource
win7-20231215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
560d6cd1b5204f3ed86260fcbbd12665.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
560d6cd1b5204f3ed86260fcbbd12665.exe
-
Size
512KB
-
MD5
560d6cd1b5204f3ed86260fcbbd12665
-
SHA1
b17b2cfe9380688340d92545c84817d693adce88
-
SHA256
b3db3a2d7648aa94616e60e2d17ba63818a73127cdda7f53eaf901c0a258dadd
-
SHA512
4863b5c0390fa4315891d906820fcc76ff9dfb8921ea00ad2f0a5bee3fce8681fad5923fb4a3ac9ba3e28feff8e84b28fb44f9efea48d3423000c04285441481
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" xcdehhrkks.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xcdehhrkks.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" xcdehhrkks.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xcdehhrkks.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation 560d6cd1b5204f3ed86260fcbbd12665.exe -
Executes dropped EXE 5 IoCs
pid Process 2496 xcdehhrkks.exe 3108 gvuhjmxhfthqudl.exe 4484 scpynfkh.exe 944 hcwntzhbggmnw.exe 3320 scpynfkh.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" xcdehhrkks.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wolbdsld = "xcdehhrkks.exe" gvuhjmxhfthqudl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rgfsqfxf = "gvuhjmxhfthqudl.exe" gvuhjmxhfthqudl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hcwntzhbggmnw.exe" gvuhjmxhfthqudl.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\k: scpynfkh.exe File opened (read-only) \??\t: scpynfkh.exe File opened (read-only) \??\y: scpynfkh.exe File opened (read-only) \??\u: xcdehhrkks.exe File opened (read-only) \??\b: scpynfkh.exe File opened (read-only) \??\e: scpynfkh.exe File opened (read-only) \??\n: scpynfkh.exe File opened (read-only) \??\q: scpynfkh.exe File opened (read-only) \??\r: scpynfkh.exe File opened (read-only) \??\h: xcdehhrkks.exe File opened (read-only) \??\m: xcdehhrkks.exe File opened (read-only) \??\v: xcdehhrkks.exe File opened (read-only) \??\g: scpynfkh.exe File opened (read-only) \??\k: scpynfkh.exe File opened (read-only) \??\y: scpynfkh.exe File opened (read-only) \??\w: xcdehhrkks.exe File opened (read-only) \??\u: scpynfkh.exe File opened (read-only) \??\z: scpynfkh.exe File opened (read-only) \??\g: xcdehhrkks.exe File opened (read-only) \??\m: scpynfkh.exe File opened (read-only) \??\r: scpynfkh.exe File opened (read-only) \??\b: xcdehhrkks.exe File opened (read-only) \??\x: xcdehhrkks.exe File opened (read-only) \??\v: scpynfkh.exe File opened (read-only) \??\a: scpynfkh.exe File opened (read-only) \??\h: scpynfkh.exe File opened (read-only) \??\g: scpynfkh.exe File opened (read-only) \??\l: xcdehhrkks.exe File opened (read-only) \??\p: xcdehhrkks.exe File opened (read-only) \??\a: scpynfkh.exe File opened (read-only) \??\i: scpynfkh.exe File opened (read-only) \??\p: scpynfkh.exe File opened (read-only) \??\a: xcdehhrkks.exe File opened (read-only) \??\i: xcdehhrkks.exe File opened (read-only) \??\j: xcdehhrkks.exe File opened (read-only) \??\i: scpynfkh.exe File opened (read-only) \??\j: scpynfkh.exe File opened (read-only) \??\m: scpynfkh.exe File opened (read-only) \??\w: scpynfkh.exe File opened (read-only) \??\z: xcdehhrkks.exe File opened (read-only) \??\w: scpynfkh.exe File opened (read-only) \??\h: scpynfkh.exe File opened (read-only) \??\e: xcdehhrkks.exe File opened (read-only) \??\t: xcdehhrkks.exe File opened (read-only) \??\s: scpynfkh.exe File opened (read-only) \??\t: scpynfkh.exe File opened (read-only) \??\b: scpynfkh.exe File opened (read-only) \??\v: scpynfkh.exe File opened (read-only) \??\k: xcdehhrkks.exe File opened (read-only) \??\n: xcdehhrkks.exe File opened (read-only) \??\o: scpynfkh.exe File opened (read-only) \??\n: scpynfkh.exe File opened (read-only) \??\s: xcdehhrkks.exe File opened (read-only) \??\q: scpynfkh.exe File opened (read-only) \??\x: scpynfkh.exe File opened (read-only) \??\z: scpynfkh.exe File opened (read-only) \??\e: scpynfkh.exe File opened (read-only) \??\l: scpynfkh.exe File opened (read-only) \??\q: xcdehhrkks.exe File opened (read-only) \??\u: scpynfkh.exe File opened (read-only) \??\o: scpynfkh.exe File opened (read-only) \??\s: scpynfkh.exe File opened (read-only) \??\o: xcdehhrkks.exe File opened (read-only) \??\r: xcdehhrkks.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" xcdehhrkks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" xcdehhrkks.exe -
