Analysis
max time kernel: 157s
max time network: 171s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 05:20
Static task: static1
Behavioral task: behavioral1
  Sample: 29c550be18671e1c38bf1726ec71da44.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 29c550be18671e1c38bf1726ec71da44.exe
  Resource: win10v2004-20231215-en
General
Target: 29c550be18671e1c38bf1726ec71da44.exe
Size: 512KB
MD5: 29c550be18671e1c38bf1726ec71da44
SHA1: 7cf7e29d1e77b71eb45bf68c5254d8b14a228d64
SHA256: 74cb279926b4e3b7d64b6bbcf88b7303650cdb4e84020f1275c9adfba67dcd48
SHA512: 338a1dd60ca37722560d58f9e603a98a5b0ec8950ade3959e57c95d492b830fdda659ca1f1f9fe1f2504b0b9dbecfa3c47208dae82e6b5757119ac0b394007dd
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | qiutkdzigg.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | qiutkdzigg.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qiutkdzigg.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | qiutkdzigg.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 29c550be18671e1c38bf1726ec71da44.exe
Executes dropped EXE (5 IoCs)
pid | Process
796 | qiutkdzigg.exe
4624 | mbjzqtmp.exe
828 | omtjxuzvuxrrtpy.exe
2704 | wldcwsevxefia.exe
540 | mbjzqtmp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qiutkdzigg.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gjkbtegp = "qiutkdzigg.exe" | omtjxuzvuxrrtpy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mipukued = "omtjxuzvuxrrtpy.exe" | omtjxuzvuxrrtpy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wldcwsevxefia.exe" | omtjxuzvuxrrtpy.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | mbjzqtmp.exe
File opened (read-only) | \??\t: | mbjzqtmp.exe
File opened (read-only) | \??\b: | qiutkdzigg.exe
File opened (read-only) | \??\b: | mbjzqtmp.exe
File opened (read-only) | \??\x: | mbjzqtmp.exe
File opened (read-only) | \??\a: | mbjzqtmp.exe
File opened (read-only) | \??\e: | mbjzqtmp.exe
File opened (read-only) | \??\g: | mbjzqtmp.exe
File opened (read-only) | \??\s: | qiutkdzigg.exe
File opened (read-only) | \??\v: | qiutkdzigg.exe
File opened (read-only) | \??\e: | mbjzqtmp.exe
File opened (read-only) | \??\k: | mbjzqtmp.exe
File opened (read-only) | \??\u: | mbjzqtmp.exe
File opened (read-only) | \??\h: | qiutkdzigg.exe
File opened (read-only) | \??\o: | qiutkdzigg.exe
File opened (read-only) | \??\n: | mbjzqtmp.exe
File opened (read-only) | \??\g: | mbjzqtmp.exe
File opened (read-only) | \??\r: | mbjzqtmp.exe
File opened (read-only) | \??\z: | mbjzqtmp.exe
File opened (read-only) | \??\k: | mbjzqtmp.exe
File opened (read-only) | \??\e: | qiutkdzigg.exe
File opened (read-only) | \??\s: | mbjzqtmp.exe
File opened (read-only) | \??\r: | qiutkdzigg.exe
File opened (read-only) | \??\l: | mbjzqtmp.exe
File opened (read-only) | \??\j: | mbjzqtmp.exe
File opened (read-only) | \??\l: | mbjzqtmp.exe
File opened (read-only) | \??\x: | mbjzqtmp.exe
File opened (read-only) | \??\m: | qiutkdzigg.exe
File opened (read-only) | \??\t: | qiutkdzigg.exe
File opened (read-only) | \??\i: | mbjzqtmp.exe
File opened (read-only) | \??\a: | qiutkdzigg.exe
File opened (read-only) | \??\g: | qiutkdzigg.exe
File opened (read-only) | \??\j: | qiutkdzigg.exe
File opened (read-only) | \??\y: | qiutkdzigg.exe
File opened (read-only) | \??\a: | mbjzqtmp.exe
File opened (read-only) | \??\n: | mbjzqtmp.exe
File opened (read-only) | \??\j: | mbjzqtmp.exe
File opened (read-only) | \??\w: | mbjzqtmp.exe
File opened (read-only) | \??\r: | mbjzqtmp.exe
File opened (read-only) | \??\w: | mbjzqtmp.exe
File opened (read-only) | \??\l: | qiutkdzigg.exe
File opened (read-only) | \??\u: | mbjzqtmp.exe
File opened (read-only) | \??\y: | mbjzqtmp.exe
File opened (read-only) | \??\p: | qiutkdzigg.exe
File opened (read-only) | \??\z: | qiutkdzigg.exe
File opened (read-only) | \??\o: | mbjzqtmp.exe
File opened (read-only) | \??\t: | mbjzqtmp.exe
File opened (read-only) | \??\y: | mbjzqtmp.exe
File opened (read-only) | \??\i: | qiutkdzigg.exe
File opened (read-only) | \??\n: | qiutkdzigg.exe
File opened (read-only) | \??\q: | qiutkdzigg.exe
File opened (read-only) | \??\w: | qiutkdzigg.exe
File opened (read-only) | \??\h: | mbjzqtmp.exe
File opened (read-only) | \??\m: | mbjzqtmp.exe
File opened (read-only) | \??\s: | mbjzqtmp.exe
File opened (read-only) | \??\z: | mbjzqtmp.exe
File opened (read-only) | \??\k: | qiutkdzigg.exe
File opened (read-only) | \??\q: | mbjzqtmp.exe
File opened (read-only) | \??\u: | qiutkdzigg.exe
File opened (read-only) | \??\x: | qiutkdzigg.exe
File opened (read-only) | \??\m: | mbjzqtmp.exe
File opened (read-only) | \??\o: | mbjzqtmp.exe
File opened (read-only) | \??\v: | mbjzqtmp.exe
File opened (read-only) | \??\p: | mbjzqtmp.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | qiutkdzigg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | qiutkdzigg.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4716-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023205-5.dat | autoit_exe
behavioral2/files/0x0006000000023204-18.dat | autoit_exe
behavioral2/files/0x0006000000023207-32.dat | autoit_exe
behavioral2/files/0x0006000000023206-24.dat | autoit_exe
behavioral2/files/0x0006000000023206-35.dat | autoit_exe
behavioral2/files/0x000600000002320e-70.dat | autoit_exe
behavioral2/files/0x0008000000023226-110.dat | autoit_exe
behavioral2/files/0x0008000000023226-113.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\wldcwsevxefia.exe | 29c550be18671e1c38bf1726ec71da44.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mbjzqtmp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mbjzqtmp.exe
