Analysis
max time kernel: 157s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-01-2024 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 4917ba3beadc5eef20ca601a0b7d8058.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4917ba3beadc5eef20ca601a0b7d8058.exe
  Resource: win10v2004-20231215-en
General
Target: 4917ba3beadc5eef20ca601a0b7d8058.exe
Size: 512KB
MD5: 4917ba3beadc5eef20ca601a0b7d8058
SHA1: 782dc660354cb7b447f6648f8c193ba5b9f4ac83
SHA256: 13a803e227775518e0edfe175167a9ea93252962773cbc9f20da3cc0cd698167
SHA512: 52779a6dced5078271fb376cc7c67cb0984804ff8b8bf8b5cf4939a65eff35961ce5849e90472c9988f54885cc9fc26e0d8e2151120cbeba698fa21de2fe57e0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6e:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vqvmwoygmi.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vqvmwoygmi.exe

Windows security bypass (heading inferred from the process tree; TTP/IoC counts not recorded on the page)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vqvmwoygmi.exe

Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vqvmwoygmi.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 4917ba3beadc5eef20ca601a0b7d8058.exe

Executes dropped EXE (5 IoCs)
  pid | Process
  1684 | vqvmwoygmi.exe
  3104 | gbddptkyepaalxy.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  5016 | udjkjjhj.exe

Windows security modification (heading inferred from the process tree; TTP/IoC counts not recorded on the page)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vqvmwoygmi.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gnhdcswg = "vqvmwoygmi.exe" | gbddptkyepaalxy.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wqdnnvly = "gbddptkyepaalxy.exe" | gbddptkyepaalxy.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gwauabewnmmdk.exe" | gbddptkyepaalxy.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\p: | vqvmwoygmi.exe
  File opened (read-only) | \??\u: | vqvmwoygmi.exe
  File opened (read-only) | \??\z: | vqvmwoygmi.exe
  File opened (read-only) | \??\k: | udjkjjhj.exe
  File opened (read-only) | \??\h: | vqvmwoygmi.exe
  File opened (read-only) | \??\u: | udjkjjhj.exe
  File opened (read-only) | \??\q: | vqvmwoygmi.exe
  File opened (read-only) | \??\g: | udjkjjhj.exe
  File opened (read-only) | \??\i: | udjkjjhj.exe
  File opened (read-only) | \??\w: | vqvmwoygmi.exe
  File opened (read-only) | \??\l: | udjkjjhj.exe
  File opened (read-only) | \??\q: | udjkjjhj.exe
  File opened (read-only) | \??\r: | udjkjjhj.exe
  File opened (read-only) | \??\v: | udjkjjhj.exe
  File opened (read-only) | \??\v: | udjkjjhj.exe
  File opened (read-only) | \??\o: | vqvmwoygmi.exe
  File opened (read-only) | \??\t: | vqvmwoygmi.exe
  File opened (read-only) | \??\y: | vqvmwoygmi.exe
  File opened (read-only) | \??\p: | udjkjjhj.exe
  File opened (read-only) | \??\x: | udjkjjhj.exe
  File opened (read-only) | \??\a: | udjkjjhj.exe
  File opened (read-only) | \??\t: | udjkjjhj.exe
  File opened (read-only) | \??\e: | udjkjjhj.exe
  File opened (read-only) | \??\j: | vqvmwoygmi.exe
  File opened (read-only) | \??\e: | vqvmwoygmi.exe
  File opened (read-only) | \??\m: | vqvmwoygmi.exe
  File opened (read-only) | \??\v: | vqvmwoygmi.exe
  File opened (read-only) | \??\o: | udjkjjhj.exe
  File opened (read-only) | \??\s: | udjkjjhj.exe
  File opened (read-only) | \??\i: | vqvmwoygmi.exe
  File opened (read-only) | \??\s: | udjkjjhj.exe
  File opened (read-only) | \??\j: | udjkjjhj.exe
  File opened (read-only) | \??\g: | vqvmwoygmi.exe
  File opened (read-only) | \??\b: | vqvmwoygmi.exe
  File opened (read-only) | \??\z: | udjkjjhj.exe
  File opened (read-only) | \??\m: | udjkjjhj.exe
  File opened (read-only) | \??\z: | udjkjjhj.exe
  File opened (read-only) | \??\k: | udjkjjhj.exe
  File opened (read-only) | \??\t: | udjkjjhj.exe
  File opened (read-only) | \??\s: | vqvmwoygmi.exe
  File opened (read-only) | \??\b: | udjkjjhj.exe
  File opened (read-only) | \??\o: | udjkjjhj.exe
  File opened (read-only) | \??\w: | udjkjjhj.exe
  File opened (read-only) | \??\n: | vqvmwoygmi.exe
  File opened (read-only) | \??\h: | udjkjjhj.exe
  File opened (read-only) | \??\a: | vqvmwoygmi.exe
  File opened (read-only) | \??\l: | vqvmwoygmi.exe
  File opened (read-only) | \??\r: | vqvmwoygmi.exe
  File opened (read-only) | \??\x: | vqvmwoygmi.exe
  File opened (read-only) | \??\u: | udjkjjhj.exe
  File opened (read-only) | \??\l: | udjkjjhj.exe
  File opened (read-only) | \??\r: | udjkjjhj.exe
  File opened (read-only) | \??\i: | udjkjjhj.exe
  File opened (read-only) | \??\k: | vqvmwoygmi.exe
  File opened (read-only) | \??\j: | udjkjjhj.exe
  File opened (read-only) | \??\b: | udjkjjhj.exe
  File opened (read-only) | \??\n: | udjkjjhj.exe
  File opened (read-only) | \??\y: | udjkjjhj.exe
  File opened (read-only) | \??\y: | udjkjjhj.exe
  File opened (read-only) | \??\w: | udjkjjhj.exe
  File opened (read-only) | \??\x: | udjkjjhj.exe
  File opened (read-only) | \??\q: | udjkjjhj.exe
  File opened (read-only) | \??\a: | udjkjjhj.exe
  File opened (read-only) | \??\e: | udjkjjhj.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vqvmwoygmi.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vqvmwoygmi.exe

AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/4440-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x000200000001e7df-5.dat | autoit_exe
  behavioral2/files/0x000200000001e7de-18.dat | autoit_exe
  behavioral2/files/0x000200000001e7e1-31.dat | autoit_exe
  behavioral2/files/0x000200000001e7e0-30.dat | autoit_exe
  behavioral2/files/0x000200000001e7f0-61.dat | autoit_exe
  behavioral2/files/0x000200000001e7f1-64.dat | autoit_exe

Drops file in System32 directory (9 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\gbddptkyepaalxy.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File created | C:\Windows\SysWOW64\udjkjjhj.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File created | C:\Windows\SysWOW64\gwauabewnmmdk.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\SysWOW64\gwauabewnmmdk.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File created | C:\Windows\SysWOW64\vqvmwoygmi.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\SysWOW64\vqvmwoygmi.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\SysWOW64\gbddptkyepaalxy.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\SysWOW64\udjkjjhj.exe | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vqvmwoygmi.exe

Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | udjkjjhj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | udjkjjhj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | udjkjjhj.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | udjkjjhj.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | udjkjjhj.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | udjkjjhj.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | udjkjjhj.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | udjkjjhj.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | 4917ba3beadc5eef20ca601a0b7d8058.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Modifies registry class (20 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D799D5683526D4476A6772F2CD97D8364AB" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9FACDF910F1E284093A4586E93E98B08A038D43690338E1B945E809A3" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vqvmwoygmi.exe
  Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFCFB4858826D9140D75A7D90BC95E13C594A67336343D79F" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC70915E6DAB5B8CA7FE2ED9237B9" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vqvmwoygmi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vqvmwoygmi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vqvmwoygmi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vqvmwoygmi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12E47E439E953C4BAA7329DD7CC" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BC2FE6C21DCD273D1D48B7E9114" | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vqvmwoygmi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vqvmwoygmi.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 4917ba3beadc5eef20ca601a0b7d8058.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vqvmwoygmi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vqvmwoygmi.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vqvmwoygmi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vqvmwoygmi.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vqvmwoygmi.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid | Process
  180 | WINWORD.EXE
  180 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | consecutive entries
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 16
  1684 | vqvmwoygmi.exe | 10
  3104 | gbddptkyepaalxy.exe | 8
  4988 | udjkjjhj.exe | 8
  3272 | gwauabewnmmdk.exe | 12
  3104 | gbddptkyepaalxy.exe | 4
  3272 | gwauabewnmmdk.exe | 4
  3104 | gbddptkyepaalxy.exe | 2

Suspicious use of FindShellTrayWindow (18 IoCs)
  pid | Process
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  1684 | vqvmwoygmi.exe
  1684 | vqvmwoygmi.exe
  1684 | vqvmwoygmi.exe
  3104 | gbddptkyepaalxy.exe
  3104 | gbddptkyepaalxy.exe
  3104 | gbddptkyepaalxy.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  5016 | udjkjjhj.exe
  5016 | udjkjjhj.exe
  5016 | udjkjjhj.exe

Suspicious use of SendNotifyMessage (18 IoCs)
  pid | Process
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe
  1684 | vqvmwoygmi.exe
  1684 | vqvmwoygmi.exe
  1684 | vqvmwoygmi.exe
  3104 | gbddptkyepaalxy.exe
  3104 | gbddptkyepaalxy.exe
  3104 | gbddptkyepaalxy.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  4988 | udjkjjhj.exe
  3272 | gwauabewnmmdk.exe
  5016 | udjkjjhj.exe
  5016 | udjkjjhj.exe
  5016 | udjkjjhj.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | Process | consecutive entries
  180 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 4440 wrote to memory of 1684 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 91
  PID 4440 wrote to memory of 1684 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 91
  PID 4440 wrote to memory of 1684 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 91
  PID 4440 wrote to memory of 3104 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 92
  PID 4440 wrote to memory of 3104 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 92
  PID 4440 wrote to memory of 3104 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 92
  PID 4440 wrote to memory of 4988 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 93
  PID 4440 wrote to memory of 4988 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 93
  PID 4440 wrote to memory of 4988 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 93
  PID 4440 wrote to memory of 3272 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 94
  PID 4440 wrote to memory of 3272 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 94
  PID 4440 wrote to memory of 3272 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 94
  PID 1684 wrote to memory of 5016 | 1684 | vqvmwoygmi.exe | 96
  PID 1684 wrote to memory of 5016 | 1684 | vqvmwoygmi.exe | 96
  PID 1684 wrote to memory of 5016 | 1684 | vqvmwoygmi.exe | 96
  PID 4440 wrote to memory of 180 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 98
  PID 4440 wrote to memory of 180 | 4440 | 4917ba3beadc5eef20ca601a0b7d8058.exe | 98
Processes
C:\Users\Admin\AppData\Local\Temp\4917ba3beadc5eef20ca601a0b7d8058.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4917ba3beadc5eef20ca601a0b7d8058.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4440

  C:\Windows\SysWOW64\vqvmwoygmi.exe (depth 2)
    Command line: vqvmwoygmi.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1684

    C:\Windows\SysWOW64\udjkjjhj.exe (depth 3)
      Command line: C:\Windows\system32\udjkjjhj.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 5016

  C:\Windows\SysWOW64\gbddptkyepaalxy.exe (depth 2)
    Command line: gbddptkyepaalxy.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3104

  C:\Windows\SysWOW64\udjkjjhj.exe (depth 2)
    Command line: udjkjjhj.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4988

  C:\Windows\SysWOW64\gwauabewnmmdk.exe (depth 2)
    Command line: gwauabewnmmdk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3272

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 180
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 6423c3d19d11e31c0ae54bfd2b22b8f5
SHA1: 324f37e8b9f7a520cc70d504b54073c2227c1270
SHA256: 5b71e8bee5c870b14cbf52aef63fb7fc1b61841a5248165048b6c3f08c89528d
SHA512: 9fb30387e3ff4734c1fea32c3a94b6ce53782025b10577694c81ce315efc7cd7b0f318a31f932ec91bde5895fae8fcc074de8bffaf3bfd062d5362876fafa9c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: ec1ab70297a1ac84da6e6d96015e5eea
SHA1: 9bb4476b86d0a838efc24cf4d50a166aea97dfff
SHA256: 89280d2faa06c64c051a47afb899ba2d8d6eeb84aa5b1fef5839d21cecf0ac4f
SHA512: 13b6ead3b30030ff7b520f811431a41a7d9700d49efa9c03fd638b692f310767db2783c1c1643d47128a830652f4c9214917e4aacc9f63f148d9be244a765e93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 818f80c294142e860aa3242acc162bff
SHA1: 5f94da329abc65a2bc1a25e12517f1087e9e6e06
SHA256: 15dd7bb91632bcf300dfbf58a769b0976ef4eeea2bbd58dcfc007c4f34464455
SHA512: 218d97fb782b13bd4481cc5d7c917368ed360956121ba9f9612c037ba2722f1d75ca511be4759ac5356b450c855fb7a361334d59bb81f978b6ff589ff0b2ed34

Filesize: 512KB
MD5: bb07c290be2005bf030b7b782c036e09
SHA1: 2982f9f3986b8576b294233ebfa677de8df34ab7
SHA256: 3de7f4b51f9f75c8a81c8de4fe17d18d4636903982751dcfa7a78f3fb3ad3de0
SHA512: ee45a33fd85ed43eed7bfe21faf3cbf3b9a13e1a762eb6e42196f01cda3992bcee9c1bb934a6965b508a34cc2877dcc120e93bfdc7a792044f66c5c62bf5d3d4

Filesize: 512KB
MD5: e010a360385ed0e1386f1ae636a0a3be
SHA1: 9f603b93b09c989dcced6285704603a8a661891b
SHA256: 96eb55174f6ad03bef8d6c0a162ddc7a799671e04a72cd579efb59b49477795f
SHA512: 3f2c544c96bc2f5167e14ae85cb6b8228c7f623d906762341dc1bb307b46fc6a30b7e2b421afa6a57a774c42cd1a68ca33f5cb7d66b85f5dd9af6509e9f82868

Filesize: 512KB
MD5: 04be35adda58d1037af626409d632262
SHA1: 18860d26260fa0972d426b8ae2fe6cfe7669c36e
SHA256: 49ca807b0c35c8c4beb715b6370f84c0ad36e1bb5848c9de40fb1ae34b577cc7
SHA512: ec60c94662156cd7580638bdd732b2168fb3547a2df41842303295dc2d5c4bc90ea8dbc5e4a573c6405bfae66684bb02687c414e9c0696f310aa7dbec350094f

Filesize: 512KB
MD5: aec22116d4e7c31ab97a7730e02aab18
SHA1: 3e1697b7e14dd09e48afcb28aac51d57733f22a5
SHA256: c555e399d0db8b78b2dda34166a0cf62ccdeb69f939455be4b49cd865e4d5f04
SHA512: 9b5c09cdc0934d849026e7fbaae1e19480e2a9b41d42413d5d321439028baa0a1b7769c04087b5e4cb4317968312be561b073cada2c59b76ec97f75e0302ee81

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 034168bd7834d83a7f2e8933f34cd46c
SHA1: 7025ca99be411dc1fa7711ed4bcd1004dfaeb5b9
SHA256: 9fb5038fdd0cbf1661f7fab12657dab2c3808177c8a9c98293bb5738ea562a47
SHA512: 20c787ef1a5713ee4c0f147512255032208866a25c8c85e2ea8f40c144da5e05075ee904c936a6fa2618fd0b376519c5149a12ebf2b8db89a1ce3e70b061e4b9