bf35a155a6ea06ff48d879db20312a0007aa823d84e110f7835a1b552e26c605

General

Target

5c7621b4003a08922095e160be8a1474.exe
Size

512KB
MD5

5c7621b4003a08922095e160be8a1474
SHA1

0e6c17a860747f929dd3abe41da5926d27396f48
SHA256

bf35a155a6ea06ff48d879db20312a0007aa823d84e110f7835a1b552e26c605
SHA512

783066a4499df3c1b5867e50d3b4f19e96e2cef7dd22a8a0cf4c182d0713c398b986302452350963f95d2646df325be87575e63b881c87f212e96993683c6822
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ewojxbndte.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ewojxbndte.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ewojxbndte.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ewojxbndte.exe

Executes dropped EXE 4 IoCs

pid	Process
2664	ewojxbndte.exe
2812	bhsptuwcdypzzpg.exe
2712	wfnvzyxt.exe
2524	wpvxgjyazgnen.exe

Loads dropped DLL 4 IoCs

pid	Process
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ewojxbndte.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ewojxbndte.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ewojxbndte.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b000000012234-17.dat	autoit_exe
behavioral1/files/0x0035000000016c67-27.dat	autoit_exe
behavioral1/files/0x000d000000014313-25.dat	autoit_exe
behavioral1/files/0x000d000000014313-21.dat	autoit_exe
behavioral1/files/0x000d000000014313-5.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wpvxgjyazgnen.exe	5c7621b4003a08922095e160be8a1474.exe
File opened for modification	C:\Windows\SysWOW64\wpvxgjyazgnen.exe	5c7621b4003a08922095e160be8a1474.exe
File created	C:\Windows\SysWOW64\ewojxbndte.exe	5c7621b4003a08922095e160be8a1474.exe
File opened for modification	C:\Windows\SysWOW64\ewojxbndte.exe	5c7621b4003a08922095e160be8a1474.exe
File created	C:\Windows\SysWOW64\bhsptuwcdypzzpg.exe	5c7621b4003a08922095e160be8a1474.exe
File opened for modification	C:\Windows\SysWOW64\bhsptuwcdypzzpg.exe	5c7621b4003a08922095e160be8a1474.exe
File created	C:\Windows\SysWOW64\wfnvzyxt.exe	5c7621b4003a08922095e160be8a1474.exe
File opened for modification	C:\Windows\SysWOW64\wfnvzyxt.exe	5c7621b4003a08922095e160be8a1474.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	5c7621b4003a08922095e160be8a1474.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFABCFE11F29984743A44819C3992B08B03FD42680233E2C4459908D4"	5c7621b4003a08922095e160be8a1474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12C47E0389D52C4B9A2339DD4BB"	5c7621b4003a08922095e160be8a1474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	ewojxbndte.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	5c7621b4003a08922095e160be8a1474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668C6FF6D22DED27BD1A98A749167"	5c7621b4003a08922095e160be8a1474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	ewojxbndte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	ewojxbndte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC70914E0DAC4B8BC7FE1EC9434CA"	5c7621b4003a08922095e160be8a1474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ewojxbndte.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D7F9C2683556D3476D270512CDA7CF364DC"	5c7621b4003a08922095e160be8a1474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFE4F2682199146D72D7E9CBD97E641594067326344D79A"	5c7621b4003a08922095e160be8a1474.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	ewojxbndte.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ewojxbndte.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2712	wfnvzyxt.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
1928	5c7621b4003a08922095e160be8a1474.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2664	ewojxbndte.exe
2712	wfnvzyxt.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2664	1928	5c7621b4003a08922095e160be8a1474.exe	23
PID 1928 wrote to memory of 2664	1928	5c7621b4003a08922095e160be8a1474.exe	23
PID 1928 wrote to memory of 2664	1928	5c7621b4003a08922095e160be8a1474.exe	23
PID 1928 wrote to memory of 2664	1928	5c7621b4003a08922095e160be8a1474.exe	23
PID 1928 wrote to memory of 2812	1928	5c7621b4003a08922095e160be8a1474.exe	22
PID 1928 wrote to memory of 2812	1928	5c7621b4003a08922095e160be8a1474.exe	22
PID 1928 wrote to memory of 2812	1928	5c7621b4003a08922095e160be8a1474.exe	22
PID 1928 wrote to memory of 2812	1928	5c7621b4003a08922095e160be8a1474.exe	22
PID 1928 wrote to memory of 2712	1928	5c7621b4003a08922095e160be8a1474.exe	20
PID 1928 wrote to memory of 2712	1928	5c7621b4003a08922095e160be8a1474.exe	20
PID 1928 wrote to memory of 2712	1928	5c7621b4003a08922095e160be8a1474.exe	20
PID 1928 wrote to memory of 2712	1928	5c7621b4003a08922095e160be8a1474.exe	20
PID 1928 wrote to memory of 2524	1928	5c7621b4003a08922095e160be8a1474.exe	18
PID 1928 wrote to memory of 2524	1928	5c7621b4003a08922095e160be8a1474.exe	18
PID 1928 wrote to memory of 2524	1928	5c7621b4003a08922095e160be8a1474.exe	18
PID 1928 wrote to memory of 2524	1928	5c7621b4003a08922095e160be8a1474.exe	18

C:\Users\Admin\AppData\Local\Temp\5c7621b4003a08922095e160be8a1474.exe
"C:\Users\Admin\AppData\Local\Temp\5c7621b4003a08922095e160be8a1474.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  PID:2580
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1724
- C:\Windows\SysWOW64\wpvxgjyazgnen.exe
  wpvxgjyazgnen.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\SysWOW64\wfnvzyxt.exe
  wfnvzyxt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2712
- C:\Windows\SysWOW64\bhsptuwcdypzzpg.exe
  bhsptuwcdypzzpg.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\SysWOW64\ewojxbndte.exe
  ewojxbndte.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Modifies WinLogon
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2664

C:\Windows\SysWOW64\wfnvzyxt.exe
C:\Windows\system32\wfnvzyxt.exe
1⤵
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bhsptuwcdypzzpg.exe

Filesize
92KB

MD5
59ebf1358a9b829f5709baaedeeee6fa

SHA1
1409fd65da1b814db0a08feae54366dfca196f1c

SHA256
d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06

SHA512
a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417

Download Submit
C:\Windows\SysWOW64\bhsptuwcdypzzpg.exe

Filesize
382KB

MD5
badd716c7c48a8241873d9251da496d1

SHA1
6bd2a072c8f64a1780fe75d983cb7b6584985c6d

SHA256
ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7

SHA512
7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

Download Submit
\Windows\SysWOW64\bhsptuwcdypzzpg.exe

Filesize
381KB

MD5
30aec9e0b33fbd99234328357879f812

SHA1
3c9d37139d4ccfe2b694afba9633170d0f510a92

SHA256
15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

SHA512
2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

Download Submit
\Windows\SysWOW64\ewojxbndte.exe

Filesize
512KB

MD5
e73178897252555311c0cd35de1060bd

SHA1
194d0b1d34fa94129d25aaaad4655a7f5086646a

SHA256
057a11fa1cdd56a561b6bb34d7d1b566f7e6bfba0cd858bf5729039219200ff3

SHA512
2cdedbb979d523364959fa7bf5c1ab4320ef280ac5b7f3fb7577a09434b8017b2ae8441faf71815195f19e5c035e79cf55c7f4638d95ff106a06718d074cc54f

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2580-45-0x000000002F5A1000-0x000000002F5A2000-memory.dmp

Filesize
4KB

Download
memory/2580-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2580-47-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2580-76-0x000000007144D000-0x0000000071458000-memory.dmp

Filesize
44KB

Download
memory/2580-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads