Analysis

max time kernel: 142s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-01-2024 14:41

Tasks

Static task: static1
Behavioral task: behavioral1 (Sample: 15ab0a725fb6a659909cc1faf2600910.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 15ab0a725fb6a659909cc1faf2600910.exe, Resource: win10v2004-20231215-en)

General

Target: 15ab0a725fb6a659909cc1faf2600910.exe
Size: 512KB
MD5: 15ab0a725fb6a659909cc1faf2600910
SHA1: c7522e69040c0780f297937cd7c70a91fa44fc3e
SHA256: caf8e784f7a32ab970dc20feb31848377f4705fd4c093a96123fcdd948be8e4a
SHA512: 3adfc2caaa45030e8346c01e8b791f541fb4f663c82d7ea33d72dfa477f355cbc82fb9fa5bbbae857882668930a4615eba245ad2b34583d05cd4208815423412
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lvvaihqyul.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lvvaihqyul.exe
Windows security bypass (5 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | lvvaihqyul.exe
Disables RegEdit via registry modification (1 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvvaihqyul.exe
Executes dropped EXE (5 IoCs)

pid | Process
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
4780 | bhzkyluf.exe
4852 | cfviuwtobndxl.exe
3732 | bhzkyluf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | lvvaihqyul.exe
Adds Run key to start application (2 TTPs, 3 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cfviuwtobndxl.exe" | ugfhltjvqbvgujn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gvjmcqwg = "lvvaihqyul.exe" | ugfhltjvqbvgujn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czhatpkm = "ugfhltjvqbvgujn.exe" | ugfhltjvqbvgujn.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\l: | lvvaihqyul.exe
File opened (read-only) | \??\w: | lvvaihqyul.exe
File opened (read-only) | \??\h: | bhzkyluf.exe
File opened (read-only) | \??\y: | bhzkyluf.exe
File opened (read-only) | \??\l: | bhzkyluf.exe
File opened (read-only) | \??\g: | lvvaihqyul.exe
File opened (read-only) | \??\s: | lvvaihqyul.exe
File opened (read-only) | \??\v: | bhzkyluf.exe
File opened (read-only) | \??\v: | lvvaihqyul.exe
File opened (read-only) | \??\q: | bhzkyluf.exe
File opened (read-only) | \??\t: | bhzkyluf.exe
File opened (read-only) | \??\a: | bhzkyluf.exe
File opened (read-only) | \??\o: | bhzkyluf.exe
File opened (read-only) | \??\q: | bhzkyluf.exe
File opened (read-only) | \??\g: | bhzkyluf.exe
File opened (read-only) | \??\i: | lvvaihqyul.exe
File opened (read-only) | \??\h: | bhzkyluf.exe
File opened (read-only) | \??\t: | bhzkyluf.exe
File opened (read-only) | \??\y: | bhzkyluf.exe
File opened (read-only) | \??\k: | lvvaihqyul.exe
File opened (read-only) | \??\x: | lvvaihqyul.exe
File opened (read-only) | \??\i: | bhzkyluf.exe
File opened (read-only) | \??\u: | lvvaihqyul.exe
File opened (read-only) | \??\m: | bhzkyluf.exe
File opened (read-only) | \??\m: | lvvaihqyul.exe
File opened (read-only) | \??\z: | lvvaihqyul.exe
File opened (read-only) | \??\k: | bhzkyluf.exe
File opened (read-only) | \??\p: | bhzkyluf.exe
File opened (read-only) | \??\j: | lvvaihqyul.exe
File opened (read-only) | \??\a: | lvvaihqyul.exe
File opened (read-only) | \??\n: | lvvaihqyul.exe
File opened (read-only) | \??\t: | lvvaihqyul.exe
File opened (read-only) | \??\j: | bhzkyluf.exe
File opened (read-only) | \??\v: | bhzkyluf.exe
File opened (read-only) | \??\b: | bhzkyluf.exe
File opened (read-only) | \??\u: | bhzkyluf.exe
File opened (read-only) | \??\z: | bhzkyluf.exe
File opened (read-only) | \??\r: | bhzkyluf.exe
File opened (read-only) | \??\e: | bhzkyluf.exe
File opened (read-only) | \??\b: | lvvaihqyul.exe
File opened (read-only) | \??\y: | lvvaihqyul.exe
File opened (read-only) | \??\x: | bhzkyluf.exe
File opened (read-only) | \??\e: | bhzkyluf.exe
File opened (read-only) | \??\g: | bhzkyluf.exe
File opened (read-only) | \??\o: | bhzkyluf.exe
File opened (read-only) | \??\a: | bhzkyluf.exe
File opened (read-only) | \??\b: | bhzkyluf.exe
File opened (read-only) | \??\j: | bhzkyluf.exe
File opened (read-only) | \??\x: | bhzkyluf.exe
File opened (read-only) | \??\o: | lvvaihqyul.exe
File opened (read-only) | \??\m: | bhzkyluf.exe
File opened (read-only) | \??\q: | lvvaihqyul.exe
File opened (read-only) | \??\k: | bhzkyluf.exe
File opened (read-only) | \??\i: | bhzkyluf.exe
File opened (read-only) | \??\l: | bhzkyluf.exe
File opened (read-only) | \??\n: | bhzkyluf.exe
File opened (read-only) | \??\u: | bhzkyluf.exe
File opened (read-only) | \??\z: | bhzkyluf.exe
File opened (read-only) | \??\r: | bhzkyluf.exe
File opened (read-only) | \??\p: | lvvaihqyul.exe
File opened (read-only) | \??\r: | lvvaihqyul.exe
File opened (read-only) | \??\n: | bhzkyluf.exe
File opened (read-only) | \??\w: | bhzkyluf.exe
File opened (read-only) | \??\h: | lvvaihqyul.exe
Modifies WinLogon (2 TTPs, 2 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | lvvaihqyul.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | lvvaihqyul.exe
AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.

