Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 14:34
Static task: static1
Behavioral task: behavioral1
  Sample: 39faf8ddc75b4758a1a35b1c3841a776.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 39faf8ddc75b4758a1a35b1c3841a776.exe
  Resource: win10v2004-20231215-en
General
Target: 39faf8ddc75b4758a1a35b1c3841a776.exe
Size: 512KB
MD5: 39faf8ddc75b4758a1a35b1c3841a776
SHA1: c1909d6b03d78abc536fd19c6c083a92a6c4a2d2
SHA256: 6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662
SHA512: de906f80ebcf32659b2bf48ed3d6e08a37f319cfeabca3148fae21394e66e2d4b9dc86ceb1537d41cd6493ea7d21a3fbb960428e9692fd57f22880dcfc65eb0a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gikchvknzy.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gikchvknzy.exe
Windows security bypass 5 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gikchvknzy.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gikchvknzy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 39faf8ddc75b4758a1a35b1c3841a776.exe
Executes dropped EXE 5 IoCs
pid | Process
- 2352 | gikchvknzy.exe
- 2712 | fxomsazbsfxihxq.exe
- 3624 | uhwaauwy.exe
- 5840 | zjrfqqssowewc.exe
- 1316 | uhwaauwy.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gikchvknzy.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vugswnds = "gikchvknzy.exe" | fxomsazbsfxihxq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pwbtfssp = "fxomsazbsfxihxq.exe" | fxomsazbsfxihxq.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zjrfqqssowewc.exe" | fxomsazbsfxihxq.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\z: | uhwaauwy.exe
- File opened (read-only) | \??\j: | uhwaauwy.exe
- File opened (read-only) | \??\t: | uhwaauwy.exe
- File opened (read-only) | \??\w: | uhwaauwy.exe
- File opened (read-only) | \??\e: | uhwaauwy.exe
- File opened (read-only) | \??\h: | uhwaauwy.exe
- File opened (read-only) | \??\b: | uhwaauwy.exe
- File opened (read-only) | \??\u: | uhwaauwy.exe
- File opened (read-only) | \??\v: | uhwaauwy.exe
- File opened (read-only) | \??\l: | uhwaauwy.exe
- File opened (read-only) | \??\s: | uhwaauwy.exe
- File opened (read-only) | \??\n: | uhwaauwy.exe
- File opened (read-only) | \??\z: | uhwaauwy.exe
- File opened (read-only) | \??\b: | gikchvknzy.exe
- File opened (read-only) | \??\l: | gikchvknzy.exe
- File opened (read-only) | \??\k: | uhwaauwy.exe
- File opened (read-only) | \??\o: | uhwaauwy.exe
- File opened (read-only) | \??\k: | gikchvknzy.exe
- File opened (read-only) | \??\u: | gikchvknzy.exe
- File opened (read-only) | \??\p: | uhwaauwy.exe
- File opened (read-only) | \??\u: | uhwaauwy.exe
- File opened (read-only) | \??\n: | uhwaauwy.exe
- File opened (read-only) | \??\t: | uhwaauwy.exe
- File opened (read-only) | \??\a: | uhwaauwy.exe
- File opened (read-only) | \??\h: | uhwaauwy.exe
- File opened (read-only) | \??\m: | gikchvknzy.exe
- File opened (read-only) | \??\v: | gikchvknzy.exe
- File opened (read-only) | \??\w: | gikchvknzy.exe
- File opened (read-only) | \??\q: | uhwaauwy.exe
- File opened (read-only) | \??\x: | uhwaauwy.exe
- File opened (read-only) | \??\n: | gikchvknzy.exe
- File opened (read-only) | \??\o: | gikchvknzy.exe
- File opened (read-only) | \??\s: | gikchvknzy.exe
- File opened (read-only) | \??\t: | gikchvknzy.exe
- File opened (read-only) | \??\p: | uhwaauwy.exe
- File opened (read-only) | \??\q: | uhwaauwy.exe
- File opened (read-only) | \??\p: | gikchvknzy.exe
- File opened (read-only) | \??\x: | gikchvknzy.exe
- File opened (read-only) | \??\a: | gikchvknzy.exe
- File opened (read-only) | \??\v: | uhwaauwy.exe
- File opened (read-only) | \??\g: | uhwaauwy.exe
- File opened (read-only) | \??\i: | uhwaauwy.exe
- File opened (read-only) | \??\w: | uhwaauwy.exe
- File opened (read-only) | \??\k: | uhwaauwy.exe
- File opened (read-only) | \??\r: | uhwaauwy.exe
- File opened (read-only) | \??\s: | uhwaauwy.exe
- File opened (read-only) | \??\r: | gikchvknzy.exe
- File opened (read-only) | \??\y: | gikchvknzy.exe
- File opened (read-only) | \??\m: | uhwaauwy.exe
- File opened (read-only) | \??\z: | gikchvknzy.exe
- File opened (read-only) | \??\x: | uhwaauwy.exe
- File opened (read-only) | \??\j: | gikchvknzy.exe
- File opened (read-only) | \??\a: | uhwaauwy.exe
- File opened (read-only) | \??\j: | uhwaauwy.exe
- File opened (read-only) | \??\m: | uhwaauwy.exe
- File opened (read-only) | \??\r: | uhwaauwy.exe
- File opened (read-only) | \??\q: | gikchvknzy.exe
- File opened (read-only) | \??\b: | uhwaauwy.exe
- File opened (read-only) | \??\g: | uhwaauwy.exe
- File opened (read-only) | \??\l: | uhwaauwy.exe
- File opened (read-only) | \??\y: | uhwaauwy.exe
- File opened (read-only) | \??\i: | gikchvknzy.exe
- File opened (read-only) | \??\y: | uhwaauwy.exe
- File opened (read-only) | \??\o: | uhwaauwy.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gikchvknzy.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gikchvknzy.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/3136-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x00070000000231fe-5.dat | autoit_exe
- behavioral2/files/0x00070000000231fb-20.dat | autoit_exe
- behavioral2/files/0x00070000000231fe-22.dat | autoit_exe
- behavioral2/files/0x0006000000023203-31.dat | autoit_exe
- behavioral2/files/0x0006000000023202-29.dat | autoit_exe
- behavioral2/files/0x0006000000023203-32.dat | autoit_exe
- behavioral2/files/0x0006000000023202-26.dat | autoit_exe
- behavioral2/files/0x00070000000231fe-21.dat | autoit_exe
- behavioral2/files/0x00070000000231fb-18.dat | autoit_exe
- behavioral2/files/0x0006000000023202-45.dat | autoit_exe
- behavioral2/files/0x000600000002320d-80.dat | autoit_exe
- behavioral2/files/0x000600000002320c-74.dat | autoit_exe
- behavioral2/files/0x000f00000001da82-92.dat | autoit_exe
- behavioral2/files/0x000b0000000231af-112.dat | autoit_exe
- behavioral2/files/0x000b0000000231af-106.dat | autoit_exe
- behavioral2/files/0x000b0000000231af-109.dat | autoit_exe
- behavioral2/files/0x000b0000000231af-115.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\gikchvknzy.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gikchvknzy.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | C:\Windows\SysWOW64\uhwaauwy.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | C:\Windows\SysWOW64\gikchvknzy.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File created | C:\Windows\SysWOW64\zjrfqqssowewc.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | C:\Windows\SysWOW64\fxomsazbsfxihxq.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File opened for modification | C:\Windows\SysWOW64\fxomsazbsfxihxq.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File created | C:\Windows\SysWOW64\uhwaauwy.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File opened for modification | C:\Windows\SysWOW64\zjrfqqssowewc.exe | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uhwaauwy.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uhwaauwy.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uhwaauwy.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uhwaauwy.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uhwaauwy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uhwaauwy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uhwaauwy.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | C:\Windows\mydoc.rtf | 39faf8ddc75b4758a1a35b1c3841a776.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | uhwaauwy.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | uhwaauwy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFF8D4F5D85689040D65F7E96BCEEE13D584067426242D7EE" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gikchvknzy.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gikchvknzy.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gikchvknzy.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC70F15E0DBBFB8B97FE7ECE437C9" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gikchvknzy.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9BCF962F19484083B4081EA3993B38C028B4260034BE1BD45E809D2" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gikchvknzy.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C089C2283256A3477D670562CA97C8465AB" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B15B449039E353CFB9D73392D4CF" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F768B0FE1A22DBD10ED0A08A7D9010" | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | 39faf8ddc75b4758a1a35b1c3841a776.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gikchvknzy.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
- 4564 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
- 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe (x16)
- 2712 | fxomsazbsfxihxq.exe (x10)
- 2352 | gikchvknzy.exe (x10)
- 5840 | zjrfqqssowewc.exe (x12)
- 3624 | uhwaauwy.exe (x8)
- 2712 | fxomsazbsfxihxq.exe (x2)
- 5840 | zjrfqqssowewc.exe (x4)
- 1316 | uhwaauwy.exe (x2)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
- 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe (x3)
- 2712 | fxomsazbsfxihxq.exe (x3)
- 2352 | gikchvknzy.exe (x3)
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 1316 | uhwaauwy.exe (x3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process (consecutive identical rows collapsed, count in parentheses)
- 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe (x3)
- 2712 | fxomsazbsfxihxq.exe (x3)
- 2352 | gikchvknzy.exe (x3)
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 5840 | zjrfqqssowewc.exe
- 3624 | uhwaauwy.exe
- 1316 | uhwaauwy.exe (x3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
- 4564 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count in parentheses)
- PID 3136 wrote to memory of 2352 | 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe | 89 (x3)
- PID 3136 wrote to memory of 2712 | 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe | 92 (x3)
- PID 3136 wrote to memory of 3624 | 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe | 91 (x3)
- PID 3136 wrote to memory of 5840 | 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe | 90 (x3)
- PID 3136 wrote to memory of 4564 | 3136 | 39faf8ddc75b4758a1a35b1c3841a776.exe | 93 (x2)
- PID 2352 wrote to memory of 1316 | 2352 | gikchvknzy.exe | 96 (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3136

    C:\Windows\SysWOW64\gikchvknzy.exe
    Command line: gikchvknzy.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2352

        C:\Windows\SysWOW64\uhwaauwy.exe
        Command line: C:\Windows\system32\uhwaauwy.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1316

    C:\Windows\SysWOW64\zjrfqqssowewc.exe
    Command line: zjrfqqssowewc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 5840

    C:\Windows\SysWOW64\uhwaauwy.exe
    Command line: uhwaauwy.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3624

    C:\Windows\SysWOW64\fxomsazbsfxihxq.exe
    Command line: fxomsazbsfxihxq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2712

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4564
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

Filesize: 34KB
MD5: ebf291be7bb846c7283ec72417cf72b7
SHA1: b97fac339d370e87170eac35f938a9f03129dae1
SHA256: c08eaf54514f2d880ff73d93b95b98bb4afb5b5056495135ad605e06589f0a76
SHA512: 5b172daa72be0858dad3e92a739e83aabd4607889a3a0a583e3a1315e0fb03f222da5d5ef1e92862cebf894e2487f15f579df66e51d9d8d0ff9d97c2be909e4e

Filesize: 69KB
MD5: 296b9bbdc792d87f207b1f560cf8d60f
SHA1: 668f7ee3c96ef5517a4026b2777cb551f7784d63
SHA256: dfbbfe2062d38fddef6ce01ad66385edb8ef4b42233470ccb64fe1fc1b12acb5
SHA512: df4708c918ad116c4da3104e81372613d2c8b94f6f14d8259adb45904777149e41c5be5d63a7b185545d7c04661895a7604c5fdb24f245685c9bd70d8b0920ed

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7a979bcd981d7dca26a4fd00e6e3c00a
SHA1: 941c0dafc5014f0ae16efcfea8c88d327fe7def6
SHA256: 7336d169641cc5e7486ca2cb49387f8cf986d915a7959f51097f1e772d456738
SHA512: f582fa9725c1b6a2c5a9565fc4dca2a9b9bf8df92227fbc2b8e5ceb04252104c3e5d1015a1004225181448099051fb95a4c6e43c7bed04d9a5a5b8112541b382

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: ef9677ee80a08581f9a4b43c86436bee
SHA1: bddeac74246c9858e1c399772ca83fffb8f44e12
SHA256: a1aa6d1f8725d98487a5c49d5d5db50603e04c2e72bc389964f418914788713c
SHA512: e73b8c08a23983ba5a7ae37f8ebb5e5bca745c8d540d40166eb01f338ea1edbefcc046af9a50c086bcbcf7d0e81944e26750734212cc2885883531a05632db9c

Filesize: 142KB
MD5: 5a9370af373542f3e21e1a8c4f2c36da
SHA1: 2c5e7850f8c18ca2d813ffee4b4b1f7486fbb419
SHA256: 74c65ac1b80254a24b7e8c3c0c4343ff22d40a5cb0ad72bdf5d7c736b2589be1
SHA512: ae5ea277631eae6ce9bb05a31bbcfb24a6c7d07523351045e569c0dc2bc3942a24663a19f5e5a900c798331e5b2ccce349a4720c2e036abe3a28aae12511db0a

Filesize: 47KB
MD5: e4600ab59246343a67a56ba96d0775be
SHA1: c2c4f6f33dc7ad68d9d798a47e15b8419805e8df
SHA256: fa26230a3e627efa9f304a5034cca8d1fb0b5728743160288ccc72b7e7faee6c
SHA512: 6d19ed368b625be102b0bd6daac04548d7439d2a17c3141ead234e44c6e32985164e1990bdf5785e1e3558267ed478f8bfcbeb50f6d9530fd7625c7e8f167acc

Filesize: 56KB
MD5: 0ae3879933a7a62ee6c89f2afb50aad8
SHA1: 70370d5a6a81f019e3869aaaef147c86385121d5
SHA256: fd10bba604fbb0a713ba915262828a67aa2c649cdec86e87ff98a3e5afcbb3aa
SHA512: 5ef4173775ad3e3e9a575310430780bfb20dbfa05bbde55adc45bd5df76d073a3a957f7f32d6018c1eae8bb4da6a6c7d6361e13f8b36888aa7da81ed7236025a

Filesize: 207KB
MD5: 6eb5c2b06b5b61957be625e5dccd3828
SHA1: ff1fbb5276184c9049e85d21bcdd21384d9160ba
SHA256: 71e33bbd92a3d525257498bdf3de005af100daa5241df2598ff456ad22211dba
SHA512: 84e0145c6a4812995d542d704984fa2a0b6c37f8f17afc20b60a23b7c304ed2d6cf6ef8856a9648d9c84be09afa7d19809872875993fb1d2fb2d68ec865587c0

Filesize: 269KB
MD5: 3161b6b4413d72a8e3c3fe7a626b11ad
SHA1: 5e3a8bec773307fd596bdfb0034c9385a04257f8
SHA256: 289342640ccdbf6d672b78e70022299815918dc99716aa54a2d808a89c1fa77e
SHA512: 1fc01a93797855fb327fbbdd60ac18025771288731ec1bfa372e151a321ec469f9b45ea4cc53abc2ec1bda05471eeb403fd5bb009fd8827f2e316b6196be86ec

Filesize: 52KB
MD5: 71e09d198d98d71fb22189d10422a858
SHA1: e36b8043138af8b680f71af06d22bfb4be8a0798
SHA256: 569d01cc926459cc617d5539e55f38d5bf1959725c958f206a8a94ab0513cef3
SHA512: ab913deda65d003b97d3e5778cc9b72284f24616ff1d076ce75b6023f7f3c8a8bae867323eeb9aa8f45fcff931a83ae30510d272cd0852a011ab393c20e64c51

Filesize: 49KB
MD5: 46e4e9cc790212ccdb9952fa96e55793
SHA1: 1c638133ea654ab0dec4c67015bce04aa96019fa
SHA256: 338ff390d676217bd8200e896204ff1e0768b51a95f188e5bb28c501d2393efd
SHA512: cca2d3407a72113a670fae67e91540c7be0a84cbf64fb44d15e7118a19319d2e5aea004e0bf5d49ba715af19197c80f95aa68c588c507234cd5c29564c42c94b

Filesize: 41KB
MD5: 68856976b4466df7676daa981ba8fe95
SHA1: c8f9ce2027a42e10e1cf03b6cc97b12c1dffbe98
SHA256: 903d5f642fde69ae1ac38bf203034fdf08a9b5a6e991e5135c4c8eff95329dc8
SHA512: 2005a5a038bd195d8efb203301d18ddc3aaad68bbdbeee13bff86495a502c61b92e2af3e233b27ab2bf8ea3d64acef2019c18def64b45036077feb8e756d3775

Filesize: 143KB
MD5: 33f089f58065917fc572dba070eb535a
SHA1: be0a7b72759f255e04052c5f066180e8a900c5c8
SHA256: e9c57d009b2d4de65be78ea172e2659d4fa4f1261d9d32a246d6524fe35fbeec
SHA512: 36fb5098d488fa38f79763ce1aadfe2d35482b8f285635ce6db6d31450688415b87d848fec718c06c80fc395169bd52079abd7ecb3ae7f38d0802278d935d9a1

Filesize: 57KB
MD5: 3a81bb7f89fff51fd80d1e9e1e60471f
SHA1: 7c04e73b47855108f7cb0f1f8e76b71078d74158
SHA256: 7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512: d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

Filesize: 22KB
MD5: 75dc2bb818edcddc1a47c7158bd8a06c
SHA1: 0c04ade97e81f3fe25805f153d4146a68b7c337b
SHA256: e4ba6bd5aa524675d34022e0abfe643f0cb40255b2e06d2fb878bf636f32d12a
SHA512: df90726bac6e876a1795acd4d3fbe3f7bf6bff89cc59d63587075e314841c961a86610793e1d85d716dfcdd99d3647767d2def7e17b246599705f1335c391578

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 99KB
MD5: 821912b1238e5ec089b7f4e4648d5d92
SHA1: 51a0d563416ac0b236da9b0b1a6109c05485fecb
SHA256: 37c1021c2038a28d1ee4438f48e1641c7ddb330cd3aa85a45e1988be3a925944
SHA512: 4b86b74fb4c04b62740e46903ced47f966648b21a9d38b396da56ff7a8aebb79dddfe183c77a618359bbfb1ea634a7f54c3fbadc4583f42ddf5fae5f504cd647

Filesize: 235KB
MD5: c094ed281f716f88e4416665a4cd218c
SHA1: b29aa861f627ec601b55937fd3cfdde7bac418b7
SHA256: 6c2a9cab990da35a0c9048cdcc960f37ed32d1c697a853319fa3d11b86753e15
SHA512: 98cea23193bfde44c343b0a8ee2ff17872dbb2947f0e689b3df0179452d50bee9d6b285907bf8c3c4cc994d9816d8400b7676252d8cb31dd1eb34a2f9fd132ae

Filesize: 242KB
MD5: 3d90fb418660d175dbbbd17f41dd2d89
SHA1: 5d4030962e9ddef3800d233b3196dde29db8cbba
SHA256: c2a859bdec7058150c723f06f366cc1adcf22aedf40bdc4670a17508bcf16c50
SHA512: 15cc927f473b42f6d7b4df4d6803074e19fcd2ff7041db5ecf75505c998f68f4818b082623610c3527d66b42afa4aa687e1f607aa1f2264188f6456e01c54218

Filesize: 113KB
MD5: dc618e2746e9f24e1b2e2bb5830bc3a1
SHA1: cd317fef4e4071d77c7dc4d4121b5adf5c52d188
SHA256: 8aed40596bf5ceff55e81e1d6d2bcef8a4ff6b578260b9f869aca27f6abbbcf5
SHA512: 09092ff9d8888887fc515699ba51f3865efdef2fbee1c4de854668ed47a8ab3111ee3dadffac729a399ffce8e41aa0f8e4cd18a0d215d3473526758e595ebb17