Analysis
max time kernel: 158s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
  Resource: win10v2004-20231215-en
General
Target: 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Size: 512KB
MD5: 4649ca4d0e4bef77de0ec1b6bcbc8731
SHA1: 35723a8b9712b244de3c0e418d061bb9c9195adb
SHA256: a28a251fa493872079dc0d9cac5f66c363641544b8b0ec297ce3f5d71514a129
SHA512: 303b701c65f05a19eadeff371853ffbf0376b0b7fd8ca4df6c4f5f587f25fb68c6b8f2c8786b4dd597d15f172a2a3995f10dac3a2221ad8d365d85fadf784664
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mmbwyysway.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mmbwyysway.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mmbwyysway.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mmbwyysway.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Executes dropped EXE 5 IoCs
pid | Process
1072 | mmbwyysway.exe
324 | dnmhvwudkppqjgj.exe
1304 | wzydropc.exe
1528 | kmbaahdulriri.exe
3092 | wzydropc.exe
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mmbwyysway.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuropolf = "mmbwyysway.exe" | dnmhvwudkppqjgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxdactli = "dnmhvwudkppqjgj.exe" | dnmhvwudkppqjgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kmbaahdulriri.exe" | dnmhvwudkppqjgj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mmbwyysway.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mmbwyysway.exe
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1512-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000500000001e7e2-5.dat | autoit_exe
behavioral2/files/0x000300000001e7e7-18.dat | autoit_exe
behavioral2/files/0x000300000001e7e9-26.dat | autoit_exe
behavioral2/files/0x000200000001e7ea-31.dat | autoit_exe
behavioral2/files/0x0017000000018133-56.dat | autoit_exe
behavioral2/files/0x001500000001da2d-61.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File created | C:\Windows\SysWOW64\wzydropc.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File created | C:\Windows\SysWOW64\kmbaahdulriri.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File created | C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File opened for modification | C:\Windows\SysWOW64\mmbwyysway.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File opened for modification | C:\Windows\SysWOW64\wzydropc.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File opened for modification | C:\Windows\SysWOW64\kmbaahdulriri.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mmbwyysway.exe
File created | C:\Windows\SysWOW64\mmbwyysway.exe | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wzydropc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wzydropc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wzydropc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wzydropc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wzydropc.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wzydropc.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0C9C5282586D3577A077252DD97D8F65AB" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FABAF960F191840F3A46819E3995B0FB038D42680238E1C442E708A0" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mmbwyysway.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mmbwyysway.exe
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mmbwyysway.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mmbwyysway.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C77915E6DAC5B8BE7FE0ED9234B9" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFF8A485D85699140D72F7D91BC93E1475845674E6245D79D" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668B0FF6621AED10BD0A18A759117" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mmbwyysway.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mmbwyysway.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02044E7399F52CCBADD33EED7C5" | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3348 | WINWORD.EXE
3348 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 19 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
3348 | WINWORD.EXE
3348 | WINWORD.EXE
3348 | WINWORD.EXE
3348 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1512 wrote to memory of 1072 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 93
PID 1512 wrote to memory of 1072 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 93
PID 1512 wrote to memory of 1072 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 93
PID 1512 wrote to memory of 324 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 94
PID 1512 wrote to memory of 324 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 94
PID 1512 wrote to memory of 324 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 94
PID 1512 wrote to memory of 1304 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 95
PID 1512 wrote to memory of 1304 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 95
PID 1512 wrote to memory of 1304 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 95
PID 1512 wrote to memory of 1528 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 96
PID 1512 wrote to memory of 1528 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 96
PID 1512 wrote to memory of 1528 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 96
PID 1072 wrote to memory of 3092 | 1072 | mmbwyysway.exe | 98
PID 1072 wrote to memory of 3092 | 1072 | mmbwyysway.exe | 98
PID 1072 wrote to memory of 3092 | 1072 | mmbwyysway.exe | 98
PID 1512 wrote to memory of 3348 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 100
PID 1512 wrote to memory of 3348 | 1512 | 4649ca4d0e4bef77de0ec1b6bcbc8731.exe | 100
Processes
C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4649ca4d0e4bef77de0ec1b6bcbc8731.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1512

  C:\Windows\SysWOW64\mmbwyysway.exe
    Command line: mmbwyysway.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1072

    C:\Windows\SysWOW64\wzydropc.exe
      Command line: C:\Windows\system32\wzydropc.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 3092

  C:\Windows\SysWOW64\dnmhvwudkppqjgj.exe
    Command line: dnmhvwudkppqjgj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 324

  C:\Windows\SysWOW64\wzydropc.exe
    Command line: wzydropc.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1304

  C:\Windows\SysWOW64\kmbaahdulriri.exe
    Command line: kmbaahdulriri.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1528

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3348
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads