Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2023 13:16
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
19b27abb987d5162d029710981820847.exe
Resource
win7-20231215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
19b27abb987d5162d029710981820847.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
19b27abb987d5162d029710981820847.exe
-
Size
512KB
-
MD5
19b27abb987d5162d029710981820847
-
SHA1
b585c7dd57a7e9f10f87bcbd492f3c12446fd113
-
SHA256
eef38e74b284a86c40ecb68777c0cd6b77398b9ce4bc7046694e77673e5bca61
-
SHA512
6986e785e9257a5a731fbb3a7d9eb718b21a4b3a9200d000d63701c56eda217debcc0331a7d0b6706abfb5ab13407d572aa3c6f8d5057fc7927da36063711347
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" saylpbworu.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" saylpbworu.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" saylpbworu.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" saylpbworu.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 19b27abb987d5162d029710981820847.exe -
Executes dropped EXE 5 IoCs
pid Process 4772 saylpbworu.exe 4224 nsqlehmgyxmjlth.exe 2160 iyaqcshl.exe 1436 duwbomlqvhxec.exe 4420 iyaqcshl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" saylpbworu.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "duwbomlqvhxec.exe" nsqlehmgyxmjlth.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xdbnfqom = "saylpbworu.exe" nsqlehmgyxmjlth.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uymfsyix = "nsqlehmgyxmjlth.exe" nsqlehmgyxmjlth.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\y: saylpbworu.exe File opened (read-only) \??\i: saylpbworu.exe File opened (read-only) \??\q: saylpbworu.exe File opened (read-only) \??\y: iyaqcshl.exe File opened (read-only) \??\l: saylpbworu.exe File opened (read-only) \??\y: iyaqcshl.exe File opened (read-only) \??\h: iyaqcshl.exe File opened (read-only) \??\k: iyaqcshl.exe File opened (read-only) \??\q: iyaqcshl.exe File opened (read-only) \??\o: iyaqcshl.exe File opened (read-only) \??\b: iyaqcshl.exe File opened (read-only) \??\i: iyaqcshl.exe File opened (read-only) \??\v: iyaqcshl.exe File opened (read-only) \??\l: iyaqcshl.exe File opened (read-only) \??\w: saylpbworu.exe File opened (read-only) \??\l: iyaqcshl.exe File opened (read-only) \??\r: saylpbworu.exe File opened (read-only) \??\z: saylpbworu.exe File opened (read-only) \??\m: saylpbworu.exe File opened (read-only) \??\s: iyaqcshl.exe File opened (read-only) \??\t: iyaqcshl.exe File opened (read-only) \??\v: saylpbworu.exe File opened (read-only) \??\i: iyaqcshl.exe File opened (read-only) \??\p: iyaqcshl.exe File opened (read-only) \??\t: iyaqcshl.exe File opened (read-only) \??\x: iyaqcshl.exe File opened (read-only) \??\g: saylpbworu.exe File opened (read-only) \??\z: iyaqcshl.exe File opened (read-only) \??\j: saylpbworu.exe File opened (read-only) \??\j: iyaqcshl.exe File opened (read-only) \??\u: iyaqcshl.exe File opened (read-only) \??\w: iyaqcshl.exe File opened (read-only) \??\o: iyaqcshl.exe File opened (read-only) \??\s: iyaqcshl.exe File opened (read-only) \??\u: iyaqcshl.exe File opened (read-only) \??\n: saylpbworu.exe File opened (read-only) \??\g: iyaqcshl.exe File opened (read-only) \??\k: iyaqcshl.exe File opened (read-only) \??\q: iyaqcshl.exe File opened (read-only) \??\z: iyaqcshl.exe File opened (read-only) \??\g: iyaqcshl.exe File opened (read-only) \??\j: iyaqcshl.exe File opened (read-only) \??\p: iyaqcshl.exe File opened (read-only) \??\b: saylpbworu.exe File opened (read-only) \??\e: saylpbworu.exe File opened (read-only) \??\b: iyaqcshl.exe File opened (read-only) \??\e: iyaqcshl.exe File opened (read-only) \??\a: iyaqcshl.exe File opened (read-only) \??\e: iyaqcshl.exe File opened (read-only) \??\n: iyaqcshl.exe File opened (read-only) \??\r: iyaqcshl.exe File opened (read-only) \??\x: iyaqcshl.exe File opened (read-only) \??\r: iyaqcshl.exe File opened (read-only) \??\p: saylpbworu.exe File opened (read-only) \??\n: iyaqcshl.exe File opened (read-only) \??\h: iyaqcshl.exe File opened (read-only) \??\h: saylpbworu.exe File opened (read-only) \??\x: saylpbworu.exe File opened (read-only) \??\o: saylpbworu.exe File opened (read-only) \??\s: saylpbworu.exe File opened (read-only) \??\m: iyaqcshl.exe File opened (read-only) \??\a: saylpbworu.exe File opened (read-only) \??\k: saylpbworu.exe File opened (read-only) \??\w: iyaqcshl.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" saylpbworu.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" saylpbworu.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2116-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0008000000023223-5.dat autoit_exe behavioral2/files/0x000c000000023176-18.dat autoit_exe behavioral2/files/0x0008000000023223-22.dat autoit_exe behavioral2/files/0x0006000000023229-28.dat autoit_exe behavioral2/files/0x0006000000023229-29.dat autoit_exe behavioral2/files/0x000c000000023176-19.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\nsqlehmgyxmjlth.exe 19b27abb987d5162d029710981820847.exe File created C:\Windows\SysWOW64\iyaqcshl.exe 19b27abb987d5162d029710981820847.exe File opened for modification C:\Windows\SysWOW64\iyaqcshl.exe 19b27abb987d5162d029710981820847.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification C:\Windows\SysWOW64\saylpbworu.exe 19b27abb987d5162d029710981820847.exe File created C:\Windows\SysWOW64\nsqlehmgyxmjlth.exe 19b27abb987d5162d029710981820847.exe File opened for modification C:\Windows\SysWOW64\duwbomlqvhxec.exe 19b27abb987d5162d029710981820847.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll saylpbworu.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iyaqcshl.exe File created C:\Windows\SysWOW64\saylpbworu.exe 19b27abb987d5162d029710981820847.exe File created C:\Windows\SysWOW64\duwbomlqvhxec.exe 19b27abb987d5162d029710981820847.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe iyaqcshl.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iyaqcshl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iyaqcshl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iyaqcshl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iyaqcshl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal iyaqcshl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iyaqcshl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe iyaqcshl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe iyaqcshl.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification C:\Windows\mydoc.rtf 19b27abb987d5162d029710981820847.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe iyaqcshl.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe iyaqcshl.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe iyaqcshl.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C799D2083536D4576D277212CAA7CF565DC" 19b27abb987d5162d029710981820847.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9CEFE17F19583753B3286963996B3FD03FC43650333E1B9459D08A2" 19b27abb987d5162d029710981820847.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FC824F2785139137D72A7DE0BC97E6345930664F6344D7EE" 19b27abb987d5162d029710981820847.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C7781594DAC4B9BE7F92ED9737BA" 19b27abb987d5162d029710981820847.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" saylpbworu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh saylpbworu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" saylpbworu.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 19b27abb987d5162d029710981820847.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B05847EF38E353CDB9D1329DD7CA" 19b27abb987d5162d029710981820847.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" saylpbworu.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BB1FE6621ADD209D1D68A0F9167" 19b27abb987d5162d029710981820847.exe Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings 19b27abb987d5162d029710981820847.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" saylpbworu.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" saylpbworu.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 4680 WINWORD.EXE 4680 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 2160 iyaqcshl.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 1436 duwbomlqvhxec.exe 4224 nsqlehmgyxmjlth.exe 4224 nsqlehmgyxmjlth.