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4908-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0008000000023210-5.dat autoit_exe behavioral2/files/0x0008000000023210-23.dat autoit_exe behavioral2/files/0x0006000000023215-26.dat autoit_exe behavioral2/files/0x0006000000023216-31.dat autoit_exe behavioral2/files/0x0006000000023216-30.dat autoit_exe behavioral2/files/0x000c000000023163-19.dat autoit_exe behavioral2/files/0x0006000000023232-83.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\scpynfkh.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File created C:\Windows\SysWOW64\hcwntzhbggmnw.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification C:\Windows\SysWOW64\hcwntzhbggmnw.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll xcdehhrkks.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe scpynfkh.exe File created C:\Windows\SysWOW64\xcdehhrkks.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification C:\Windows\SysWOW64\xcdehhrkks.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification C:\Windows\SysWOW64\gvuhjmxhfthqudl.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe scpynfkh.exe File created C:\Windows\SysWOW64\gvuhjmxhfthqudl.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File created C:\Windows\SysWOW64\scpynfkh.exe 560d6cd1b5204f3ed86260fcbbd12665.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe scpynfkh.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal scpynfkh.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe scpynfkh.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal scpynfkh.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal scpynfkh.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe scpynfkh.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe scpynfkh.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 560d6cd1b5204f3ed86260fcbbd12665.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12944EE38EB53BFBAD4329ED7CE" 560d6cd1b5204f3ed86260fcbbd12665.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc xcdehhrkks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" xcdehhrkks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg xcdehhrkks.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" xcdehhrkks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh xcdehhrkks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" xcdehhrkks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" xcdehhrkks.exe Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C60F15E4DBC3B9BC7CE2EC9634CF" 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9C9FE13F191837A3B3581EC3999B08903F043600238E2CB429D08A6" 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FFFF4F27851F903CD62D7D9DBDEFE135594067336330D6EA" 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BC1FE6821DAD20FD1D48A759111" 560d6cd1b5204f3ed86260fcbbd12665.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat xcdehhrkks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" xcdehhrkks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf xcdehhrkks.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs xcdehhrkks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C7B9C2D83236A3476A777242CAE7D8565DA" 560d6cd1b5204f3ed86260fcbbd12665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" xcdehhrkks.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4304 WINWORD.EXE 4304 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 944 hcwntzhbggmnw.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 4484 scpynfkh.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 2496 xcdehhrkks.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 3108 gvuhjmxhfthqudl.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 944 hcwntzhbggmnw.exe 4484 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe 3320 scpynfkh.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4304 WINWORD.EXE 4304 WINWORD.EXE 4304 WINWORD.EXE 4304 WINWORD.EXE 4304 WINWORD.EXE 4304 WINWORD.EXE 4304 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 4908 wrote to memory of 2496 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 88 PID 4908 wrote to memory of 2496 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 88 PID 4908 wrote to memory of 2496 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 88 PID 4908 wrote to memory of 3108 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 96 PID 4908 wrote to memory of 3108 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 96 PID 4908 wrote to memory of 3108 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 96 PID 4908 wrote to memory of 4484 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 95 PID 4908 wrote to memory of 4484 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 95 PID 4908 wrote to memory of 4484 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 95 PID 4908 wrote to memory of 944 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 90 PID 4908 wrote to memory of 944 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 90 PID 4908 wrote to memory of 944 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 90 PID 4908 wrote to memory of 4304 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 92 PID 4908 wrote to memory of 4304 4908 560d6cd1b5204f3ed86260fcbbd12665.exe 92 PID 2496 wrote to memory of 3320 2496 xcdehhrkks.exe 94 PID 2496 wrote to memory of 3320 2496 xcdehhrkks.exe 94 PID 2496 wrote to memory of 3320 2496 xcdehhrkks.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\560d6cd1b5204f3ed86260fcbbd12665.exe"C:\Users\Admin\AppData\Local\Temp\560d6cd1b5204f3ed86260fcbbd12665.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\SysWOW64\xcdehhrkks.exexcdehhrkks.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\scpynfkh.exeC:\Windows\system32\scpynfkh.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3320
-
-
-
C:\Windows\SysWOW64\hcwntzhbggmnw.exehcwntzhbggmnw.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:944
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4304
-
-
C:\Windows\SysWOW64\scpynfkh.exescpynfkh.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4484
-
-
C:\Windows\SysWOW64\gvuhjmxhfthqudl.exegvuhjmxhfthqudl.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3108
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD52ed05ee53432515a234fd1eab1285483
SHA1119db267ab9ffee7dda052cd8a542a308ced579b
SHA25653e75fb4092f89d90cb587b7928330d4aee41ff88eb0fd658eefe800ccb26250
SHA512b22932faa091396eae541ecaea810047ae9b18891bdfce42459232abcb34561b7d47dd7a520ad13e7c4934219b37d48f1222891254129b86a7a87bbe189f4dc5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD57acafb5dc2d8b8c2041fa670052a13fc
SHA16f004751a418314ce88f49df9884e18ab49fe0d1
SHA256b62779c9a33a7647ee3fb2cf943d2845aeabc9548f5b2065ee9c5d675ea611e3
SHA512dc13cd257653f2e22c697d06692c00c9f8fb4f915524d977f3086077315971bf46ec4d41268f16c836eedc59aca5a5c43c764173e84585fa7f32ada7fc176d07
-
Filesize
512KB
MD56bb2d0ec012aeda822935951c82a6c51
SHA14eb8c6378830d70270d62fd3708bff9a7a0e1965
SHA25692d9ff2128cedf0531d27ccc570ec20db33da90c574311537959cff97455d3b1
SHA51280ce1eb3b2da5b4faf338ac76fad3a92884bb8a8b1bf45988adc3c16f8bfaebbfa57807b99c7b9961779533ab485212fe509eab75dcf17282666feab266d6abc
-
Filesize
391KB
MD5b794cf5978f026c541a9987612ecc397
SHA19f4e5748fefcf1a75d5983d1b4d27072551d0700
SHA2562dd06051b96d775d901faabbaeb34158d812650925da00087f215987b5f6ce90
SHA5129afb687a0dc345b2bf470a933f88c985f6c11d7d157ed29aa25bf88fb7171008a40af739d3299a60ab46b0ea5f537c9e016fff6e25e4ff334dcbef47fd590668
-
Filesize
381KB
MD530aec9e0b33fbd99234328357879f812
SHA13c9d37139d4ccfe2b694afba9633170d0f510a92
SHA25615aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
SHA5122060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415
-
Filesize
389KB
MD5456755027a97317d437578c9e4b18007
SHA14273bc918f07b287550025b3f36025ef11dcf4ce
SHA25644095f829506dd8592d3f6902898ede550b667aea0042ed50408f09aa03af637
SHA512758325ecd1f1da2baf234fdc93bd6ad0940dec3d5dc42ea208db1d781b80069c552161e8c46eddf4bdf1faa301c243bc3b1dfe2f1ca71dca6d2de1e4fbdcfedf
-
Filesize
512KB
MD5c67902baaa45113c6f5d185b9c85a9eb
SHA1ff6f9874b58786f2b68dbd39b9241efd3e0d029f
SHA25619a5f1ef49782fa5b0709e1dbb14fd40a3778b81c00ceef7d7b479a1f71b2059
SHA5129d041446cd3198d829daf9c0aaccf7982356f0c4256e404eafb263c1870b9471aa65231587dedd79d04c826334bafca665001e2baef125ef6ac08f11241a8b77
-
Filesize
512KB
MD59be47e3c2150966a2552714ca783b587
SHA14116616c16a2b50741267a823f8e65fc9ed39a9f
SHA256161548f15057df96ae143e38f3ba80773030c7f7f1fa2ff003f23cabeaea6349
SHA512ff70d72bbed3389cbc3f49765633df2d386a4846e7fc35859b6739bdee2496601596dea0975b0b031cf2eaf5792c11857b2726f70cce298930eecbcddf239640
-
Filesize
512KB
MD5da3a6ed36a95b6561f73580410fa0daa
SHA10510e7d77aaf764766456955165ec371e9ca3d70
SHA25623debe6ede5d26d2dffc82ac15ff03241e228439886e99b0c6739465e44ea33e
SHA512d975f6297b8ebcb266a0de14485ab608b0016cc4cbd77940178f7a148deabfea9710fc7b3b65235c6009a6689d6087e3c324bae3ca37d08a825b8fd7cc62a3cb