Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/12/2023, 22:04
Static task: static1
Behavioral task: behavioral1
- Sample: 051ff21bdc212a57f9566453dcd94626.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 051ff21bdc212a57f9566453dcd94626.exe
- Resource: win10v2004-20231215-en
General
Target: 051ff21bdc212a57f9566453dcd94626.exe
Size: 512KB
MD5: 051ff21bdc212a57f9566453dcd94626
SHA1: 367aa83efed957dc3012f9d6b03194e183127ba6
SHA256: 05614d9b432c03e510b8b2ec3b318ace77e5b64d6ea6e4356d2b72bb5ad3fc85
SHA512: 9ee34c73758b014164ee3da4ca7d66ed150d080e1112df7fad13ae5175f17d70655aaf81d03dc0fea1828e3d1e47546dbb31fd9a973f82aad071ed47a705ba84
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (lrqgaqupgy.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (lrqgaqupgy.exe)
Windows security bypass 5 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (lrqgaqupgy.exe)
Disables RegEdit via registry modification 1 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (lrqgaqupgy.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (051ff21bdc212a57f9566453dcd94626.exe)
Executes dropped EXE 5 IoCs
pid / Process
- 1476 lrqgaqupgy.exe
- 1004 ygwfnhac.exe
- 4708 xeafrgyvfgxxkqe.exe
- 5008 tmnstkfkepzxy.exe
- 4544 ygwfnhac.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (lrqgaqupgy.exe)
Adds Run key to start application 2 TTPs 3 IoCs
description / ioc / Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ftpexejq = "lrqgaqupgy.exe" (xeafrgyvfgxxkqe.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uxrfkgtw = "xeafrgyvfgxxkqe.exe" (xeafrgyvfgxxkqe.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tmnstkfkepzxy.exe" (xeafrgyvfgxxkqe.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process
- File opened (read-only): \??\l: (ygwfnhac.exe)
- File opened (read-only): \??\m: (lrqgaqupgy.exe)
- File opened (read-only): \??\o: (lrqgaqupgy.exe)
- File opened (read-only): \??\e: (lrqgaqupgy.exe)
- File opened (read-only): \??\q: (ygwfnhac.exe)
- File opened (read-only): \??\u: (ygwfnhac.exe)
- File opened (read-only): \??\x: (lrqgaqupgy.exe)
- File opened (read-only): \??\z: (ygwfnhac.exe)
- File opened (read-only): \??\m: (ygwfnhac.exe)
- File opened (read-only): \??\x: (ygwfnhac.exe)
- File opened (read-only): \??\l: (lrqgaqupgy.exe)
- File opened (read-only): \??\b: (lrqgaqupgy.exe)
- File opened (read-only): \??\h: (ygwfnhac.exe)
- File opened (read-only): \??\i: (ygwfnhac.exe)
- File opened (read-only): \??\e: (ygwfnhac.exe)
- File opened (read-only): \??\y: (ygwfnhac.exe)
- File opened (read-only): \??\a: (lrqgaqupgy.exe)
- File opened (read-only): \??\n: (ygwfnhac.exe)
- File opened (read-only): \??\i: (lrqgaqupgy.exe)
- File opened (read-only): \??\y: (ygwfnhac.exe)
- File opened (read-only): \??\a: (ygwfnhac.exe)
- File opened (read-only): \??\h: (ygwfnhac.exe)
- File opened (read-only): \??\j: (ygwfnhac.exe)
- File opened (read-only): \??\s: (lrqgaqupgy.exe)
- File opened (read-only): \??\j: (ygwfnhac.exe)
- File opened (read-only): \??\g: (lrqgaqupgy.exe)
- File opened (read-only): \??\h: (lrqgaqupgy.exe)
- File opened (read-only): \??\j: (lrqgaqupgy.exe)
- File opened (read-only): \??\i: (ygwfnhac.exe)
- File opened (read-only): \??\v: (ygwfnhac.exe)
- File opened (read-only): \??\o: (ygwfnhac.exe)
- File opened (read-only): \??\e: (ygwfnhac.exe)
- File opened (read-only): \??\g: (ygwfnhac.exe)
- File opened (read-only): \??\v: (lrqgaqupgy.exe)
- File opened (read-only): \??\z: (lrqgaqupgy.exe)
- File opened (read-only): \??\b: (ygwfnhac.exe)
- File opened (read-only): \??\w: (ygwfnhac.exe)
- File opened (read-only): \??\z: (ygwfnhac.exe)
- File opened (read-only): \??\w: (lrqgaqupgy.exe)
- File opened (read-only): \??\q: (lrqgaqupgy.exe)
- File opened (read-only): \??\m: (ygwfnhac.exe)
- File opened (read-only): \??\n: (ygwfnhac.exe)
- File opened (read-only): \??\x: (ygwfnhac.exe)
- File opened (read-only): \??\b: (ygwfnhac.exe)
- File opened (read-only): \??\o: (ygwfnhac.exe)
- File opened (read-only): \??\p: (ygwfnhac.exe)
- File opened (read-only): \??\k: (lrqgaqupgy.exe)
- File opened (read-only): \??\u: (lrqgaqupgy.exe)
- File opened (read-only): \??\p: (ygwfnhac.exe)
- File opened (read-only): \??\t: (ygwfnhac.exe)
- File opened (read-only): \??\w: (ygwfnhac.exe)
- File opened (read-only): \??\k: (ygwfnhac.exe)
- File opened (read-only): \??\q: (ygwfnhac.exe)
- File opened (read-only): \??\r: (ygwfnhac.exe)
- File opened (read-only): \??\t: (lrqgaqupgy.exe)
- File opened (read-only): \??\y: (lrqgaqupgy.exe)
- File opened (read-only): \??\k: (ygwfnhac.exe)
- File opened (read-only): \??\s: (ygwfnhac.exe)
- File opened (read-only): \??\v: (ygwfnhac.exe)
- File opened (read-only): \??\s: (ygwfnhac.exe)
- File opened (read-only): \??\p: (lrqgaqupgy.exe)
- File opened (read-only): \??\r: (lrqgaqupgy.exe)
- File opened (read-only): \??\r: (ygwfnhac.exe)
- File opened (read-only): \??\u: (ygwfnhac.exe)
Modifies WinLogon 2 TTPs 2 IoCs
description / ioc / Process
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (lrqgaqupgy.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (lrqgaqupgy.exe)
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule
- behavioral2/memory/3332-0-0x0000000000400000-0x0000000000496000-memory.dmp: autoit_exe
- behavioral2/files/0x000800000002320d-25.dat: autoit_exe
- behavioral2/files/0x000600000002321a-31.dat: autoit_exe
- behavioral2/files/0x000600000002321a-32.dat: autoit_exe
- behavioral2/files/0x000800000002320d-24.dat: autoit_exe
- behavioral2/files/0x0006000000023219-37.dat: autoit_exe
- behavioral2/files/0x0006000000023219-29.dat: autoit_exe
- behavioral2/files/0x000c000000023200-19.dat: autoit_exe
- behavioral2/files/0x000c000000023200-18.dat: autoit_exe
- behavioral2/files/0x000800000002320d-5.dat: autoit_exe
Drops file in System32 directory 13 IoCs
description / ioc / Process
- File opened for modification: C:\Windows\SysWOW64\lrqgaqupgy.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File created: C:\Windows\SysWOW64\xeafrgyvfgxxkqe.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File opened for modification: C:\Windows\SysWOW64\xeafrgyvfgxxkqe.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File opened for modification: C:\Windows\SysWOW64\ygwfnhac.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File created: C:\Windows\SysWOW64\tmnstkfkepzxy.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: C:\Windows\SysWOW64\lrqgaqupgy.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (lrqgaqupgy.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: C:\Windows\SysWOW64\ygwfnhac.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File opened for modification: C:\Windows\SysWOW64\tmnstkfkepzxy.exe (051ff21bdc212a57f9566453dcd94626.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (ygwfnhac.exe)
Drops file in Program Files directory 15 IoCs
description / ioc / Process
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ygwfnhac.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ygwfnhac.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ygwfnhac.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ygwfnhac.exe)
Drops file in Windows directory 19 IoCs
description / ioc / Process
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: C:\Windows\mydoc.rtf (051ff21bdc212a57f9566453dcd94626.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ygwfnhac.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (ygwfnhac.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
description / ioc / Process
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
description / ioc / Process
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (lrqgaqupgy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (lrqgaqupgy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (lrqgaqupgy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (lrqgaqupgy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (lrqgaqupgy.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D7A9D5783586A4677D177232DDE7DF265AB" (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF8A482E8212903CD72C7D93BDE6E137584766366236D69D" (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C77914E0DAC4B8CF7CE3ECE537CE" (051ff21bdc212a57f9566453dcd94626.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (lrqgaqupgy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (lrqgaqupgy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (lrqgaqupgy.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFAB1F917F1E4840B3B4681EB3E97B089028842600248E1C5459A08D6" (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B12D4490399D53BFBAA132EDD7C5" (051ff21bdc212a57f9566453dcd94626.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768B1FF1F21DDD178D0D28A08906B" (051ff21bdc212a57f9566453dcd94626.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (lrqgaqupgy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (lrqgaqupgy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (lrqgaqupgy.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (lrqgaqupgy.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid / Process
- 2488 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (consecutive identical rows collapsed with a count, in the order reported)
- 3332 051ff21bdc212a57f9566453dcd94626.exe (x16)
- 1476 lrqgaqupgy.exe (x10)
- 1004 ygwfnhac.exe (x4)
- 4708 xeafrgyvfgxxkqe.exe (x6)
- 1004 ygwfnhac.exe
- 4708 xeafrgyvfgxxkqe.exe (x2)
- 1004 ygwfnhac.exe (x3)
- 4708 xeafrgyvfgxxkqe.exe (x2)
- 5008 tmnstkfkepzxy.exe (x12)
- 4544 ygwfnhac.exe (x8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid / Process (consecutive identical rows collapsed with a count, in the order reported)
- 3332 051ff21bdc212a57f9566453dcd94626.exe (x3)
- 1476 lrqgaqupgy.exe (x3)
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4544 ygwfnhac.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
pid / Process (consecutive identical rows collapsed with a count, in the order reported)
- 3332 051ff21bdc212a57f9566453dcd94626.exe (x3)
- 1476 lrqgaqupgy.exe (x3)
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4708 xeafrgyvfgxxkqe.exe
- 1004 ygwfnhac.exe
- 5008 tmnstkfkepzxy.exe
- 4544 ygwfnhac.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid / Process
- 2488 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
description / pid / Process / procid_target (identical rows collapsed with a count, in the order reported)
- PID 3332 wrote to memory of 1476 (051ff21bdc212a57f9566453dcd94626.exe, procid_target 99) (x3)
- PID 3332 wrote to memory of 4708 (051ff21bdc212a57f9566453dcd94626.exe, procid_target 98) (x3)
- PID 3332 wrote to memory of 1004 (051ff21bdc212a57f9566453dcd94626.exe, procid_target 92) (x3)
- PID 3332 wrote to memory of 5008 (051ff21bdc212a57f9566453dcd94626.exe, procid_target 97) (x3)
- PID 3332 wrote to memory of 2488 (051ff21bdc212a57f9566453dcd94626.exe, procid_target 93) (x2)
- PID 1476 wrote to memory of 4544 (lrqgaqupgy.exe, procid_target 95) (x3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\051ff21bdc212a57f9566453dcd94626.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\051ff21bdc212a57f9566453dcd94626.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3332 -
C:\Windows\SysWOW64\ygwfnhac.exe (level 2)
Command line: ygwfnhac.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1004
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2488
-
-
C:\Windows\SysWOW64\tmnstkfkepzxy.exe (level 2)
Command line: tmnstkfkepzxy.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5008
-
-
C:\Windows\SysWOW64\xeafrgyvfgxxkqe.exe (level 2)
Command line: xeafrgyvfgxxkqe.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4708
-
-
C:\Windows\SysWOW64\lrqgaqupgy.exe (level 2)
Command line: lrqgaqupgy.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476
-
-
C:\Windows\SysWOW64\ygwfnhac.exe (level 1)
Command line: C:\Windows\system32\ygwfnhac.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4544
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 6
Downloads