Analysis
max time kernel: 199s
max time network: 208s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: 6c455ae1a49319aae860e13541f6903b.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6c455ae1a49319aae860e13541f6903b.exe
  Resource: win10v2004-20231215-en
General
Target: 6c455ae1a49319aae860e13541f6903b.exe
Size: 512KB
MD5: 6c455ae1a49319aae860e13541f6903b
SHA1: f6737e61743aafaceb70abe8b728c4de0eeb202e
SHA256: f0f527fc41c9985c610dd0cc583b07f0e1fbea589a0895994ab189ffdf22305b
SHA512: 0ed506f956f0dc09ae24f86cc79662a3ff9ac6c531034da5256a5d8768fcdbb7586b778979fc70ee7dfb5572908fb76a17018264a9b188c3d922b357f8455ca3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (rzqzutomuo.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (rzqzutomuo.exe)
Windows security bypass 5 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rzqzutomuo.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (rzqzutomuo.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation (6c455ae1a49319aae860e13541f6903b.exe)
Executes dropped EXE 5 IoCs
- PID 2496: rzqzutomuo.exe
- PID 892: seozvzgwkxmdeep.exe
- PID 4896: oyxyrwpo.exe
- PID 2296: pjkrpgsjaxwzv.exe
- PID 2320: oyxyrwpo.exe
Windows security modification 6 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rzqzutomuo.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\auzycwjj = "rzqzutomuo.exe" (seozvzgwkxmdeep.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\offkfjgs = "seozvzgwkxmdeep.exe" (seozvzgwkxmdeep.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pjkrpgsjaxwzv.exe" (seozvzgwkxmdeep.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\i: (oyxyrwpo.exe)
- File opened (read-only): \??\p: (oyxyrwpo.exe)
- File opened (read-only): \??\o: (oyxyrwpo.exe)
- File opened (read-only): \??\o: (rzqzutomuo.exe)
- File opened (read-only): \??\h: (rzqzutomuo.exe)
- File opened (read-only): \??\b: (oyxyrwpo.exe)
- File opened (read-only): \??\j: (oyxyrwpo.exe)
- File opened (read-only): \??\n: (oyxyrwpo.exe)
- File opened (read-only): \??\y: (oyxyrwpo.exe)
- File opened (read-only): \??\e: (oyxyrwpo.exe)
- File opened (read-only): \??\i: (oyxyrwpo.exe)
- File opened (read-only): \??\y: (oyxyrwpo.exe)
- File opened (read-only): \??\l: (rzqzutomuo.exe)
- File opened (read-only): \??\n: (oyxyrwpo.exe)
- File opened (read-only): \??\q: (oyxyrwpo.exe)
- File opened (read-only): \??\s: (rzqzutomuo.exe)
- File opened (read-only): \??\v: (rzqzutomuo.exe)
- File opened (read-only): \??\h: (oyxyrwpo.exe)
- File opened (read-only): \??\q: (oyxyrwpo.exe)
- File opened (read-only): \??\p: (oyxyrwpo.exe)
- File opened (read-only): \??\i: (rzqzutomuo.exe)
- File opened (read-only): \??\o: (oyxyrwpo.exe)
- File opened (read-only): \??\b: (oyxyrwpo.exe)
- File opened (read-only): \??\t: (rzqzutomuo.exe)
- File opened (read-only): \??\z: (oyxyrwpo.exe)
- File opened (read-only): \??\e: (rzqzutomuo.exe)
- File opened (read-only): \??\s: (oyxyrwpo.exe)
- File opened (read-only): \??\j: (oyxyrwpo.exe)
- File opened (read-only): \??\v: (oyxyrwpo.exe)
- File opened (read-only): \??\x: (oyxyrwpo.exe)
- File opened (read-only): \??\n: (rzqzutomuo.exe)
- File opened (read-only): \??\r: (rzqzutomuo.exe)
- File opened (read-only): \??\x: (oyxyrwpo.exe)
- File opened (read-only): \??\a: (rzqzutomuo.exe)
- File opened (read-only): \??\b: (rzqzutomuo.exe)
- File opened (read-only): \??\y: (rzqzutomuo.exe)
- File opened (read-only): \??\e: (oyxyrwpo.exe)
- File opened (read-only): \??\t: (oyxyrwpo.exe)
- File opened (read-only): \??\k: (oyxyrwpo.exe)
- File opened (read-only): \??\t: (oyxyrwpo.exe)
- File opened (read-only): \??\u: (oyxyrwpo.exe)
- File opened (read-only): \??\s: (oyxyrwpo.exe)
- File opened (read-only): \??\q: (rzqzutomuo.exe)
- File opened (read-only): \??\m: (oyxyrwpo.exe)
- File opened (read-only): \??\g: (oyxyrwpo.exe)
- File opened (read-only): \??\r: (oyxyrwpo.exe)
- File opened (read-only): \??\a: (oyxyrwpo.exe)
- File opened (read-only): \??\l: (oyxyrwpo.exe)
- File opened (read-only): \??\w: (oyxyrwpo.exe)
- File opened (read-only): \??\a: (oyxyrwpo.exe)
- File opened (read-only): \??\w: (rzqzutomuo.exe)
- File opened (read-only): \??\j: (rzqzutomuo.exe)
- File opened (read-only): \??\p: (rzqzutomuo.exe)
- File opened (read-only): \??\r: (oyxyrwpo.exe)
- File opened (read-only): \??\v: (oyxyrwpo.exe)
- File opened (read-only): \??\u: (oyxyrwpo.exe)
- File opened (read-only): \??\m: (rzqzutomuo.exe)
- File opened (read-only): \??\l: (oyxyrwpo.exe)
- File opened (read-only): \??\g: (oyxyrwpo.exe)
- File opened (read-only): \??\h: (oyxyrwpo.exe)
- File opened (read-only): \??\u: (rzqzutomuo.exe)
- File opened (read-only): \??\x: (rzqzutomuo.exe)
- File opened (read-only): \??\w: (oyxyrwpo.exe)
- File opened (read-only): \??\g: (rzqzutomuo.exe)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (rzqzutomuo.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (rzqzutomuo.exe)
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/1744-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023242-10.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000002323b-17.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023243-31.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023241-23.dat (yara rule: autoit_exe)
- behavioral2/files/0x00090000000231e9-93.dat (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023250-127.dat (yara rule: autoit_exe)
Drops file in System32 directory 9 IoCs
- File created: C:\Windows\SysWOW64\oyxyrwpo.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File created: C:\Windows\SysWOW64\rzqzutomuo.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\SysWOW64\rzqzutomuo.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\SysWOW64\seozvzgwkxmdeep.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\SysWOW64\pjkrpgsjaxwzv.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (rzqzutomuo.exe)
- File created: C:\Windows\SysWOW64\seozvzgwkxmdeep.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\SysWOW64\oyxyrwpo.exe (6c455ae1a49319aae860e13541f6903b.exe)
- File created: C:\Windows\SysWOW64\pjkrpgsjaxwzv.exe (6c455ae1a49319aae860e13541f6903b.exe)
Drops file in Program Files directory 21 IoCs
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (oyxyrwpo.exe)
- File created: \??\c:\Program Files\UnlockSelect.doc.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\UnlockSelect.doc.exe (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\UnlockSelect.doc.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\UnlockSelect.nal (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\UnlockSelect.nal (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (oyxyrwpo.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\UnlockSelect.doc.exe (oyxyrwpo.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (oyxyrwpo.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\UnlockSelect.doc.exe (oyxyrwpo.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (oyxyrwpo.exe)
Drops file in Windows directory 3 IoCs
- File opened for modification: C:\Windows\mydoc.rtf (6c455ae1a49319aae860e13541f6903b.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (6c455ae1a49319aae860e13541f6903b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B05844E638EB52CCB9D533EED7C9" (6c455ae1a49319aae860e13541f6903b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB1F962F293840F3A4B869C3E96B0FB03FC4365033DE1CB429E09D1" (6c455ae1a49319aae860e13541f6903b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (rzqzutomuo.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (rzqzutomuo.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (rzqzutomuo.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B0FF6E22D1D273D1A98A089160" (6c455ae1a49319aae860e13541f6903b.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (rzqzutomuo.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (rzqzutomuo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D0D9D5782556D4277D470522CAC7CF464D6" (6c455ae1a49319aae860e13541f6903b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8D482B82139047D7207E96BDE7E133583066406234D6E9" (6c455ae1a49319aae860e13541f6903b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC60C15E4DAB0B8B97C97EDE037CA" (6c455ae1a49319aae860e13541f6903b.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (rzqzutomuo.exe)
- Key created: \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings (6c455ae1a49319aae860e13541f6903b.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 4120: WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Consecutive hits, in order of occurrence:
- PID 1744: 6c455ae1a49319aae860e13541f6903b.exe (x16)
- PID 892: seozvzgwkxmdeep.exe (x6)
- PID 4896: oyxyrwpo.exe (x2)
- PID 892: seozvzgwkxmdeep.exe (x2)
- PID 4896: oyxyrwpo.exe (x6)
- PID 892: seozvzgwkxmdeep.exe (x2)
- PID 2496: rzqzutomuo.exe (x8)
- PID 2296: pjkrpgsjaxwzv.exe (x2)
- PID 2496: rzqzutomuo.exe (x2)
- PID 2296: pjkrpgsjaxwzv.exe (x10)
- PID 892: seozvzgwkxmdeep.exe (x2)
- PID 2296: pjkrpgsjaxwzv.exe (x4)
- PID 892: seozvzgwkxmdeep.exe (x2)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 1744: 6c455ae1a49319aae860e13541f6903b.exe (x3)
- PID 4896: oyxyrwpo.exe (x3)
- PID 892: seozvzgwkxmdeep.exe (x3)
- PID 2496: rzqzutomuo.exe (x3)
- PID 2296: pjkrpgsjaxwzv.exe (x3)
- PID 2320: oyxyrwpo.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 1744: 6c455ae1a49319aae860e13541f6903b.exe (x3)
- PID 4896: oyxyrwpo.exe (x3)
- PID 892: seozvzgwkxmdeep.exe (x3)
- PID 2496: rzqzutomuo.exe (x3)
- PID 2296: pjkrpgsjaxwzv.exe (x3)
- PID 2320: oyxyrwpo.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 4120: WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 1744 wrote to memory of 2496: 6c455ae1a49319aae860e13541f6903b.exe, procid_target 88 (x3)
- PID 1744 wrote to memory of 892: 6c455ae1a49319aae860e13541f6903b.exe, procid_target 89 (x3)
- PID 1744 wrote to memory of 4896: 6c455ae1a49319aae860e13541f6903b.exe, procid_target 90 (x3)
- PID 1744 wrote to memory of 2296: 6c455ae1a49319aae860e13541f6903b.exe, procid_target 91 (x3)
- PID 2496 wrote to memory of 2320: rzqzutomuo.exe, procid_target 95 (x3)
- PID 1744 wrote to memory of 4120: 6c455ae1a49319aae860e13541f6903b.exe, procid_target 96 (x2)
Processes
C:\Users\Admin\AppData\Local\Temp\6c455ae1a49319aae860e13541f6903b.exe [depth 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c455ae1a49319aae860e13541f6903b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1744
  C:\Windows\SysWOW64\rzqzutomuo.exe [depth 2]
    Command line: rzqzutomuo.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2496
    C:\Windows\SysWOW64\oyxyrwpo.exe [depth 3]
      Command line: C:\Windows\system32\oyxyrwpo.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2320
  C:\Windows\SysWOW64\seozvzgwkxmdeep.exe [depth 2]
    Command line: seozvzgwkxmdeep.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 892
  C:\Windows\SysWOW64\oyxyrwpo.exe [depth 2]
    Command line: oyxyrwpo.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4896
  C:\Windows\SysWOW64\pjkrpgsjaxwzv.exe [depth 2]
    Command line: pjkrpgsjaxwzv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2296
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE [depth 2]
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4120
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads