Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/01/2024, 13:45
Static task: static1
Behavioral task: behavioral1
  Sample: 3eb04652a3a57731b166a03425639ddd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 3eb04652a3a57731b166a03425639ddd.exe
  Resource: win10v2004-20231215-en
General
Target: 3eb04652a3a57731b166a03425639ddd.exe
Size: 512KB
MD5: 3eb04652a3a57731b166a03425639ddd
SHA1: 0dab4b6bdd78b3495bab0ed32ca24d9d4d25d23f
SHA256: cfb4d6ee578e544d7eebf0d054801c482878b0aa1bf6187ed236db3b8da6a8ca
SHA512: 215b4b65d4a40eb000f42d5c218c34b5b2205d6bd513989dbf37d418f4feb88844b7f3641eaa9fe46f6810516dab8bd4febe757e241c309bb8bff6e45382280b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ufvmyrjnxg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ufvmyrjnxg.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ufvmyrjnxg.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ufvmyrjnxg.exe
Executes dropped EXE 5 IoCs
pid | Process
2768 | ufvmyrjnxg.exe
2704 | vdbwmmaackoasil.exe
2868 | hvnmarun.exe
2736 | pmdebqrkeeryv.exe
2644 | hvnmarun.exe
Loads dropped DLL 5 IoCs
pid | Process
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2768 | ufvmyrjnxg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ufvmyrjnxg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ahgntjpt = "ufvmyrjnxg.exe" | vdbwmmaackoasil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\walahjbo = "vdbwmmaackoasil.exe" | vdbwmmaackoasil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pmdebqrkeeryv.exe" | vdbwmmaackoasil.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | hvnmarun.exe
File opened (read-only) | \??\i: | ufvmyrjnxg.exe
File opened (read-only) | \??\o: | ufvmyrjnxg.exe
File opened (read-only) | \??\y: | hvnmarun.exe
File opened (read-only) | \??\y: | hvnmarun.exe
File opened (read-only) | \??\x: | ufvmyrjnxg.exe
File opened (read-only) | \??\i: | hvnmarun.exe
File opened (read-only) | \??\w: | hvnmarun.exe
File opened (read-only) | \??\v: | hvnmarun.exe
File opened (read-only) | \??\s: | hvnmarun.exe
File opened (read-only) | \??\r: | ufvmyrjnxg.exe
File opened (read-only) | \??\v: | ufvmyrjnxg.exe
File opened (read-only) | \??\g: | hvnmarun.exe
File opened (read-only) | \??\l: | ufvmyrjnxg.exe
File opened (read-only) | \??\s: | hvnmarun.exe
File opened (read-only) | \??\a: | hvnmarun.exe
File opened (read-only) | \??\h: | hvnmarun.exe
File opened (read-only) | \??\n: | hvnmarun.exe
File opened (read-only) | \??\b: | ufvmyrjnxg.exe
File opened (read-only) | \??\b: | hvnmarun.exe
File opened (read-only) | \??\s: | ufvmyrjnxg.exe
File opened (read-only) | \??\k: | hvnmarun.exe
File opened (read-only) | \??\p: | hvnmarun.exe
File opened (read-only) | \??\g: | hvnmarun.exe
File opened (read-only) | \??\j: | hvnmarun.exe
File opened (read-only) | \??\h: | ufvmyrjnxg.exe
File opened (read-only) | \??\j: | ufvmyrjnxg.exe
File opened (read-only) | \??\u: | ufvmyrjnxg.exe
File opened (read-only) | \??\j: | hvnmarun.exe
File opened (read-only) | \??\r: | hvnmarun.exe
File opened (read-only) | \??\b: | hvnmarun.exe
File opened (read-only) | \??\l: | hvnmarun.exe
File opened (read-only) | \??\q: | hvnmarun.exe
File opened (read-only) | \??\a: | ufvmyrjnxg.exe
File opened (read-only) | \??\l: | hvnmarun.exe
File opened (read-only) | \??\z: | hvnmarun.exe
File opened (read-only) | \??\t: | hvnmarun.exe
File opened (read-only) | \??\x: | hvnmarun.exe
File opened (read-only) | \??\e: | ufvmyrjnxg.exe
File opened (read-only) | \??\g: | ufvmyrjnxg.exe
File opened (read-only) | \??\u: | hvnmarun.exe
File opened (read-only) | \??\w: | hvnmarun.exe
File opened (read-only) | \??\o: | hvnmarun.exe
File opened (read-only) | \??\x: | hvnmarun.exe
File opened (read-only) | \??\w: | ufvmyrjnxg.exe
File opened (read-only) | \??\a: | hvnmarun.exe
File opened (read-only) | \??\k: | hvnmarun.exe
File opened (read-only) | \??\r: | hvnmarun.exe
File opened (read-only) | \??\k: | ufvmyrjnxg.exe
File opened (read-only) | \??\n: | ufvmyrjnxg.exe
File opened (read-only) | \??\m: | hvnmarun.exe
File opened (read-only) | \??\q: | ufvmyrjnxg.exe
File opened (read-only) | \??\u: | hvnmarun.exe
File opened (read-only) | \??\e: | hvnmarun.exe
File opened (read-only) | \??\i: | hvnmarun.exe
File opened (read-only) | \??\e: | hvnmarun.exe
File opened (read-only) | \??\q: | hvnmarun.exe
File opened (read-only) | \??\p: | hvnmarun.exe
File opened (read-only) | \??\v: | hvnmarun.exe
File opened (read-only) | \??\y: | ufvmyrjnxg.exe
File opened (read-only) | \??\z: | ufvmyrjnxg.exe
File opened (read-only) | \??\m: | ufvmyrjnxg.exe
File opened (read-only) | \??\p: | ufvmyrjnxg.exe
File opened (read-only) | \??\n: | hvnmarun.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ufvmyrjnxg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ufvmyrjnxg.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000d00000001473e-5.dat | autoit_exe
behavioral1/files/0x000b000000012243-17.dat | autoit_exe
behavioral1/files/0x0030000000014b90-28.dat | autoit_exe
behavioral1/files/0x0007000000015580-34.dat | autoit_exe
behavioral1/files/0x0005000000018671-73.dat | autoit_exe
behavioral1/files/0x00050000000186a4-76.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pmdebqrkeeryv.exe | 3eb04652a3a57731b166a03425639ddd.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ufvmyrjnxg.exe
File opened for modification | C:\Windows\SysWOW64\ufvmyrjnxg.exe | 3eb04652a3a57731b166a03425639ddd.exe
File opened for modification | C:\Windows\SysWOW64\vdbwmmaackoasil.exe | 3eb04652a3a57731b166a03425639ddd.exe
File created | C:\Windows\SysWOW64\hvnmarun.exe | 3eb04652a3a57731b166a03425639ddd.exe
File created | C:\Windows\SysWOW64\pmdebqrkeeryv.exe | 3eb04652a3a57731b166a03425639ddd.exe
File created | C:\Windows\SysWOW64\ufvmyrjnxg.exe | 3eb04652a3a57731b166a03425639ddd.exe
File created | C:\Windows\SysWOW64\vdbwmmaackoasil.exe | 3eb04652a3a57731b166a03425639ddd.exe
File opened for modification | C:\Windows\SysWOW64\hvnmarun.exe | 3eb04652a3a57731b166a03425639ddd.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hvnmarun.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hvnmarun.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hvnmarun.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hvnmarun.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hvnmarun.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hvnmarun.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hvnmarun.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hvnmarun.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 3eb04652a3a57731b166a03425639ddd.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ufvmyrjnxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ufvmyrjnxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC4FE1A21ADD10FD0A48B799011" | 3eb04652a3a57731b166a03425639ddd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC6091597DAC5B8CC7C97EDE734C6" | 3eb04652a3a57731b166a03425639ddd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ufvmyrjnxg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2852 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2704 | vdbwmmaackoasil.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2904 | 3eb04652a3a57731b166a03425639ddd.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2768 | ufvmyrjnxg.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2704 | vdbwmmaackoasil.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2868 | hvnmarun.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2736 | pmdebqrkeeryv.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
2644 | hvnmarun.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2852 | WINWORD.EXE
2852 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2904 wrote to memory of 2768 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 28
PID 2904 wrote to memory of 2768 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 28
PID 2904 wrote to memory of 2768 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 28
PID 2904 wrote to memory of 2768 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 28
PID 2904 wrote to memory of 2704 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 29
PID 2904 wrote to memory of 2704 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 29
PID 2904 wrote to memory of 2704 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 29
PID 2904 wrote to memory of 2704 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 29
PID 2904 wrote to memory of 2868 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 30
PID 2904 wrote to memory of 2868 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 30
PID 2904 wrote to memory of 2868 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 30
PID 2904 wrote to memory of 2868 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 30
PID 2904 wrote to memory of 2736 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 31
PID 2904 wrote to memory of 2736 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 31
PID 2904 wrote to memory of 2736 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 31
PID 2904 wrote to memory of 2736 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 31
PID 2768 wrote to memory of 2644 | 2768 | ufvmyrjnxg.exe | 32
PID 2768 wrote to memory of 2644 | 2768 | ufvmyrjnxg.exe | 32
PID 2768 wrote to memory of 2644 | 2768 | ufvmyrjnxg.exe | 32
PID 2768 wrote to memory of 2644 | 2768 | ufvmyrjnxg.exe | 32
PID 2904 wrote to memory of 2852 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 33
PID 2904 wrote to memory of 2852 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 33
PID 2904 wrote to memory of 2852 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 33
PID 2904 wrote to memory of 2852 | 2904 | 3eb04652a3a57731b166a03425639ddd.exe | 33
PID 2852 wrote to memory of 1320 | 2852 | WINWORD.EXE | 36
PID 2852 wrote to memory of 1320 | 2852 | WINWORD.EXE | 36
PID 2852 wrote to memory of 1320 | 2852 | WINWORD.EXE | 36
PID 2852 wrote to memory of 1320 | 2852 | WINWORD.EXE | 36
Processes
C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe (PID 2904)
  command line: "C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ufvmyrjnxg.exe (PID 2768)
    command line: ufvmyrjnxg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\hvnmarun.exe (PID 2644)
      command line: C:\Windows\system32\hvnmarun.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vdbwmmaackoasil.exe (PID 2704)
    command line: vdbwmmaackoasil.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\hvnmarun.exe (PID 2868)
    command line: hvnmarun.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\pmdebqrkeeryv.exe (PID 2736)
    command line: pmdebqrkeeryv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2852)
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID 1320)
      command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads
Filesize: 512KB
MD5: f682077ddb9a29d0cb8ee9e0e5a4e5d2
SHA1: 8c03b23ea0fd375784b690b99cefadf9a82466ff
SHA256: 1024a92626aa830e11f75054033cc232a37c986fef68e2112e110bf857710c3e
SHA512: 52a0e26bd29aa1ddfeb9a711873643e1c0e82e8a4c2a7d2e21c838a91dc6535b688bd09f74e058dc8f38cc3e4830481eec9fabd9cd0bf473ba1e2c97b73e14b3

Filesize: 20KB
MD5: d287d6d06034f960c17d764e5615dab5
SHA1: 778950f9ad1eb3b13b92d369e1ef21253ad6d00e
SHA256: 8e712a1acd46933ca432da20cddb14f0247f535dabf9e856c7be3940e0a048e2
SHA512: 995b83fb998e78ee5028f90ec041ddbd3d6b0019a4ff4c827dfd573e76c408fc2fff31e3ab80df02df6066fb7dd9f3adf96b6f1497a38fbe4427ae65f4a95e4d

Filesize: 512KB
MD5: 21d9c4405f2b79e0094d69fa9a3132b4
SHA1: 47483c4292cdecda1a1b99508079ca6f96e2ab12
SHA256: a02c1ee9671f70cb05b31a721091a2b883be09fa6f57debf437d17cd9ad9d705
SHA512: 32e7c40e7f9d2f66832326fe0f77c3535be7055b3df42504a943c7bf70833ae0f65f3bc0d270225711c92ef699f57e5e998607582a9f9978b80455be475447cf

Filesize: 512KB
MD5: 4223aecd5e0d8938d1a84b2de151abd0
SHA1: 3943f90ea7c3e190a99768c3967ca1c774b0b56f
SHA256: db69334bac7e8346e1e08bb1f562b4ae9761d2810895a04feab67981463b91ed
SHA512: 64f94ae2ecb087685e9b03de46beb5c8c076edc2fecc5d63401871a4872bf24a73d090ef14d50b30e790ad1bda2d2ac8e64d4fd383f27b1af322f5839bc4a5df

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: aed766f6b3a87af0cb7ca04706e76847
SHA1: b115fdb0a3cfed6ba9287ea021dcba317a7f34e8
SHA256: aaee4eef4b11f00a8db4f5dad15d2fc263c33b9d6795053bad7cf6d8e35d54e5
SHA512: 36973f26ae450d4bf6af7b02a691894cb576a0c9d17353c65538ea1798029d2f64ab06921630f0ff47044f20da18b32cd2fc397b449f3c7e801ec0d3aad7b922

Filesize: 512KB
MD5: 4704948efd3888decec6fd4ac99e91a7
SHA1: 2ca28197b82d9477620ceb298cb0120e8c0bd132
SHA256: 543e99a96631edf67499528e26cf1edc09f2021d8dcd8abab8cfe80cb41d0d5d
SHA512: e80f9e501c239775f43863281e034cb98798a820c1a0510a5f5dbff2e5c91919b567acb4d7c9c43edc04215923715f84ccc7fefe01363627e5c869a28c32b845

Filesize: 512KB
MD5: 772f77ee8805f7dcefec641f729953bc
SHA1: 1fc4bf802be2b73631aad53066ace824181e677c
SHA256: 65664c712c6592d9e2f99d269c1b26d6aab249ce3c09c286388f8ad33cb70217
SHA512: 85acad7a6cd8b27e7bc4727ef799eeb47107d2e0980bd93ecbf8d3e6f95ec7fbdf548249b73f650886d4d60403c47d4cc59cf0c13a5d53c3b890731d1da48e64