Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 09:59
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: 658e7379a10fc02deab35987b5b9c9e7.exe; Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: 658e7379a10fc02deab35987b5b9c9e7.exe; Resource: win10v2004-20231215-en)
General
Target: 658e7379a10fc02deab35987b5b9c9e7.exe
Size: 512KB
MD5: 658e7379a10fc02deab35987b5b9c9e7
SHA1: b056a36f59c8f1ddd34713cc4939764e34ef9c98
SHA256: d13e693c2f11aad7e810be1be2276653fc747d3b6c8781af20c769c18eb95556
SHA512: c2b28701d9967e07b620d11d5226f872072ae46a75fde06ccbbb122270bada6596491ed91e0db1dd6192f1e331d0e67a6db922684467be98d25abc7d22b2d164
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | uvkksscncl.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | uvkksscncl.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uvkksscncl.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | uvkksscncl.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 658e7379a10fc02deab35987b5b9c9e7.exe
Executes dropped EXE (5 IoCs)
pid | Process
876 | uvkksscncl.exe
2520 | yzzzhzwhnfpurmi.exe
4024 | lxoiackt.exe
1792 | ivnpzjbccuuhh.exe
3568 | lxoiackt.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | uvkksscncl.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ivnpzjbccuuhh.exe" | yzzzhzwhnfpurmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxachfcn = "uvkksscncl.exe" | yzzzhzwhnfpurmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfiyaiar = "yzzzhzwhnfpurmi.exe" | yzzzhzwhnfpurmi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\r: | lxoiackt.exe
File opened (read-only) | \??\j: | uvkksscncl.exe
File opened (read-only) | \??\y: | uvkksscncl.exe
File opened (read-only) | \??\i: | lxoiackt.exe
File opened (read-only) | \??\k: | lxoiackt.exe
File opened (read-only) | \??\v: | lxoiackt.exe
File opened (read-only) | \??\u: | uvkksscncl.exe
File opened (read-only) | \??\o: | lxoiackt.exe
File opened (read-only) | \??\l: | lxoiackt.exe
File opened (read-only) | \??\s: | uvkksscncl.exe
File opened (read-only) | \??\s: | lxoiackt.exe
File opened (read-only) | \??\y: | lxoiackt.exe
File opened (read-only) | \??\h: | uvkksscncl.exe
File opened (read-only) | \??\l: | uvkksscncl.exe
File opened (read-only) | \??\m: | uvkksscncl.exe
File opened (read-only) | \??\r: | lxoiackt.exe
File opened (read-only) | \??\e: | uvkksscncl.exe
File opened (read-only) | \??\j: | lxoiackt.exe
File opened (read-only) | \??\m: | lxoiackt.exe
File opened (read-only) | \??\w: | uvkksscncl.exe
File opened (read-only) | \??\a: | lxoiackt.exe
File opened (read-only) | \??\n: | lxoiackt.exe
File opened (read-only) | \??\b: | uvkksscncl.exe
File opened (read-only) | \??\n: | uvkksscncl.exe
File opened (read-only) | \??\r: | uvkksscncl.exe
File opened (read-only) | \??\z: | lxoiackt.exe
File opened (read-only) | \??\n: | lxoiackt.exe
File opened (read-only) | \??\t: | lxoiackt.exe
File opened (read-only) | \??\a: | lxoiackt.exe
File opened (read-only) | \??\m: | lxoiackt.exe
File opened (read-only) | \??\p: | lxoiackt.exe
File opened (read-only) | \??\p: | uvkksscncl.exe
File opened (read-only) | \??\w: | lxoiackt.exe
File opened (read-only) | \??\y: | lxoiackt.exe
File opened (read-only) | \??\e: | lxoiackt.exe
File opened (read-only) | \??\h: | lxoiackt.exe
File opened (read-only) | \??\i: | lxoiackt.exe
File opened (read-only) | \??\u: | lxoiackt.exe
File opened (read-only) | \??\q: | uvkksscncl.exe
File opened (read-only) | \??\v: | uvkksscncl.exe
File opened (read-only) | \??\l: | lxoiackt.exe
File opened (read-only) | \??\a: | uvkksscncl.exe
File opened (read-only) | \??\g: | uvkksscncl.exe
File opened (read-only) | \??\o: | uvkksscncl.exe
File opened (read-only) | \??\x: | lxoiackt.exe
File opened (read-only) | \??\s: | lxoiackt.exe
File opened (read-only) | \??\k: | uvkksscncl.exe
File opened (read-only) | \??\t: | uvkksscncl.exe
File opened (read-only) | \??\v: | lxoiackt.exe
File opened (read-only) | \??\w: | lxoiackt.exe
File opened (read-only) | \??\k: | lxoiackt.exe
File opened (read-only) | \??\x: | uvkksscncl.exe
File opened (read-only) | \??\o: | lxoiackt.exe
File opened (read-only) | \??\q: | lxoiackt.exe
File opened (read-only) | \??\h: | lxoiackt.exe
File opened (read-only) | \??\u: | lxoiackt.exe
File opened (read-only) | \??\j: | lxoiackt.exe
File opened (read-only) | \??\t: | lxoiackt.exe
File opened (read-only) | \??\i: | uvkksscncl.exe
File opened (read-only) | \??\b: | lxoiackt.exe
File opened (read-only) | \??\b: | lxoiackt.exe
File opened (read-only) | \??\g: | lxoiackt.exe
File opened (read-only) | \??\z: | lxoiackt.exe
File opened (read-only) | \??\g: | lxoiackt.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | uvkksscncl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | uvkksscncl.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/264-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000c000000023149-5.dat | autoit_exe
