Analysis
-
max time kernel
136s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
31/12/2023, 04:45
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
28b84dca448ab58fa3a35940a125f7d4.exe
Resource
win7-20231215-en
windows7-x64
25 signatures
150 seconds
Behavioral task
behavioral2
Sample
28b84dca448ab58fa3a35940a125f7d4.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
28b84dca448ab58fa3a35940a125f7d4.exe
-
Size
512KB
-
MD5
28b84dca448ab58fa3a35940a125f7d4
-
SHA1
9ce6b74321a985ee2ca0888147eab15796a6c013
-
SHA256
6e8742ca1f6c692bfa9933281637d47aaf08b77909a51629fcfa60d87a1b4e1b
-
SHA512
d019b108fab6c3b87a8cfae2f78e29288a14f0842686ec0bc4388109d8cafc0444c5763858c72208848846e5338e5780f0254160793b10245df4066922dadeda
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6H:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5g
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tdlvgbtsdm.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tdlvgbtsdm.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tdlvgbtsdm.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tdlvgbtsdm.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation 28b84dca448ab58fa3a35940a125f7d4.exe -
Executes dropped EXE 5 IoCs
pid Process 5068 tdlvgbtsdm.exe 4948 ybcpadacbtblawa.exe 4572 gmvrcxpl.exe 3420 lmphrnaarexoz.exe 2756 gmvrcxpl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tdlvgbtsdm.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avtvnpsa = "tdlvgbtsdm.exe" ybcpadacbtblawa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vuawlvcm = "ybcpadacbtblawa.exe" ybcpadacbtblawa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lmphrnaarexoz.exe" ybcpadacbtblawa.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\l: gmvrcxpl.exe File opened (read-only) \??\s: tdlvgbtsdm.exe File opened (read-only) \??\h: gmvrcxpl.exe File opened (read-only) \??\r: tdlvgbtsdm.exe File opened (read-only) \??\s: gmvrcxpl.exe File opened (read-only) \??\g: gmvrcxpl.exe File opened (read-only) \??\m: tdlvgbtsdm.exe File opened (read-only) \??\j: gmvrcxpl.exe File opened (read-only) \??\w: gmvrcxpl.exe File opened (read-only) \??\y: gmvrcxpl.exe File opened (read-only) \??\h: gmvrcxpl.exe File opened (read-only) \??\h: tdlvgbtsdm.exe File opened (read-only) \??\x: gmvrcxpl.exe File opened (read-only) \??\o: gmvrcxpl.exe File opened (read-only) \??\p: gmvrcxpl.exe File opened (read-only) \??\r: gmvrcxpl.exe File opened (read-only) \??\m: gmvrcxpl.exe File opened (read-only) \??\x: gmvrcxpl.exe File opened (read-only) \??\t: gmvrcxpl.exe File opened (read-only) \??\x: tdlvgbtsdm.exe File opened (read-only) \??\b: gmvrcxpl.exe File opened (read-only) \??\y: gmvrcxpl.exe File opened (read-only) \??\z: tdlvgbtsdm.exe File opened (read-only) \??\k: tdlvgbtsdm.exe File opened (read-only) \??\r: gmvrcxpl.exe File opened (read-only) \??\a: gmvrcxpl.exe File opened (read-only) \??\q: gmvrcxpl.exe File opened (read-only) \??\m: gmvrcxpl.exe File opened (read-only) \??\i: tdlvgbtsdm.exe File opened (read-only) \??\i: gmvrcxpl.exe File opened (read-only) \??\j: gmvrcxpl.exe File opened (read-only) \??\g: gmvrcxpl.exe File opened (read-only) \??\v: gmvrcxpl.exe File opened (read-only) \??\e: gmvrcxpl.exe File opened (read-only) \??\g: tdlvgbtsdm.exe File opened (read-only) \??\w: tdlvgbtsdm.exe File opened (read-only) \??\y: tdlvgbtsdm.exe File opened (read-only) \??\t: gmvrcxpl.exe File opened (read-only) \??\v: gmvrcxpl.exe File opened (read-only) \??\t: tdlvgbtsdm.exe File opened (read-only) \??\o: gmvrcxpl.exe File opened (read-only) \??\a: gmvrcxpl.exe File opened (read-only) \??\z: gmvrcxpl.exe File opened (read-only) \??\b: gmvrcxpl.exe File opened (read-only) \??\n: gmvrcxpl.exe File opened (read-only) \??\q: gmvrcxpl.exe File opened (read-only) \??\a: tdlvgbtsdm.exe File opened (read-only) \??\o: tdlvgbtsdm.exe File opened (read-only) \??\w: gmvrcxpl.exe File opened (read-only) \??\p: tdlvgbtsdm.exe File opened (read-only) \??\n: gmvrcxpl.exe File opened (read-only) \??\k: gmvrcxpl.exe File opened (read-only) \??\s: gmvrcxpl.exe File opened (read-only) \??\k: gmvrcxpl.exe File opened (read-only) \??\l: gmvrcxpl.exe File opened (read-only) \??\u: gmvrcxpl.exe File opened (read-only) \??\j: tdlvgbtsdm.exe File opened (read-only) \??\l: tdlvgbtsdm.exe File opened (read-only) \??\n: tdlvgbtsdm.exe File opened (read-only) \??\q: tdlvgbtsdm.exe File opened (read-only) \??\v: tdlvgbtsdm.exe File opened (read-only) \??\e: gmvrcxpl.exe File opened (read-only) \??\z: gmvrcxpl.exe File opened (read-only) \??\b: tdlvgbtsdm.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" tdlvgbtsdm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tdlvgbtsdm.exe -
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/428-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000700000002320b-5.dat autoit_exe behavioral2/files/0x000700000002320e-26.dat autoit_exe behavioral2/files/0x000700000002320b-23.dat autoit_exe behavioral2/files/0x000700000002320b-22.dat autoit_exe behavioral2/files/0x00080000000224fc-18.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\tdlvgbtsdm.exe 28b84dca448ab58fa3a35940a125f7d4.exe File opened for modification C:\Windows\SysWOW64\ybcpadacbtblawa.exe 28b84dca448ab58fa3a35940a125f7d4.exe File opened for modification C:\Windows\SysWOW64\gmvrcxpl.exe 28b84dca448ab58fa3a35940a125f7d4.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe gmvrcxpl.exe File created C:\Windows\SysWOW64\lmphrnaarexoz.exe 28b84dca448ab58fa3a35940a125f7d4.exe File opened for modification C:\Windows\SysWOW64\lmphrnaarexoz.exe 28b84dca448ab58fa3a35940a125f7d4.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe gmvrcxpl.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe gmvrcxpl.exe File created C:\Windows\SysWOW64\ybcpadacbtblawa.exe 28b84dca448ab58fa3a35940a125f7d4.exe File created C:\Windows\SysWOW64\gmvrcxpl.exe 28b84dca448ab58fa3a35940a125f7d4.exe File created C:\Windows\SysWOW64\tdlvgbtsdm.exe 28b84dca448ab58fa3a35940a125f7d4.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tdlvgbtsdm.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe gmvrcxpl.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gmvrcxpl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal gmvrcxpl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gmvrcxpl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gmvrcxpl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal gmvrcxpl.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe gmvrcxpl.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gmvrcxpl.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe gmvrcxpl.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 28b84dca448ab58fa3a35940a125f7d4.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B3FF1B22DED27ED1D58B7A916B" 28b84dca448ab58fa3a35940a125f7d4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh tdlvgbtsdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" tdlvgbtsdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" tdlvgbtsdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC77415E3DBC7B8C87FE2EDE434BD" 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg tdlvgbtsdm.exe Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" tdlvgbtsdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8A4F5B85199041D7297D94BD97E6305942664F6331D69E" 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc tdlvgbtsdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf tdlvgbtsdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7C9C2582596A4476D277222DDD7DF364AF" 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFACDF911F299830E3B45869A3992B08D03F04311034CE1CF45E708D2" 28b84dca448ab58fa3a35940a125f7d4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B15C4493389953CDB9A133EED7CA" 28b84dca448ab58fa3a35940a125f7d4.