Analysis
- max time kernel: 151s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/12/2023, 08:18
Static task: static1
Behavioral task: behavioral1
- Sample: 5f3ca048a2b085e7ab53d25f2f565682.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5f3ca048a2b085e7ab53d25f2f565682.exe
- Resource: win10v2004-20231215-en
General
- Target: 5f3ca048a2b085e7ab53d25f2f565682.exe
- Size: 512KB
- MD5: 5f3ca048a2b085e7ab53d25f2f565682
- SHA1: eaef69141dc9a347dcb9af36d8afc1e57e426c02
- SHA256: c93dcc55a1620214857eb4862bc0467424047ff13ede76e9414e5b3d1e968845
- SHA512: b60b936b9172ae56f610599c554961865c01baf2617fb89dcd474f14c8503a9ad0ac5aa63cb31bc410bd246909e1a4d72efd16f84e9234553cd2c6fceac233ac
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (jdkvrrrzoq.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (jdkvrrrzoq.exe)

Windows security bypass (5 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (jdkvrrrzoq.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (jdkvrrrzoq.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation (5f3ca048a2b085e7ab53d25f2f565682.exe)

Executes dropped EXE (5 IoCs)
- PID 4188 jdkvrrrzoq.exe
- PID 3772 ilrnvqxbrjrfqoh.exe
- PID 3480 wvbabdme.exe
- PID 1604 xvaledsfdirpr.exe
- PID 4880 wvbabdme.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (jdkvrrrzoq.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vtquanpf = "jdkvrrrzoq.exe" (ilrnvqxbrjrfqoh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ynvoeira = "ilrnvqxbrjrfqoh.exe" (ilrnvqxbrjrfqoh.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xvaledsfdirpr.exe" (ilrnvqxbrjrfqoh.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root, listed here in page order per process:
- jdkvrrrzoq.exe (20 entries): \??\y:, \??\a:, \??\q:, \??\j:, \??\w:, \??\v:, \??\n:, \??\i:, \??\b:, \??\k:, \??\t:, \??\e:, \??\s:, \??\z:, \??\h:, \??\r:, \??\x:, \??\g:, \??\p:, \??\u:
- wvbabdme.exe (44 entries, two instances of the process): \??\r:, \??\s:, \??\z:, \??\s:, \??\k:, \??\x:, \??\v:, \??\z:, \??\q:, \??\t:, \??\y:, \??\m:, \??\j:, \??\r:, \??\x:, \??\b:, \??\k:, \??\q:, \??\o:, \??\h:, \??\i:, \??\n:, \??\g:, \??\u:, \??\y:, \??\l:, \??\p:, \??\a:, \??\w:, \??\h:, \??\p:, \??\g:, \??\u:, \??\m:, \??\t:, \??\a:, \??\e:, \??\w:, \??\j:, \??\o:, \??\n:, \??\i:, \??\b:, \??\e:

Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (jdkvrrrzoq.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (jdkvrrrzoq.exe)
AutoIT Executable (13 IoCs)
AutoIT scripts compiled to PE executables.
Resource / YARA rule:
- behavioral2/memory/2576-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- behavioral2/files/0x0006000000023227-5.dat: autoit_exe
- behavioral2/files/0x0006000000023227-23.dat: autoit_exe
- behavioral2/files/0x0006000000023229-31.dat: autoit_exe
- behavioral2/files/0x0006000000023228-30.dat: autoit_exe
- behavioral2/files/0x0006000000023229-29.dat: autoit_exe
- behavioral2/files/0x0006000000023228-28.dat: autoit_exe
- behavioral2/files/0x0006000000023227-22.dat: autoit_exe
- behavioral2/files/0x0007000000023220-19.dat: autoit_exe
- behavioral2/files/0x0007000000023220-18.dat: autoit_exe
- behavioral2/files/0x0006000000023228-35.dat: autoit_exe
- behavioral2/files/0x0006000000023233-62.dat: autoit_exe
- behavioral2/files/0x0006000000023232-59.dat: autoit_exe

Drops file in System32 directory (9 IoCs)
- File opened for modification C:\Windows\SysWOW64\wvbabdme.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File created C:\Windows\SysWOW64\xvaledsfdirpr.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File opened for modification C:\Windows\SysWOW64\jdkvrrrzoq.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File created C:\Windows\SysWOW64\ilrnvqxbrjrfqoh.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File opened for modification C:\Windows\SysWOW64\ilrnvqxbrjrfqoh.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File created C:\Windows\SysWOW64\wvbabdme.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File created C:\Windows\SysWOW64\jdkvrrrzoq.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File opened for modification C:\Windows\SysWOW64\xvaledsfdirpr.exe (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (jdkvrrrzoq.exe)

Drops file in Program Files directory (14 IoCs)
All entries are by wvbabdme.exe:
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Drops file in Windows directory (3 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (5f3ca048a2b085e7ab53d25f2f565682.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Modifies registry class (20 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C7C9C2282596D3E77D277242DAD7D8165D8" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAB8FE16F197840F3A4081EC3993B38D02FE4211033FE2CF42EF08A2" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B1FF1C22DDD208D0A08B799117" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (jdkvrrrzoq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67F14E4DAB4B8C17C92ECE734C8" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (jdkvrrrzoq.exe)
- Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (jdkvrrrzoq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (jdkvrrrzoq.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (jdkvrrrzoq.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02C479739E353CCBAD63298D7B8" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FCF84858851D913DD7587E96BD92E13659376645623ED6ED" (5f3ca048a2b085e7ab53d25f2f565682.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (jdkvrrrzoq.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (jdkvrrrzoq.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 1408 WINWORD.EXE (x2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2576 5f3ca048a2b085e7ab53d25f2f565682.exe (x16)
- PID 1604 xvaledsfdirpr.exe (x12)
- PID 3772 ilrnvqxbrjrfqoh.exe (x10)
- PID 4188 jdkvrrrzoq.exe (x10)
- PID 3480 wvbabdme.exe (x8)
- PID 4880 wvbabdme.exe (x8)

Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2576 5f3ca048a2b085e7ab53d25f2f565682.exe (x3)
- PID 3772 ilrnvqxbrjrfqoh.exe (x3)
- PID 4188 jdkvrrrzoq.exe (x3)
- PID 1604 xvaledsfdirpr.exe (x3)
- PID 3480 wvbabdme.exe (x3)
- PID 4880 wvbabdme.exe (x3)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2576 5f3ca048a2b085e7ab53d25f2f565682.exe (x3)
- PID 3772 ilrnvqxbrjrfqoh.exe (x3)
- PID 4188 jdkvrrrzoq.exe (x3)
- PID 1604 xvaledsfdirpr.exe (x3)
- PID 3480 wvbabdme.exe (x3)
- PID 4880 wvbabdme.exe (x3)

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 1408 WINWORD.EXE (x7)

Suspicious use of WriteProcessMemory (17 IoCs)
Each line reads: source PID and process, target PID, procid_target.
- PID 2576 (5f3ca048a2b085e7ab53d25f2f565682.exe) wrote to memory of 4188, procid_target 92 (x3)
- PID 2576 (5f3ca048a2b085e7ab53d25f2f565682.exe) wrote to memory of 3772, procid_target 93 (x3)
- PID 2576 (5f3ca048a2b085e7ab53d25f2f565682.exe) wrote to memory of 3480, procid_target 95 (x3)
- PID 2576 (5f3ca048a2b085e7ab53d25f2f565682.exe) wrote to memory of 1604, procid_target 94 (x3)
- PID 2576 (5f3ca048a2b085e7ab53d25f2f565682.exe) wrote to memory of 1408, procid_target 99 (x2)
- PID 4188 (jdkvrrrzoq.exe) wrote to memory of 4880, procid_target 98 (x3)
Processes
Process tree (indentation shows parent/child relationship; each entry gives image path, command line, PID and matched signatures).

C:\Users\Admin\AppData\Local\Temp\5f3ca048a2b085e7ab53d25f2f565682.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f3ca048a2b085e7ab53d25f2f565682.exe"
  PID: 2576
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\jdkvrrrzoq.exe
    Command line: jdkvrrrzoq.exe
    PID: 4188
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wvbabdme.exe
      Command line: C:\Windows\system32\wvbabdme.exe
      PID: 4880
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ilrnvqxbrjrfqoh.exe
    Command line: ilrnvqxbrjrfqoh.exe
    PID: 3772
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\xvaledsfdirpr.exe
    Command line: xvaledsfdirpr.exe
    PID: 1604
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wvbabdme.exe
    Command line: wvbabdme.exe
    PID: 3480
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1408
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

- Filesize: 23KB
  MD5: 9e43673374e639c2bd1bb8579d5059da
  SHA1: c12064d0145f7c03baece4a21bea31385ddc17b9
  SHA256: 4fedb9ba2b3cba9e9d50ba4e03bed726614f4e65aa4fc6b664c96fd136bc4d18
  SHA512: 02c7a5629b37cd920a2a24ff9c3f94e09560b29ea6e13525b80e6e73db430d12ca5661334a98a017d9dd06e1af2f01a568cd196c492644d9113b90625d91a67a

- Filesize: 65KB
  MD5: 6b6e0807898630971901cb90a1bc484c
  SHA1: a447037d27bb21212749a2c3e1794c4e81bee237
  SHA256: b108d889dcd0f3d4138f83e2951c6c4f771fc3e041ad65764378c227e86824c2
  SHA512: dcd022ae182eebbe9857b346842c981c22fe9b210a6439825e79c3ff0ab151d904e7c9aa84d5b68a85c1bc3e59d18fe59523f14fcce8ce6532819425c9c79d19

- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: ebcb6d53aea722dddb4dd73862c2d57d
  SHA1: fc8bff158f9e9fc805ed437dc2774f15ab061def
  SHA256: 34a6717d6f7369e04fab5c9602feaed90d26cc05da29729ce01c7e1e06fff642
  SHA512: 873d1b579ca9fa4600fbda75fd2d9370acf63681d3d6af1c36caca4ef8c318e36e39ed5e3a6fe2681f9985bb3aa570ad5fcbe7fd40f5d0a1b722658e7c4833af

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8157071080ee4ee2b47c08331a88855f
  SHA1: 6494b9e6b9a2e56b4546a0014930bc7848824206
  SHA256: a20a0d9b0363bc9ba599d2542e2c40192356aab38602e225023852f7a53966af
  SHA512: c8c034b1f60e6c5c06f0497fdc9437e70684e8166f182e03b0835ed367684f30b09263c774eab72ef2018408cd8540ae4efc4d97e8878e91f76c81baa1104baa

- Filesize: 75KB
  MD5: 62efcee5a98a9e7123cf0273e5a10b1c
  SHA1: a8fcbc45cfe2d785326ea61d9e5d808793bd2eb0
  SHA256: e723bb090de56fe181d5711459e647b95a9195a32ffea1230a9f0fcb4c1da3d5
  SHA512: 759afbb03690ac147c311ae580f911371e5a727189a716fea204c5888460c0caac6419657f8beface7e9465bf4b9ef159e6f839e14325e70cae8135051978abb

- Filesize: 60KB
  MD5: 683e7fc0831cb6e6061e5a967f6ca1de
  SHA1: 8f7b81800f18e5c6c8138980329111cf9a2cf4e2
  SHA256: 47a64a002237eea50989a464db29fa7e665fc3a0a8dc33ee006fc648b198a6ad
  SHA512: b9d450a61f09615d02b97af5a01f48c6110a2ad8afa8df765bf09a0996e4eb2de14bba733ea2abed97f4d4e23f0bf5a0045172acde2a2964c43f5d3474e60b32

- Filesize: 45KB
  MD5: 72e54d1c3ebe6372cd193c4f6f9af9bb
  SHA1: edb2318c68147ff855fcfc82f3b0e0b86d087eb8
  SHA256: dad84255c14d17d513973924f6317bf58329456f15e50b28d9732c935969536f
  SHA512: 5ed912a6521b987c0b30eecbd2018bf4b40877b0cc4ccfba6e5726b36b861f159a85829bfe748d8295085d11b3d99c4d209d0dcf8df1703384e7f1194a950282