behavioral2/files/0x000300000001e982-18.dat | autoit_exe
behavioral2/files/0x00060000000231fc-32.dat | autoit_exe
behavioral2/files/0x00080000000231f7-29.dat | autoit_exe
behavioral2/files/0x0008000000023214-95.dat | autoit_exe
behavioral2/files/0x0008000000023214-94.dat | autoit_exe
behavioral2/files/0x0008000000023214-104.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\yzzzhzwhnfpurmi.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File opened for modification | C:\Windows\SysWOW64\ivnpzjbccuuhh.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File opened for modification | C:\Windows\SysWOW64\uvkksscncl.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | C:\Windows\SysWOW64\ivnpzjbccuuhh.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File created | C:\Windows\SysWOW64\yzzzhzwhnfpurmi.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File created | C:\Windows\SysWOW64\lxoiackt.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File opened for modification | C:\Windows\SysWOW64\lxoiackt.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | uvkksscncl.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | C:\Windows\SysWOW64\uvkksscncl.exe | 658e7379a10fc02deab35987b5b9c9e7.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lxoiackt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxoiackt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxoiackt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxoiackt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxoiackt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxoiackt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lxoiackt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxoiackt.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | C:\Windows\mydoc.rtf | 658e7379a10fc02deab35987b5b9c9e7.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxoiackt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxoiackt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxoiackt.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60C1590DBB2B8BC7C92ED9F37CB" | 658e7379a10fc02deab35987b5b9c9e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | uvkksscncl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9BEFE67F29383783A4B819C3999B081028B4268023CE2CC42ED08A3" | 658e7379a10fc02deab35987b5b9c9e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D7E9C2283546D3F77D370252CA97DF664AC" | 658e7379a10fc02deab35987b5b9c9e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FCF8482E826A9032D72D7D97BDEEE131584266426336D79C" | 658e7379a10fc02deab35987b5b9c9e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268C4FE1C21DBD278D0A88A7A9164" | 658e7379a10fc02deab35987b5b9c9e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | uvkksscncl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | uvkksscncl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 658e7379a10fc02deab35987b5b9c9e7.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | uvkksscncl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | uvkksscncl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | uvkksscncl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | uvkksscncl.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | 658e7379a10fc02deab35987b5b9c9e7.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B05B47E139EB53CFBAD1329ED4BB" | 658e7379a10fc02deab35987b5b9c9e7.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
3276 | WINWORD.EXE
3276 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs; entries grouped by pid)
pid | Process | entries
264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 16
876 | uvkksscncl.exe | 10
2520 | yzzzhzwhnfpurmi.exe | 12
4024 | lxoiackt.exe | 8
1792 | ivnpzjbccuuhh.exe | 12
3568 | lxoiackt.exe | 6
Suspicious use of FindShellTrayWindow (18 IoCs; entries grouped by pid)
pid | Process | entries
264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 3
876 | uvkksscncl.exe | 3
2520 | yzzzhzwhnfpurmi.exe | 3
4024 | lxoiackt.exe | 3
1792 | ivnpzjbccuuhh.exe | 3
3568 | lxoiackt.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs; entries grouped by pid)
pid | Process | entries
264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 3
876 | uvkksscncl.exe | 3
2520 | yzzzhzwhnfpurmi.exe | 3
4024 | lxoiackt.exe | 3
1792 | ivnpzjbccuuhh.exe | 3
3568 | lxoiackt.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs; entries grouped by pid)
pid | Process | entries
3276 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 264 wrote to memory of 876 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 89
PID 264 wrote to memory of 876 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 89
PID 264 wrote to memory of 876 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 89
PID 264 wrote to memory of 2520 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 90