File opened for modification | C:\Windows\SysWOW64\wldcwsevxefia.exe | 29c550be18671e1c38bf1726ec71da44.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | qiutkdzigg.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mbjzqtmp.exe
File created | C:\Windows\SysWOW64\qiutkdzigg.exe | 29c550be18671e1c38bf1726ec71da44.exe
File opened for modification | C:\Windows\SysWOW64\qiutkdzigg.exe | 29c550be18671e1c38bf1726ec71da44.exe
File opened for modification | C:\Windows\SysWOW64\omtjxuzvuxrrtpy.exe | 29c550be18671e1c38bf1726ec71da44.exe
File opened for modification | C:\Windows\SysWOW64\mbjzqtmp.exe | 29c550be18671e1c38bf1726ec71da44.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | mbjzqtmp.exe
File created | C:\Windows\SysWOW64\omtjxuzvuxrrtpy.exe | 29c550be18671e1c38bf1726ec71da44.exe
File created | C:\Windows\SysWOW64\mbjzqtmp.exe | 29c550be18671e1c38bf1726ec71da44.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mbjzqtmp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mbjzqtmp.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | mbjzqtmp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | mbjzqtmp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mbjzqtmp.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | mbjzqtmp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | mbjzqtmp.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 29c550be18671e1c38bf1726ec71da44.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | qiutkdzigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | qiutkdzigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | qiutkdzigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C089D2C82206A3776D477552CD77DF264DE" | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | qiutkdzigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | qiutkdzigg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFAB9FE10F19384783A4481EA3E97B38A03FC4211023BE2CA459909A3" | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFF8B485F85129046D65D7D90BC92E643594267416337D7EC" | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC6FE6F21DAD10FD0D28A7E906A" | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67814E2DBBEB8CF7FE1EDE234CD" | 29c550be18671e1c38bf1726ec71da44.exe
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12847E438E852CFB9D63298D4BF" | 29c550be18671e1c38bf1726ec71da44.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | qiutkdzigg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | qiutkdzigg.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
768 | WINWORD.EXE
768 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
796 | qiutkdzigg.exe
828 | omtjxuzvuxrrtpy.exe
796 | qiutkdzigg.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
4716 | 29c550be18671e1c38bf1726ec71da44.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
796 | qiutkdzigg.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
4624 | mbjzqtmp.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
828 | omtjxuzvuxrrtpy.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
2704 | wldcwsevxefia.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
540 | mbjzqtmp.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
768 | WINWORD.EXE
768 | WINWORD.EXE
768 | WINWORD.EXE
768 | WINWORD.EXE
768 | WINWORD.EXE
768 | WINWORD.EXE
768 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4716 wrote to memory of 796 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 91
PID 4716 wrote to memory of 796 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 91
PID 4716 wrote to memory of 796 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 91
PID 4716 wrote to memory of 828 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 90
PID 4716 wrote to memory of 828 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 90
PID 4716 wrote to memory of 828 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 90
PID 4716 wrote to memory of 4624 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 92
PID 4716 wrote to memory of 4624 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 92
PID 4716 wrote to memory of 4624 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 92
PID 4716 wrote to memory of 2704 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 93
PID 4716 wrote to memory of 2704 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 93
PID 4716 wrote to memory of 2704 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 93
PID 4716 wrote to memory of 768 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 96
PID 4716 wrote to memory of 768 | 4716 | 29c550be18671e1c38bf1726ec71da44.exe | 96
PID 796 wrote to memory of 540 | 796 | qiutkdzigg.exe | 95
PID 796 wrote to memory of 540 | 796 | qiutkdzigg.exe | 95
PID 796 wrote to memory of 540 | 796 | qiutkdzigg.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\29c550be18671e1c38bf1726ec71da44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29c550be18671e1c38bf1726ec71da44.exe"
  PID: 4716
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\omtjxuzvuxrrtpy.exe
    Command line: omtjxuzvuxrrtpy.exe
    PID: 828
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\qiutkdzigg.exe
    Command line: qiutkdzigg.exe
    PID: 796
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\mbjzqtmp.exe
      Command line: C:\Windows\system32\mbjzqtmp.exe
      PID: 540
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\mbjzqtmp.exe
    Command line: mbjzqtmp.exe
    PID: 4624
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\wldcwsevxefia.exe
    Command line: wldcwsevxefia.exe
    PID: 2704
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 768
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads