Analysis
Max time kernel: 151s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31/12/2023, 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe
  Resource: win10v2004-20231215-en
General
Target: 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe
Size: 512KB
MD5: 2cb51ba4e2ff06f522ce4f5beeb2bfff
SHA1: 5c1e980a851438111df7420989a1a6dc1c6a930e
SHA256: f8230fbfb661d9749b10071ee16ffc0220e3d37c5b344241368ccf6c042f9923
SHA512: 5e6320758901400882216835d05b87e2002997a2a656af4805b1d8f36800436b6061dd96b1ad2596894f3bfe65967541a0ac22b7d09a0cbf3f14fea7cf1894c0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (lgvycsfyuv.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (lgvycsfyuv.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (lgvycsfyuv.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (lgvycsfyuv.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
Executes dropped EXE 5 IoCs
- PID 748: lgvycsfyuv.exe
- PID 1252: fkhblpwddcvnreg.exe
- PID 1112: ivwskqtv.exe
- PID 572: ythqstgbzbakl.exe
- PID 3088: ivwskqtv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (lgvycsfyuv.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ythqstgbzbakl.exe" (fkhblpwddcvnreg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\twmwntld = "lgvycsfyuv.exe" (fkhblpwddcvnreg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zwjxyjtn = "fkhblpwddcvnreg.exe" (fkhblpwddcvnreg.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: lgvycsfyuv.exe File opened (read-only) \??\h: ivwskqtv.exe File opened (read-only) \??\u: lgvycsfyuv.exe File opened (read-only) \??\u: ivwskqtv.exe File opened (read-only) \??\k: ivwskqtv.exe File opened (read-only) \??\i: ivwskqtv.exe File opened (read-only) \??\k: ivwskqtv.exe File opened (read-only) \??\e: ivwskqtv.exe File opened (read-only) \??\n: ivwskqtv.exe File opened (read-only) \??\y: ivwskqtv.exe File opened (read-only) \??\a: lgvycsfyuv.exe File opened (read-only) \??\l: ivwskqtv.exe File opened (read-only) \??\z: lgvycsfyuv.exe File opened (read-only) \??\a: ivwskqtv.exe File opened (read-only) \??\l: ivwskqtv.exe File opened (read-only) \??\m: ivwskqtv.exe File opened (read-only) \??\p: ivwskqtv.exe File opened (read-only) \??\v: ivwskqtv.exe File opened (read-only) \??\v: ivwskqtv.exe File opened (read-only) \??\l: lgvycsfyuv.exe File opened (read-only) \??\n: lgvycsfyuv.exe File opened (read-only) \??\o: lgvycsfyuv.exe File opened (read-only) \??\g: ivwskqtv.exe File opened (read-only) \??\z: ivwskqtv.exe File opened (read-only) \??\a: ivwskqtv.exe File opened (read-only) \??\b: ivwskqtv.exe File opened (read-only) \??\w: ivwskqtv.exe File opened (read-only) \??\z: ivwskqtv.exe File opened (read-only) \??\t: lgvycsfyuv.exe File opened (read-only) \??\p: ivwskqtv.exe File opened (read-only) \??\r: ivwskqtv.exe File opened (read-only) \??\s: ivwskqtv.exe File opened (read-only) \??\h: lgvycsfyuv.exe File opened (read-only) \??\m: lgvycsfyuv.exe File opened (read-only) \??\q: lgvycsfyuv.exe File opened (read-only) \??\y: lgvycsfyuv.exe File opened (read-only) \??\m: ivwskqtv.exe File opened (read-only) \??\r: ivwskqtv.exe File opened (read-only) \??\g: ivwskqtv.exe File opened (read-only) \??\j: ivwskqtv.exe File opened (read-only) \??\q: ivwskqtv.exe File opened (read-only) \??\s: lgvycsfyuv.exe File opened (read-only) \??\v: lgvycsfyuv.exe File opened (read-only) \??\e: ivwskqtv.exe File opened (read-only) \??\s: ivwskqtv.exe File opened (read-only) \??\o: ivwskqtv.exe File opened (read-only) \??\x: ivwskqtv.exe File opened (read-only) \??\g: lgvycsfyuv.exe File opened (read-only) \??\r: lgvycsfyuv.exe File opened (read-only) \??\o: ivwskqtv.exe File opened (read-only) \??\e: lgvycsfyuv.exe File opened (read-only) \??\j: ivwskqtv.exe File opened (read-only) \??\q: ivwskqtv.exe File opened (read-only) \??\h: ivwskqtv.exe File opened (read-only) \??\b: lgvycsfyuv.exe File opened (read-only) \??\w: lgvycsfyuv.exe File opened (read-only) \??\b: ivwskqtv.exe File opened (read-only) \??\w: ivwskqtv.exe File opened (read-only) \??\x: ivwskqtv.exe File opened (read-only) \??\u: ivwskqtv.exe File opened (read-only) \??\k: lgvycsfyuv.exe File opened (read-only) \??\n: ivwskqtv.exe File opened (read-only) \??\t: ivwskqtv.exe File opened (read-only) \??\i: ivwskqtv.exe
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (lgvycsfyuv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (lgvycsfyuv.exe)
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
- behavioral2/memory/4732-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323b-19.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323c-22.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323d-26.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323e-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323e-31.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323d-27.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323c-23.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323b-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323d-9.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002323d-35.dat (yara rule: autoit_exe)
- behavioral2/files/0x00020000000227bd-80.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000002324d-105.dat (yara rule: autoit_exe)
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\lgvycsfyuv.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File opened for modification C:\Windows\SysWOW64\fkhblpwddcvnreg.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File created C:\Windows\SysWOW64\ivwskqtv.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File created C:\Windows\SysWOW64\ythqstgbzbakl.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File opened for modification C:\Windows\SysWOW64\ythqstgbzbakl.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (lgvycsfyuv.exe)
- File opened for modification C:\Windows\SysWOW64\lgvycsfyuv.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File created C:\Windows\SysWOW64\fkhblpwddcvnreg.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File opened for modification C:\Windows\SysWOW64\ivwskqtv.exe (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ivwskqtv.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ivwskqtv.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ivwskqtv.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ivwskqtv.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ivwskqtv.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (ivwskqtv.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ivwskqtv.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (ivwskqtv.exe)
Drops file in Windows directory 3 IoCs
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568B2FE6922DFD27ED1D18A759111" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (lgvycsfyuv.exe)
- Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C7F9D5682566A3F77D370202DD77CF465DF" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B02C4490389A53C5B9D333EAD4B9" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (lgvycsfyuv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FC83482882699042D6587D92BDEFE641594567466335D798" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC70F1591DBB3B9CD7C97ECE534C7" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (lgvycsfyuv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (lgvycsfyuv.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (lgvycsfyuv.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFABFF965F1E0837C3A41819C3995B08B028C4215034EE2CC429E08D4" (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (lgvycsfyuv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (lgvycsfyuv.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 1636: WINWORD.EXE
- PID 1636: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 4732 2cb51ba4e2ff06f522ce4f5beeb2bfff.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 748 lgvycsfyuv.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1252 fkhblpwddcvnreg.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 1112 ivwskqtv.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 572 ythqstgbzbakl.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe 3088 ivwskqtv.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1636 WINWORD.EXE 1636 WINWORD.EXE 1636 WINWORD.EXE 1636 WINWORD.EXE 1636 WINWORD.EXE 1636 WINWORD.EXE 1636 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
- PID 4732 wrote to memory of 748 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 44)
- PID 4732 wrote to memory of 748 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 44)
- PID 4732 wrote to memory of 748 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 44)
- PID 4732 wrote to memory of 1252 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 47)
- PID 4732 wrote to memory of 1252 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 47)
- PID 4732 wrote to memory of 1252 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 47)
- PID 4732 wrote to memory of 1112 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 46)
- PID 4732 wrote to memory of 1112 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 46)
- PID 4732 wrote to memory of 1112 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 46)
- PID 4732 wrote to memory of 572 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 45)
- PID 4732 wrote to memory of 572 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 45)
- PID 4732 wrote to memory of 572 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 45)
- PID 748 wrote to memory of 3088 (lgvycsfyuv.exe, procid_target 49)
- PID 748 wrote to memory of 3088 (lgvycsfyuv.exe, procid_target 49)
- PID 748 wrote to memory of 3088 (lgvycsfyuv.exe, procid_target 49)
- PID 4732 wrote to memory of 1636 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 51)
- PID 4732 wrote to memory of 1636 (2cb51ba4e2ff06f522ce4f5beeb2bfff.exe, procid_target 51)
Processes
C:\Users\Admin\AppData\Local\Temp\2cb51ba4e2ff06f522ce4f5beeb2bfff.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2cb51ba4e2ff06f522ce4f5beeb2bfff.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4732
  C:\Windows\SysWOW64\lgvycsfyuv.exe (depth 2)
  Command line: lgvycsfyuv.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 748
    C:\Windows\SysWOW64\ivwskqtv.exe (depth 3)
    Command line: C:\Windows\system32\ivwskqtv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3088
  C:\Windows\SysWOW64\ythqstgbzbakl.exe (depth 2)
  Command line: ythqstgbzbakl.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 572
  C:\Windows\SysWOW64\ivwskqtv.exe (depth 2)
  Command line: ivwskqtv.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1112
  C:\Windows\SysWOW64\fkhblpwddcvnreg.exe (depth 2)
  Command line: fkhblpwddcvnreg.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1252
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1636
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 37KB
  MD5: 3389f632f0488e2085ab5d5009d08939
  SHA1: c6f029d83bc90fb7e908a3c3de292d5553bc65ae
  SHA256: 23873784bea8b2a2f92a5cef5a79b60d7f2b892c6ebf48c0397cf80186ac5610
  SHA512: e499a98baa1405b684df40d4bbe10d5bfb2b86c77e87c4e5e751dab5cfcb2464ec3ed14105bdcbe0f866c82dc31b9a937a3a9edc2666b0f246cc888c89d28296
- Filesize: 239B
  MD5: 49cb7e42e96246112deafefe11d534b1
  SHA1: 27d12e47a95b587790ad980cca2db9ffdfa79caa
  SHA256: ec903863f323d8efec74a708b93951e7e0bb12faa5fc73b4ac295e7d094d17fb
  SHA512: 9a744593b72eb0c5b0b0548e67beb1676fb4d4ca9750a5d72b8d2a3846ca3e6ebe50ead4f45df68736c4a3779ad9dbb7aed2a7ccf6cab08275a780c6f264376d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 5a9f75577f211887c1c347e2f8755252
  SHA1: a9b3a3951401e1d582e8041812753bb2c12ba142
  SHA256: 532c6e79a16659bf91d59660ebf85ce72d60b8727d0e02c320636598fcd1cc63