PID 264 wrote to memory of 2520 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 90
PID 264 wrote to memory of 2520 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 90
PID 264 wrote to memory of 4024 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 92
PID 264 wrote to memory of 4024 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 92
PID 264 wrote to memory of 4024 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 92
PID 264 wrote to memory of 1792 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 91
PID 264 wrote to memory of 1792 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 91
PID 264 wrote to memory of 1792 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 91
PID 264 wrote to memory of 3276 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 94
PID 264 wrote to memory of 3276 | 264 | 658e7379a10fc02deab35987b5b9c9e7.exe | 94
PID 876 wrote to memory of 3568 | 876 | uvkksscncl.exe | 97
PID 876 wrote to memory of 3568 | 876 | uvkksscncl.exe | 97
PID 876 wrote to memory of 3568 | 876 | uvkksscncl.exe | 97
Processes
- C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7.exe (PID 264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\658e7379a10fc02deab35987b5b9c9e7.exe"
  Signatures: Checks computer location settings; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\uvkksscncl.exe (PID 876)
    Command line: uvkksscncl.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Windows security modification; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\lxoiackt.exe (PID 3568)
      Command line: C:\Windows\system32\lxoiackt.exe
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\yzzzhzwhnfpurmi.exe (PID 2520)
    Command line: yzzzhzwhnfpurmi.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ivnpzjbccuuhh.exe (PID 1792)
    Command line: ivnpzjbccuuhh.exe
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lxoiackt.exe (PID 4024)
    Command line: lxoiackt.exe
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3276)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures: Drops file in Windows directory; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 3c18e4aa67d2b20e6a5935e5c1264dd1
SHA1: b2e3073c934e1b2e91b411e330b7cfd24e4592f2
SHA256: fc2974194e50f07f15381da93640fe3dd36301fdf1f9efe2a5fbeecfa06fe04e
SHA512: 98ad20dcb0b7ba2938c004aa76b018cd057fc94df2bc7fd674fd424d7a5b89b7357b3db3276cda8c32faa743020e00aedb8f74be7d1cb4004a56db5091a094eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 80161a87c4203b505ad77a59a1cdca79
SHA1: ec65d85c00fa4204db890e61753a3718d5153afb
SHA256: 5ee175cd2a29588c26775023617abe27decef92eaef0c7b613d3f060ffb2c4b8
SHA512: 532ad3ce3325a9ce692fa0cfa067518403ec75208e839b8419dc409b0a46d4b2a720e95f98442896047eec20ee6a49269eee7a17e695dfb8ea2af4f30b5a1c20
-
Filesize: 512KB
MD5: 02c82309ed9b224cfa35df50f7451fea
SHA1: 7f6f30f2731c2dbb3202597c1144805cb15b1198
SHA256: 6a32de6233434eeb117d73696c03152e73fc6ddcdc1cb41d85980707aacb07c3
SHA512: e03c969a512234e0d4d8c387d597c55c8162d50d5a58ffc4ea0a9759c06ba5c0b522a4b822d52d7c884daeb3f91f07fc83324da2b4f6035c18da30506d8736b0
-
Filesize: 512KB
MD5: c996ca121ecbcc01bcc6a522a5dba228
SHA1: 13f77fb41069cf690867cf13777b43964ec98617
SHA256: c3ce7c17ae286fd1ff6906a90e36ac811e7b695483dd21160e2bb52a38ab8f53
SHA512: a0831a4b7fff306a4888f5574a804dfd83808b47496ebb5da9bc6cc4832704fa2656c11ec5b352c5f5572ef73fb501abf0f0d7d5d50d971e668567e99b221c78
-
Filesize: 512KB
MD5: d486ee08cc8fb85e720cd6debb2e8bb1
SHA1: b82b7b33ba54fd9975bd779ba87306eaccee0473
SHA256: acc878f05db16e093f445aa5fe05f8d1a733838cee75f897d507c7d8606ee7a1
SHA512: 964c719c8f0be4a475fe183adea95acead6a906e5b82a81f307e47f9169a682040c959a13451f9dac3e86a48a40f6d053c2723fbf0086b465e1637a6754d0dd2
-
Filesize: 512KB
MD5: b4993686a9303b1be989e72908c351c8
SHA1: 28b866ab7a71cb74cec1f5fe6ec24c6c52ec64fb
SHA256: f6bbff4133888b089c033587bd20e946bd3851980aee725d6c5db245022c3f2d
SHA512: e5e95bfd7c69c3edc7004baca628fb122ce574ab27546c1d51139ded4629c78bd692be9300df022b80079c03101bb8906ac705c865942f066824a6391ca2575d
-
Filesize: 512KB
MD5: 0bcefccc6212f59539c8305f7cba9461
SHA1: 0b1f641538b7f3b3a415cf11496a970a84ea1a54
SHA256: 67d5541e020386f47dc6088178216ff31b487523edf14f7640897fc8d7585b80
SHA512: 3f95b03810aeab4aed4735e0523ee80fc4136a7c2f83c946ddb940946a7c79192e06b23eb42ac404b5ef70d19cbbe4476e7ec293c48b1322b4a80fb12baf6c19
-
Filesize: 86KB
MD5: 05d53073f755dd677cf809335471ba55
SHA1: 6f22614c07b7de97e8f4c67c58df004df89bbe3b
SHA256: f4c193e283a44e96ee9da022ad2198face202881b3fd8e25b1fb80df74e19d6b
SHA512: 6f604791cb9588c1d7002a527b9a12ee1437987ca8eebed5c0c78440530be75bbeff6fbb8b4bd10413ec7fa88f2513f0c1aa88bf3621f2b6670ae4332742d3ce
-
Filesize: 85KB
MD5: 27623bf17711551baa843bbab18a4b07
SHA1: 2d6d50bab42c5defdd9bdf3f14fb826853558392
SHA256: 6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368
SHA512: 53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b