Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: 5a9a3c0573ad6bbf8ab99941801dbeec.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5a9a3c0573ad6bbf8ab99941801dbeec.exe
  Resource: win10v2004-20231215-en
General
Target: 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Size: 512KB
MD5: 5a9a3c0573ad6bbf8ab99941801dbeec
SHA1: 7445faccb3896c4e18e0140b5a208ad5f7773e88
SHA256: 9586d4cb6b50068c7a98f5c8c05b3717712a7724754a491b0851f2de8ce122e6
SHA512: d5c141078fad9bddcb34e8d3fa1e8a01028c7e3c107a8806a625f02d19cf17dae5349b564d613e0f0431095f6de359eab1cf4134972f32f36662ae5c4a7d0556
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5k
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rehqbdgifv.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rehqbdgifv.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rehqbdgifv.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rehqbdgifv.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Executes dropped EXE (5 IoCs)
pid | Process
4740 | rehqbdgifv.exe
2228 | ynglaqsragsvlmx.exe
2184 | gdwwhjbw.exe
4032 | qtnuezbthbcix.exe
1740 | gdwwhjbw.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rehqbdgifv.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ypcddfck = "rehqbdgifv.exe" | ynglaqsragsvlmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nynhnmnt = "ynglaqsragsvlmx.exe" | ynglaqsragsvlmx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qtnuezbthbcix.exe" | ynglaqsragsvlmx.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rehqbdgifv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rehqbdgifv.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1008-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000600000002320d-5.dat | autoit_exe
behavioral2/files/0x000600000002320c-18.dat | autoit_exe
behavioral2/files/0x0007000000023208-26.dat | autoit_exe
behavioral2/files/0x000600000002320e-32.dat | autoit_exe
behavioral2/files/0x000a00000002319f-92.dat | autoit_exe
behavioral2/files/0x0011000000023142-106.dat | autoit_exe
behavioral2/files/0x0011000000023142-109.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\qtnuezbthbcix.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rehqbdgifv.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gdwwhjbw.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gdwwhjbw.exe
File opened for modification | C:\Windows\SysWOW64\qtnuezbthbcix.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gdwwhjbw.exe
File created | C:\Windows\SysWOW64\rehqbdgifv.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File opened for modification | C:\Windows\SysWOW64\rehqbdgifv.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File created | C:\Windows\SysWOW64\ynglaqsragsvlmx.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File opened for modification | C:\Windows\SysWOW64\ynglaqsragsvlmx.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File created | C:\Windows\SysWOW64\gdwwhjbw.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
File opened for modification | C:\Windows\SysWOW64\gdwwhjbw.exe | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gdwwhjbw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gdwwhjbw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gdwwhjbw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gdwwhjbw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gdwwhjbw.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gdwwhjbw.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gdwwhjbw.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rehqbdgifv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7D9C2182276A3E76D470212CD77DF165DF" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168B5FE6721DCD20FD0A88A7A9161" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rehqbdgifv.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FC83482E826D913DD62D7D97BC90E143594567446337D69C" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC77815ECDAB3B8CA7CE9ED9037CD" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rehqbdgifv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFABAF96AF195830E3A4081983E93B08E02884212023FE1B942ED09A2" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B12E4490389E53BDBAA732E8D4BE" | 5a9a3c0573ad6bbf8ab99941801dbeec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rehqbdgifv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rehqbdgifv.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1648 | WINWORD.EXE
1648 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1648 | WINWORD.EXE
1648 | WINWORD.EXE
1648 | WINWORD.EXE
1648 | WINWORD.EXE
1648 | WINWORD.EXE
1648 | WINWORD.EXE
1648 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1008 wrote to memory of 4740 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 90
PID 1008 wrote to memory of 4740 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 90
PID 1008 wrote to memory of 4740 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 90
PID 1008 wrote to memory of 2228 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 91
PID 1008 wrote to memory of 2228 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 91
PID 1008 wrote to memory of 2228 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 91
PID 1008 wrote to memory of 2184 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 92
PID 1008 wrote to memory of 2184 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 92
PID 1008 wrote to memory of 2184 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 92
PID 1008 wrote to memory of 4032 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 93
PID 1008 wrote to memory of 4032 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 93
PID 1008 wrote to memory of 4032 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 93
PID 1008 wrote to memory of 1648 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 94
PID 1008 wrote to memory of 1648 | 1008 | 5a9a3c0573ad6bbf8ab99941801dbeec.exe | 94
PID 4740 wrote to memory of 1740 | 4740 | rehqbdgifv.exe | 97
PID 4740 wrote to memory of 1740 | 4740 | rehqbdgifv.exe | 97
PID 4740 wrote to memory of 1740 | 4740 | rehqbdgifv.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\5a9a3c0573ad6bbf8ab99941801dbeec.exe (PID 1008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a9a3c0573ad6bbf8ab99941801dbeec.exe"
  Signatures:
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rehqbdgifv.exe (PID 4740)
    Command line: rehqbdgifv.exe
    Signatures:
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\gdwwhjbw.exe (PID 1740)
      Command line: C:\Windows\system32\gdwwhjbw.exe
      Signatures:
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ynglaqsragsvlmx.exe (PID 2228)
    Command line: ynglaqsragsvlmx.exe
    Signatures:
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\gdwwhjbw.exe (PID 2184)
    Command line: gdwwhjbw.exe
    Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\qtnuezbthbcix.exe (PID 4032)
    Command line: qtnuezbthbcix.exe
    Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1648)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads