Analysis
max time kernel: 10s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 15:07
Static task: static1
Behavioral task: behavioral1
  Sample: 9ca4427a910e9f15fc2a87757cd871b6.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9ca4427a910e9f15fc2a87757cd871b6.exe
  Resource: win10v2004-20231222-en
General
Target: 9ca4427a910e9f15fc2a87757cd871b6.exe
Size: 512KB
MD5: 9ca4427a910e9f15fc2a87757cd871b6
SHA1: e32d9df9ccb1ccdb5b8f345b880c46de84160c14
SHA256: 8d0ab5f2c2d326b874b9def3652767889e524e5c645c6c73848d4eb736441272
SHA512: 4560e5750edf7a883a0985af4a58d05f6e11d635ba5bc79686f98b77cfc52294db10e7b612f080c0183fa03680b74c37b338992496459360041831a3342b6a54
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" alqbmdgpas.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" alqbmdgpas.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" alqbmdgpas.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" alqbmdgpas.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation 9ca4427a910e9f15fc2a87757cd871b6.exe
Executes dropped EXE 5 IoCs
pid Process
528 alqbmdgpas.exe
1188 kxjenevdtsylbtp.exe
1592 dkdvyjda.exe
2668 wwzjzvpyeixkt.exe
2408 dkdvyjda.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" alqbmdgpas.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxmlnlmt = "alqbmdgpas.exe" kxjenevdtsylbtp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\euuxqwsv = "kxjenevdtsylbtp.exe" kxjenevdtsylbtp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wwzjzvpyeixkt.exe" kxjenevdtsylbtp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\v: alqbmdgpas.exe
File opened (read-only) \??\l: dkdvyjda.exe
File opened (read-only) \??\p: dkdvyjda.exe
File opened (read-only) \??\l: alqbmdgpas.exe
File opened (read-only) \??\i: dkdvyjda.exe
File opened (read-only) \??\p: dkdvyjda.exe
File opened (read-only) \??\a: dkdvyjda.exe
File opened (read-only) \??\t: dkdvyjda.exe
File opened (read-only) \??\y: dkdvyjda.exe
File opened (read-only) \??\g: dkdvyjda.exe
File opened (read-only) \??\j: dkdvyjda.exe
File opened (read-only) \??\p: alqbmdgpas.exe
File opened (read-only) \??\o: dkdvyjda.exe
File opened (read-only) \??\k: dkdvyjda.exe
File opened (read-only) \??\n: dkdvyjda.exe
File opened (read-only) \??\v: dkdvyjda.exe
File opened (read-only) \??\n: alqbmdgpas.exe
File opened (read-only) \??\e: dkdvyjda.exe
File opened (read-only) \??\k: dkdvyjda.exe
File opened (read-only) \??\h: dkdvyjda.exe
File opened (read-only) \??\t: dkdvyjda.exe
File opened (read-only) \??\u: alqbmdgpas.exe
File opened (read-only) \??\i: dkdvyjda.exe
File opened (read-only) \??\w: dkdvyjda.exe
File opened (read-only) \??\h: alqbmdgpas.exe
File opened (read-only) \??\j: alqbmdgpas.exe
File opened (read-only) \??\j: dkdvyjda.exe
File opened (read-only) \??\q: dkdvyjda.exe
File opened (read-only) \??\x: dkdvyjda.exe
File opened (read-only) \??\n: dkdvyjda.exe
File opened (read-only) \??\g: dkdvyjda.exe
File opened (read-only) \??\s: dkdvyjda.exe
File opened (read-only) \??\a: alqbmdgpas.exe
File opened (read-only) \??\b: alqbmdgpas.exe
File opened (read-only) \??\m: alqbmdgpas.exe
File opened (read-only) \??\q: alqbmdgpas.exe
File opened (read-only) \??\y: alqbmdgpas.exe
File opened (read-only) \??\x: dkdvyjda.exe
File opened (read-only) \??\e: dkdvyjda.exe
File opened (read-only) \??\u: dkdvyjda.exe
File opened (read-only) \??\e: alqbmdgpas.exe
File opened (read-only) \??\s: alqbmdgpas.exe
File opened (read-only) \??\a: dkdvyjda.exe
File opened (read-only) \??\h: dkdvyjda.exe
File opened (read-only) \??\z: dkdvyjda.exe
File opened (read-only) \??\q: dkdvyjda.exe
File opened (read-only) \??\r: dkdvyjda.exe
File opened (read-only) \??\y: dkdvyjda.exe
File opened (read-only) \??\i: alqbmdgpas.exe
File opened (read-only) \??\l: dkdvyjda.exe
File opened (read-only) \??\s: dkdvyjda.exe
File opened (read-only) \??\u: dkdvyjda.exe
File opened (read-only) \??\b: dkdvyjda.exe
File opened (read-only) \??\k: alqbmdgpas.exe
File opened (read-only) \??\v: dkdvyjda.exe
File opened (read-only) \??\m: dkdvyjda.exe
File opened (read-only) \??\z: dkdvyjda.exe
File opened (read-only) \??\g: alqbmdgpas.exe
File opened (read-only) \??\t: alqbmdgpas.exe
File opened (read-only) \??\b: dkdvyjda.exe
File opened (read-only) \??\m: dkdvyjda.exe
File opened (read-only) \??\w: dkdvyjda.exe
File opened (read-only) \??\o: dkdvyjda.exe
File opened (read-only) \??\r: alqbmdgpas.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" alqbmdgpas.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" alqbmdgpas.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/5108-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x0007000000023232-5.dat autoit_exe
behavioral2/files/0x000700000002322f-19.dat autoit_exe
behavioral2/files/0x0006000000023236-29.dat autoit_exe
behavioral2/files/0x0006000000023237-32.dat autoit_exe
behavioral2/files/0x0006000000023236-42.dat autoit_exe
behavioral2/files/0x000400000002271f-82.dat autoit_exe
behavioral2/files/0x0007000000023247-87.dat autoit_exe
behavioral2/files/0x0007000000023247-101.dat autoit_exe
Drops file in System32 directory 13 IoCs
description ioc Process
File created C:\Windows\SysWOW64\wwzjzvpyeixkt.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe dkdvyjda.exe
File opened for modification C:\Windows\SysWOW64\alqbmdgpas.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File opened for modification C:\Windows\SysWOW64\dkdvyjda.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File opened for modification C:\Windows\SysWOW64\wwzjzvpyeixkt.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll alqbmdgpas.exe
File created C:\Windows\SysWOW64\alqbmdgpas.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File created C:\Windows\SysWOW64\dkdvyjda.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe dkdvyjda.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe dkdvyjda.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe dkdvyjda.exe
File created C:\Windows\SysWOW64\kxjenevdtsylbtp.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
File opened for modification C:\Windows\SysWOW64\kxjenevdtsylbtp.exe 9ca4427a910e9f15fc2a87757cd871b6.exe
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal dkdvyjda.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe dkdvyjda.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal dkdvyjda.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe dkdvyjda.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal dkdvyjda.exe
Drops file in Windows directory 3 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 9ca4427a910e9f15fc2a87757cd871b6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFB4F2A851B9032D6217E95BCE4E1375937664F6335D690" 9ca4427a910e9f15fc2a87757cd871b6.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs alqbmdgpas.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg alqbmdgpas.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" alqbmdgpas.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc alqbmdgpas.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" alqbmdgpas.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 9ca4427a910e9f15fc2a87757cd871b6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C0F9D5783226A3176D470212DDE7D8F65DA" 9ca4427a910e9f15fc2a87757cd871b6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C77414E7DBB3B9BC7FE3ECE437CF" 9ca4427a910e9f15fc2a87757cd871b6.exe
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings 9ca4427a910e9f15fc2a87757cd871b6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B1214795389D52BEBAA732EAD7BC" 9ca4427a910e9f15fc2a87757cd871b6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" alqbmdgpas.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEF9BCF967F1E5837E3B44819D3995B38B038C4261034CE1CC459D09D1" 9ca4427a910e9f15fc2a87757cd871b6.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268C4FE6921ABD27ED0A28A749011" 9ca4427a910e9f15fc2a87757cd871b6.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh alqbmdgpas.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
2196 WINWORD.EXE
2196 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2668 wwzjzvpyeixkt.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
5108 9ca4427a910e9f15fc2a87757cd871b6.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
528 alqbmdgpas.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1592 dkdvyjda.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
1188 kxjenevdtsylbtp.exe
2668 wwzjzvpyeixkt.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
2408 dkdvyjda.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
2196 WINWORD.EXE
2196 WINWORD.EXE
2196 WINWORD.EXE
2196 WINWORD.EXE
2196 WINWORD.EXE
2196 WINWORD.EXE
2196 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 5108 wrote to memory of 528 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 89
PID 5108 wrote to memory of 528 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 89
PID 5108 wrote to memory of 528 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 89
PID 5108 wrote to memory of 1188 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 92
PID 5108 wrote to memory of 1188 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 92
PID 5108 wrote to memory of 1188 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 92
PID 5108 wrote to memory of 1592 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 90
PID 5108 wrote to memory of 1592 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 90
PID 5108 wrote to memory of 1592 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 90
PID 5108 wrote to memory of 2668 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 91
PID 5108 wrote to memory of 2668 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 91
PID 5108 wrote to memory of 2668 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 91
PID 5108 wrote to memory of 2196 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 94
PID 5108 wrote to memory of 2196 5108 9ca4427a910e9f15fc2a87757cd871b6.exe 94
PID 528 wrote to memory of 2408 528 alqbmdgpas.exe 96
PID 528 wrote to memory of 2408 528 alqbmdgpas.exe 96
PID 528 wrote to memory of 2408 528 alqbmdgpas.exe 96
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\9ca4427a910e9f15fc2a87757cd871b6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9ca4427a910e9f15fc2a87757cd871b6.exe"
  PID: 5108
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\alqbmdgpas.exe
    Command line: alqbmdgpas.exe
    PID: 528
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\dkdvyjda.exe
      Command line: C:\Windows\system32\dkdvyjda.exe
      PID: 2408
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  Depth 2: C:\Windows\SysWOW64\dkdvyjda.exe
    Command line: dkdvyjda.exe
    PID: 1592
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Depth 2: C:\Windows\SysWOW64\wwzjzvpyeixkt.exe
    Command line: wwzjzvpyeixkt.exe
    PID: 2668
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Depth 2: C:\Windows\SysWOW64\kxjenevdtsylbtp.exe
    Command line: kxjenevdtsylbtp.exe
    PID: 1188
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Depth 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2196
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 091062a5ebfbbea5fc23f651f926db51
  SHA1: bc73041a7314b3b92d33bb67f712ff69ff6d4440
  SHA256: e721b437ff22ff25b57a2235c78086c7b4bf11dded16ba83e8cc844b44e575e0
  SHA512: 339e3fb367b5c8b47548baf9a3433c57d3744ac43e934b4c1274fffb6f12d4fc0db8f93731215d3becec6ffd3160ed4223c3f76dd6cc91b819efab838c08d7e5
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 9346be0f415a51d4a2f6e7ae5541c011
  SHA1: 888061c933b92038550297fc75fd5d301a650ef4
  SHA256: b525f2d7879c76ca1a91241d9c75ac76718e7c094ef87a629d006dd5ae780aab
  SHA512: 4cd250fdc70148b2b907819b34dcb759f1d306ec4b59c259712d6137b6bdf571437b4c5849abb5ecf17ee31e92c69ec1d02e763a78eaa91af80692e573d57fca
(unnamed file)
  Filesize: 385KB
  MD5: 279a2620e67ba2860803639715d616fb
  SHA1: 2d61471cafcc1c2fb06dd6ac75396f9e7c856f52
  SHA256: 399ca40a278578c7b9ec69d047c914ea58fcd007d6703c4fcd3db2a892a016f1
  SHA512: bd2c40f12ad56957ec0c184c0f84fcaeed8bf39efd985fe14130e93f0ac568fc578d215defa208a168b171a5947dd0d0de5b5c46f304b5e9c3b6d377e5438a69
(unnamed file)
  Filesize: 512KB
  MD5: de97bc8590a44c98ade0dd18e3643ae5
  SHA1: fe5fb02b9122477038b9d847b2042ecf4c1f17af
  SHA256: bec89692dc8ed0dabbd318c3bdf2773056d5160a3740f5edee11ef65cbb426bc
  SHA512: 6652b9914177b170feed54b73ccf40d2e6b1571f80e1576c68cfa0b082c9cd80a973b91cf086d21b13abb1387f59d85584963122357a8af36c310a7b1ef2d8e4
(unnamed file)
  Filesize: 512KB
  MD5: 504526abc61d50a2f015984435464eb6
  SHA1: e68f20f758905ee31d7df479f7135d4b7d027cee
  SHA256: 5ea8b868d7f984338b72dd63fcbf827a48ee47587eef6446db24e0e8f4b21236
  SHA512: c41bb963ed2a77233ecee4e670e15de24807fda0aed1e125c87d56922098857a1313f95844393ac72c4f77b2826dfa48bb4d6cac042af632ddf3d3d121b033fb
(unnamed file)
  Filesize: 512KB
  MD5: dfdfcc7c470357d4f0d27a27af8bb28f
  SHA1: 5db4db70ca6dc381243c9376c0103b4fb381821e
  SHA256: f7c0b9198f11db36d04345fb816fe181705dab83e8112e6a29a57170a5b9f537
  SHA512: 0bf2654dc52e607c493368c094658f855579134ea1ec7d95981b1126260f7de130388fc44de28973398afd7f14f84ca38331fab5b45c778d584a7ff4f4b8466f
(unnamed file)
  Filesize: 512KB
  MD5: cfc59823390b09d0d117fcc15c7e556a
  SHA1: 4307dda93561aee55f2ff54bababd3e4284c5dec
  SHA256: 6aceb413f942574c06480086901917c97942db7df513b1c6847e8575b2fb9090
  SHA512: 1b777cf06d5eeed34d32e7c4416a44109ec178b629932f3e3b8b0921e0e8acfd9a0b0f67272ae68717cb6cb004738b2ca6319a82ac2294d2c6ec8da83fc8b3dc
(unnamed file)
  Filesize: 512KB
  MD5: 381a4c33cd1c23fa5551ba5317fda3e0
  SHA1: ec1e5a0d91c8fb206bd4224506a8c6226b2eafbb
  SHA256: 43894cede7446ae740277825d74edd9a11771ff5786b862eafff0b3a970f77a8
  SHA512: 5c0449096fa51f42591d3b7c85c9f397c2b33addaf80d7d8ba975cc52661f561bd194dadf61d77d54f162b3f6b0bcdd055058d2a6c12003203b4d63f1228de9b
(unnamed file)
  Filesize: 512KB
  MD5: 212e62d36c1442714112545cba5cd367
  SHA1: 202a6722c7184fd0ab107de49e14e04173e3ca8e
  SHA256: 8a60e6f7a8541c4d217ef42966ee52fa354ca73bc8f696971e1d5fe02492722e
  SHA512: 5e269c07c03dfdc820c539285807cab8602d3ab2539c595786a4fc285237fb687b05382d83bc018ffdffdbbc35dd76c5d66d0afe36a2592a30bb40234d82b2e0