Analysis
max time kernel: 14s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 08:28
Static task: static1
Behavioral task: behavioral1
  Sample: 5fd1ff1d035c67c382afa55817ac6f40.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5fd1ff1d035c67c382afa55817ac6f40.exe
  Resource: win10v2004-20231215-en
General
Target: 5fd1ff1d035c67c382afa55817ac6f40.exe
Size: 512KB
MD5: 5fd1ff1d035c67c382afa55817ac6f40
SHA1: 9126223a8d4f8a5541a1a200c4d3a71610a41a82
SHA256: 0158b219726d86f4fd078dc12c0b4276028ad604ce0903947034dc3c88b856e4
SHA512: 468b4abb8715bfe787e1e6ee6a869543fef2baedbea8a350e5a65583a973a701c3b182eda8740c8627b09b6efe7f1b200b1006ca65df60e6a96b6bce7c04e29c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gsyzzvjubk.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gsyzzvjubk.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gsyzzvjubk.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gsyzzvjubk.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 5fd1ff1d035c67c382afa55817ac6f40.exe
Executes dropped EXE (5 IoCs)
pid | Process
1668 | gsyzzvjubk.exe
2628 | xpgcwaqqvwnnvxm.exe
3076 | ndydbygf.exe
4360 | smrbsavggsldg.exe
1028 | ndydbygf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gsyzzvjubk.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ymbvydco = "gsyzzvjubk.exe" | xpgcwaqqvwnnvxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ymqftsyf = "xpgcwaqqvwnnvxm.exe" | xpgcwaqqvwnnvxm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "smrbsavggsldg.exe" | xpgcwaqqvwnnvxm.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | ndydbygf.exe
File opened (read-only) | \??\h: | ndydbygf.exe
File opened (read-only) | \??\k: | gsyzzvjubk.exe
File opened (read-only) | \??\m: | gsyzzvjubk.exe
File opened (read-only) | \??\k: | ndydbygf.exe
File opened (read-only) | \??\q: | ndydbygf.exe
File opened (read-only) | \??\p: | gsyzzvjubk.exe
File opened (read-only) | \??\l: | ndydbygf.exe
File opened (read-only) | \??\x: | ndydbygf.exe
File opened (read-only) | \??\z: | ndydbygf.exe
File opened (read-only) | \??\a: | gsyzzvjubk.exe
File opened (read-only) | \??\e: | gsyzzvjubk.exe
File opened (read-only) | \??\v: | gsyzzvjubk.exe
File opened (read-only) | \??\m: | ndydbygf.exe
File opened (read-only) | \??\u: | ndydbygf.exe
File opened (read-only) | \??\y: | gsyzzvjubk.exe
File opened (read-only) | \??\i: | ndydbygf.exe
File opened (read-only) | \??\s: | ndydbygf.exe
File opened (read-only) | \??\a: | ndydbygf.exe
File opened (read-only) | \??\g: | ndydbygf.exe
File opened (read-only) | \??\j: | ndydbygf.exe
File opened (read-only) | \??\s: | gsyzzvjubk.exe
File opened (read-only) | \??\w: | gsyzzvjubk.exe
File opened (read-only) | \??\u: | gsyzzvjubk.exe
File opened (read-only) | \??\x: | gsyzzvjubk.exe
File opened (read-only) | \??\b: | ndydbygf.exe
File opened (read-only) | \??\b: | ndydbygf.exe
File opened (read-only) | \??\w: | ndydbygf.exe
File opened (read-only) | \??\x: | ndydbygf.exe
File opened (read-only) | \??\n: | gsyzzvjubk.exe
File opened (read-only) | \??\o: | gsyzzvjubk.exe
File opened (read-only) | \??\q: | ndydbygf.exe
File opened (read-only) | \??\w: | ndydbygf.exe
File opened (read-only) | \??\b: | gsyzzvjubk.exe
File opened (read-only) | \??\g: | gsyzzvjubk.exe
File opened (read-only) | \??\j: | gsyzzvjubk.exe
File opened (read-only) | \??\r: | gsyzzvjubk.exe
File opened (read-only) | \??\v: | ndydbygf.exe
File opened (read-only) | \??\k: | ndydbygf.exe
File opened (read-only) | \??\n: | ndydbygf.exe
File opened (read-only) | \??\z: | gsyzzvjubk.exe
File opened (read-only) | \??\l: | ndydbygf.exe
File opened (read-only) | \??\s: | ndydbygf.exe
File opened (read-only) | \??\t: | ndydbygf.exe
File opened (read-only) | \??\n: | ndydbygf.exe
File opened (read-only) | \??\y: | ndydbygf.exe
File opened (read-only) | \??\e: | ndydbygf.exe
File opened (read-only) | \??\o: | ndydbygf.exe
File opened (read-only) | \??\v: | ndydbygf.exe
File opened (read-only) | \??\i: | gsyzzvjubk.exe
File opened (read-only) | \??\t: | gsyzzvjubk.exe
File opened (read-only) | \??\u: | ndydbygf.exe
File opened (read-only) | \??\l: | gsyzzvjubk.exe
File opened (read-only) | \??\a: | ndydbygf.exe
File opened (read-only) | \??\j: | ndydbygf.exe
File opened (read-only) | \??\p: | ndydbygf.exe
File opened (read-only) | \??\t: | ndydbygf.exe
File opened (read-only) | \??\i: | ndydbygf.exe
File opened (read-only) | \??\m: | ndydbygf.exe
File opened (read-only) | \??\r: | ndydbygf.exe
File opened (read-only) | \??\z: | ndydbygf.exe
File opened (read-only) | \??\y: | ndydbygf.exe
File opened (read-only) | \??\r: | ndydbygf.exe
File opened (read-only) | \??\o: | ndydbygf.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gsyzzvjubk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gsyzzvjubk.exe
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002320d-5.dat | autoit_exe
behavioral2/files/0x000800000002320d-24.dat | autoit_exe
behavioral2/files/0x0006000000023213-29.dat | autoit_exe
behavioral2/files/0x0006000000023213-28.dat | autoit_exe
behavioral2/files/0x000800000002320d-22.dat | autoit_exe
behavioral2/files/0x001100000002315e-19.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\gsyzzvjubk.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | C:\Windows\SysWOW64\ndydbygf.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File created | C:\Windows\SysWOW64\xpgcwaqqvwnnvxm.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | C:\Windows\SysWOW64\xpgcwaqqvwnnvxm.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File created | C:\Windows\SysWOW64\ndydbygf.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ndydbygf.exe
File created | C:\Windows\SysWOW64\smrbsavggsldg.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | C:\Windows\SysWOW64\smrbsavggsldg.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ndydbygf.exe
File created | C:\Windows\SysWOW64\gsyzzvjubk.exe | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gsyzzvjubk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ndydbygf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ndydbygf.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndydbygf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndydbygf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndydbygf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ndydbygf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndydbygf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndydbygf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ndydbygf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ndydbygf.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 5fd1ff1d035c67c382afa55817ac6f40.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8A4F5D85139042D75F7E93BD95E135584467346343D7EA" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gsyzzvjubk.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 5fd1ff1d035c67c382afa55817ac6f40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D7B9D2082556D3677D670552DDB7DF564AD" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B12E44E7399F53CCB9A23292D7B9" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gsyzzvjubk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDF9CBF96AF1E3840C3B40819A3E90B38903884366034EE2C845E808A7" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67C14E3DAC4B9C07FE7EC9734CF" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gsyzzvjubk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BB8FE6622DED179D0D18A7A9165" | 5fd1ff1d035c67c382afa55817ac6f40.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gsyzzvjubk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gsyzzvjubk.exe
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | 5fd1ff1d035c67c382afa55817ac6f40.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gsyzzvjubk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gsyzzvjubk.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3144 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, with the count of each)
pid | Process