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 2160 iyaqcshl.exe 4772 saylpbworu.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 2160 iyaqcshl.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 2160 iyaqcshl.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 2116 19b27abb987d5162d029710981820847.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 4772 saylpbworu.exe 2160 iyaqcshl.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 2160 iyaqcshl.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 2160 iyaqcshl.exe 4224 nsqlehmgyxmjlth.exe 1436 duwbomlqvhxec.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe 4420 iyaqcshl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4680 WINWORD.EXE 4680 WINWORD.EXE 4680 WINWORD.EXE 4680 WINWORD.EXE 4680 WINWORD.EXE 4680 WINWORD.EXE 4680 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2116 wrote to memory of 4772 2116 19b27abb987d5162d029710981820847.exe 91 PID 2116 wrote to memory of 4772 2116 19b27abb987d5162d029710981820847.exe 91 PID 2116 wrote to memory of 4772 2116 19b27abb987d5162d029710981820847.exe 91 PID 2116 wrote to memory of 4224 2116 19b27abb987d5162d029710981820847.exe 92 PID 2116 wrote to memory of 4224 2116 19b27abb987d5162d029710981820847.exe 92 PID 2116 wrote to memory of 4224 2116 19b27abb987d5162d029710981820847.exe 92 PID 2116 wrote to memory of 2160 2116 19b27abb987d5162d029710981820847.exe 99 PID 2116 wrote to memory of 2160 2116 19b27abb987d5162d029710981820847.exe 99 PID 2116 wrote to memory of 2160 2116 19b27abb987d5162d029710981820847.exe 99 PID 2116 wrote to memory of 1436 2116 19b27abb987d5162d029710981820847.exe 93 PID 2116 wrote to memory of 1436 2116 19b27abb987d5162d029710981820847.exe 93 PID 2116 wrote to memory of 1436 2116 19b27abb987d5162d029710981820847.exe 93 PID 2116 wrote to memory of 4680 2116 19b27abb987d5162d029710981820847.exe 98 PID 2116 wrote to memory of 4680 2116 19b27abb987d5162d029710981820847.exe 98 PID 4772 wrote to memory of 4420 4772 saylpbworu.exe 96 PID 4772 wrote to memory of 4420 4772 saylpbworu.exe 96 PID 4772 wrote to memory of 4420 4772 saylpbworu.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe"C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\saylpbworu.exesaylpbworu.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\iyaqcshl.exeC:\Windows\system32\iyaqcshl.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4420
-
-
-
C:\Windows\SysWOW64\nsqlehmgyxmjlth.exensqlehmgyxmjlth.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224
-
-
C:\Windows\SysWOW64\duwbomlqvhxec.exeduwbomlqvhxec.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1436
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4680
-
-
C:\Windows\SysWOW64\iyaqcshl.exeiyaqcshl.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2160
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
92KB
MD56662b185f19fbf697c56a25c92de7961
SHA10df0c0df0de3724258df2549c583e3c934aca726
SHA256c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
152KB
MD5bac1439a35feb1f91e2e74c05c4150db
SHA1e105c50524f5acb1457c4b67a8348897f18ffcc5
SHA256028c2509d2743e26bc414331a2e6b1aed3d5f51f94a690a211d03bd563636749
SHA512e660baf725c99f4a69ea7847d6be8af0556ef054e58eed5eae984a47cdb6df299b7e2bea9c2e946fd277e0b7fdfee23d4b75eddb8ecbfc09862c8356e680f7ab
-
Filesize
512KB
MD5176f60aa231a9ad05fb1c35b240d9e91
SHA1d8afffe11d34c91b8ccb3912b5747f428455a076
SHA256ee0ba95b9ac9e77a15b8e1e7b7eaaa4614d9caa83aa244312427f2a026ad3977
SHA512fb236e8244d89d8f3f104527bd512d876d9fbb1893898e0395b8cbc862746459f7614dd4ca50c66ccaa7ff110cb7cfe782b5ace5dc3e3c79f03fa5164512af5f
-
Filesize
193KB
MD5a31008e1bf36948c5790f46d6a5b364b
SHA153e1bd64f986806dc72e3343c87b65f8afed897a
SHA2560fe3f5e6e9138cafa7435072ebda5646c80f646add2cc306b55a468cd10c4886
SHA5121474fa94a858054307521aa2fc7d0880d9ea131693643bf113304ee32d9a7b731a14668d2a2944bcc7e8b7644408bd98ac2bb7f305b0d74447cc13630fa63538
-
Filesize
512KB
MD5ef92fdbf97ca082c82c6bbb014dd9f82
SHA16691a6480fa1792724302580a0101eb344f462fd
SHA2568b373ffe714eb09c8e96bdc82d3ee5808eb6a6c08fe018865ffa0657e8506744
SHA512b6616bea5f4e81f52c0ebb055f7f7ab672c47c660b58f294064d327004133e9e7adb3c7f890b3080184d296f7666f0681fd1a919a289fb2f18780381f80f9929