- Filesize: 26KB
  MD5: 6a8fdc8f1029e115e23c41f96e2afb8e
  SHA1: 05d431514219bd6137628eed6d100b2c358b3c68
  SHA256: d92ed3a3963a0981d3cc10042f0ada01a552d2209ef3d7646c52fbfb78f484fd
  SHA512: 04d1b4ef456d1a81c985b95657800b4f4bfc55915786afe0776022ee198dac21a571a09eab602cea0072352e87d91c66f67f35dbf32e56f4391f41b2829ceed4

- Filesize: 44KB
  MD5: bd0f2031fefc60891d8e877d8ceec794
  SHA1: da38e5c166e79014813d033d1c13aa6b767f9974
  SHA256: fbf31609a4a28f09ee11106a7cc630de6ce9b5862b98639187955242170b8f3a
  SHA512: e1af92eaa7c0fd8a862f39045e664c79ea69fd020cbb9a68b1273a9245b27996c227ff2c651dbd84bfcb563fc84f6f9297bc05f57fef7786fc453c0f29d7169f

- Filesize: 52KB
  MD5: d3fa02976570f112ae1e40388cd1b236
  SHA1: 8fb7a7510f5dd5c89886c748dba68a3930ac9e5e
  SHA256: 84b37ac9d4740e2be74a3117ff55f3af3bbdd280524856bbaf91241a2d67bb83
  SHA512: e9e4dc615a1b17db9b0ce525c1b5308d1e9dc1e88f68e17f2f7cff7dfe824b790a635b0bfb712a809b2870249fd44858c05c659a4c69d4d281b45d8df79647aa

- Filesize: 41KB
  MD5: 3134125cd7a23a8ebd2551fce85471d0
  SHA1: d0daf483708d808ef96603904dbbcdd41375badf
  SHA256: ab0bbe12c8af1723b98d5036f0b60ed8fb8ddb62e3441e72b2a8fe2b77c9db79
  SHA512: a3bd3ec6c0285042a175575132ff5b0d4c5a367a3b2f97c5e5aa2f4e44062614340c49e90baa3b716b44421ec1e841a79a34af21a25d9d69cf6eebee18c49a5f

- Filesize: 32KB
  MD5: fac2a8b70376722b183238f5d3c6ee81
  SHA1: 5859e0f21cdf7a4e1d919f67b806a098cf14bff9
  SHA256: 7d682034410940efaf35a318d0f5cc1104912da2a0665bd1f7e5201053ecf1e3
  SHA512: ab079039170884b57dcf3435dc2189a36f660562eb2bbc9c3475f83c9ff54fed27b089e1e0ccc6432e7cd9f9cf315a85332090243c0a95d127fb5173c52fd67c

- Filesize: 46KB
  MD5: e7778e1792b8f3c7cbaf752848fa5b55
  SHA1: 59917309eafb739f1293ec6fcc202103fe34b24a
  SHA256: a3e0ce9bddf7b5a4192d572b5f2362ba3a75c5fc859754412340a5a04a11e2c6
  SHA512: 39b1ce26e28b94bd572e1d42f417167924ff7bc5a421bb3b5ac4cad8e8e965142f56a9b3cec8f0d7b3c0a82ba79e73afa4f3ae8083a2e5ea2f0004eb7bcb8a22

- Filesize: 40KB
  MD5: bc02573aa2c319b70dcb223e23401abc
  SHA1: f2dc710e84bd84ecc68acd57e523b26421043020
  SHA256: b7fe26f9e6c1e3b15f87339e04a2f45bb09b1966838b2566c997b11148f96f36
  SHA512: 0a2a5fe57e9398065ed752162a5e5f74a04451376086bdff464cc89a05f9e39c4692db1b6c8adff0010460efb2038c79bf7d7ab25a2e113b056bbfe546676930

- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7