Analysis
max time kernel: 160s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2024 10:36
Static task: static1
Behavioral task: behavioral1
  Sample: 3ca1017ce9db8d1410b6a80d36010a29.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3ca1017ce9db8d1410b6a80d36010a29.exe
  Resource: win10v2004-20231215-en
General
Target: 3ca1017ce9db8d1410b6a80d36010a29.exe
Size: 512KB
MD5: 3ca1017ce9db8d1410b6a80d36010a29
SHA1: e7c33a26079f18203552ad8a46826d68357ca112
SHA256: 2a3d618022b62a1229e1ff44a667540070672c2789707b82a2fae3bdde1acfd0
SHA512: 4f91de27eacb90480463c56b2763862a72ff8789500d0d64cd7ffeb180813eab877e3fe2c01a715c1d61f55220edc1faa13e28ca474217f716ab3700a076639b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bstcdbtesd.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bstcdbtesd.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bstcdbtesd.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bstcdbtesd.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 3ca1017ce9db8d1410b6a80d36010a29.exe
Executes dropped EXE (5 IoCs)
pid | Process
2492 | bstcdbtesd.exe
1436 | rysbhsrkwqsyosq.exe
2236 | vxvonjps.exe
4036 | kutejmjsvfbif.exe
2428 | vxvonjps.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bstcdbtesd.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kutejmjsvfbif.exe" | rysbhsrkwqsyosq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\trengbpl = "bstcdbtesd.exe" | rysbhsrkwqsyosq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jasktbxq = "rysbhsrkwqsyosq.exe" | rysbhsrkwqsyosq.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | vxvonjps.exe
File opened (read-only) | \??\t: | vxvonjps.exe
File opened (read-only) | \??\z: | vxvonjps.exe
File opened (read-only) | \??\o: | bstcdbtesd.exe
File opened (read-only) | \??\u: | bstcdbtesd.exe
File opened (read-only) | \??\j: | vxvonjps.exe
File opened (read-only) | \??\y: | bstcdbtesd.exe
File opened (read-only) | \??\j: | vxvonjps.exe
File opened (read-only) | \??\y: | vxvonjps.exe
File opened (read-only) | \??\h: | bstcdbtesd.exe
File opened (read-only) | \??\l: | bstcdbtesd.exe
File opened (read-only) | \??\s: | bstcdbtesd.exe
File opened (read-only) | \??\n: | vxvonjps.exe
File opened (read-only) | \??\g: | vxvonjps.exe
File opened (read-only) | \??\p: | vxvonjps.exe
File opened (read-only) | \??\i: | vxvonjps.exe
File opened (read-only) | \??\o: | vxvonjps.exe
File opened (read-only) | \??\x: | vxvonjps.exe
File opened (read-only) | \??\r: | vxvonjps.exe
File opened (read-only) | \??\x: | bstcdbtesd.exe
File opened (read-only) | \??\v: | bstcdbtesd.exe
File opened (read-only) | \??\e: | vxvonjps.exe
File opened (read-only) | \??\l: | vxvonjps.exe
File opened (read-only) | \??\r: | vxvonjps.exe
File opened (read-only) | \??\w: | vxvonjps.exe
File opened (read-only) | \??\o: | vxvonjps.exe
File opened (read-only) | \??\v: | vxvonjps.exe
File opened (read-only) | \??\h: | vxvonjps.exe
File opened (read-only) | \??\q: | vxvonjps.exe
File opened (read-only) | \??\b: | vxvonjps.exe
File opened (read-only) | \??\e: | vxvonjps.exe
File opened (read-only) | \??\h: | vxvonjps.exe
File opened (read-only) | \??\i: | bstcdbtesd.exe
File opened (read-only) | \??\m: | bstcdbtesd.exe
File opened (read-only) | \??\g: | vxvonjps.exe
File opened (read-only) | \??\y: | vxvonjps.exe
File opened (read-only) | \??\a: | bstcdbtesd.exe
File opened (read-only) | \??\m: | vxvonjps.exe
File opened (read-only) | \??\u: | vxvonjps.exe
File opened (read-only) | \??\q: | bstcdbtesd.exe
File opened (read-only) | \??\v: | vxvonjps.exe
File opened (read-only) | \??\z: | vxvonjps.exe
File opened (read-only) | \??\n: | vxvonjps.exe
File opened (read-only) | \??\q: | vxvonjps.exe
File opened (read-only) | \??\j: | bstcdbtesd.exe
File opened (read-only) | \??\r: | bstcdbtesd.exe
File opened (read-only) | \??\b: | vxvonjps.exe
File opened (read-only) | \??\s: | vxvonjps.exe
File opened (read-only) | \??\u: | vxvonjps.exe
File opened (read-only) | \??\a: | vxvonjps.exe
File opened (read-only) | \??\k: | vxvonjps.exe
File opened (read-only) | \??\p: | vxvonjps.exe
File opened (read-only) | \??\t: | vxvonjps.exe
File opened (read-only) | \??\w: | vxvonjps.exe
File opened (read-only) | \??\x: | vxvonjps.exe
File opened (read-only) | \??\e: | bstcdbtesd.exe
File opened (read-only) | \??\z: | bstcdbtesd.exe
File opened (read-only) | \??\k: | vxvonjps.exe
File opened (read-only) | \??\s: | vxvonjps.exe
File opened (read-only) | \??\n: | bstcdbtesd.exe
File opened (read-only) | \??\a: | vxvonjps.exe
File opened (read-only) | \??\i: | vxvonjps.exe
File opened (read-only) | \??\g: | bstcdbtesd.exe
File opened (read-only) | \??\t: | bstcdbtesd.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bstcdbtesd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bstcdbtesd.exe
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2376-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000400000001e715-5.dat | autoit_exe
behavioral2/files/0x000200000001e7de-17.dat | autoit_exe
behavioral2/files/0x000400000001e715-22.dat | autoit_exe
behavioral2/files/0x000300000001e7e1-26.dat | autoit_exe
behavioral2/files/0x000200000001e7e2-32.dat | autoit_exe
behavioral2/files/0x000800000001e7f0-46.dat | autoit_exe
behavioral2/files/0x000500000001e7f1-52.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bstcdbtesd.exe
File opened for modification | C:\Windows\SysWOW64\rysbhsrkwqsyosq.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File opened for modification | C:\Windows\SysWOW64\vxvonjps.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File opened for modification | C:\Windows\SysWOW64\kutejmjsvfbif.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File created | C:\Windows\SysWOW64\vxvonjps.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File created | C:\Windows\SysWOW64\kutejmjsvfbif.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File created | C:\Windows\SysWOW64\bstcdbtesd.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File opened for modification | C:\Windows\SysWOW64\bstcdbtesd.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
File created | C:\Windows\SysWOW64\rysbhsrkwqsyosq.exe | 3ca1017ce9db8d1410b6a80d36010a29.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vxvonjps.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vxvonjps.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vxvonjps.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vxvonjps.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vxvonjps.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 3ca1017ce9db8d1410b6a80d36010a29.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFC824F5F856D9132D72A7DE6BCEEE634594167456337D7E9" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bstcdbtesd.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 3ca1017ce9db8d1410b6a80d36010a29.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bstcdbtesd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bstcdbtesd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bstcdbtesd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bstcdbtesd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bstcdbtesd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bstcdbtesd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bstcdbtesd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bstcdbtesd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCEF9BDFE11F1E083783A42819939E1B388038A4212024BE1B8459C09D2" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B05B449339ED53BFBAA733EED4C5" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F568B7FE1821ADD20ED0D38B799166" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC60914E1DAB0B9C07CE6EC9637C8" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bstcdbtesd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 3ca1017ce9db8d1410b6a80d36010a29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7B9D2D83256A4176D277222CDB7CF664DD" | 3ca1017ce9db8d1410b6a80d36010a29.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bstcdbtesd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bstcdbtesd.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | consecutive entries
5032 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | consecutive entries
2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 12
2492 | bstcdbtesd.exe | 10
2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 4
1436 | rysbhsrkwqsyosq.exe | 10
2236 | vxvonjps.exe | 8
4036 | kutejmjsvfbif.exe | 12
1436 | rysbhsrkwqsyosq.exe | 2
4036 | kutejmjsvfbif.exe | 4
1436 | rysbhsrkwqsyosq.exe | 2
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | consecutive entries
2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 3
2492 | bstcdbtesd.exe | 3
1436 | rysbhsrkwqsyosq.exe | 3
2236 | vxvonjps.exe | 3
4036 | kutejmjsvfbif.exe | 3
2428 | vxvonjps.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | consecutive entries
2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 3
2492 | bstcdbtesd.exe | 3
1436 | rysbhsrkwqsyosq.exe | 3
2236 | vxvonjps.exe | 3
4036 | kutejmjsvfbif.exe | 3
2428 | vxvonjps.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | consecutive entries
5032 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | consecutive entries
PID 2376 wrote to memory of 2492 | 2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 91 | 3
PID 2376 wrote to memory of 1436 | 2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 92 | 3
PID 2376 wrote to memory of 2236 | 2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 93 | 3
PID 2376 wrote to memory of 4036 | 2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 94 | 3
PID 2492 wrote to memory of 2428 | 2492 | bstcdbtesd.exe | 96 | 3
PID 2376 wrote to memory of 5032 | 2376 | 3ca1017ce9db8d1410b6a80d36010a29.exe | 98 | 2
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\3ca1017ce9db8d1410b6a80d36010a29.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3ca1017ce9db8d1410b6a80d36010a29.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2376
  [depth 2] C:\Windows\SysWOW64\bstcdbtesd.exe
    command line: bstcdbtesd.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2492
    [depth 3] C:\Windows\SysWOW64\vxvonjps.exe
      command line: C:\Windows\system32\vxvonjps.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2428
  [depth 2] C:\Windows\SysWOW64\rysbhsrkwqsyosq.exe
    command line: rysbhsrkwqsyosq.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1436
  [depth 2] C:\Windows\SysWOW64\vxvonjps.exe
    command line: vxvonjps.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2236
  [depth 2] C:\Windows\SysWOW64\kutejmjsvfbif.exe
    command line: kutejmjsvfbif.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4036
  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 5032
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
-
Filesize: 512KB
MD5: f3cc204ea25e332ffc3bb90ffae723ed
SHA1: 7fc8e2d9d9e0c5fc014fe2add02468d45482e13f
SHA256: b77b16dafa2ac9f0b9b109d92699829e8a1c6cdb36f089ef433a9c105080c529
SHA512: 8de722daf054d35a8e250bd3cfa2ab0852d1219ee79e04fd060959cc2d28c21ca5b468946da23fe457149c34cf9bce29cb2b88df192899f7086688c15c43b4c2
-
Filesize: 512KB
MD5: 87e55c780b938707a25a312141508152
SHA1: a9a70175edd6f6be1a46aa45c9e49cf0c256c43f
SHA256: cfec24e65e86cc8e5fac5cc7810efd808a89bd06bb3f80567fd916d219ad3eea
SHA512: 47eb6d515a34f1bd606c4db2f580773f37760726757f79683edd752afa38cd4c18cec65e8944bc07c0ef8228f4e85e37cb7c710d33fe48a536036def7c370dc9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 56b80b7e7550ec6dba5bda7b1569034d
SHA1: 20ace4e1ad8ce35d4ccf302688c8cbc8352148f1
SHA256: 442270d05eecd0deeddb1fb8992c6ceef1334deaf94ff7190dcad9bf32de7162
SHA512: 4acee507a3243c40897dac541b2078da278d2637ee9ebbb0b2ec08baf92876f9349cc35da5c9dae1f21b578b19f636d2ca018269f01aa59991c5a6cf21cc8f07
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 0db13daf0d17d65066d3f5c690a149dc
SHA1: 324c62d23ba8d18b6c17e905f1e2270edcce2e41
SHA256: ae2368c7fbbb6fbdbf1407c55a9ec062220340a6d6290680bd27483acf239d66
SHA512: 99054df28a74c008a5caf7ef882f2f5942e63fbbc964a34515b1c6e02786c5741c5ec3ae512453491658e78be2c69967201623563bc7930f3c312a311f89be38
-
Filesize: 512KB
MD5: 2d6f6b7a80deb8e8597444a2780ac1dc
SHA1: c8b426eacb37b5878c5b04b9dd5809a892fe9235
SHA256: d9f924b0ef60080ee72f4ffd07943e42b63ac686b6ab30617ec9d9d032e505e6
SHA512: 0a331bfaa2381c3af1d4b264b02a84be454472e1982a7a38b07893578de2e3092511d84ec27b352823bdca3a14d648a026e664830a7367dbfb26bb6e91a2b618
-
Filesize: 512KB
MD5: 2e5f3c2d6dd51ad2104a9ad5c7738129
SHA1: 99ff9f5985e2e3967e6388903388eee2ba918d99
SHA256: f1bc89db2c47f8a921a69fdde0e885ef700e70a6d95751dca0a3fdccfd615de1
SHA512: 9a15b772720a2b28354936646b0cedeb12475599ef863ad26873a5c300b9cc63c87342e1ff48b43055809181c4010f88643c701c43f42251c820cc4f73e4af09
-
Filesize: 128KB
MD5: 33be84de0fa03c6883fec2ead970e3ba
SHA1: dbe35ed4343779aa93200c24966ccb805e18f223
SHA256: ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
SHA512: 3e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
-
Filesize: 512KB
MD5: 3a30b4221b716c689438b00cb50d786e
SHA1: 1cb39ca61a798debcc876bf270d7718f332f81fa
SHA256: ffee4f8aa9d706d386e8336f52df70b41c532b07baa79bac7b5c950f4069c136
SHA512: 1e184389009951a88e15ffe5655539c6e6e9e627d93114748c49df186b5200174c5e394df187b7eba3af78f8c1e1a9946d6cb11e498ce73376703c2f62f6abc0
-
Filesize: 512KB
MD5: 41f85c90cdb9af6c574740df541cfa82
SHA1: 626db7f45d55b1cbf43fa25dc3475f7c6e74ff01
SHA256: 021629b79e8dae38ae8880f937e042fbe1d539ccbdb7da3f216111dfa578d4cd
SHA512: 75e6c4f1d1b048d645b6db4c132d4cfd1cdf014403883ebb18ded67204ed9b105543d4ba9c0b81c7426a1c4aae36bc805272454110f440ad8f29e65ded0238fd
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7