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1228 WINWORD.EXE 1228 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 428 28b84dca448ab58fa3a35940a125f7d4.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4572 gmvrcxpl.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 4948 ybcpadacbtblawa.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 5068 tdlvgbtsdm.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 3420 lmphrnaarexoz.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe 2756 gmvrcxpl.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1228 WINWORD.EXE 1228 WINWORD.EXE 1228 WINWORD.EXE 1228 WINWORD.EXE 1228 WINWORD.EXE 1228 WINWORD.EXE 1228 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 428 wrote to memory of 5068 428 28b84dca448ab58fa3a35940a125f7d4.exe 34 PID 428 wrote to memory of 5068 428 28b84dca448ab58fa3a35940a125f7d4.exe 34 PID 428 wrote to memory of 5068 428 28b84dca448ab58fa3a35940a125f7d4.exe 34 PID 428 wrote to memory of 4948 428 28b84dca448ab58fa3a35940a125f7d4.exe 30 PID 428 wrote to memory of 4948 428 28b84dca448ab58fa3a35940a125f7d4.exe 30 PID 428 wrote to memory of 4948 428 28b84dca448ab58fa3a35940a125f7d4.exe 30 PID 428 wrote to memory of 4572 428 28b84dca448ab58fa3a35940a125f7d4.exe 33 PID 428 wrote to memory of 4572 428 28b84dca448ab58fa3a35940a125f7d4.exe 33 PID 428 wrote to memory of 4572 428 28b84dca448ab58fa3a35940a125f7d4.exe 33 PID 428 wrote to memory of 3420 428 28b84dca448ab58fa3a35940a125f7d4.exe 31 PID 428 wrote to memory of 3420 428 28b84dca448ab58fa3a35940a125f7d4.exe 31 PID 428 wrote to memory of 3420 428 28b84dca448ab58fa3a35940a125f7d4.exe 31 PID 5068 wrote to memory of 2756 5068 tdlvgbtsdm.exe 36 PID 5068 wrote to memory of 2756 5068 tdlvgbtsdm.exe 36 PID 5068 wrote to memory of 2756 5068 tdlvgbtsdm.exe 36 PID 428 wrote to memory of 1228 428 28b84dca448ab58fa3a35940a125f7d4.exe 38 PID 428 wrote to memory of 1228 428 28b84dca448ab58fa3a35940a125f7d4.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\28b84dca448ab58fa3a35940a125f7d4.exe"C:\Users\Admin\AppData\Local\Temp\28b84dca448ab58fa3a35940a125f7d4.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\SysWOW64\ybcpadacbtblawa.exeybcpadacbtblawa.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948
-
-
C:\Windows\SysWOW64\lmphrnaarexoz.exelmphrnaarexoz.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3420
-
-
C:\Windows\SysWOW64\gmvrcxpl.exegmvrcxpl.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
-
-
C:\Windows\SysWOW64\tdlvgbtsdm.exetdlvgbtsdm.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\gmvrcxpl.exeC:\Windows\system32\gmvrcxpl.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1228
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
382KB
MD5badd716c7c48a8241873d9251da496d1
SHA16bd2a072c8f64a1780fe75d983cb7b6584985c6d
SHA256ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7
SHA5127bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5
-
Filesize
512KB
MD5d403c76f8ac2c16d30aa6fec5ad5c550
SHA11637d0c8c53997cfc3102c7820bf8dc7f8c0d2c9
SHA2562dfbc2fb7064cebfa45aee661a9cdfd61e2334cb025591ab0d3e4f1474da6647
SHA512a97fb23b50d3f090f98d0a19338c5fb848bbc269b0d778731e7c6c6dd2058ffd592e7cc975cb9131fb3c51973a7e8e2be088faab6e61df5b82a824e740e89640
-
Filesize
92KB
MD559ebf1358a9b829f5709baaedeeee6fa
SHA11409fd65da1b814db0a08feae54366dfca196f1c
SHA256d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06
SHA512a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417
-
Filesize
384KB
MD50e151ec3919b72f9a6c7fe60d10f4ea0
SHA191fb01badc6db9808233ff95abf39c37982a8c85
SHA256f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA51241d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b