Analysis

max time kernel: 162s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-01-2024 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 45b5f66f35a83b37e94c3c6e634938e5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 45b5f66f35a83b37e94c3c6e634938e5.exe
  Resource: win10v2004-20231215-en

The signatures, process tree and memory references below come from behavioral2 (the win10v2004 x64 run); the win7 task is not shown on this page.
General

Target: 45b5f66f35a83b37e94c3c6e634938e5.exe
Size: 512KB
MD5: 45b5f66f35a83b37e94c3c6e634938e5
SHA1: e53a167d1bd7f8ff5496b6d637c7de712ab20bed
SHA256: d97e4e4578b009a7c9c30b05773877f833fd4557f844cf68e2b2e177c8a2c07d
SHA512: 6806d8b80b450d195c6e21a65e88f68670a5010e15fdaa035434bf250ee1f60da6e7189cea85fd58787a8a6128f537d243c2a787fdc912eeaee06fb3f6a7a143
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures

Each IoC row below is shown as: operation, registry path (or file path) and data, then the process that performed it.

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (anvifeymzj.exe)
  HideFileExt=1 is also the out-of-box default, so this write re-asserts it rather than changes it. With it set, Explorer drops the final extension of known types, so the PROTTPLV.DOC.exe and PROTTPLN.DOC.exe files dropped later in this run are listed as PROTTPLV.DOC and PROTTPLN.DOC.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (anvifeymzj.exe)

Windows security bypass (5 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (anvifeymzj.exe)
  Caveat: the dropped binaries are 32-bit (they live in SysWOW64 and the task is tagged arch:x86), so their writes to HKLM\SOFTWARE\Microsoft\Security Center are redirected under WOW6432Node. The 64-bit Security Center service reads the native key, so on this x64 target these redirected writes are unlikely to change its state; on a 32-bit Windows install they would land in the live key. Either way the WOW6432Node values are a clean host IoC.

Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (anvifeymzj.exe)
  This is the per-user policy that makes regedit.exe refuse to start for that account, which hinders manual cleanup of the persistence and file-association changes listed below.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation  (45b5f66f35a83b37e94c3c6e634938e5.exe)
Executes dropped EXE (5 IoCs)
  PID 4328  anvifeymzj.exe
  PID 1148  owoxudbairwthve.exe
  PID 4024  mhaonbgm.exe
  PID 2352  ckxxfzsjhfqpi.exe
  PID 3608  mhaonbgm.exe

Windows security modification (6 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (anvifeymzj.exe)
  These are the same Security Center values as in "Windows security bypass" plus FirstRunDisabled; the same WOW6432Node caveat applies.

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqnqhxwp = "anvifeymzj.exe"  (owoxudbairwthve.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\akllleey = "owoxudbairwthve.exe"  (owoxudbairwthve.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ckxxfzsjhfqpi.exe"  (owoxudbairwthve.exe)
  The third entry is written to the Run key's default (unnamed) value. All three hold bare file names with no directory; the dropped files sit in C:\Windows\SysWOW64 (where a 32-bit writer's C:\Windows\system32 is redirected), so whether they resolve at logon depends on the search path of the process that evaluates the Run key. Persistence is written by owoxudbairwthve.exe, not by the binary it points to, so a detection keyed only on self-registration would miss it.
Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 IoCs are "File opened (read-only) \??\<letter>:" probes, summarised here by process:
  anvifeymzj.exe (PID 4328): 22 opens, one each for a: b: e: g: h: i: j: k: l: m: n: o: p: q: s: t: u: v: w: x: y: z:
  mhaonbgm.exe (PIDs 4024 and 3608): 42 opens covering a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (g: k: l: q: once, every other letter twice, consistent with the two instances in the process tree each walking the drive letters)
  Neither process probes c:, d: or f:.
Modifies WinLogon (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  (anvifeymzj.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  (anvifeymzj.exe)
  The sandbox prints DWORDs as unsigned decimal: 4294967197 is 0xFFFFFF9D (signed -99), the Windows 2000-era value used to switch off Windows File Protection. Windows 10 uses Windows Resource Protection instead, so the write is not expected to have any effect on this target, but its presence under Winlogon is a reliable host IoC.
AutoIT Executable (6 IoCs)
  AutoIT scripts compiled to PE executables.
  yara_rule autoit_exe matched:
    behavioral2/memory/4216-0-0x0000000000400000-0x0000000000496000-memory.dmp  (image of PID 4216, the submitted sample)
    behavioral2/files/0x000400000001e7f3-9.dat
    behavioral2/files/0x000400000001e7f2-18.dat
    behavioral2/files/0x000600000001e7ed-22.dat
    behavioral2/files/0x000200000001e7f4-32.dat
    behavioral2/files/0x000200000001e7fb-64.dat
Drops file in System32 directory (9 IoCs)
  File created                 C:\Windows\SysWOW64\anvifeymzj.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File opened for modification C:\Windows\SysWOW64\anvifeymzj.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File created                 C:\Windows\SysWOW64\owoxudbairwthve.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File opened for modification C:\Windows\SysWOW64\owoxudbairwthve.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File created                 C:\Windows\SysWOW64\mhaonbgm.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File opened for modification C:\Windows\SysWOW64\mhaonbgm.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File created                 C:\Windows\SysWOW64\ckxxfzsjhfqpi.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File opened for modification C:\Windows\SysWOW64\ckxxfzsjhfqpi.exe  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  File opened for modification C:\Windows\SysWOW64\msvbvm60.dll  (anvifeymzj.exe)
  The four dropped executables land in SysWOW64 because the 32-bit sample's writes to C:\Windows\system32 are redirected by the file-system redirector; the process tree below shows the same redirection on the command line C:\Windows\system32\mhaonbgm.exe.
Drops file in Program Files directory (15 IoCs)
  All 15 operations are by mhaonbgm.exe in C:\Program Files\Microsoft Office\root\Office16\1033\ (the sandbox logs some of them in the NT-native form \??\c:\..., which is the same location):
    PROTTPLV.DOC.exe  created 1 time, opened for modification 4 times
    PROTTPLN.DOC.exe  created 2 times, opened for modification 4 times
    PROTTPLV.nal      opened for modification 2 times
    PROTTPLN.nal      opened for modification 2 times
  The .DOC.exe names are executables with a document-looking inner extension, placed beside Office's own template files; with HideFileExt=1 (set earlier by anvifeymzj.exe) Explorer shows them as PROTTPLV.DOC and PROTTPLN.DOC. The report does not say what the matching .nal files contain.

Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\mydoc.rtf  (45b5f66f35a83b37e94c3c6e634938e5.exe)
  This is the document the sample then opens in WINWORD.EXE (see the process tree).
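The HideFileExt write and the .DOC.exe drops beside Office's templates go together: once extensions are hidden, PROTTPLV.DOC.exe is listed as PROTTPLV.DOC. The following Python hunt is an added example written for this page; it is not code from the sandbox or from the sample. It reproduces Explorer's display rule, scans a file listing for document-lookalike executables, and reports whether a same-named .nal file sits next to each one (the report shows PROTTPLV.nal and PROTTPLN.nal opened for modification alongside the drops but does not say what they hold, so the sibling is only flagged). The listing is constructed from the paths in this report plus one benign user file; `scan_tree` runs the same check over a real directory.

```python
"""Hunt for document-lookalike executables (NAME.DOC.exe and similar) in a file
listing and show what Explorer displays for them when HideFileExt=1.
Added example for this page; not part of the sandbox report or the sample."""
from __future__ import annotations
import os

# Extensions a user reads as "a document" and as "a program". Extend as needed.
DOC_EXTS = {"doc", "docx", "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}

# Constructed listing: paths taken from the report's "Drops file in Program
# Files directory" and "Drops file in Windows directory" tables, plus one
# benign user file. "\??\" is the NT-native prefix the sandbox sometimes logs.
LISTING = [
    r"\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal",
    r"C:\Windows\mydoc.rtf",
    r"C:\Windows\SysWOW64\anvifeymzj.exe",
    r"C:\Users\Admin\Documents\budget.xlsx",
]


def split_path(path: str) -> tuple[str, str]:
    """Return (directory, file name), dropping the NT-native "\\??\\" prefix."""
    if path.startswith("\\??\\"):
        path = path[4:]
    directory, _, name = path.rpartition("\\")
    return directory, name


def explorer_display_name(name: str, hide_file_ext: bool = True) -> str:
    """With HideFileExt=1 Explorer hides only the final extension of a known
    type, so 'PROTTPLV.DOC.exe' is shown as 'PROTTPLV.DOC'."""
    if hide_file_ext and "." in name:
        return name.rpartition(".")[0]
    return name


def is_doc_lookalike(name: str) -> bool:
    """True for NAME.<document ext>.<executable ext>, case-insensitively."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTS and parts[1] in DOC_EXTS


def find_lookalikes(paths: list[str]) -> list[dict]:
    """One finding per lookalike executable. 'nal_sibling' records whether a
    NAME.nal file exists in the same directory, as the report shows next to
    each .DOC.exe drop (what .nal holds is not stated in the report)."""
    present = {(d.lower(), n.lower()) for d, n in map(split_path, paths)}
    findings = []
    for path in paths:
        directory, name = split_path(path)
        if not is_doc_lookalike(name):
            continue
        base = name.rsplit(".", 2)[0]          # 'PROTTPLV' from 'PROTTPLV.DOC.exe'
        findings.append({
            "path": path,
            "displayed_as": explorer_display_name(name),   # what the user sees
            "nal_sibling": (directory.lower(), f"{base}.nal".lower()) in present,
        })
    return findings


def scan_tree(root: str) -> list[dict]:
    """Run the same check over a real directory tree on a host. Separators are
    normalised to backslashes so split_path works whatever os.walk produces."""
    paths = [os.path.join(d, f).replace("/", "\\")
             for d, _, files in os.walk(root) for f in files]
    return find_lookalikes(paths)


if __name__ == "__main__":
    for f in find_lookalikes(LISTING):
        print(f"{f['path']}\n  shown as: {f['displayed_as']}   .nal sibling: {f['nal_sibling']}")
```

On a live host, pair the file hunt with the registry check: a PROTTPLV.DOC entry in Explorer is only a lookalike if HideFileExt is 1, so report both the file and the Explorer\Advanced value together.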
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)

  Both signatures fire on WINWORD.EXE, the legitimate Office process the sample launches to display mydoc.rtf, not on any of the sample's own binaries. Treat them as Office start-up noise rather than as sandbox evasion by the malware.
Modifies registry class (20 IoCs)
  By 45b5f66f35a83b37e94c3c6e634938e5.exe (8):
    Key created      \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings
    Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C769D5683566A4376D5772F2CAC7C8464AA"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAF9CAF962F29184753B4586993990B0FD038F4216023DE1BD45E608D6"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B15B47EF39ED53BFBAD03292D7CB"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFF8C4F2882199145D62D7E96BDE7E14359416646623ED79D"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F068B4FE6A22D9D278D1A68B7E906A"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1838C67A1597DAB7B8C87CE1EDE237B9"
    CLV.Classes is a key the sample creates itself; the Com*/StartCom* data are opaque hex strings whose meaning the report does not establish. The key name and value names are usable as IoCs.
  By anvifeymzj.exe (12):
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
    The default value of an extension key is its ProgID. Pointing .bat, .reg, .vbs, .wsc, .wsf and .wsh at txtfile means a double-clicked batch script or Windows Script file opens in the text editor instead of running, and a .reg file opens in the editor instead of being imported into the registry. Together with DisableRegistryTools=1 this blocks the usual one-click cleanup scripts and registry fixes. Check these six ProgIDs on any host where the other IoCs match, and restore them (batfile, regfile, VBSFile, scriptletfile, WSFFile, WSHFile) only after the dropped executables and Run entries are gone.
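The registry writes in this report fall into three groups: the Security Center, Explorer, Policies and Winlogon values listed in the signatures above, the Run entries, and the ProgID rewrites in this section. The sandbox prints each one as `Set value (<type>) \REGISTRY\<hive>\<key>\<name> = "<data>" <process>`. The Python below is an added example written for this page, not code from the sandbox or the sample; it parses those rows into the `HKLM\...` / `HKU\...` spelling that Sysmon Event ID 13 and Sigma rules use, decodes the DWORDs the sandbox prints as unsigned decimal (SFCDisable = 4294967197 is 0xFFFFFF9D, signed -99), and matches the IoCs against a host registry snapshot. The `REPORT_ROWS` input is copied from this report's tables; `HOST_SNAPSHOT` is a constructed dictionary standing in for what Get-ItemProperty or a Sysmon log would supply on a real host.

```python
"""Parse the sandbox's 'Set value' registry rows into hunt-ready records.
Added example for this page; not code from the sandbox or the sample."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from the signature tables in this report.
REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" anvifeymzj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" anvifeymzj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" anvifeymzj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" anvifeymzj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqnqhxwp = "anvifeymzj.exe" owoxudbairwthve.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" anvifeymzj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf anvifeymzj.exe
""".strip().splitlines()

# 'Set value (<type>) <\REGISTRY\...path> = "<data>" <process>'; the path may
# contain spaces ("Security Center"), the trailing process name does not.
SET_VALUE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


@dataclass(frozen=True)
class RegistryIoC:
    key: str       # Sysmon/PowerShell spelling, e.g. HKLM\SOFTWARE\...\Run
    name: str      # value name; "(Default)" for a key's default value
    kind: str      # "int" (DWORD) or "str"
    data: str      # data exactly as the sandbox printed it
    process: str   # process that performed the write


def parse_row(row: str) -> Optional[RegistryIoC]:
    """Return an IoC for a 'Set value' row; None for rows that carry no data."""
    m = SET_VALUE.match(row.strip())
    if not m:
        return None
    kind, path, data, process = m.groups()
    for nt_prefix, hive in HIVES.items():
        if path.startswith(nt_prefix + "\\"):
            path = hive + path[len(nt_prefix):]
            break
    else:
        raise ValueError(f"unrecognised hive in {path!r}")
    key, _, name = path.rpartition("\\")   # a trailing '\' means the default value
    return RegistryIoC(key, name or "(Default)", kind, data, process)


def sysmon_target(ioc: RegistryIoC) -> str:
    """TargetObject as Sysmon Event ID 13 (RegistryEvent: value set) logs it."""
    return f"{ioc.key}\\{ioc.name}"


def decode_dword(data: str) -> tuple[int, int, str]:
    """The sandbox prints DWORDs as unsigned decimal; also return the signed
    32-bit reading and the hex form in which such values are documented."""
    unsigned = int(data) & 0xFFFFFFFF
    signed = unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned
    return unsigned, signed, f"0x{unsigned:08X}"


def hunt(iocs: list[RegistryIoC], snapshot: dict[str, str]) -> list[str]:
    """Report the IoCs whose TargetObject currently holds the sandbox-observed
    data. `snapshot` maps Sysmon-style TargetObject -> data, both as strings."""
    hits = []
    for ioc in iocs:
        target = sysmon_target(ioc)
        if snapshot.get(target) == ioc.data:
            hits.append(f"{target} = {ioc.data!r} (written by {ioc.process} in the sandbox)")
    return hits


IOCS = [ioc for ioc in map(parse_row, REPORT_ROWS) if ioc is not None]

# Constructed host snapshot: two of the sample's values present, SFCDisable at 0.
HOST_SNAPSHOT = {
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride": "1",
    r"HKLM\SOFTWARE\Classes\.bat\(Default)": "txtfile",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable": "0",
}

if __name__ == "__main__":
    for ioc in IOCS:
        print(f"{sysmon_target(ioc)} = {ioc.data!r}  [{ioc.kind}, {ioc.process}]")
    print("SFCDisable decodes to", decode_dword("4294967197"))
    for hit in hunt(IOCS, HOST_SNAPSHOT):
        print("HIT", hit)
```

Keep the WOW6432Node segment in the targets rather than normalising it away: on this x64 run that is literally where the 32-bit binaries wrote, and it is what Sysmon records. A hunt on 32-bit hosts would need a second set of targets without that segment.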
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 3988  WINWORD.EXE  (2 hits)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4216  45b5f66f35a83b37e94c3c6e634938e5.exe  (16 hits)
  PID 4328  anvifeymzj.exe  (10 hits)
  PID 1148  owoxudbairwthve.exe  (14 hits)
  PID 4024  mhaonbgm.exe  (8 hits)
  PID 2352  ckxxfzsjhfqpi.exe  (16 hits)

Suspicious use of FindShellTrayWindow (19 IoCs)
  PID 4216  45b5f66f35a83b37e94c3c6e634938e5.exe  (4 hits)
  PID 4328  anvifeymzj.exe  (3 hits)
  PID 1148  owoxudbairwthve.exe  (3 hits)
  PID 4024  mhaonbgm.exe  (3 hits)
  PID 2352  ckxxfzsjhfqpi.exe  (3 hits)
  PID 3608  mhaonbgm.exe  (3 hits)

Suspicious use of SendNotifyMessage (19 IoCs)
  Same processes and hit counts as FindShellTrayWindow above.

Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 3988  WINWORD.EXE  (3 hits)

Suspicious use of WriteProcessMemory (17 IoCs)
  writer PID -> target PID (target process, sandbox procid_target, number of writes):
  4216 45b5f66f35a83b37e94c3c6e634938e5.exe -> 4328 anvifeymzj.exe  (procid_target 96, 3 writes)
  4216 45b5f66f35a83b37e94c3c6e634938e5.exe -> 1148 owoxudbairwthve.exe  (procid_target 97, 3 writes)
  4216 45b5f66f35a83b37e94c3c6e634938e5.exe -> 4024 mhaonbgm.exe  (procid_target 98, 3 writes)
  4216 45b5f66f35a83b37e94c3c6e634938e5.exe -> 2352 ckxxfzsjhfqpi.exe  (procid_target 99, 3 writes)
  4328 anvifeymzj.exe -> 3608 mhaonbgm.exe  (procid_target 100, 3 writes)
  4216 45b5f66f35a83b37e94c3c6e634938e5.exe -> 3988 WINWORD.EXE  (procid_target 101, 2 writes)
  Every target is a child the writer itself spawned (compare the process tree below), which is the pattern the sandbox records for ordinary process creation; nothing here indicates injection into a pre-existing process.
Processes

45b5f66f35a83b37e94c3c6e634938e5.exe  (PID 4216)
  Path: C:\Users\Admin\AppData\Local\Temp\45b5f66f35a83b37e94c3c6e634938e5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45b5f66f35a83b37e94c3c6e634938e5.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  anvifeymzj.exe  (PID 4328, child of 4216)
    Path: C:\Windows\SysWOW64\anvifeymzj.exe
    Command line: anvifeymzj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    mhaonbgm.exe  (PID 3608, child of 4328)
      Path: C:\Windows\SysWOW64\mhaonbgm.exe
      Command line: C:\Windows\system32\mhaonbgm.exe
      (the system32 path on the command line resolves to SysWOW64 because the 32-bit parent is subject to file-system redirection)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  owoxudbairwthve.exe  (PID 1148, child of 4216)
    Path: C:\Windows\SysWOW64\owoxudbairwthve.exe
    Command line: owoxudbairwthve.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  mhaonbgm.exe  (PID 4024, child of 4216)
    Path: C:\Windows\SysWOW64\mhaonbgm.exe
    Command line: mhaonbgm.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  ckxxfzsjhfqpi.exe  (PID 2352, child of 4216)
    Path: C:\Windows\SysWOW64\ckxxfzsjhfqpi.exe
    Command line: ckxxfzsjhfqpi.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  WINWORD.EXE  (PID 3988, child of 4216)
    Path: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    (Word is started by the sample to open the mydoc.rtf it wrote to C:\Windows, which reads as a decoy document shown to the user while the dropped executables run)
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Five files captured during the run, each 512KB (the same size as the submitted sample); the report lists hashes only.

- Filesize: 512KB
  MD5: ef8bacbe0d6970932f2b7eb7df968381
  SHA1: fef9aec7f8764d513f9c8b379dc459c6925c8c0f
  SHA256: 50e83eff65ae9094210c5745667057b9a616b936d372b1df2fa6cccf01915438
  SHA512: 65b8aa535b3f6b201c9fe4b373b4285a41c25c4d0aaefa95c622c743f4dcd492dce723b4afb1c5897609bafdcf1a119063f277e357475abbd01c57a4f9a69e84

- Filesize: 512KB
  MD5: 2fef7c0c601424a0ad00698310db8c04
  SHA1: 70baf8d3f0a6a96eb953a422bd2576a28d5fe523
  SHA256: 1fb0b20842f6e9e2ab885de95d4ecad4989cdc553ba4ae4f13f52dbaffd2ba3c
  SHA512: 8c00a2d6db461174a3a038fb5882d692048d4190f1f3479b62a3d05343d2d6c9944f29d1b833b12702a4e9230127dbcbab5b038121397e29dbedbf0907ebc4c7

- Filesize: 512KB
  MD5: a73d5077b390dc3c2bdec7cebcaa2274
  SHA1: a62b5a255adaf99e01234557e76c951482c63d8c
  SHA256: adff6dca53cd1726a541fb34bf844ff2d4ba965ba76364e975ff57362639418d
  SHA512: 24c470cec639286eb29472e4c64947c1b0ac422882fd8cfb6ff7f24ae247c48f337365dd521eb9538d0cf5b5094702891c25e9f6e42da48f1481e3e2efda5da3

- Filesize: 512KB
  MD5: c62286d07498348bc69a47b497b5f0ba
  SHA1: 4c12731189dd7c75ee26c75b59a5da0656f00191
  SHA256: 1b7a5e95d01c149be9643dbf267f210af99d43ccd58192b8c9e4d26ee1abf4a0
  SHA512: 011e7916487f0fa6b08ba6ab7b4851215b5a259259f4d39b3fc408418f6b84c16c4ddf007c486d2a13bfb29db55d818489fbcbbe4033e67f5aef231c80c0942a

- Filesize: 512KB
  MD5: 931d49cc77ef20c43f04d767f1535631
  SHA1: ec44b91e75c111a2465b4f9a01c3e41a90dc6954
  SHA256: 199052fa3f50f28f2fb6c2582d87549c7b9fb6e9257d9a87c837d78c50dd6027
  SHA512: 2a7eb081be893123a697a6b471ff513e0bbf953cb43c5d327e9b8ea2da79fb4af610b201d848e86619a4e6a62a9ea164ed592c69dde84cc2d5ef91e7aa67716d