2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe (x16)
2628 | xpgcwaqqvwnnvxm.exe (x10)
3076 | ndydbygf.exe (x8)
4360 | smrbsavggsldg.exe (x12)
1668 | gsyzzvjubk.exe (x10)
2628 | xpgcwaqqvwnnvxm.exe (x2)
1028 | ndydbygf.exe (x6)
Suspicious use of FindShellTrayWindow (18 IoCs; identical rows collapsed, with the count of each)
pid | Process
2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe (x3)
2628 | xpgcwaqqvwnnvxm.exe (x3)
4360 | smrbsavggsldg.exe (x3)
3076 | ndydbygf.exe (x3)
1668 | gsyzzvjubk.exe (x3)
1028 | ndydbygf.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs; identical rows collapsed, with the count of each)
pid | Process
2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe (x3)
2628 | xpgcwaqqvwnnvxm.exe (x3)
4360 | smrbsavggsldg.exe (x3)
3076 | ndydbygf.exe (x3)
1668 | gsyzzvjubk.exe (x3)
1028 | ndydbygf.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
3144 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, with the count of each)
description | pid | Process | procid_target
PID 2288 wrote to memory of 1668 | 2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe | 40 (x3)
PID 2288 wrote to memory of 2628 | 2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe | 38 (x3)
PID 2288 wrote to memory of 3076 | 2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe | 37 (x3)
PID 2288 wrote to memory of 4360 | 2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe | 36 (x3)
PID 2288 wrote to memory of 3144 | 2288 | 5fd1ff1d035c67c382afa55817ac6f40.exe | 29 (x2)
PID 1668 wrote to memory of 1028 | 1668 | gsyzzvjubk.exe | 32 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\5fd1ff1d035c67c382afa55817ac6f40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fd1ff1d035c67c382afa55817ac6f40.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2288
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3144
  - C:\Windows\SysWOW64\smrbsavggsldg.exe
    Command line: smrbsavggsldg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4360
  - C:\Windows\SysWOW64\ndydbygf.exe
    Command line: ndydbygf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3076
  - C:\Windows\SysWOW64\xpgcwaqqvwnnvxm.exe
    Command line: xpgcwaqqvwnnvxm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2628
  - C:\Windows\SysWOW64\gsyzzvjubk.exe
    Command line: gsyzzvjubk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1668
- C:\Windows\SysWOW64\ndydbygf.exe
  Command line: C:\Windows\system32\ndydbygf.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1028
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: ad03e41dddaffa499273873e8c76bf37
  SHA1: 5dfb2fd1e9e554dfeccddb0fd12094bc1dd58d15
  SHA256: b3cf44cdf20221a68ea019a156aeaccca48e3dc650c37f0e9c36f3bf614d196d
  SHA512: 2afb67c7991fe53473fdb532a488916b267f36b7f5ae039bf6e3f320c1466363730f3df1f96ebb1741b15e114cad1d331f6b7a21853599ee10ac7a744c55a568
- Filesize: 375KB
  MD5: e1f7b6be9e636b11c3951989b87bad5b
  SHA1: 90f49c20dcde2672173aae81f917d38be38f37e0
  SHA256: 36870ea33766370dc0a510433bf11c147a565ec01bb679db97f06a725d2a0f33
  SHA512: 05210c877e30f9a8d1ae0afe4a8ffdeea62d4e789b2c23ad01568d7b4e6654a58ef413b3198cdf294ade860076ad65dd684f20f6a67c7360f8f981f3885d38ea
- Filesize: 512KB
  MD5: 7f370884a8e99fdaf4f226e4ecf930ed
  SHA1: 3b0cbb44d9bb57c95cf63c390e4ae081f5ff7903
  SHA256: fe73079eeba6018fa7c9f3d82e450796473b7957bf63cbf28d60542f481f1a66
  SHA512: 58ed7b3acbc233bb2d7ff997c38682d5aa7fbd9ad8ad3dc544efd06ea47c61c7323e9067f12f799656889478d76b9854ee37fd34c3bf9b6ca326fc502b9d024f
- Filesize: 93KB
  MD5: 257f28bd5bdc2b725434b7ab570814e7
  SHA1: 972446e0f8d210c5d6f42a57a921391a236d564d
  SHA256: d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688
  SHA512: c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575
- Filesize: 99KB
  MD5: 7fc6cf931da79ecd4267f22c6a1aefa8
  SHA1: 913682b9a75a4089cc18ec25b28e082916a6b314
  SHA256: 2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487
  SHA512: 272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf