Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 13:03

Static task: static1

Behavioral task: behavioral1
Sample: 4213e024bc4f015c556788cca0b65ecb.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 4213e024bc4f015c556788cca0b65ecb.exe
Resource: win10v2004-20231215-en

General
Target: 4213e024bc4f015c556788cca0b65ecb.exe
Size: 512KB
MD5: 4213e024bc4f015c556788cca0b65ecb
SHA1: 33b9a14783b91d8c5adea252353a8ed1e4ce2d5b
SHA256: f39cb551404435ca1292f4671d84519dac7969927ef5c622009b746338e89c4c
SHA512: 3b7c68c575285cee4c837f5e7969f11b650a0f9827d2314dc9426542ec897e5393585628f1306d5351efd00568270488d26cefeec416fe55456191ac7e367b55
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5K
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gncywgfigj.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gncywgfigj.exe

Windows security bypass (5 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gncywgfigj.exe

Disables RegEdit via registry modification (1 IoC)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gncywgfigj.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 4213e024bc4f015c556788cca0b65ecb.exe
Executes dropped EXE (5 IoCs)
PID | Process
3236 | gncywgfigj.exe
1984 | khuajycwrlfoulw.exe
4532 | hynpczhl.exe
5036 | rqsekccsmkuib.exe
4240 | hynpczhl.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gncywgfigj.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\adeccsok = "khuajycwrlfoulw.exe" | khuajycwrlfoulw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rqsekccsmkuib.exe" | khuajycwrlfoulw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kcnxpvxl = "gncywgfigj.exe" | khuajycwrlfoulw.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root (\??\<letter>:), grouped here by process:
gncywgfigj.exe (22 opens, each letter once): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, y, z
hynpczhl.exe (42 opens across its two instances; every letter twice except b, g, l and o): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z
The letters c, d and f appear in neither list.
Modifies WinLogon (2 TTPs, 2 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gncywgfigj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gncywgfigj.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Resource | YARA rule
behavioral2/memory/5088-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023039-5.dat | autoit_exe
behavioral2/files/0x000300000001e982-18.dat | autoit_exe
behavioral2/files/0x0008000000023211-27.dat | autoit_exe
behavioral2/files/0x0006000000023216-31.dat | autoit_exe
behavioral2/files/0x0006000000023223-72.dat | autoit_exe
behavioral2/files/0x000c000000016933-86.dat | autoit_exe
behavioral2/files/0x000600000002322d-89.dat | autoit_exe
behavioral2/files/0x000600000002322d-107.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\rqsekccsmkuib.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | C:\Windows\SysWOW64\hynpczhl.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File opened for modification | C:\Windows\SysWOW64\hynpczhl.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | C:\Windows\SysWOW64\gncywgfigj.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File created | C:\Windows\SysWOW64\khuajycwrlfoulw.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | C:\Windows\SysWOW64\khuajycwrlfoulw.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gncywgfigj.exe
File opened for modification | C:\Windows\SysWOW64\gncywgfigj.exe | 4213e024bc4f015c556788cca0b65ecb.exe
File created | C:\Windows\SysWOW64\rqsekccsmkuib.exe | 4213e024bc4f015c556788cca0b65ecb.exe

Drops file in Program Files directory (14 IoCs)
Description | IoC | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hynpczhl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | hynpczhl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hynpczhl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hynpczhl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hynpczhl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | hynpczhl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hynpczhl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | hynpczhl.exe

Drops file in Windows directory (19 IoCs)
Description | IoC | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | C:\Windows\mydoc.rtf | 4213e024bc4f015c556788cca0b65ecb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | hynpczhl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hynpczhl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | hynpczhl.exe
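The three "Drops file" tables above share one pattern worth pulling out: hynpczhl.exe writes executables named `<stem>.DOC.exe` into Office and WinSxS directories, and next to the Office ones a `<stem>.nal` file of the same stem is also touched, while the sample itself writes four new executables into SysWOW64 and gncywgfigj.exe opens the VB6 runtime msvbvm60.dll for modification. The script below is an added example, not part of this report or of the sample: it parses a constructed subset of the rows above, collapses the two spellings of each path (`\??\c:\...` and `C:\...`), and flags double-extension executables, their `.nal` siblings, and PE files created or modified under System32/SysWOW64. The document-extension list is an assumption (the report only shows `.doc.exe`/`.DOC.exe`), and the report does not say what the `.nal` files contain, so they are only paired, not interpreted.

```python
"""Flag double-extension drops and System32 writes in a sandbox file-IoC table.

Added example; not part of the sandbox report or the sample. The IoC rows are a
constructed subset copied from the report's "Drops file in ..." tables.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: rows copied from the report (two path spellings on purpose).
IOC_LINES = r"""
File created C:\Windows\SysWOW64\hynpczhl.exe 4213e024bc4f015c556788cca0b65ecb.exe
File opened for modification C:\Windows\SysWOW64\hynpczhl.exe 4213e024bc4f015c556788cca0b65ecb.exe
File created C:\Windows\SysWOW64\gncywgfigj.exe 4213e024bc4f015c556788cca0b65ecb.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll gncywgfigj.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe hynpczhl.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe hynpczhl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hynpczhl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe hynpczhl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal hynpczhl.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe hynpczhl.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal hynpczhl.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe hynpczhl.exe
File opened for modification C:\Windows\mydoc.rtf 4213e024bc4f015c556788cca0b65ecb.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
"""

# Row shape: "<action> <path with spaces> <process name without spaces>".
LINE_RE = re.compile(r"^(File created|File opened for modification) (.+) (\S+)$")
# Assumption: extensions a user would read as "a document" when Explorer hides the
# trailing .exe (the sample sets HideFileExt=1 in the same run).
DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and upper-case the drive letter so
    the same file logged two ways collapses to one key."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def parse(text: str):
    """Yield (action, normalized_path, process) for each IoC row."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        action, path, proc = m.groups()
        yield action, normalize(path), proc


def analyze(text: str = IOC_LINES) -> dict:
    """Group rows per file, then classify each unique path."""
    files = defaultdict(lambda: {"actions": set(), "by": set()})
    for action, path, proc in parse(text):
        files[path]["actions"].add(action)
        files[path]["by"].add(proc)

    known = {p.lower() for p in files}
    out = {"double_extension": [], "system_created": [], "system_modified_only": []}
    for path, info in files.items():
        p = PureWindowsPath(path)
        suffixes = [s.lower() for s in p.suffixes]
        # <stem>.<docext>.exe: looks like a document once known extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DOC_EXTS:
            stem = p.name[: -len("".join(p.suffixes[-2:]))]
            sibling = str(p.with_name(stem + ".nal")).lower()
            out["double_extension"].append({"path": path, "by": sorted(info["by"]),
                                            "nal_sibling_logged": sibling in known})
        # PE files under System32/SysWOW64: created by the sample, or only modified
        # (msvbvm60.dll in this report) without being created in the same run.
        if suffixes and suffixes[-1] in (".exe", ".dll") and path.lower().startswith(SYSTEM_DIRS):
            bucket = "system_created" if "File created" in info["actions"] else "system_modified_only"
            out[bucket].append({"path": path, "by": sorted(info["by"])})
    for bucket in out:
        out[bucket].sort(key=lambda d: d["path"])
    return out


if __name__ == "__main__":
    for bucket, items in analyze().items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the full report the same logic yields seven unique `.DOC.exe`/`.doc.exe` paths (one in SysWOW64\MSDRM, two under Office16\1033, four under WinSxS), of which only the two Office ones have a `.nal` sibling logged.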
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Both of these signatures fire on WINWORD.EXE (PID 2884), which the sample launched to open C:\Windows\mydoc.rtf, not on the sample or any of its dropped executables.

Modifies registry class (20 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFABCFE13F198837A3A3186983E96B38D02F843150349E2CB42EC09D4" | 4213e024bc4f015c556788cca0b65ecb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gncywgfigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gncywgfigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gncywgfigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gncywgfigj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4213e024bc4f015c556788cca0b65ecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C769C5182566D4476D770202CD77DF264AA" | 4213e024bc4f015c556788cca0b65ecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B05847E038E253CDB9A7329DD7CA" | 4213e024bc4f015c556788cca0b65ecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FCF94F5A856D9133D75D7D96BCEEE144593566426337D7ED" | 4213e024bc4f015c556788cca0b65ecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB6FE6A22D0D10BD1A88B0E9166" | 4213e024bc4f015c556788cca0b65ecb.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | 4213e024bc4f015c556788cca0b65ecb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67515E7DAC3B8BE7FE7ED9134BB" | 4213e024bc4f015c556788cca0b65ecb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gncywgfigj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gncywgfigj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gncywgfigj.exe
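Taken together, the registry signatures above describe one remediation job: Explorer display settings (HideFileExt, ShowSuperHidden), the Security Center notify/override flags, DisableRegistryTools, the Winlogon SFCDisable value, three Run entries, and the (Default) value of the .bat/.vbs/.reg/.wsf/.wsh/.wsc classes pointed at "txtfile", which makes double-clicking any of those script types open Notepad instead of running them. The script below is an added example, not part of this report or of the sample: it parses a constructed subset of the "Set value" rows, converts the native `\REGISTRY\MACHINE` and `\REGISTRY\USER` paths to the `HKLM\` / `HKU\` form reg.exe accepts, decodes the SFCDisable DWORD (4294967197 is 0xFFFFFF9D, the value long written by malware to switch off Windows File Protection on Windows 2000-era systems; Windows Resource Protection since Vista does not use it, but it remains a clear tell), and emits a reg.exe command per finding. The WOW6432Node component is kept in the paths on purpose: the sample's processes run from SysWOW64, so their 32-bit HKLM writes land in the redirected view, the same redirection that makes the level-3 hynpczhl.exe launched as C:\Windows\system32\hynpczhl.exe actually run from SysWOW64. The "expected" baseline values and the default ProgIDs in DEFAULT_PROGID are assumptions for a default Windows 10 install and must be checked against a known-clean host before they are used to remediate.

```python
"""Turn the registry writes from a sandbox report into an audit/remediation list.

Added example; not part of the sandbox report or the sample. IOC_LINES is a
constructed subset of the report's "Set value" rows. Expected/baseline values
and DEFAULT_PROGID are assumptions for a default Windows 10 host.
"""
import re
from dataclasses import dataclass

IOC_LINES = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" gncywgfigj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gncywgfigj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gncywgfigj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gncywgfigj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gncywgfigj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" gncywgfigj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kcnxpvxl = "gncywgfigj.exe" khuajycwrlfoulw.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" gncywgfigj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" gncywgfigj.exe
"""

# Row shape: Set value (<int|str>) <path, may contain spaces> = "<data>" <process>
LINE_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

# Assumed default ProgIDs for the script extensions the sample remaps to "txtfile".
DEFAULT_PROGID = {".bat": "batfile", ".vbs": "VBSFile", ".reg": "regfile",
                  ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile"}


@dataclass
class Finding:
    key: str            # reg.exe-style key, e.g. HKLM\SOFTWARE\...
    value_name: str     # "" means the key's (Default) value
    written: str        # data the sample wrote
    by: str             # writing process
    tag: str = "unclassified"
    note: str = ""
    expected: str = ""  # "0", "remove", a ProgID, or "" when nothing is suggested


def to_reg_key(nt_key: str) -> str:
    """Map the native REGISTRY\\MACHINE / REGISTRY\\USER key to HKLM\\ / HKU\\."""
    for prefix, hive in ((r"\REGISTRY\MACHINE", "HKLM"), (r"\REGISTRY\USER", "HKU")):
        if nt_key.startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def decode_dword(text: str) -> int:
    """Sandbox logs print REG_DWORD unsigned; return the signed view (4294967197 -> -99)."""
    n = int(text) & 0xFFFFFFFF
    return n - 0x1_0000_0000 if n & 0x8000_0000 else n


def classify(line: str) -> Finding:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    _kind, path, value, proc = m.groups()
    nt_key, _, name = path.rpartition("\\")      # trailing "\" => (Default) value
    f = Finding(to_reg_key(nt_key), name, value, proc)
    low = nt_key.lower()
    ext = nt_key.rsplit("\\", 1)[-1].lower()
    if "\\security center" in low:
        f.tag, f.expected = "impair-defenses", "0"
        f.note = "XP SP2-era Security Center notify/override flag"
    elif name == "DisableRegistryTools":
        f.tag, f.expected = "impair-defenses", "0"
        f.note = "blocks regedit.exe for this user"
    elif name == "SFCDisable":
        f.tag, f.expected = "impair-defenses", "0"
        f.note = (f"signed {decode_dword(value)} (0x{int(value):08X}); 0xFFFFFF9D was the "
                  "Windows 2000 value for disabling Windows File Protection")
    elif low.endswith("\\currentversion\\run"):
        f.tag, f.expected, f.note = "persistence", "remove", "autostart entry"
    elif name == "" and ext in DEFAULT_PROGID and value.lower() == "txtfile":
        f.tag, f.expected = "impair-defenses", DEFAULT_PROGID[ext]
        f.note = f"{ext} files now open in Notepad instead of executing"
    elif name in ("HideFileExt", "ShowSuperHidden"):
        f.tag = "hide-artifacts"
        f.note = ("HideFileExt=1 is the Windows default, so on its own it is not anomalous; "
                  "together with the .DOC.exe drops it hides the real extension")
    return f


def audit(text: str = IOC_LINES) -> list:
    return [classify(line) for line in text.splitlines() if line.strip()]


def reg_command(f: Finding):
    """reg.exe command restoring the assumed baseline, or None if nothing is suggested."""
    target = f"/v {f.value_name}" if f.value_name else "/ve"
    if f.expected == "remove":
        return f'reg delete "{f.key}" {target} /f'
    if f.expected == "0":
        return f'reg add "{f.key}" {target} /t REG_DWORD /d 0 /f'
    if f.expected:
        return f'reg add "{f.key}" {target} /t REG_SZ /d {f.expected} /f'
    return None


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.tag}] {f.key}\\{f.value_name or '(Default)'} = {f.written!r} by {f.by}")
        if f.note:
            print("    ", f.note)
        if (cmd := reg_command(f)) is not None:
            print("    ", cmd)
```

The HKU entries carry the sandbox user's SID (S-1-5-21-1497073144-2389943819-3385106915-1000); on a real host substitute the affected user's SID, or load the user's hive first. Run the generated commands from an elevated 64-bit prompt so the explicit WOW6432Node paths resolve as written.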
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
PID | Process | Occurrences
2884 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID | Process | Occurrences
5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 16
1984 | khuajycwrlfoulw.exe | 10
3236 | gncywgfigj.exe | 10
4532 | hynpczhl.exe | 8
5036 | rqsekccsmkuib.exe | 12
4240 | hynpczhl.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
PID | Process | Occurrences
5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 3
3236 | gncywgfigj.exe | 3
1984 | khuajycwrlfoulw.exe | 3
4532 | hynpczhl.exe | 3
5036 | rqsekccsmkuib.exe | 3
4240 | hynpczhl.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
PID | Process | Occurrences
5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 3
3236 | gncywgfigj.exe | 3
1984 | khuajycwrlfoulw.exe | 3
4532 | hynpczhl.exe | 3
5036 | rqsekccsmkuib.exe | 3
4240 | hynpczhl.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
PID | Process | Occurrences
2884 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
Description | PID | Process | procid_target | Occurrences
PID 5088 wrote to memory of 3236 | 5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 89 | 3
PID 5088 wrote to memory of 1984 | 5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 90 | 3
PID 5088 wrote to memory of 4532 | 5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 91 | 3
PID 5088 wrote to memory of 5036 | 5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 92 | 3
PID 5088 wrote to memory of 2884 | 5088 | 4213e024bc4f015c556788cca0b65ecb.exe | 94 | 2
PID 3236 wrote to memory of 4240 | 3236 | gncywgfigj.exe | 96 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\4213e024bc4f015c556788cca0b65ecb.exe (PID 5088, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\4213e024bc4f015c556788cca0b65ecb.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\gncywgfigj.exe (PID 3236, level 2, parent 5088)
  Command line: gncywgfigj.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\hynpczhl.exe (PID 4240, level 3, parent 3236)
    Command line: C:\Windows\system32\hynpczhl.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\khuajycwrlfoulw.exe (PID 1984, level 2, parent 5088)
  Command line: khuajycwrlfoulw.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hynpczhl.exe (PID 4532, level 2, parent 5088)
  Command line: hynpczhl.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rqsekccsmkuib.exe (PID 5036, level 2, parent 5088)
  Command line: rqsekccsmkuib.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2884, level 2, parent 5088)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 383KB
MD5: 934ed045b796e575bf81d60cf435f0ef
SHA1: b1f193965dad0397fbe483ccdc48b59976d44f72
SHA256: 1d10e104044b2243e721816a1554ae175093156947efb94337719dbc50231c48
SHA512: bce519556c5c7f8d3627cbd6bd96859a2124ab342b4acf033d5d6dae48972735dafcc6dcb010b18d76084c617a47548e89c7f89b7f09b77ba0b7a1a0329effbb

Filesize: 239B
MD5: 0c59a5f4b604bdb95d678de25e7be485
SHA1: b2f63dc74e24096cfaec01add4039bb6b4221650
SHA256: 4f67992a112a96b5f8fee2357028d149d02be8c07cfff8b729fc33ad27ab5561
SHA512: 9e31d6948d8d5d1ad4b8ec7ee4910eebda596ca73fd23dd72401e400c661b993b04ce907aa796597773feb9ef6f598b0c852b091996ec03d6bf69b74d5054e4b

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 3a409192e8631b18e8722da41cd5ffd9
SHA1: 5d316d0344a1dfc563d4e4c373a72dce97d61672
SHA256: 9a461ff1385505772d88b50e191efcc649977977f2e712ca72ca43fa60fb622d
SHA512: e0c127e8812f6d9572b96790be160c19fa717014107add7f55347ddcad5f51f34ad12fb2a68604ab567061f8760e3df489461cc742596c55688b78a1f1047018

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7fd2e56b1e5a14a95379ac525634335d
SHA1: f1b8532b68c2698a11ee21e506f602a681d6ecb0
SHA256: fff229b9359ec0004df6bbff411c31e7919512886b08276b5eb884928bc0b6dd
SHA512: 453e58878d8ca74392d64e7b7ddb1749decd7dcfc3676dd5890cb7eed76a483258352b231933c173bcec5e1ddff2484b5fd619760a1ca6671fc1b33307a12621

Filesize: 512KB
MD5: 6315e3cc3d1b7822cc0f9540fbfc0e2f
SHA1: 5f0493536e05045f609428601d20b0a7dd5779dd
SHA256: 0b47eeeb659330ccdc26d7b53c788f86be69d729fcb5a8789103681507150827
SHA512: a4323e6c66ac295d9ea35632e9ed6e1ea984e039d972cec73e6d6be9d60f46e48e63ed1130963aabef0e99ffd4d0a9260366dd367ca546f7c8ba4768aea6fa92

Filesize: 512KB
MD5: 4ccb062f33382762b99ad75f1ba2a5cb
SHA1: 45f3f1390b0c11e307cce0c710c4cbe1bd42a1c8
SHA256: cfcaa4d91905368d5a138a492a2f5d9ee94a255a781f3047854b5f308cf3f77b
SHA512: ac3d004b5648147d8376fe4a56845c07cfc3f1ba397300783c8680a96aa826318344098bde2e88d96e9d0201c3e2b475aef78fbf73ad411ef4821800430d25ce

Filesize: 512KB
MD5: ef509e18c2b55c52b5bd36514d39f554
SHA1: 5cc324e803456f8efa2ad1a25eff0edac652e025
SHA256: 4e2343816242c2f00be561d483e8794e0a9bad5a3440b6fe3c23b9899ced0c2f
SHA512: 67d8188c910d8f2581165abf59c3f25a753cdab45dcbb02e059e840d2924ec88635d002d6b7b510d508340db2f2f86c2e618459c2b641d1cb03b0895f22c7494

Filesize: 512KB
MD5: cd48a287cabfd9bc2f7d9d3ad6ab95a9
SHA1: 0e6721a6e68fd2142ded21d7a4541181995ffa90
SHA256: 19f7ee2a9192ba7a86effb2dfc778658400c5e6d7a7aab00ae55134642d724b1
SHA512: 249f6dd773ca41ec78fc999724a36f89c12d863ea90f38c7d8e4038009911d07a3aeb6c45e6dbb3c718483f5b49befa93986ffda02b500936207ad10e4ef1a44

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: fe29cdf8017f8f31091f290c3cac1d15
SHA1: 52146e32d0818af70a9e90fed1c15706818c81b4
SHA256: 9dbf33d090be2c3c67d3e0bd0261433d866d2d4b325eb7aec69e5322c69f5362
SHA512: e6af8749e211d336d716e2ba8a43eeb3ffae868545fda0a928662d4c349c11f33f704c50e96ae3434bdac5a03daa13781f779a37b393bc0c6d3812c5fded093c

Filesize: 512KB
MD5: 356718f4d82e9e2b1144d84cdffb0ada
SHA1: ba0fdc7d0bb02662ae351cd1574d565e20bcaffc
SHA256: 96eba40027a93b58bbcd5d7360e8a6c3935cd696dc8f5ab82cc566a8ed34e85b
SHA512: 5416aab5afa11ed7d340fe2276ffc7ec41b9b9374611f5cf2a194a32e5a870330cccbfd27cab0a73acbd635269da180ba4f3a4f8e2f924548fe9e5cded74a97b

Filesize: 512KB
MD5: af61e9b7d91289c0ffb2eb2ec7b29eea
SHA1: 46fb2b9a0d0df0a4eda6acb8122851bf51edc7ea
SHA256: 6735b03ca974077bac795a216c32fefc34aa4e8775ff7c55dd081139f84771b8
SHA512: d37a4c6a33c829f4102ee824de6d7a1d1fe0f67627d4a6db53696a463b64371c4ec9a09e4e5628d26c18a0b443d40bdb171ec388d18dcedbf4bc057107516e75