Analysis
max time kernel: 174s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7a3f9c429e317fabda989e9b74efd2aa.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7a3f9c429e317fabda989e9b74efd2aa.exe
  Resource: win10v2004-20231215-en
General
Target: 7a3f9c429e317fabda989e9b74efd2aa.exe
Size: 512KB
MD5: 7a3f9c429e317fabda989e9b74efd2aa
SHA1: 149dbee672829f6947ec86a0a9a64dbcc9542947
SHA256: 09f9a9776b4fa76b653ef0062eb8d6f9b12b22f887c0eb3f9062e69b11a93100
SHA512: a44118b8e80d415fced8c3988c33c9387e5f7393fc05938c6c8d05a1cc64dbda215df18d107aaa60b8315d23e94e596e5c0de39a92533eaa327161c0180c310b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gxqbajtmmq.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gxqbajtmmq.exe
Windows security bypass (5 IoCs; signature name taken from the process tree below, where it is listed for gxqbajtmmq.exe)
  description | ioc | process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gxqbajtmmq.exe
Disables RegEdit via registry modification (1 IoC)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gxqbajtmmq.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | process
  - Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | 7a3f9c429e317fabda989e9b74efd2aa.exe
Executes dropped EXE (5 IoCs)
  pid | process
  - 3216 | gxqbajtmmq.exe
  - 3888 | hsbfvxllijzhpdr.exe
  - 1612 | qcvdetwh.exe
  - 4908 | hnacvjhqxfznv.exe
  - 2244 | qcvdetwh.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification (6 IoCs; signature name taken from the process tree below, where it is listed for gxqbajtmmq.exe)
  description | ioc | process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gxqbajtmmq.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pecroyue = "gxqbajtmmq.exe" | hsbfvxllijzhpdr.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bokysegp = "hsbfvxllijzhpdr.exe" | hsbfvxllijzhpdr.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hnacvjhqxfznv.exe" | hsbfvxllijzhpdr.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | process (all 64 events are "File opened (read-only)"; drive letters listed in the order the report gives them)
  - gxqbajtmmq.exe (21 events): \??\g: \??\w: \??\u: \??\j: \??\e: \??\n: \??\o: \??\p: \??\x: \??\m: \??\z: \??\q: \??\a: \??\k: \??\l: \??\r: \??\y: \??\h: \??\i: \??\t: \??\v:
  - qcvdetwh.exe (43 events): \??\s: \??\o: \??\g: \??\h: \??\v: \??\i: \??\x: \??\e: \??\r: \??\k: \??\m: \??\n: \??\g: \??\h: \??\l: \??\q: \??\b: \??\w: \??\b: \??\u: \??\a: \??\i: \??\w: \??\x: \??\z: \??\j: \??\q: \??\r: \??\t: \??\n: \??\s: \??\m: \??\t: \??\z: \??\e: \??\p: \??\a: \??\p: \??\v: \??\l: \??\o: \??\k: \??\j:
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | process
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gxqbajtmmq.exe
  - Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gxqbajtmmq.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  - behavioral2/memory/4308-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  - behavioral2/files/0x0006000000023229-5.dat | autoit_exe
  - behavioral2/files/0x0006000000023228-18.dat | autoit_exe
  - behavioral2/files/0x000600000002322b-30.dat | autoit_exe
  - behavioral2/files/0x000600000002322a-29.dat | autoit_exe
  - behavioral2/files/0x0006000000023234-66.dat | autoit_exe
  - behavioral2/files/0x0006000000023233-60.dat | autoit_exe
  - behavioral2/files/0x0007000000023269-107.dat | autoit_exe
  - behavioral2/files/0x0007000000023269-109.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
  description | ioc | process
  - File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcvdetwh.exe
  - File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcvdetwh.exe
  - File created | C:\Windows\SysWOW64\gxqbajtmmq.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File opened for modification | C:\Windows\SysWOW64\gxqbajtmmq.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File opened for modification | C:\Windows\SysWOW64\hsbfvxllijzhpdr.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File created | C:\Windows\SysWOW64\qcvdetwh.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gxqbajtmmq.exe
  - File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qcvdetwh.exe
  - File created | C:\Windows\SysWOW64\hsbfvxllijzhpdr.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File opened for modification | C:\Windows\SysWOW64\qcvdetwh.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File created | C:\Windows\SysWOW64\hnacvjhqxfznv.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - File opened for modification | C:\Windows\SysWOW64\hnacvjhqxfznv.exe | 7a3f9c429e317fabda989e9b74efd2aa.exe
Drops file in Program Files directory (15 IoCs)
  description | ioc | process
  - File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcvdetwh.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcvdetwh.exe
  - File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qcvdetwh.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcvdetwh.exe
  - File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qcvdetwh.exe
  - File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qcvdetwh.exe
Drops file in Windows directory (3 IoCs)
  description | ioc | process
  - File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  - File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  - File opened for modification | C:\Windows\mydoc.rtf | 7a3f9c429e317fabda989e9b74efd2aa.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
  description | ioc | process
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C67E1596DBB2B9BE7CE1EDE037C9" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gxqbajtmmq.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gxqbajtmmq.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9CEF916F1E4840F3A32869739E4B0FD02FE42620348E2CE429D09A8" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB1294493399F53CBB9D63392D7CE" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF89485885129045D72D7D9DBC97E643594166366330D6E9" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gxqbajtmmq.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gxqbajtmmq.exe
  - Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB0FE6722DAD27FD1A78B7C9116" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gxqbajtmmq.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D0B9D5783226A4676A177222CAC7D8365D8" | 7a3f9c429e317fabda989e9b74efd2aa.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gxqbajtmmq.exe
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gxqbajtmmq.exe
  - Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | 7a3f9c429e317fabda989e9b74efd2aa.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | process
  - 4092 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process (consecutive identical rows collapsed, in the report's order)
  - 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe (x16)
  - 3216 | gxqbajtmmq.exe (x10)
  - 3888 | hsbfvxllijzhpdr.exe (x8)
  - 1612 | qcvdetwh.exe (x2)
  - 3888 | hsbfvxllijzhpdr.exe (x2)
  - 1612 | qcvdetwh.exe (x6)
  - 4908 | hnacvjhqxfznv.exe (x12)
  - 3888 | hsbfvxllijzhpdr.exe (x2)
  - 4908 | hnacvjhqxfznv.exe (x4)
  - 2244 | qcvdetwh.exe (x2)
Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | process
  - 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe (x3)
  - 3888 | hsbfvxllijzhpdr.exe (x3)
  - 3216 | gxqbajtmmq.exe (x3)
  - 1612 | qcvdetwh.exe (x3)
  - 4908 | hnacvjhqxfznv.exe (x3)
  - 2244 | qcvdetwh.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
  pid | process
  - 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe (x3)
  - 3888 | hsbfvxllijzhpdr.exe (x3)
  - 3216 | gxqbajtmmq.exe (x3)
  - 1612 | qcvdetwh.exe (x3)
  - 4908 | hnacvjhqxfznv.exe (x3)
  - 2244 | qcvdetwh.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | process
  - 4092 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | procid_target
  - PID 4308 wrote to memory of 3216 | 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe | 89 (x3)
  - PID 4308 wrote to memory of 3888 | 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe | 91 (x3)
  - PID 4308 wrote to memory of 1612 | 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe | 90 (x3)
  - PID 4308 wrote to memory of 4908 | 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe | 92 (x3)
  - PID 4308 wrote to memory of 4092 | 4308 | 7a3f9c429e317fabda989e9b74efd2aa.exe | 93 (x2)
  - PID 3216 wrote to memory of 2244 | 3216 | gxqbajtmmq.exe | 95 (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\7a3f9c429e317fabda989e9b74efd2aa.exe (PID 4308, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a3f9c429e317fabda989e9b74efd2aa.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\gxqbajtmmq.exe (PID 3216, depth 2)
    Command line: gxqbajtmmq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\qcvdetwh.exe (PID 2244, depth 3)
      Command line: C:\Windows\system32\qcvdetwh.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\qcvdetwh.exe (PID 1612, depth 2)
    Command line: qcvdetwh.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hsbfvxllijzhpdr.exe (PID 3888, depth 2)
    Command line: hsbfvxllijzhpdr.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hnacvjhqxfznv.exe (PID 4908, depth 2)
    Command line: hnacvjhqxfznv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4092, depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads

Filesize: 39KB
MD5: 569e1bb558dbf660cc4cf6aec367d1c3
SHA1: f67759fe206f5aba815a144bf5c22b21e9ff50e2
SHA256: f12f334dfaa90cff48658f773b41f97f4eedd44aa782f78b300463e04b64d0ca
SHA512: 66225dc721b279aee688b3638620c67074e98dba0fac88f921acc030c423b39ad30c2ca478096eaf920e15e4659f2d50c76a1f938765128888dd48b84fd0c69e

Filesize: 100KB
MD5: 4998ed4037f562c39e52a05aa11fd1c4
SHA1: 99409ea2b6cdaff3aaee1fe52c9fb50f908aa563
SHA256: acaf0c244c665ffc132fd8745cd19514c7a6a9bbb3fa410eab095adb2dfb7cd6
SHA512: a28469c29417dd9452eb083bc21b50940d0840859b60fe78096a14f7f36145de44408fd41f10d387cdb4473c87ae4384ef8d2dbe4159be1bcc188ca1bbd136ab

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: d121a59086ddfd79d4bd69e4fa02a3f3
SHA1: 1543c9ac5238599aa53426abf7c387a9d2aafa3e
SHA256: de2a9e96cf7d7809fe62bfeef1ab5f49aaf53611ebd796d5e7a0da251620de4b
SHA512: af832f2ecea1fed7016b68b9df432c67f75fa2397523a1325927189a936b1f0d1635e4ea8b0f6ef7a0414f21a64e354ad3368f065ae5eae2e7456848f1043b93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c34e2fe9023f10e58fd611c217b5c84e
SHA1: 15559d59d98fb4d4750b840ab0dcfd87bcc9e4a0
SHA256: 154abf97903aafff6ca50d50e8f85d5cc9581c25a3ae21b03db84ee14807f505
SHA512: 18c6e36d65e4361526bae72a604fea487bdc4e8bb0ce427e7223ea95e3f52e69f9be71daadb79f2b0cf954dc64baee40e140930be1d935fca0d6471f3568947e

Filesize: 512KB
MD5: 6f08905921832020c3b5527c17e78206
SHA1: 6c4b25d19e0af503830d911c1b593d2a6db7f6c1
SHA256: bce2114e3dd0e895aaa70c66e3660f93e81a880423c3ecddb271216a686a81d8
SHA512: 99f36c3a343ac64453e2af7b96a132c6af93f464cc2781a8cd61a51c5c315eae2e6779eb137c4fad715c437dd1f0e222bce980a47655385a159661b0d59c7233

Filesize: 512KB
MD5: 46d493c77f19b8566bd1cebcd27121da
SHA1: 497c59d9b3feb75f1928e6d8224206b4fb692cc0
SHA256: 95d931fdea75ebbbed9d135c8a2d0c62feddc373f994f6a727593f75f6bd60b8
SHA512: 34441d93ff45ed2504f4da6cc329455adcaacc264b2c816bda3d6be52e8074845b88875c3143fb3390cf3cf5e0ccdb4dbc4e4d5b39646447b0ad85790f8e805a

Filesize: 512KB
MD5: 2bcf531e1779be83673731ace6dedc52
SHA1: d8880884ee70d5b8e2883b9bf9868c89ac94d91f
SHA256: 95bafff75828284134ad4b005094c4cec2032acf8c5d438fffb4f1e1b44297b6
SHA512: 9954f33b652ce0926a801e441a052be9556618d2e76b02eb31a5ea712101447aee6ccc3a80b4f83447248df1ef9cf22329bbd201eaf3f45efcab490b592b4e34

Filesize: 512KB
MD5: 52808bc04c22a9b397ec80c04ef0664b
SHA1: 0b6c3e077f175bdfab5d14041d12ef9c9f62f786
SHA256: 6acbdc55f461efbda07f9c34e344e9598090cce7e4d6897f71876351dc55f56b
SHA512: bd98b2c4c977261244203cca4fc5bf039daa90c1d625c204db587f015fd0922e5de5a61ad9b7f1497f12490359ce18a8a68bb3c0cf69ff54522a973ca8855fe8

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 98a04fa482273527a034f2b80e244248
SHA1: dd486f50ad11a4a54c12c3ac0b45df28e66d3b72
SHA256: 63febc8794b170817aeaee2acdaf012e0e1ab6bbbb4b9d708f20ea71d7f8531c
SHA512: c027d67adc8f5060866f1e54e37f402094032cb3ce8120f725a6659a1bf13e4bfe70e0768bdbcb2cedbfe1eb1fdc59a5c06d00f1609eca444305e75c44ba36dd

Filesize: 512KB
MD5: eb4cb514d33ef022f56e47fe3bfeddcd
SHA1: b0c8df2bb56c2ad63190a8cec66b7e51ef55111b
SHA256: 3620f5ff0ea2877864b9990c7200c4ac04b42214da9103db6ebd71de898d078e
SHA512: 18eea2a0c06df5bee8178f2d2c091260ed83e87fbab2eb889f02ad2eac9108f9841399bf804e85b35273a3da9d6afec2399885e5f77608e6f62c26fb527a5247