Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
a55653f091ed18edbe657030b185c23e.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a55653f091ed18edbe657030b185c23e.exe
Resource
win10v2004-20231222-en
General
Target: a55653f091ed18edbe657030b185c23e.exe
Size: 512KB
MD5: a55653f091ed18edbe657030b185c23e
SHA1: e628497e30e768b0c19451b053c2764ff9d5f01f
SHA256: e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec
SHA512: 26ff643e78e748a8ae81ff83ba549a901348904efdbbe94aa432c4707254072b5cd9efa611a6994b8c7ac2aab49049e85fe7f48a661f0583647fd3c7a1d2804c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rltnmyqkan.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rltnmyqkan.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rltnmyqkan.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rltnmyqkan.exe
Executes dropped EXE 5 IoCs
pid | Process
1228 | rltnmyqkan.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2592 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
Loads dropped DLL 5 IoCs
pid | Process
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
1228 | rltnmyqkan.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rltnmyqkan.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uojkxcsj = "rltnmyqkan.exe" | gvdgjvfuvlcgdve.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgcuvekd = "gvdgjvfuvlcgdve.exe" | gvdgjvfuvlcgdve.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xdahcslvewojh.exe" | gvdgjvfuvlcgdve.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | ibdzrjpv.exe
File opened (read-only) | \??\b: | ibdzrjpv.exe
File opened (read-only) | \??\l: | ibdzrjpv.exe
File opened (read-only) | \??\o: | ibdzrjpv.exe
File opened (read-only) | \??\s: | ibdzrjpv.exe
File opened (read-only) | \??\h: | ibdzrjpv.exe
File opened (read-only) | \??\p: | ibdzrjpv.exe
File opened (read-only) | \??\i: | rltnmyqkan.exe
File opened (read-only) | \??\u: | rltnmyqkan.exe
File opened (read-only) | \??\k: | ibdzrjpv.exe
File opened (read-only) | \??\t: | ibdzrjpv.exe
File opened (read-only) | \??\v: | rltnmyqkan.exe
File opened (read-only) | \??\w: | rltnmyqkan.exe
File opened (read-only) | \??\i: | ibdzrjpv.exe
File opened (read-only) | \??\n: | ibdzrjpv.exe
File opened (read-only) | \??\u: | ibdzrjpv.exe
File opened (read-only) | \??\g: | rltnmyqkan.exe
File opened (read-only) | \??\g: | ibdzrjpv.exe
File opened (read-only) | \??\w: | ibdzrjpv.exe
File opened (read-only) | \??\y: | ibdzrjpv.exe
File opened (read-only) | \??\g: | ibdzrjpv.exe
File opened (read-only) | \??\u: | ibdzrjpv.exe
File opened (read-only) | \??\m: | rltnmyqkan.exe
File opened (read-only) | \??\n: | rltnmyqkan.exe
File opened (read-only) | \??\x: | rltnmyqkan.exe
File opened (read-only) | \??\w: | ibdzrjpv.exe
File opened (read-only) | \??\q: | ibdzrjpv.exe
File opened (read-only) | \??\k: | rltnmyqkan.exe
File opened (read-only) | \??\p: | ibdzrjpv.exe
File opened (read-only) | \??\r: | ibdzrjpv.exe
File opened (read-only) | \??\v: | ibdzrjpv.exe
File opened (read-only) | \??\x: | ibdzrjpv.exe
File opened (read-only) | \??\z: | ibdzrjpv.exe
File opened (read-only) | \??\q: | rltnmyqkan.exe
File opened (read-only) | \??\a: | ibdzrjpv.exe
File opened (read-only) | \??\v: | ibdzrjpv.exe
File opened (read-only) | \??\y: | ibdzrjpv.exe
File opened (read-only) | \??\a: | rltnmyqkan.exe
File opened (read-only) | \??\j: | rltnmyqkan.exe
File opened (read-only) | \??\l: | rltnmyqkan.exe
File opened (read-only) | \??\o: | rltnmyqkan.exe
File opened (read-only) | \??\z: | ibdzrjpv.exe
File opened (read-only) | \??\n: | ibdzrjpv.exe
File opened (read-only) | \??\q: | ibdzrjpv.exe
File opened (read-only) | \??\o: | ibdzrjpv.exe
File opened (read-only) | \??\r: | rltnmyqkan.exe
File opened (read-only) | \??\i: | ibdzrjpv.exe
File opened (read-only) | \??\j: | ibdzrjpv.exe
File opened (read-only) | \??\k: | ibdzrjpv.exe
File opened (read-only) | \??\a: | ibdzrjpv.exe
File opened (read-only) | \??\s: | ibdzrjpv.exe
File opened (read-only) | \??\b: | rltnmyqkan.exe
File opened (read-only) | \??\e: | ibdzrjpv.exe
File opened (read-only) | \??\x: | ibdzrjpv.exe
File opened (read-only) | \??\m: | ibdzrjpv.exe
File opened (read-only) | \??\h: | ibdzrjpv.exe
File opened (read-only) | \??\m: | ibdzrjpv.exe
File opened (read-only) | \??\t: | ibdzrjpv.exe
File opened (read-only) | \??\p: | rltnmyqkan.exe
File opened (read-only) | \??\b: | ibdzrjpv.exe
File opened (read-only) | \??\j: | ibdzrjpv.exe
File opened (read-only) | \??\e: | rltnmyqkan.exe
File opened (read-only) | \??\h: | rltnmyqkan.exe
File opened (read-only) | \??\e: | ibdzrjpv.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rltnmyqkan.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rltnmyqkan.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000b000000015c52-5.dat | autoit_exe
behavioral1/files/0x0009000000015c33-17.dat | autoit_exe
behavioral1/files/0x0007000000015d2b-34.dat | autoit_exe
behavioral1/files/0x0009000000015cfa-41.dat | autoit_exe
behavioral1/files/0x000b000000015c52-40.dat | autoit_exe
behavioral1/files/0x0009000000015cfa-43.dat | autoit_exe
behavioral1/files/0x0007000000015d2b-38.dat | autoit_exe
behavioral1/files/0x0007000000015d2b-30.dat | autoit_exe
behavioral1/files/0x0009000000015cfa-26.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe | a55653f091ed18edbe657030b185c23e.exe
File opened for modification | C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe | a55653f091ed18edbe657030b185c23e.exe
File opened for modification | C:\Windows\SysWOW64\ibdzrjpv.exe | a55653f091ed18edbe657030b185c23e.exe
File created | C:\Windows\SysWOW64\xdahcslvewojh.exe | a55653f091ed18edbe657030b185c23e.exe
File created | C:\Windows\SysWOW64\rltnmyqkan.exe | a55653f091ed18edbe657030b185c23e.exe
File opened for modification | C:\Windows\SysWOW64\rltnmyqkan.exe | a55653f091ed18edbe657030b185c23e.exe
File created | C:\Windows\SysWOW64\ibdzrjpv.exe | a55653f091ed18edbe657030b185c23e.exe
File opened for modification | C:\Windows\SysWOW64\xdahcslvewojh.exe | a55653f091ed18edbe657030b185c23e.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rltnmyqkan.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ibdzrjpv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ibdzrjpv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ibdzrjpv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ibdzrjpv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ibdzrjpv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ibdzrjpv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ibdzrjpv.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | a55653f091ed18edbe657030b185c23e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings 31 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rltnmyqkan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rltnmyqkan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rltnmyqkan.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60F15E1DBBEB9B97CE1ED9534CD" | a55653f091ed18edbe657030b185c23e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2496 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
2664 | xdahcslvewojh.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
1228 | rltnmyqkan.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
2380 | a55653f091ed18edbe657030b185c23e.exe
1228 | rltnmyqkan.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
2664 | xdahcslvewojh.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
3016 | gvdgjvfuvlcgdve.exe
1228 | rltnmyqkan.exe
1228 | rltnmyqkan.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2592 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
2640 | ibdzrjpv.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2496 | WINWORD.EXE
2496 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2380 wrote to memory of 1228 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 28
PID 2380 wrote to memory of 1228 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 28
PID 2380 wrote to memory of 1228 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 28
PID 2380 wrote to memory of 1228 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 28
PID 2380 wrote to memory of 3016 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 35
PID 2380 wrote to memory of 3016 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 35
PID 2380 wrote to memory of 3016 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 35
PID 2380 wrote to memory of 3016 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 35
PID 2380 wrote to memory of 2592 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 34
PID 2380 wrote to memory of 2592 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 34
PID 2380 wrote to memory of 2592 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 34
PID 2380 wrote to memory of 2592 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 34
PID 2380 wrote to memory of 2664 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 32
PID 2380 wrote to memory of 2664 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 32
PID 2380 wrote to memory of 2664 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 32
PID 2380 wrote to memory of 2664 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 32
PID 1228 wrote to memory of 2640 | 1228 | rltnmyqkan.exe | 30
PID 1228 wrote to memory of 2640 | 1228 | rltnmyqkan.exe | 30
PID 1228 wrote to memory of 2640 | 1228 | rltnmyqkan.exe | 30
PID 1228 wrote to memory of 2640 | 1228 | rltnmyqkan.exe | 30
PID 2380 wrote to memory of 2496 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 29
PID 2380 wrote to memory of 2496 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 29
PID 2380 wrote to memory of 2496 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 29
PID 2380 wrote to memory of 2496 | 2380 | a55653f091ed18edbe657030b185c23e.exe | 29
PID 2496 wrote to memory of 2832 | 2496 | WINWORD.EXE | 36
PID 2496 wrote to memory of 2832 | 2496 | WINWORD.EXE | 36
PID 2496 wrote to memory of 2832 | 2496 | WINWORD.EXE | 36
PID 2496 wrote to memory of 2832 | 2496 | WINWORD.EXE | 36
Processes
C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2380

  C:\Windows\SysWOW64\rltnmyqkan.exe
    Command line: rltnmyqkan.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1228

    C:\Windows\SysWOW64\ibdzrjpv.exe
      Command line: C:\Windows\system32\ibdzrjpv.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2640

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2496

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2832

  C:\Windows\SysWOW64\xdahcslvewojh.exe
    Command line: xdahcslvewojh.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2664

  C:\Windows\SysWOW64\ibdzrjpv.exe
    Command line: ibdzrjpv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2592

  C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
    Command line: gvdgjvfuvlcgdve.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3016
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads

Filesize: 20KB
MD5: 070c0b58a341f40f0f1d37f9d21c60d9
SHA1: d37f5fe58b3eeb24cff982dee4d0d846f57e537c
SHA256: b027be3f271bbf5ccf238d9db22b5c76853700aa5cbb201ff0fdb9e9a387f048
SHA512: 902563e4388f56c1361ccd5aa20a032ff2fdad87969967ee6a87edfb96231d64a3cc922600c49297408f9ba0034d03e22aea51d45f960a32dd737d23206f6d51

Filesize: 99KB
MD5: 7fc6cf931da79ecd4267f22c6a1aefa8
SHA1: 913682b9a75a4089cc18ec25b28e082916a6b314
SHA256: 2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487
SHA512: 272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

Filesize: 512KB
MD5: 5adafb3372e232d25d0ab54e6c97f2ea
SHA1: 3ca5e80575c139319a0e6ce6d1ca13d90ca35210
SHA256: 177d690f7659284712ead93d9a8e78f169142225a02525e3f816644565d0a9e9
SHA512: 9389505b00e0243eb36436665497774abdde574410b9746784a123623bda8c7857780f8297105d2850ea7b3f63c8c40c2657ce60a3143d936c805379a4d2ec71

Filesize: 384KB
MD5: 0e151ec3919b72f9a6c7fe60d10f4ea0
SHA1: 91fb01badc6db9808233ff95abf39c37982a8c85
SHA256: f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA512: 41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

Filesize: 93KB
MD5: 257f28bd5bdc2b725434b7ab570814e7
SHA1: 972446e0f8d210c5d6f42a57a921391a236d564d
SHA256: d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688
SHA512: c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

Filesize: 382KB
MD5: badd716c7c48a8241873d9251da496d1
SHA1: 6bd2a072c8f64a1780fe75d983cb7b6584985c6d
SHA256: ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7
SHA512: 7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

Filesize: 98KB
MD5: 609af11fd29d08e54980de8c57a56b23
SHA1: e50dccaa3bd6cb5b4793d75239949664c7b7b85c
SHA256: 263becbbaf456f58f41f0ac5b3d64a9146f02fe787e80917150392fa4b571274
SHA512: 598fc2efae60327ed354d106300f79ddd327756e93b5afaa7178dde66f28b9326c31b553190840a55c1d1d3b027015fbfe7b8a004564aed9dc1b3ecb184f8586

Filesize: 512KB
MD5: d1b3806f6ce4b24ff6eb532197bef5be
SHA1: c59b2fa57ca35afdccd930c058f6346b3b1e7b7d
SHA256: 4a5c8955f353a366774fe39bc856111dfc9372adc5095cb68080041a5cbaf959
SHA512: 51c5d4da159f11a9b5a6325fc53907e10be011509bed0ee795284ab65eadab503265a313ae6c56b171691da2d722a43f02605df76f4c1a06a1eb3f07d941bf9d

Filesize: 512KB
MD5: 67c515e91b0456bd93889826750ea960
SHA1: 22fbd4d942c1753a5ec08a06295e2de07cc8a7f0
SHA256: c52bf1c19b874dd1222e224529ac47e673311abd5d4c78a58bf7d9c710093c4e
SHA512: f76187c2f9c5feada49b612125aaa08d7000a411c1dd427b0f6dfc11925e246b9e509169e699c25cece160829f363105773a42dcc3c5dba63bd48fc82660bca5

Filesize: 512KB
MD5: c03f1b415c1a0f85ad198a005bf7046e
SHA1: a2efaf68ab7dd7dcc79269aa3cd97522358a9cdb
SHA256: 74e015f4c2e9e3124b63eb60f1c32a8a593cdedc52057a6d92d718246e48f0de
SHA512: e1174f2d5c4af620eb9fd1baebff76c3bec1cc70a061424ce0d82cdcca358d39d9d79154838d507973bbcb5cf574a18eb20b4347e84aaf8a4431017a25011f49