Analysis
max time kernel: 210s
max time network: 219s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-01-2024 14:40

Static task: static1
Behavioral task: behavioral1
  Sample: 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Resource: win10v2004-20231215-en

General
Target: 2b80011bbbee3f57ba7ee431b1e1904f.exe
Size: 512KB
MD5: 2b80011bbbee3f57ba7ee431b1e1904f
SHA1: 6bb90708595987f5f9a0dff7a7f738020433ed2f
SHA256: 0a927d7e6771b961587b4d6cf122083077ee92714c4ae2548767f636af9f9881
SHA512: 7fabbf7fb5cd692c7d6af3b2e26e9e73bf4f44bc67101d1a71bc64e908117445a2affa2cc3f0699f585fc305ac398cc4e6278e079ab8d45d556e5f1aeb256388
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rvghrrbdlj.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rvghrrbdlj.exe
Windows security bypass (5 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rvghrrbdlj.exe
Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rvghrrbdlj.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 2b80011bbbee3f57ba7ee431b1e1904f.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  4384 | xwbweype.exe
  3252 | cgtlivbdvbrxs.exe
  1332 | xwbweype.exe
Windows security modification (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rvghrrbdlj.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lcjcamwl = "rvghrrbdlj.exe" | sokkkowlwjlscwl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edmmbmcf = "sokkkowlwjlscwl.exe" | sokkkowlwjlscwl.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cgtlivbdvbrxs.exe" | sokkkowlwjlscwl.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\n: | xwbweype.exe
  File opened (read-only) | \??\a: | rvghrrbdlj.exe
  File opened (read-only) | \??\l: | rvghrrbdlj.exe
  File opened (read-only) | \??\q: | rvghrrbdlj.exe
  File opened (read-only) | \??\b: | xwbweype.exe
  File opened (read-only) | \??\j: | xwbweype.exe
  File opened (read-only) | \??\z: | xwbweype.exe
  File opened (read-only) | \??\i: | xwbweype.exe
  File opened (read-only) | \??\o: | xwbweype.exe
  File opened (read-only) | \??\p: | xwbweype.exe
  File opened (read-only) | \??\t: | xwbweype.exe
  File opened (read-only) | \??\e: | rvghrrbdlj.exe
  File opened (read-only) | \??\k: | xwbweype.exe
  File opened (read-only) | \??\p: | xwbweype.exe
  File opened (read-only) | \??\y: | xwbweype.exe
  File opened (read-only) | \??\r: | rvghrrbdlj.exe
  File opened (read-only) | \??\v: | xwbweype.exe
  File opened (read-only) | \??\s: | xwbweype.exe
  File opened (read-only) | \??\x: | rvghrrbdlj.exe
  File opened (read-only) | \??\n: | xwbweype.exe
  File opened (read-only) | \??\h: | xwbweype.exe
  File opened (read-only) | \??\t: | rvghrrbdlj.exe
  File opened (read-only) | \??\m: | xwbweype.exe
  File opened (read-only) | \??\b: | xwbweype.exe
  File opened (read-only) | \??\u: | xwbweype.exe
  File opened (read-only) | \??\b: | rvghrrbdlj.exe
  File opened (read-only) | \??\k: | rvghrrbdlj.exe
  File opened (read-only) | \??\u: | rvghrrbdlj.exe
  File opened (read-only) | \??\q: | xwbweype.exe
  File opened (read-only) | \??\r: | xwbweype.exe
  File opened (read-only) | \??\z: | xwbweype.exe
  File opened (read-only) | \??\v: | rvghrrbdlj.exe
  File opened (read-only) | \??\w: | rvghrrbdlj.exe
  File opened (read-only) | \??\p: | rvghrrbdlj.exe
  File opened (read-only) | \??\e: | xwbweype.exe
  File opened (read-only) | \??\y: | xwbweype.exe
  File opened (read-only) | \??\x: | xwbweype.exe
  File opened (read-only) | \??\g: | rvghrrbdlj.exe
  File opened (read-only) | \??\n: | rvghrrbdlj.exe
  File opened (read-only) | \??\i: | xwbweype.exe
  File opened (read-only) | \??\m: | xwbweype.exe
  File opened (read-only) | \??\w: | xwbweype.exe
  File opened (read-only) | \??\a: | xwbweype.exe
  File opened (read-only) | \??\h: | xwbweype.exe
  File opened (read-only) | \??\t: | xwbweype.exe
  File opened (read-only) | \??\e: | xwbweype.exe
  File opened (read-only) | \??\i: | rvghrrbdlj.exe
  File opened (read-only) | \??\y: | rvghrrbdlj.exe
  File opened (read-only) | \??\g: | xwbweype.exe
  File opened (read-only) | \??\r: | xwbweype.exe
  File opened (read-only) | \??\u: | xwbweype.exe
  File opened (read-only) | \??\w: | xwbweype.exe
  File opened (read-only) | \??\x: | xwbweype.exe
  File opened (read-only) | \??\j: | rvghrrbdlj.exe
  File opened (read-only) | \??\m: | rvghrrbdlj.exe
  File opened (read-only) | \??\z: | rvghrrbdlj.exe
  File opened (read-only) | \??\j: | xwbweype.exe
  File opened (read-only) | \??\l: | xwbweype.exe
  File opened (read-only) | \??\v: | xwbweype.exe
  File opened (read-only) | \??\h: | rvghrrbdlj.exe
  File opened (read-only) | \??\s: | xwbweype.exe
  File opened (read-only) | \??\o: | rvghrrbdlj.exe
  File opened (read-only) | \??\s: | rvghrrbdlj.exe
  File opened (read-only) | \??\q: | xwbweype.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rvghrrbdlj.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rvghrrbdlj.exe

AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/1464-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x000700000002321a-9.dat | autoit_exe
  behavioral2/files/0x001700000002272b-18.dat | autoit_exe
  behavioral2/files/0x000900000002312b-22.dat | autoit_exe
  behavioral2/files/0x000700000002321b-30.dat | autoit_exe
  behavioral2/files/0x0006000000023245-89.dat | autoit_exe
  behavioral2/files/0x0006000000023248-98.dat | autoit_exe

Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\sokkkowlwjlscwl.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File created | C:\Windows\SysWOW64\xwbweype.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rvghrrbdlj.exe
  File created | C:\Windows\SysWOW64\rvghrrbdlj.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File opened for modification | C:\Windows\SysWOW64\rvghrrbdlj.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File created | C:\Windows\SysWOW64\sokkkowlwjlscwl.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File opened for modification | C:\Windows\SysWOW64\xwbweype.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File created | C:\Windows\SysWOW64\cgtlivbdvbrxs.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File opened for modification | C:\Windows\SysWOW64\cgtlivbdvbrxs.exe | 2b80011bbbee3f57ba7ee431b1e1904f.exe

Drops file in Program Files directory (14 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | xwbweype.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xwbweype.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xwbweype.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | xwbweype.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xwbweype.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | xwbweype.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xwbweype.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | xwbweype.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Modifies registry class (20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFFFB4F5F851D9131D6217D97BD90E634594566456236D6EE" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B02D4797389E53CBB9A233EED7B8" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rvghrrbdlj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABBF966F192837B3B37819C39E4B38802FE4364023AE1CD45E708A6" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rvghrrbdlj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rvghrrbdlj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rvghrrbdlj.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rvghrrbdlj.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7E9C5583576D3E77D270242CDA7D8264AA" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB6FE6E21DBD208D0A38B7E9166" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C6751594DAB6B8BD7CE9EDE434CF" | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rvghrrbdlj.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rvghrrbdlj.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  3996 | sokkkowlwjlscwl.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  3996 | sokkkowlwjlscwl.exe
  3996 | sokkkowlwjlscwl.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe

Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe

Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  416 | rvghrrbdlj.exe
  3996 | sokkkowlwjlscwl.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  4384 | xwbweype.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  3252 | cgtlivbdvbrxs.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe
  1332 | xwbweype.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE
  4620 | WINWORD.EXE

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1464 wrote to memory of 416 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 93
  PID 1464 wrote to memory of 416 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 93
  PID 1464 wrote to memory of 416 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 93
  PID 1464 wrote to memory of 3996 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 94
  PID 1464 wrote to memory of 3996 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 94
  PID 1464 wrote to memory of 3996 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 94
  PID 1464 wrote to memory of 4384 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 95
  PID 1464 wrote to memory of 4384 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 95
  PID 1464 wrote to memory of 4384 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 95
  PID 1464 wrote to memory of 3252 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 96
  PID 1464 wrote to memory of 3252 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 96
  PID 1464 wrote to memory of 3252 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 96
  PID 3996 wrote to memory of 2020 | 3996 | sokkkowlwjlscwl.exe | 97
  PID 3996 wrote to memory of 2020 | 3996 | sokkkowlwjlscwl.exe | 97
  PID 3996 wrote to memory of 2020 | 3996 | sokkkowlwjlscwl.exe | 97
  PID 416 wrote to memory of 1332 | 416 | rvghrrbdlj.exe | 99
  PID 416 wrote to memory of 1332 | 416 | rvghrrbdlj.exe | 99
  PID 416 wrote to memory of 1332 | 416 | rvghrrbdlj.exe | 99
  PID 1464 wrote to memory of 4620 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 100
  PID 1464 wrote to memory of 4620 | 1464 | 2b80011bbbee3f57ba7ee431b1e1904f.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\2b80011bbbee3f57ba7ee431b1e1904f.exe (level 1, PID 1464)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b80011bbbee3f57ba7ee431b1e1904f.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rvghrrbdlj.exe (level 2, PID 416)
    Command line: rvghrrbdlj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\xwbweype.exe (level 3, PID 1332)
      Command line: C:\Windows\system32\xwbweype.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\sokkkowlwjlscwl.exe (level 2, PID 3996)
    Command line: sokkkowlwjlscwl.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 2020)
      Command line: cmd.exe /c cgtlivbdvbrxs.exe

  C:\Windows\SysWOW64\xwbweype.exe (level 2, PID 4384)
    Command line: xwbweype.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cgtlivbdvbrxs.exe (level 2, PID 3252)
    Command line: cgtlivbdvbrxs.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4620)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Defense Evasion
  Hide Artifacts: 2
    Hidden Files and Directories: 2
  Impair Defenses: 2
    Disable or Modify Tools: 2
  Modify Registry: 6
Downloads