  SHA512: 56fe9b2dd4a38444090014fcdba680525324ecc72127ad1896dcd604455079e6a8846f79f546156abb9393d3307cd69b20342c64c4dd81b3210fcb0deddad2e2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: ffcb25e9fbd9df30bdd9c6186a757cea
  SHA1: dd370a1640a1ee8a28bf9b7dcb68f1053b90f39b
  SHA256: aafdd7b2bcb914923b46f49aee991341feac9851f867296d10bd12ba8a6ecbac
  SHA512: bb988e54b1d00187f1df97b4092913d842d39617880aa891eade4871eeda547bb9a226eb98f293e1e65ba8f0576f46b7f55d8e5a618605b7e4c8257aa31d2e6a
- Filesize: 97KB
  MD5: 97ef2fa2bdb4cb136ee8af8985673e04
  SHA1: f50deff11374af26211c346b3eca1642ef5a083f
  SHA256: 4466ab50283538f8e82c19b28bfea6b2a4c681b47955e4dd3f4037272c789536
  SHA512: e047c293b737d9586fd19d89578665cd9d8507f1a10bee57785d8aee2978b8964a9fa16ee522bb92766a7508519b97e0d0a84f4c55aa9e6c15de3f4df0bef786
- Filesize: 29KB
  MD5: 90546a5b190069b3fdb5398e6fbc56d8
  SHA1: 34679e111bdb54e212a960592cfeca1839714580
  SHA256: 8fa9eaa112837e82cde011be3ae09ac414dbd9505f8fa19fb705c8163064151b
  SHA512: 235cc4b9276ed24e9a5e78d93439e46dac2220113a46490dbbf6ed609c47c931981cffa5de57e4b6ab5d42402e9b31c80761c0bb9406e6400002e0350a98c0c9
- Filesize: 14KB
  MD5: 620eb4462e7252093a354143d87d5d64
  SHA1: 3e73efb5c3ed3f39490fe8d39414db556e15d42a
  SHA256: 47f9063876aeac06849eab05f0b6e5d8db9b39cd8c7467e0bc1e5e93611e80c8
  SHA512: c056e66207f10668d054fa58ae7f96242bf0f04e9e3fb6283083e25f5578ea82096593882fbaaf3f02fabcf2998954afe5af8ba825433fc0d57b06860cb5573f
- Filesize: 17KB
  MD5: dcf4c4b48b96ad557f57171d2056ac27
  SHA1: fcf6f953e31d5f4c2e6c6ebe34cdfe780dbe1b4e
  SHA256: 70379f1765ec0972e064b9746cf94191df577cf6eab3ecfd28439e0cb9294a4c
  SHA512: 196726c0993cf660c04b44a708d8019d08959476464171c2e50774ebf221860e49cdfe106896ee82db157e35d4943e91b6b17dab380a4d544789df4e5447af2e
- Filesize: 28KB
  MD5: e92aa768761af4868374b1cf2c5932b4
  SHA1: ab8fac618baf2e0913c7324355f2bc10838faba5
  SHA256: 7b78abf2e002fb9d77c5521e1109ae3b1e504c98091f59e9d2675f74a6b1bbae
  SHA512: 2d863a424a9709d783f06316b88b55eeab4dd0e562678d269257ba03c677c332479437b2121fd07ac331a9727a690950708b5b1d7dd3911b7deefb4d20117c1a
- Filesize: 14KB
  MD5: d0211b641498db052379f0b015706b7e
  SHA1: 188a5e386fc2956caba29468825b04523505a36e
  SHA256: 525e1b647d9570a90fdc42b8770bbaf1f97d85f225232b80d0dba267f150e93e
  SHA512: 86c8587df318ad6196f1c09d4d91f11582b2c27b4e035cb1f829a4cef948b3ea7067b2d76b47d09da325f2816788f06d4e5a700383ee6284a29580e9c6c279e9
- Filesize: 24KB
  MD5: 465f41fddedcb32147bef2a09614f792
  SHA1: ddb5421a58982cc564a02be1beb3620f03b913b2
  SHA256: c28054d8af6c85446c961c94dc1888d88555bba3118584c50f9ea3186495b581
  SHA512: 22c58aac7566a1da1a7213555267d74d0a0133fc5ec1fde27292bbaed4144bd0b9a31f775dca352652db0b69a88174854510123edc1454cc89d4933e9a95cc41
- Filesize: 51KB
  MD5: 71dbce254726d1ae7045c7b064e5185c
  SHA1: 7f0f8e9f1fbb3fa302040ad7d45d2e3ca4e940ca
  SHA256: 30a95a9f0bad6e09685a2b423b8f33d9d7225d859666dcddacc282c56b73f74f
  SHA512: 4a18dff5f35148d611e0f42fec3890d0f5d9869f5c560b74c7fa65111c1f929f39417a258172b9b9da896baa222ddd11e2bea4fe039e7a01cbf85f32eb04854b
- Filesize: 26KB
  MD5: 2f9a7fe1d175f9e7125fed629c8d478f
  SHA1: 04f295108d837e54e819bca93f54c57efbd076c3
  SHA256: f75b46571f7fef31c9f47f5b4a754d99bd73634e7b73cff796f1609b07bf739a
  SHA512: 6aaaa58d5a0b318862cc18edec71706418ec7c4ebd98f2366da5daa417f328cad11a80e3bfa916e77321475972e783bd203c2621107eb762538c6bffaf86a46a
- Filesize: 25KB
  MD5: 0137c58572dcee498669bcbeafd4c58f
  SHA1: cc2421f538d4ffa07f0a169a100d59bbcdf4ea01
  SHA256: dbb8ec94cdbf3dc3be1ddc80756a7d07b72083cedf0cf4abc875ac2e1b529cb8
  SHA512: 79e6df73044b0804968890261a30c71a3125f7f9203c525413f34c3552e4295ce9f32d3121ff318694d33135d531ce84301650700290f9261916a36f06e8ac08
- Filesize: 30KB
  MD5: 5c5dabf4f7d699d296ebf98ae96ccdec
  SHA1: ff87bce5b611a14458e2af5ca96af53efbdf6bcf
  SHA256: 752b39f0f2c45536684eea12d5c8ceb8ea6a6cdc1c569821f614042d1106ebf1
  SHA512: 7a70e099cb4d7134139a5da2840e652ea67b69029ec3a98d67bbbd8c1f65b867cc7548fb39551160572f50c0f5593048f3f005672096f65235f2754c6858727d
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7