Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2023 23:08

Static task: static1

Behavioral task: behavioral1
- Sample: fee45afc99fab9e2b0f358d1dff45a70.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: fee45afc99fab9e2b0f358d1dff45a70.exe
- Resource: win10v2004-20231215-en
General
- Target: fee45afc99fab9e2b0f358d1dff45a70.exe
- Size: 512KB
- MD5: fee45afc99fab9e2b0f358d1dff45a70
- SHA1: b758af04b35f4c60e30b2aff265486e6dcf78254
- SHA256: 5d4c68f55e0662006cfc119cf15e2395c9c3902ede93690e0233e89077c94ef7
- SHA512: fb986e2903d0776b0912ed9057c8e82fcf639f708c7a2d94265087522faef62368f40443431e16ad49813b872250da06f36a328289cd86307e045061048a9566
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (kffkyqbymi.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (kffkyqbymi.exe)

Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (kffkyqbymi.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (kffkyqbymi.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (fee45afc99fab9e2b0f358d1dff45a70.exe)
Executes dropped EXE 5 IoCs
- PID 1448: kffkyqbymi.exe
- PID 3312: vewoanso.exe
- PID 2248: fhzjawtnnpdvy.exe
- PID 3596: jipexfrwhbqnoxi.exe
- PID 1632: vewoanso.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (kffkyqbymi.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otsvlhzb = "kffkyqbymi.exe" (jipexfrwhbqnoxi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zzezbowo = "jipexfrwhbqnoxi.exe" (jipexfrwhbqnoxi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fhzjawtnnpdvy.exe" (jipexfrwhbqnoxi.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (kffkyqbymi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (kffkyqbymi.exe)
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/4524-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023208-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x00090000000231fb-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023215-26.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023214-25.dat (yara rule: autoit_exe)
- behavioral2/files/0x0008000000023208-28.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023215-30.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023214-39.dat (yara rule: autoit_exe)
- behavioral2/files/0x0006000000023225-100.dat (yara rule: autoit_exe)
Drops file in System32 directory 13 IoCs
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (kffkyqbymi.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification C:\Windows\SysWOW64\vewoanso.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created C:\Windows\SysWOW64\fhzjawtnnpdvy.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification C:\Windows\SysWOW64\jipexfrwhbqnoxi.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification C:\Windows\SysWOW64\kffkyqbymi.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File opened for modification C:\Windows\SysWOW64\fhzjawtnnpdvy.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created C:\Windows\SysWOW64\vewoanso.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created C:\Windows\SysWOW64\kffkyqbymi.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created C:\Windows\SysWOW64\jipexfrwhbqnoxi.exe (fee45afc99fab9e2b0f358d1dff45a70.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vewoanso.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (vewoanso.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vewoanso.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vewoanso.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (vewoanso.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (vewoanso.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vewoanso.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (vewoanso.exe)
Drops file in Windows directory 19 IoCs
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification C:\Windows\mydoc.rtf (fee45afc99fab9e2b0f358d1dff45a70.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (vewoanso.exe)
- File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vewoanso.exe)
- File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (vewoanso.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B1FF6722DED27CD0A68B089113" (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (kffkyqbymi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (kffkyqbymi.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (kffkyqbymi.exe)
- Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABDFE14F1E584783B4781993E96B0FE028F4269034EE1B845E808A3" (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12F449039ED53CFBADC33EFD7C9" (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (kffkyqbymi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7E9C5683546D3577D170242DD77D8364AB" (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC77B15E7DBB1B8BD7C90ECE034C6" (fee45afc99fab9e2b0f358d1dff45a70.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (kffkyqbymi.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8F4F2A851B9140D6207E91BDE3E13C584767436241D69D" (fee45afc99fab9e2b0f358d1dff45a70.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 4564: WINWORD.EXE
- PID 4564: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
- PID 4524 wrote to memory of 1448 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 92)
- PID 4524 wrote to memory of 1448 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 92)
- PID 4524 wrote to memory of 1448 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 92)
- PID 4524 wrote to memory of 3596 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 95)
- PID 4524 wrote to memory of 3596 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 95)
- PID 4524 wrote to memory of 3596 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 95)
- PID 4524 wrote to memory of 3312 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 94)
- PID 4524 wrote to memory of 3312 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 94)
- PID 4524 wrote to memory of 3312 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 94)
- PID 4524 wrote to memory of 2248 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 93)
- PID 4524 wrote to memory of 2248 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 93)
- PID 4524 wrote to memory of 2248 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 93)
- PID 4524 wrote to memory of 4564 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 97)
- PID 4524 wrote to memory of 4564 (pid 4524, fee45afc99fab9e2b0f358d1dff45a70.exe, procid_target 97)
- PID 1448 wrote to memory of 1632 (pid 1448, kffkyqbymi.exe, procid_target 98)
- PID 1448 wrote to memory of 1632 (pid 1448, kffkyqbymi.exe, procid_target 98)
- PID 1448 wrote to memory of 1632 (pid 1448, kffkyqbymi.exe, procid_target 98)
Processes
- C:\Users\Admin\AppData\Local\Temp\fee45afc99fab9e2b0f358d1dff45a70.exe, PID 4524, command line: "C:\Users\Admin\AppData\Local\Temp\fee45afc99fab9e2b0f358d1dff45a70.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\kffkyqbymi.exe, PID 1448, command line: kffkyqbymi.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vewoanso.exe, PID 1632, command line: C:\Windows\system32\vewoanso.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fhzjawtnnpdvy.exe, PID 2248, command line: fhzjawtnnpdvy.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\vewoanso.exe, PID 3312, command line: vewoanso.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jipexfrwhbqnoxi.exe, PID 3596, command line: jipexfrwhbqnoxi.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, PID 4564, command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads