Analysis
max time kernel: 151s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 28/12/2023, 22:40
Static task: static1
Behavioral task: behavioral1
Sample: fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Resource: win10v2004-20231215-en
General
Target: fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Size: 512KB
MD5: fd63cdc6ad0b5b4a7500a7084e112b1d
SHA1: a761149a9e8add86b0639045388fae73534ad4e6
SHA256: d339d5b92f7fa93f65e87a24a565d37ea3ff48d4818f04fdab0455848fa58b34
SHA512: 062ff33d11a8fb71a027a7f0999ad86e12ee200e3f6b3c980d1451da8a5750ca8fb47fd7a8165beb68198a5fda6e24b16ea8a845aca96d48bfbc3062f4685230
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm59
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mbvimomcss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mbvimomcss.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mbvimomcss.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mbvimomcss.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Executes dropped EXE (5 IoCs)
pid | Process
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
4584 | gowidfvt.exe
1584 | qmiswfpgfbndn.exe
5112 | gowidfvt.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mbvimomcss.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eqjhudtc = "mbvimomcss.exe" | rzwzbaawepywvbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gulqpyrc = "rzwzbaawepywvbm.exe" | rzwzbaawepywvbm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qmiswfpgfbndn.exe" | rzwzbaawepywvbm.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\g: | gowidfvt.exe
File opened (read-only) | \??\n: | gowidfvt.exe
File opened (read-only) | \??\o: | gowidfvt.exe
File opened (read-only) | \??\r: | mbvimomcss.exe
File opened (read-only) | \??\w: | gowidfvt.exe
File opened (read-only) | \??\j: | gowidfvt.exe
File opened (read-only) | \??\r: | gowidfvt.exe
File opened (read-only) | \??\w: | gowidfvt.exe
File opened (read-only) | \??\l: | mbvimomcss.exe
File opened (read-only) | \??\b: | gowidfvt.exe
File opened (read-only) | \??\e: | gowidfvt.exe
File opened (read-only) | \??\v: | mbvimomcss.exe
File opened (read-only) | \??\x: | gowidfvt.exe
File opened (read-only) | \??\k: | gowidfvt.exe
File opened (read-only) | \??\q: | gowidfvt.exe
File opened (read-only) | \??\x: | gowidfvt.exe
File opened (read-only) | \??\a: | gowidfvt.exe
File opened (read-only) | \??\l: | gowidfvt.exe
File opened (read-only) | \??\i: | gowidfvt.exe
File opened (read-only) | \??\z: | gowidfvt.exe
File opened (read-only) | \??\t: | gowidfvt.exe
File opened (read-only) | \??\g: | mbvimomcss.exe
File opened (read-only) | \??\h: | mbvimomcss.exe
File opened (read-only) | \??\i: | mbvimomcss.exe
File opened (read-only) | \??\q: | gowidfvt.exe
File opened (read-only) | \??\e: | gowidfvt.exe
File opened (read-only) | \??\l: | gowidfvt.exe
File opened (read-only) | \??\o: | mbvimomcss.exe
File opened (read-only) | \??\j: | gowidfvt.exe
File opened (read-only) | \??\p: | mbvimomcss.exe
File opened (read-only) | \??\r: | gowidfvt.exe
File opened (read-only) | \??\v: | gowidfvt.exe
File opened (read-only) | \??\a: | gowidfvt.exe
File opened (read-only) | \??\q: | mbvimomcss.exe
File opened (read-only) | \??\o: | gowidfvt.exe
File opened (read-only) | \??\y: | gowidfvt.exe
File opened (read-only) | \??\g: | gowidfvt.exe
File opened (read-only) | \??\t: | gowidfvt.exe
File opened (read-only) | \??\m: | gowidfvt.exe
File opened (read-only) | \??\p: | gowidfvt.exe
File opened (read-only) | \??\b: | mbvimomcss.exe
File opened (read-only) | \??\u: | mbvimomcss.exe
File opened (read-only) | \??\y: | mbvimomcss.exe
File opened (read-only) | \??\p: | gowidfvt.exe
File opened (read-only) | \??\h: | gowidfvt.exe
File opened (read-only) | \??\v: | gowidfvt.exe
File opened (read-only) | \??\x: | mbvimomcss.exe
File opened (read-only) | \??\k: | gowidfvt.exe
File opened (read-only) | \??\n: | gowidfvt.exe
File opened (read-only) | \??\u: | gowidfvt.exe
File opened (read-only) | \??\s: | gowidfvt.exe
File opened (read-only) | \??\s: | mbvimomcss.exe
File opened (read-only) | \??\t: | mbvimomcss.exe
File opened (read-only) | \??\z: | mbvimomcss.exe
File opened (read-only) | \??\m: | gowidfvt.exe
File opened (read-only) | \??\i: | gowidfvt.exe
File opened (read-only) | \??\b: | gowidfvt.exe
File opened (read-only) | \??\z: | gowidfvt.exe
File opened (read-only) | \??\k: | mbvimomcss.exe
File opened (read-only) | \??\s: | gowidfvt.exe
File opened (read-only) | \??\n: | mbvimomcss.exe
File opened (read-only) | \??\w: | mbvimomcss.exe
File opened (read-only) | \??\u: | gowidfvt.exe
File opened (read-only) | \??\a: | mbvimomcss.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mbvimomcss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mbvimomcss.exe
AutoIT Executable (18 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2196-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002321a-6.dat | autoit_exe
behavioral2/files/0x0007000000023217-19.dat | autoit_exe
behavioral2/files/0x0007000000023217-18.dat | autoit_exe
behavioral2/files/0x000600000002321e-27.dat | autoit_exe
behavioral2/files/0x000600000002321e-26.dat | autoit_exe
behavioral2/files/0x000600000002321f-31.dat | autoit_exe
behavioral2/files/0x000600000002321f-32.dat | autoit_exe
behavioral2/files/0x000700000002321a-23.dat | autoit_exe
behavioral2/files/0x000700000002321a-22.dat | autoit_exe
behavioral2/files/0x000600000002321e-35.dat | autoit_exe
behavioral2/files/0x0006000000023225-70.dat | autoit_exe
behavioral2/files/0x0008000000023159-106.dat | autoit_exe
behavioral2/files/0x000800000002315b-117.dat | autoit_exe
behavioral2/files/0x000800000002315a-115.dat | autoit_exe
behavioral2/files/0x0006000000023254-121.dat | autoit_exe
behavioral2/files/0x0006000000023254-128.dat | autoit_exe
behavioral2/files/0x0006000000023254-130.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gowidfvt.exe
File created | C:\Windows\SysWOW64\mbvimomcss.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\SysWOW64\mbvimomcss.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\SysWOW64\rzwzbaawepywvbm.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\SysWOW64\gowidfvt.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\SysWOW64\qmiswfpgfbndn.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gowidfvt.exe
File created | C:\Windows\SysWOW64\rzwzbaawepywvbm.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File created | C:\Windows\SysWOW64\gowidfvt.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File created | C:\Windows\SysWOW64\qmiswfpgfbndn.exe | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mbvimomcss.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | gowidfvt.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gowidfvt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gowidfvt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gowidfvt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gowidfvt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gowidfvt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gowidfvt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | gowidfvt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | gowidfvt.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mbvimomcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C7A9D5683566A3176A670542CDD7CF665DA" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FF8A482982129046D7217E95BD95E134594567326343D79A" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mbvimomcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mbvimomcss.exe
Key created | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC7741597DBC5B9BB7F92ECE734CA" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mbvimomcss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BEFE6AF293830B3B40869A3E96B08A038D4261023EE2C8429B08A7" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F468B4FE6E21D0D10CD0D18B7D9110" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mbvimomcss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B15A449039EB53CABAD43393D4BB" | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mbvimomcss.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4844 | WINWORD.EXE
4844 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
2108 | rzwzbaawepywvbm.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
2072 | mbvimomcss.exe
2108 | rzwzbaawepywvbm.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
4584 | gowidfvt.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
1584 | qmiswfpgfbndn.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
5112 | gowidfvt.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4844 | WINWORD.EXE
4844 | WINWORD.EXE
4844 | WINWORD.EXE
4844 | WINWORD.EXE
4844 | WINWORD.EXE
4844 | WINWORD.EXE
4844 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 2196 wrote to memory of 2072 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 84
PID 2196 wrote to memory of 2072 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 84
PID 2196 wrote to memory of 2072 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 84
PID 2196 wrote to memory of 2108 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 83
PID 2196 wrote to memory of 2108 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 83
PID 2196 wrote to memory of 2108 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 83
PID 2196 wrote to memory of 4584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 82
PID 2196 wrote to memory of 4584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 82
PID 2196 wrote to memory of 4584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 82
PID 2196 wrote to memory of 1584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 81
PID 2196 wrote to memory of 1584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 81
PID 2196 wrote to memory of 1584 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 81
PID 2072 wrote to memory of 5112 | 2072 | mbvimomcss.exe | 91
PID 2072 wrote to memory of 5112 | 2072 | mbvimomcss.exe | 91
PID 2072 wrote to memory of 5112 | 2072 | mbvimomcss.exe | 91
PID 2196 wrote to memory of 4844 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 94
PID 2196 wrote to memory of 4844 | 2196 | fd63cdc6ad0b5b4a7500a7084e112b1d.exe | 94
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\fd63cdc6ad0b5b4a7500a7084e112b1d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fd63cdc6ad0b5b4a7500a7084e112b1d.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2196
Process (level 2): C:\Windows\SysWOW64\qmiswfpgfbndn.exe
Command line: qmiswfpgfbndn.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1584
Process (level 2): C:\Windows\SysWOW64\gowidfvt.exe
Command line: gowidfvt.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4584
Process (level 2): C:\Windows\SysWOW64\rzwzbaawepywvbm.exe
Command line: rzwzbaawepywvbm.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2108
Process (level 2): C:\Windows\SysWOW64\mbvimomcss.exe
Command line: mbvimomcss.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2072
Process (level 3): C:\Windows\SysWOW64\gowidfvt.exe
Command line: C:\Windows\system32\gowidfvt.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 5112
Process (level 2): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4844
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Privilege Escalation
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Defense Evasion
Hide Artifacts: 2
Hidden Files and Directories: 2
Impair Defenses: 2
Disable or Modify Tools: 2
Modify Registry: 6
Downloads