Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
28-12-2023 22:56
Static task
static1
Behavioral task
behavioral1
Sample
fe450b70dcaf04311221eb9154381ffd.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
fe450b70dcaf04311221eb9154381ffd.exe
Resource
win10v2004-20231215-en
General
-
Target
fe450b70dcaf04311221eb9154381ffd.exe
-
Size
512KB
-
MD5
fe450b70dcaf04311221eb9154381ffd
-
SHA1
11116866f0dae652f0f1dcfb57423b1aea6a637c
-
SHA256
134310abaa5cd750c8c111ca19b66b4b1ffbfa89673d09d0f6c896f09706f523
-
SHA512
5e9acda6f60d2052e2dbd7f9f7db028443d12be6c59efa0cee18f05d6fcc8ae97866e18ecd884871e32328f4bb3c624fb27a12c3d7db0cc2f0106f6a191c4812
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kwnthpcrfp.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kwnthpcrfp.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kwnthpcrfp.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kwnthpcrfp.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | fe450b70dcaf04311221eb9154381ffd.exe
-
Executes dropped EXE 5 IoCs
pid | Process
3024 | kwnthpcrfp.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kwnthpcrfp.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\usrpisgk = "kwnthpcrfp.exe" | ksrpsmnhokfbqum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qnxqhfxe = "ksrpsmnhokfbqum.exe" | ksrpsmnhokfbqum.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hhpxjwiqymvlf.exe" | ksrpsmnhokfbqum.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\t: | tbjbcsfb.exe
File opened (read-only) | \??\y: | tbjbcsfb.exe
File opened (read-only) | \??\e: | kwnthpcrfp.exe
File opened (read-only) | \??\p: | kwnthpcrfp.exe
File opened (read-only) | \??\b: | tbjbcsfb.exe
File opened (read-only) | \??\x: | tbjbcsfb.exe
File opened (read-only) | \??\n: | tbjbcsfb.exe
File opened (read-only) | \??\m: | tbjbcsfb.exe
File opened (read-only) | \??\p: | tbjbcsfb.exe
File opened (read-only) | \??\l: | kwnthpcrfp.exe
File opened (read-only) | \??\t: | kwnthpcrfp.exe
File opened (read-only) | \??\i: | tbjbcsfb.exe
File opened (read-only) | \??\j: | tbjbcsfb.exe
File opened (read-only) | \??\n: | tbjbcsfb.exe
File opened (read-only) | \??\o: | tbjbcsfb.exe
File opened (read-only) | \??\n: | kwnthpcrfp.exe
File opened (read-only) | \??\r: | kwnthpcrfp.exe
File opened (read-only) | \??\u: | kwnthpcrfp.exe
File opened (read-only) | \??\e: | tbjbcsfb.exe
File opened (read-only) | \??\i: | tbjbcsfb.exe
File opened (read-only) | \??\m: | tbjbcsfb.exe
File opened (read-only) | \??\r: | tbjbcsfb.exe
File opened (read-only) | \??\g: | tbjbcsfb.exe
File opened (read-only) | \??\h: | kwnthpcrfp.exe
File opened (read-only) | \??\i: | kwnthpcrfp.exe
File opened (read-only) | \??\y: | tbjbcsfb.exe
File opened (read-only) | \??\t: | tbjbcsfb.exe
File opened (read-only) | \??\v: | tbjbcsfb.exe
File opened (read-only) | \??\a: | tbjbcsfb.exe
File opened (read-only) | \??\g: | kwnthpcrfp.exe
File opened (read-only) | \??\w: | tbjbcsfb.exe
File opened (read-only) | \??\h: | tbjbcsfb.exe
File opened (read-only) | \??\v: | kwnthpcrfp.exe
File opened (read-only) | \??\h: | tbjbcsfb.exe
File opened (read-only) | \??\x: | tbjbcsfb.exe
File opened (read-only) | \??\z: | tbjbcsfb.exe
File opened (read-only) | \??\l: | tbjbcsfb.exe
File opened (read-only) | \??\b: | kwnthpcrfp.exe
File opened (read-only) | \??\z: | kwnthpcrfp.exe
File opened (read-only) | \??\g: | tbjbcsfb.exe
File opened (read-only) | \??\e: | tbjbcsfb.exe
File opened (read-only) | \??\j: | kwnthpcrfp.exe
File opened (read-only) | \??\w: | kwnthpcrfp.exe
File opened (read-only) | \??\q: | tbjbcsfb.exe
File opened (read-only) | \??\q: | tbjbcsfb.exe
File opened (read-only) | \??\y: | kwnthpcrfp.exe
File opened (read-only) | \??\k: | tbjbcsfb.exe
File opened (read-only) | \??\j: | tbjbcsfb.exe
File opened (read-only) | \??\s: | tbjbcsfb.exe
File opened (read-only) | \??\r: | tbjbcsfb.exe
File opened (read-only) | \??\u: | tbjbcsfb.exe
File opened (read-only) | \??\w: | tbjbcsfb.exe
File opened (read-only) | \??\k: | kwnthpcrfp.exe
File opened (read-only) | \??\o: | kwnthpcrfp.exe
File opened (read-only) | \??\u: | tbjbcsfb.exe
File opened (read-only) | \??\b: | tbjbcsfb.exe
File opened (read-only) | \??\z: | tbjbcsfb.exe
File opened (read-only) | \??\x: | kwnthpcrfp.exe
File opened (read-only) | \??\a: | tbjbcsfb.exe
File opened (read-only) | \??\k: | tbjbcsfb.exe
File opened (read-only) | \??\a: | kwnthpcrfp.exe
File opened (read-only) | \??\l: | tbjbcsfb.exe
File opened (read-only) | \??\q: | kwnthpcrfp.exe
File opened (read-only) | \??\v: | tbjbcsfb.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kwnthpcrfp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kwnthpcrfp.exe
-
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2328-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023218-5.dat | autoit_exe
behavioral2/files/0x0010000000023169-19.dat | autoit_exe
behavioral2/files/0x000600000002321f-29.dat | autoit_exe
behavioral2/files/0x000600000002321e-31.dat | autoit_exe
behavioral2/files/0x000600000002321f-28.dat | autoit_exe
behavioral2/files/0x000600000002321e-32.dat | autoit_exe
behavioral2/files/0x0010000000023169-18.dat | autoit_exe
behavioral2/files/0x000600000002321e-40.dat | autoit_exe
-
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kwnthpcrfp.exe
File created | C:\Windows\SysWOW64\hhpxjwiqymvlf.exe | fe450b70dcaf04311221eb9154381ffd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | C:\Windows\SysWOW64\tbjbcsfb.exe | fe450b70dcaf04311221eb9154381ffd.exe
File opened for modification | C:\Windows\SysWOW64\tbjbcsfb.exe | fe450b70dcaf04311221eb9154381ffd.exe
File opened for modification | C:\Windows\SysWOW64\hhpxjwiqymvlf.exe | fe450b70dcaf04311221eb9154381ffd.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | C:\Windows\SysWOW64\ksrpsmnhokfbqum.exe | fe450b70dcaf04311221eb9154381ffd.exe
File opened for modification | C:\Windows\SysWOW64\kwnthpcrfp.exe | fe450b70dcaf04311221eb9154381ffd.exe
File created | C:\Windows\SysWOW64\ksrpsmnhokfbqum.exe | fe450b70dcaf04311221eb9154381ffd.exe
File created | C:\Windows\SysWOW64\kwnthpcrfp.exe | fe450b70dcaf04311221eb9154381ffd.exe
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | tbjbcsfb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tbjbcsfb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | tbjbcsfb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tbjbcsfb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | tbjbcsfb.exe
-
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | tbjbcsfb.exe
File opened for modification | C:\Windows\mydoc.rtf | fe450b70dcaf04311221eb9154381ffd.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F468B6FF6622D8D279D1D48A7E9161" | fe450b70dcaf04311221eb9154381ffd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kwnthpcrfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D7F9C2782206A3477D070252DDC7DF165D9" | fe450b70dcaf04311221eb9154381ffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9CEFE16F29984083B3586EE3999B08002FF4315033BE2CF459E08A7" | fe450b70dcaf04311221eb9154381ffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8F4F5B82199132D6207D9CBC97E640594A66416332D7E9" | fe450b70dcaf04311221eb9154381ffd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kwnthpcrfp.exe
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | fe450b70dcaf04311221eb9154381ffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67F1493DBC5B8CC7CE2EC9634CC" | fe450b70dcaf04311221eb9154381ffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kwnthpcrfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kwnthpcrfp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kwnthpcrfp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | fe450b70dcaf04311221eb9154381ffd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B12847E4399953CDB9D13293D7C4" | fe450b70dcaf04311221eb9154381ffd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kwnthpcrfp.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2356 | WINWORD.EXE
2356 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4204 | hhpxjwiqymvlf.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
4040 | ksrpsmnhokfbqum.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
3748 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
2328 | fe450b70dcaf04311221eb9154381ffd.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
3024 | kwnthpcrfp.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
4040 | ksrpsmnhokfbqum.exe
4204 | hhpxjwiqymvlf.exe
3748 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
1364 | tbjbcsfb.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2356 | WINWORD.EXE
2356 | WINWORD.EXE
2356 | WINWORD.EXE
2356 | WINWORD.EXE
2356 | WINWORD.EXE
2356 | WINWORD.EXE
2356 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2328 wrote to memory of 3024 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 89
PID 2328 wrote to memory of 3024 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 89
PID 2328 wrote to memory of 3024 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 89
PID 2328 wrote to memory of 4040 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 90
PID 2328 wrote to memory of 4040 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 90
PID 2328 wrote to memory of 4040 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 90
PID 2328 wrote to memory of 3748 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 92
PID 2328 wrote to memory of 3748 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 92
PID 2328 wrote to memory of 3748 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 92
PID 2328 wrote to memory of 4204 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 91
PID 2328 wrote to memory of 4204 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 91
PID 2328 wrote to memory of 4204 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 91
PID 2328 wrote to memory of 2356 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 93
PID 2328 wrote to memory of 2356 | 2328 | fe450b70dcaf04311221eb9154381ffd.exe | 93
PID 3024 wrote to memory of 1364 | 3024 | kwnthpcrfp.exe | 97
PID 3024 wrote to memory of 1364 | 3024 | kwnthpcrfp.exe | 97
PID 3024 wrote to memory of 1364 | 3024 | kwnthpcrfp.exe | 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe450b70dcaf04311221eb9154381ffd.exe (PID 2328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe450b70dcaf04311221eb9154381ffd.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\kwnthpcrfp.exe (PID 3024)
    Command line: kwnthpcrfp.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tbjbcsfb.exe (PID 1364)
      Command line: C:\Windows\system32\tbjbcsfb.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ksrpsmnhokfbqum.exe (PID 4040)
    Command line: ksrpsmnhokfbqum.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\hhpxjwiqymvlf.exe (PID 4204)
    Command line: hhpxjwiqymvlf.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\tbjbcsfb.exe (PID 3748)
    Command line: tbjbcsfb.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2356)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Downloads