resource | yara_rule
behavioral2/memory/4180-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023238-43.dat | autoit_exe
behavioral2/files/0x0007000000023234-23.dat | autoit_exe
behavioral2/files/0x00020000000227b5-77.dat | autoit_exe
behavioral2/files/0x0007000000023231-18.dat | autoit_exe
behavioral2/files/0x0007000000023234-5.dat | autoit_exe
behavioral2/files/0x00080000000231cd-95.dat | autoit_exe
Drops file in System32 directory (13 IoCs)

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\lvvaihqyul.exe | Process not Found
File created | C:\Windows\SysWOW64\ugfhltjvqbvgujn.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\ugfhltjvqbvgujn.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lvvaihqyul.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | C:\Windows\SysWOW64\lvvaihqyul.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\cfviuwtobndxl.exe | Process not Found
File created | C:\Windows\SysWOW64\bhzkyluf.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\bhzkyluf.exe | Process not Found
File created | C:\Windows\SysWOW64\cfviuwtobndxl.exe | Process not Found
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | bhzkyluf.exe
Drops file in Program Files directory (14 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bhzkyluf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bhzkyluf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bhzkyluf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bhzkyluf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bhzkyluf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bhzkyluf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | bhzkyluf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | bhzkyluf.exe
Drops file in Windows directory (19 IoCs)

description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | C:\Windows\mydoc.rtf | Process not Found
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bhzkyluf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | bhzkyluf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | bhzkyluf.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCFFACAF96BF191837C3A4586EA3E97B38E028F4215033EE2CB42EA08A4" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | lvvaihqyul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | lvvaihqyul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFFF84F268518903DD6207E91BDE2E130593267436236D798" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668B3FE6E21ACD273D1D68B7E9114" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77B1593DAC5B9C07FE4ED9534BD" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | lvvaihqyul.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | lvvaihqyul.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D7E9D5683276A3576A777272DD77CF464AC" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B15B44E439E952BEBAA533E9D7B9" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | lvvaihqyul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | lvvaihqyul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | lvvaihqyul.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | lvvaihqyul.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | lvvaihqyul.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | lvvaihqyul.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | lvvaihqyul.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | lvvaihqyul.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

pid | Process
4748 | WINWORD.EXE
4748 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3248 | ugfhltjvqbvgujn.exe
3248 | ugfhltjvqbvgujn.exe
3248 | ugfhltjvqbvgujn.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
3248 | ugfhltjvqbvgujn.exe
3248 | ugfhltjvqbvgujn.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
Suspicious use of FindShellTrayWindow (18 IoCs)

pid | Process
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
4780 | bhzkyluf.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
Suspicious use of SendNotifyMessage (18 IoCs)

pid | Process
4180 | Process not Found
4180 | Process not Found
4180 | Process not Found
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
3240 | lvvaihqyul.exe
3248 | ugfhltjvqbvgujn.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4780 | bhzkyluf.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
4852 | cfviuwtobndxl.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
3732 | bhzkyluf.exe
Suspicious use of SetWindowsHookEx (7 IoCs)

pid | Process
4748 | WINWORD.EXE
4748 | WINWORD.EXE
4748 | WINWORD.EXE
4748 | WINWORD.EXE
4748 | WINWORD.EXE
4748 | WINWORD.EXE
4748 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)

description | pid | Process | procid_target
PID 4180 wrote to memory of 3240 | 4180 | Process not Found | 21
PID 4180 wrote to memory of 3240 | 4180 | Process not Found | 21
PID 4180 wrote to memory of 3240 | 4180 | Process not Found | 21
PID 4180 wrote to memory of 3248 | 4180 | Process not Found | 32
PID 4180 wrote to memory of 3248 | 4180 | Process not Found | 32
PID 4180 wrote to memory of 3248 | 4180 | Process not Found | 32
PID 4180 wrote to memory of 4780 | 4180 | Process not Found | 29
PID 4180 wrote to memory of 4780 | 4180 | Process not Found | 29
PID 4180 wrote to memory of 4780 | 4180 | Process not Found | 29
PID 4180 wrote to memory of 4852 | 4180 | Process not Found | 27
PID 4180 wrote to memory of 4852 | 4180 | Process not Found | 27
PID 4180 wrote to memory of 4852 | 4180 | Process not Found | 27
PID 4180 wrote to memory of 4748 | 4180 | Process not Found | 23
PID 4180 wrote to memory of 4748 | 4180 | Process not Found | 23
PID 3240 wrote to memory of 3732 | 3240 | lvvaihqyul.exe | 24
PID 3240 wrote to memory of 3732 | 3240 | lvvaihqyul.exe | 24
PID 3240 wrote to memory of 3732 | 3240 | lvvaihqyul.exe | 24
Processes

- C:\Users\Admin\AppData\Local\Temp\15ab0a725fb6a659909cc1faf2600910.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\15ab0a725fb6a659909cc1faf2600910.exe"
  PID: 4180

  - C:\Windows\SysWOW64\lvvaihqyul.exe
    Command line: lvvaihqyul.exe
    PID: 3240
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\bhzkyluf.exe
      Command line: C:\Windows\system32\bhzkyluf.exe
      PID: 3732
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4748
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  - C:\Windows\SysWOW64\cfviuwtobndxl.exe
    Command line: cfviuwtobndxl.exe
    PID: 4852
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\bhzkyluf.exe
    Command line: bhzkyluf.exe
    PID: 4780
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  - C:\Windows\SysWOW64\ugfhltjvqbvgujn.exe
    Command line: ugfhltjvqbvgujn.exe
    PID: 3248
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

- Filesize: 512KB
  MD5: 4f0aeb066d669139ea4a9f51203710f8
  SHA1: 55f7922d399bcc23b7f017d1dde0c1d9570731d1
  SHA256: f81e2e5fe5cb8cdcc2c3c4fd9e80df0e0cb3e4a42ac467fc57645cc046ea1eae
  SHA512: fa6cf111619a70763f82adb354e42fdaa88c7d03467eee5bbedc700f179591773c08b0d48ea8c3ea2194ccbd9ce02d4fea2369b7108ec42dd99b087aae0bcade

- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: c968e8924e1d7c7c1094a05bb4dfd172
  SHA1: b6a5883f20b1717d51415e9ae2f888ca8e8e066b
  SHA256: 5226ec930687229a53fbba0177aa0d8b8e4196f4f5f2179dc8cca0e3b4c3a955
  SHA512: 83b1853845bd2a00cb425b694fa9fad755f42f9c0be9e868f41ce9df78dc16eaa84ada930745da94444d989652268715c8d1442928abb535e3695fe64d8c0f5d

- Filesize: 512KB
  MD5: 1936223300c6671f0c94f423bb81c1cb
  SHA1: 93936837be52cb592dca38c1ddafcd4927e0bf95
  SHA256: 41e3bc322368cb46404868bb14d38406da990159deec67949fbf57a695a0bb59
  SHA512: be2c03325d6e85525bd19207dae9d51181e7deac3c08db96cb8b75532857faa8cf883f78b9c5540d4e5c60d3a2bf72ff060931b8a1174ad5485f726a9477bcdb

- Filesize: 381KB
  MD5: 30aec9e0b33fbd99234328357879f812
  SHA1: 3c9d37139d4ccfe2b694afba9633170d0f510a92
  SHA256: 15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
  SHA512: 2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

- Filesize: 92KB
  MD5: 59ebf1358a9b829f5709baaedeeee6fa
  SHA1: 1409fd65da1b814db0a08feae54366dfca196f1c
  SHA256: d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06
  SHA512: a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

- Filesize: 94KB
  MD5: adf240d1843e40ab9617e9dc12bc9b5b
  SHA1: 70923ac6636077728d2721b22d312002f735deea
  SHA256: f53d3e249050f489475559b9c39548a2afb7157dbd9e87551ef5349fa76ccb62
  SHA512: e2aec62114f1f6b5e94e0888efc2758e284835e0099abbfd3dd80cf3500a1e0d628c3ecb66b6b48fe051327746af38f2e953e1f816819c6b18126212621e7ccd

- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

- Filesize: 512KB
  MD5: 122e0d7f428c2d7c98733524c85975af
  SHA1: 2ac439e5732a4c0b33440fe3fb96e1f8ac8d0fa1
  SHA256: b59cc85cc7a7ee5f1f97db0e343a03c32bb1c076127a28bb875f4e8fe9136821
  SHA512: 00621003896bad55221d651f8bf69d5a535aedabf085d8329913d61e3a93b3e6d59da6aa6a6e186120b10aafdcc7d465ff7da4fb6d4d63e1d4e26fd8f2b1de09