Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: a55653f091ed18edbe657030b185c23e.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2 (this report)
  Sample: a55653f091ed18edbe657030b185c23e.exe
  Resource: win10v2004-20231222-en
General
Target: a55653f091ed18edbe657030b185c23e.exe
Size: 512KB
MD5: a55653f091ed18edbe657030b185c23e
SHA1: e628497e30e768b0c19451b053c2764ff9d5f01f
SHA256: e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec
SHA512: 26ff643e78e748a8ae81ff83ba549a901348904efdbbe94aa432c4707254072b5cd9efa611a6994b8c7ac2aab49049e85fe7f48a661f0583647fd3c7a1d2804c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm55
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" xqkjqhcidd.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" xqkjqhcidd.exe

Windows security bypass 5 IoCs
All five values land under WOW6432Node: xqkjqhcidd.exe is a 32-bit process, so the registry redirector diverts its HKLM\SOFTWARE writes to the 32-bit view. The 64-bit Security Center service reads the native key, so on this x64 image the overrides most likely had no effect.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" xqkjqhcidd.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xqkjqhcidd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation a55653f091ed18edbe657030b185c23e.exe
Executes dropped EXE 5 IoCs
pid Process
5020 xqkjqhcidd.exe
2904 zknqubcpxzdrnyg.exe
2324 sdvvumaw.exe
4568 nevaqadkxpwwr.exe
3924 sdvvumaw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are listed for this signature.

Windows security modification 6 IoCs
The same Security Center values as the bypass signature plus FirstRunDisabled, all written to the WOW6432Node view by the 32-bit xqkjqhcidd.exe.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" xqkjqhcidd.exe
Adds Run key to start application 2 TTPs 3 IoCs
The values hold bare file names rather than full paths; the third is written to the Run key's default (unnamed) value. All three are set by zknqubcpxzdrnyg.exe, not by the sample itself.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nblnkjqf = "xqkjqhcidd.exe" zknqubcpxzdrnyg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cyoqdean = "zknqubcpxzdrnyg.exe" zknqubcpxzdrnyg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nevaqadkxpwwr.exe" zknqubcpxzdrnyg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
All rows are "File opened (read-only)" on a drive root \??\<letter>:. The listing stops at 64 rows; the letters are grouped here by process with repeats collapsed.
sdvvumaw.exe (44 rows): a b e g h i j k l m n o p q r s t u v w x y z
xqkjqhcidd.exe (20 rows): a e g h j k l m n o q r s t u v w x y z
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = "4294967197" is 0xFFFFFF9D (-99 as a signed DWORD), the Windows 2000/XP-era value used to switch off Windows File Protection. Windows Resource Protection on Windows 10 does not honour it, and the write went to the WOW6432Node view in any case.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" xqkjqhcidd.exe
AutoIT Executable 17 IoCs
AutoIT scripts compiled to PE executables. The memory hit covers the image of the submitted sample itself (PID 4716, 0x400000-0x496000); the remaining hits are dropped files.
resource yara_rule
behavioral2/memory/4716-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000700000002323a-23.dat autoit_exe
behavioral2/files/0x000600000002323e-29.dat autoit_exe
behavioral2/files/0x000600000002323e-28.dat autoit_exe
behavioral2/files/0x000600000002323f-32.dat autoit_exe
behavioral2/files/0x000600000002323e-44.dat autoit_exe
behavioral2/files/0x000600000002323f-31.dat autoit_exe
behavioral2/files/0x000700000002323a-22.dat autoit_exe
behavioral2/files/0x0007000000023237-19.dat autoit_exe
behavioral2/files/0x0007000000023237-18.dat autoit_exe
behavioral2/files/0x000700000002323a-5.dat autoit_exe
behavioral2/files/0x000600000002324b-78.dat autoit_exe
behavioral2/files/0x000600000002324a-72.dat autoit_exe
behavioral2/files/0x000700000002313c-92.dat autoit_exe
behavioral2/files/0x000700000002313c-90.dat autoit_exe
behavioral2/files/0x000700000002313c-86.dat autoit_exe
behavioral2/files/0x000700000002313c-97.dat autoit_exe
Drops file in System32 directory 13 IoCs
The sample writes its four helper executables into SysWOW64 (a 32-bit process writing C:\Windows\System32 is redirected there). Note also xqkjqhcidd.exe opening the VB6 runtime msvbvm60.dll for modification.
description ioc Process
File created C:\Windows\SysWOW64\xqkjqhcidd.exe a55653f091ed18edbe657030b185c23e.exe
File opened for modification C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe a55653f091ed18edbe657030b185c23e.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdvvumaw.exe
File created C:\Windows\SysWOW64\sdvvumaw.exe a55653f091ed18edbe657030b185c23e.exe
File opened for modification C:\Windows\SysWOW64\nevaqadkxpwwr.exe a55653f091ed18edbe657030b185c23e.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification C:\Windows\SysWOW64\sdvvumaw.exe a55653f091ed18edbe657030b185c23e.exe
File created C:\Windows\SysWOW64\nevaqadkxpwwr.exe a55653f091ed18edbe657030b185c23e.exe
File opened for modification C:\Windows\SysWOW64\xqkjqhcidd.exe a55653f091ed18edbe657030b185c23e.exe
File created C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe a55653f091ed18edbe657030b185c23e.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll xqkjqhcidd.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe sdvvumaw.exe
Drops file in Program Files directory 15 IoCs
sdvvumaw.exe creates PROTTPLN.DOC.exe and PROTTPLV.DOC.exe in the Office 1033 directory and modifies PROTTPLN.nal and PROTTPLV.nal beside them. With HideFileExt set to 1 (see above), Explorer shows such a file as PROTTPLN.DOC.
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdvvumaw.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal sdvvumaw.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdvvumaw.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal sdvvumaw.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdvvumaw.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe sdvvumaw.exe
Drops file in Windows directory 19 IoCs
C:\Windows\mydoc.rtf is opened for modification by the sample and then opened in WINWORD.EXE (see the process tree), which accounts for the Word lock file ~$mydoc.rtf. The remaining rows are sdvvumaw.exe planting MsoIrmProtector.doc.exe in the WinSxS component stores.
description ioc Process
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdvvumaw.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdvvumaw.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdvvumaw.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdvvumaw.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification C:\Windows\mydoc.rtf a55653f091ed18edbe657030b185c23e.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe sdvvumaw.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe sdvvumaw.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe sdvvumaw.exe
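The file drops in the Program Files and Windows directories share one shape: an executable whose name carries an inner document extension (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe), in two cases next to a same-stem .nal file that was modified at the same time. The scanner below, added here as an example and not part of the sandbox report, walks a directory tree and flags that pairing, so it can be pointed at a suspect host's Program Files or Windows tree. The sample tree it builds is constructed in a temporary directory to mirror the report's paths; the inner extensions other than .doc are an assumption that generalises the report's case to other document types.

```python
"""Hunt for the '<name>.DOC.exe' next to '<name>.nal' file pairing seen in this report.

Added example for this page, not part of the sandbox report. The report shows
sdvvumaw.exe creating PROTTPLN.DOC.exe / PROTTPLV.DOC.exe in the Office 1033 directory
while modifying PROTTPLN.nal / PROTTPLV.nal beside them, and creating
MsoIrmProtector.doc.exe under SysWOW64\\MSDRM and WinSxS. build_sample_tree() constructs
a lookalike tree; INNER_DOC_EXTS beyond ".doc" is an assumption."""
import tempfile
from pathlib import Path

# Inner extensions that should never sit in front of ".exe". Only ".doc" occurs in the
# report; the others are assumed to be worth the same check.
INNER_DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}


def find_doc_exe_pairs(root):
    """Return one record per '*.<doc ext>.exe' file under root, noting whether a sibling
    '<stem>.nal' exists (the pairing the report shows for PROTTPLN/PROTTPLV)."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        inner = Path(path.stem).suffix.lower()      # "PROTTPLN.DOC.exe" -> ".doc"
        if inner not in INNER_DOC_EXTS:
            continue
        stem = Path(path.stem).stem                 # "PROTTPLN"
        hits.append({
            "name": path.name,
            "path": str(path),
            # What Explorer shows once HideFileExt = 1 hides the final ".exe".
            "displayed_as": path.stem,
            "nal_sibling": path.with_name(stem + ".nal").exists(),
        })
    return hits


def build_sample_tree(base):
    """Constructed sample, not real dropped files: the report's names and relative
    locations, with two-byte placeholder contents."""
    office = Path(base, "Program Files", "Microsoft Office", "root", "Office16", "1033")
    msdrm = Path(base, "Windows", "SysWOW64", "MSDRM")
    office.mkdir(parents=True, exist_ok=True)
    msdrm.mkdir(parents=True, exist_ok=True)
    for name in ("PROTTPLN.DOC.exe", "PROTTPLV.DOC.exe", "PROTTPLN.nal",
                 "PROTTPLV.nal", "WINWORD.EXE"):
        (office / name).write_bytes(b"MZ")
    (msdrm / "MsoIrmProtector.doc.exe").write_bytes(b"MZ")
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_doc_exe_pairs(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}  shown as '{hit['displayed_as']}'  .nal sibling: {hit['nal_sibling']}")
```

On a real host, call find_doc_exe_pairs() on C:\Program Files and C:\Windows; a hit with nal_sibling set reproduces the exact pattern from this run, while a hit without one (as for MsoIrmProtector.doc.exe here) still deserves a look.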
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). No IoC rows are listed for this signature.
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. All three rows come from WINWORD.EXE, not from the sample or its dropped executables; Word reads these keys on any document, so they carry little weight here.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
As with the processor keys, all rows are WINWORD.EXE reading BIOS identifiers.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
Two separate things happen here. The sample stores hex strings in HKLM\SOFTWARE\Classes\CLV.Classes (Com1 to Com4, StartCom1 and StartCom2). Separately, xqkjqhcidd.exe repoints the .bat, .reg, .vbs, .wsc, .wsf and .wsh extensions to the txtfile ProgID, so double-clicking a script of those types opens it in the text editor bound to txtfile (Notepad by default) instead of running it. HKLM\SOFTWARE\Classes is shared between the 32- and 64-bit views (note the absence of WOW6432Node in these paths), so the remapping applies system-wide.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D799C2283556D4676A770252CD77DF364DD" a55653f091ed18edbe657030b185c23e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB7FE6821ADD27BD0A48B789117" a55653f091ed18edbe657030b185c23e.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABFF963F29884753B4386983E91B3FE03FE4313023BE1BF45E908D4" a55653f091ed18edbe657030b185c23e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12E4493389D52CBBAA632EDD4BE" a55653f091ed18edbe657030b185c23e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF824F2685699040D75F7D91BDE6E643584766406242D6ED" a55653f091ed18edbe657030b185c23e.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes a55653f091ed18edbe657030b185c23e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77815EDDBC5B8C07CE1ED9F34C7" a55653f091ed18edbe657030b185c23e.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" xqkjqhcidd.exe
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings a55653f091ed18edbe657030b185c23e.exe
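The registry rows in the signatures above (Explorer, Policies, Security Center, Winlogon, Run and Classes) all share the report's "action NT-path = data process" layout. The parser below, added here as an example and not part of the sandbox report, turns such rows into structured records with the HKLM/HKU paths a host-side check would use, separates the value name from the key (including the default value written as a trailing backslash), flags rows that went through the WOW64 registry redirector and shows the native key they would otherwise have reached, and decodes the unsigned DWORD the report prints for SFCDisable. The rows in REPORT_ROWS are copied from the tables above; the hive mapping and redirection rule are standard Windows behaviour, and nothing else is assumed.

```python
r"""Turn the registry IOC rows in this report into a structured hunt list.

Added example for this page, not part of the sandbox report. REPORT_ROWS is copied
verbatim from the report's signature tables. The hive mapping
(\REGISTRY\MACHINE -> HKLM, \REGISTRY\USER\<SID> -> HKU\<SID>) and the WOW6432Node
redirection rule are standard Windows registry behaviour."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the report (one per line; blank lines are ignored).
REPORT_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" xqkjqhcidd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" xqkjqhcidd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nblnkjqf = "xqkjqhcidd.exe" zknqubcpxzdrnyg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" xqkjqhcidd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs xqkjqhcidd.exe
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation a55653f091ed18edbe657030b185c23e.exe
"""

ROW_RE = re.compile(
    r'^(?P<action>Set value \((?:int|str)\)|Key created|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'        # NT-native path; may contain spaces
    r'(?: = "(?P<data>[^"]*)")?'        # data is present only on "Set value" rows
    r' (?P<proc>\S+\.exe)$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-[\d-]+)(?P<cls>_Classes)?\\(?P<rest>.*)$')


@dataclass(frozen=True)
class RegIoc:
    action: str
    key: str             # Win32 view: HKLM\... or HKU\<SID>\...
    value: str           # value name; "" is the key's default value
    data: Optional[str]  # None for key-level events
    process: str
    wow64: bool          # landed under WOW6432Node, i.e. written via the registry redirector


def to_win32_path(nt_path: str) -> str:
    """Map an NT-native registry path to the HKLM/HKU form that hunting tools use."""
    prefix = "\\REGISTRY\\MACHINE\\"
    if nt_path.upper().startswith(prefix):
        return "HKLM\\" + nt_path[len(prefix):]
    m = SID_RE.match(nt_path)
    if m:
        return f"HKU\\{m['sid']}{m['cls'] or ''}\\{m['rest']}"
    raise ValueError(f"unrecognised hive in {nt_path!r}")


def parse_row(row: str) -> RegIoc:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparseable IOC row: {row!r}")
    action, full = m["action"], to_win32_path(m["path"])
    if action.startswith("Set value") or action == "Key value queried":
        key, _, value = full.rpartition("\\")   # "...\.bat\" -> value "" (default value)
    else:
        key, value = full, ""
    return RegIoc(action, key, value, m["data"], m["proc"], "\\WOW6432NODE\\" in key.upper())


def parse_report(text: str) -> list[RegIoc]:
    return [parse_row(r) for r in text.splitlines() if r.strip()]


def native_key(ioc: RegIoc) -> str:
    r"""The 64-bit key the same write would reach without redirection. On x64 a 32-bit
    process writing HKLM\SOFTWARE\X lands in HKLM\SOFTWARE\WOW6432Node\X, while 64-bit
    consumers such as the Security Center service read the native key."""
    return ioc.key.replace("\\WOW6432Node\\", "\\") if ioc.wow64 else ioc.key


def dword_as_signed(data: str) -> int:
    """The report prints REG_DWORD data unsigned; view it as a signed 32-bit value."""
    n = int(data)
    return n - (1 << 32) if n >= (1 << 31) else n


def hunt_list(iocs: list[RegIoc]) -> list[tuple[str, str, Optional[str]]]:
    """Distinct (key, value, data) triples to check on a suspect host: only rows that
    wrote something, each listed once, in report order."""
    out: dict[tuple[str, str, Optional[str]], None] = {}
    for i in iocs:
        if i.action.startswith("Set value"):
            out.setdefault((i.key, i.value, i.data), None)
    return list(out)


if __name__ == "__main__":
    for ioc in parse_report(REPORT_ROWS):
        note = f"  [32-bit view; native key {native_key(ioc)}]" if ioc.wow64 else ""
        print(f"{ioc.process:40} {ioc.action:18} {ioc.key}\\{ioc.value} = {ioc.data!r}{note}")
    print("SFCDisable as signed DWORD:", dword_as_signed("4294967197"))
```

The hunt list maps directly onto reg query or Get-ItemProperty calls on a host; for the WOW6432Node rows, check both the key the report shows and the native key that native_key() returns, since a 64-bit dropper variant would hit the latter.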
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
1888 WINWORD.EXE (2 rows)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (rows per process; the listing stops at 64 rows)
4716 a55653f091ed18edbe657030b185c23e.exe (16)
5020 xqkjqhcidd.exe (10)
2324 sdvvumaw.exe (8)
4568 nevaqadkxpwwr.exe (12)
2904 zknqubcpxzdrnyg.exe (12)
3924 sdvvumaw.exe (6)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (3 rows each)
4716 a55653f091ed18edbe657030b185c23e.exe
5020 xqkjqhcidd.exe
4568 nevaqadkxpwwr.exe
2324 sdvvumaw.exe
2904 zknqubcpxzdrnyg.exe
3924 sdvvumaw.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (3 rows each)
4716 a55653f091ed18edbe657030b185c23e.exe
5020 xqkjqhcidd.exe
4568 nevaqadkxpwwr.exe
2324 sdvvumaw.exe
2904 zknqubcpxzdrnyg.exe
3924 sdvvumaw.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
1888 WINWORD.EXE (7 rows)
Suspicious use of WriteProcessMemory 17 IoCs
Each child received two or three identical rows from its parent and no other injection signature fired, which is consistent with a parent populating a freshly created child at CreateProcess time rather than with injection into a foreign process. The last three rows show xqkjqhcidd.exe (PID 5020) starting the second sdvvumaw.exe instance (PID 3924), which the process tree below places at the top level.
description pid Process procid_target (rows)
PID 4716 wrote to memory of 5020 4716 a55653f091ed18edbe657030b185c23e.exe 32 (3 rows)
PID 4716 wrote to memory of 2904 4716 a55653f091ed18edbe657030b185c23e.exe 23 (3 rows)
PID 4716 wrote to memory of 2324 4716 a55653f091ed18edbe657030b185c23e.exe 24 (3 rows)
PID 4716 wrote to memory of 4568 4716 a55653f091ed18edbe657030b185c23e.exe 31 (3 rows)
PID 4716 wrote to memory of 1888 4716 a55653f091ed18edbe657030b185c23e.exe 25 (2 rows)
PID 5020 wrote to memory of 3924 5020 xqkjqhcidd.exe 27 (3 rows)
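The WriteProcessMemory rows are the only place in the report that records which process started which, and the report's own tree does not use them (it lists the second sdvvumaw.exe at the top level). The script below, added here as an example and not part of the sandbox report, parses the 17 rows as copied from the table, collapses the repeated rows into one edge per parent/child pair with a count, and prints an indented tree. The PID-to-image table is taken from the report's process list; nothing else is assumed.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example for this page, not part of the sandbox report. WPM_ROWS and IMAGES are
copied from the report; nothing else is assumed."""
import re
from collections import Counter, defaultdict

# The 17 rows of the "Suspicious use of WriteProcessMemory" table, copied verbatim.
WPM_ROWS = """
PID 4716 wrote to memory of 5020 4716 a55653f091ed18edbe657030b185c23e.exe 32
PID 4716 wrote to memory of 5020 4716 a55653f091ed18edbe657030b185c23e.exe 32
PID 4716 wrote to memory of 5020 4716 a55653f091ed18edbe657030b185c23e.exe 32
PID 4716 wrote to memory of 2904 4716 a55653f091ed18edbe657030b185c23e.exe 23
PID 4716 wrote to memory of 2904 4716 a55653f091ed18edbe657030b185c23e.exe 23
PID 4716 wrote to memory of 2904 4716 a55653f091ed18edbe657030b185c23e.exe 23
PID 4716 wrote to memory of 2324 4716 a55653f091ed18edbe657030b185c23e.exe 24
PID 4716 wrote to memory of 2324 4716 a55653f091ed18edbe657030b185c23e.exe 24
PID 4716 wrote to memory of 2324 4716 a55653f091ed18edbe657030b185c23e.exe 24
PID 4716 wrote to memory of 4568 4716 a55653f091ed18edbe657030b185c23e.exe 31
PID 4716 wrote to memory of 4568 4716 a55653f091ed18edbe657030b185c23e.exe 31
PID 4716 wrote to memory of 4568 4716 a55653f091ed18edbe657030b185c23e.exe 31
PID 4716 wrote to memory of 1888 4716 a55653f091ed18edbe657030b185c23e.exe 25
PID 4716 wrote to memory of 1888 4716 a55653f091ed18edbe657030b185c23e.exe 25
PID 5020 wrote to memory of 3924 5020 xqkjqhcidd.exe 27
PID 5020 wrote to memory of 3924 5020 xqkjqhcidd.exe 27
PID 5020 wrote to memory of 3924 5020 xqkjqhcidd.exe 27
"""

# PID -> image name, from the report's process list.
IMAGES = {
    4716: "a55653f091ed18edbe657030b185c23e.exe",
    5020: "xqkjqhcidd.exe",
    2904: "zknqubcpxzdrnyg.exe",
    2324: "sdvvumaw.exe",
    4568: "nevaqadkxpwwr.exe",
    1888: "WINWORD.EXE",
    3924: "sdvvumaw.exe",
}

# "PID <parent> wrote to memory of <child> <parent> <parent image> <procid_target>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_edges(text):
    """Count rows per (parent_pid, child_pid); the report repeats one row per write."""
    edges = Counter()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        edges[(int(m[1]), int(m[2]))] += 1
    return edges


def build_tree(edges):
    """Return (roots, parent_of, children_of) from the edge counter, in report order."""
    parent, children = {}, defaultdict(list)
    for p, c in edges:                       # Counter keeps insertion order
        if parent.get(c, p) != p:
            raise ValueError(f"pid {c} written by two different parents")
        if c not in parent:
            parent[c] = p
            children[p].append(c)
    roots = [p for p in dict.fromkeys(p for p, _ in edges) if p not in parent]
    return roots, parent, children


def render(edges, images):
    """Indented tree, one process per line, with the number of write rows per child."""
    roots, parent, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        rows = edges.get((parent.get(pid), pid), 0)
        tag = f" ({rows} WriteProcessMemory rows)" if rows else ""
        lines.append(f"{'  ' * depth}{pid} {images.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_edges(WPM_ROWS), IMAGES)))
```

The rendered tree has one root (4716) and puts 3924 under 5020, which is the relationship the report's own tree loses.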
Processes
C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe (depth 2)
Command line: zknqubcpxzdrnyg.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

C:\Windows\SysWOW64\sdvvumaw.exe (depth 2)
Command line: sdvvumaw.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2324

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
Launched by the sample (PID 4716) on the RTF it wrote to C:\Windows. The registry reads and hook signatures attributed to PID 1888 are what Word does on any document and should not be read as sample behaviour.
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\nevaqadkxpwwr.exe (depth 2)
Command line: nevaqadkxpwwr.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4568

C:\Windows\SysWOW64\xqkjqhcidd.exe (depth 2)
Command line: xqkjqhcidd.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\sdvvuma w.exe (depth 1; second instance, started by xqkjqhcidd.exe PID 5020 according to the WriteProcessMemory rows, although the report lists it at the top level)
Command line: C:\Windows\system32\sdvvumaw.exe
The command line names system32, but the image runs from SysWOW64: the 32-bit parent's path goes through file-system redirection.
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3924
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 94KB
MD5: a01969a7ace301cfa146501768a2785f
SHA1: b00866ee9a2a0ba411c4b576b628bb02c7eb377e
SHA256: 2e3f2a3e7f185b1049ff36e8f91ed75257e0630c16b3b064e91cf3c6a90aa1e4
SHA512: f7af7b17e51a642088e8e78f9bc52fce49c207c033ef92363436350da7bdf2d97a19d1d1be7969d716c377a2b1cc387f1a39385ac1998734fedd00ff201c839c

Filesize: 70KB
MD5: 178acb3a535958573d2d65f5765423eb
SHA1: ab76495c02b1cce9d3a45af36898d541bc968a7f
SHA256: 61af45b4e5e6874cb17af4ca2e3200284e8eed1bdfa68cbcd2062ae4f422de0f
SHA512: c8370c983aa955071b61aa4d167ffa8c96dbf36f5ac962f4a950ab8679bd6cde956daa3c31a9d4eab346c50e8213e88a06e0b8b000506cacfeddcf62e35ea7b2

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: edef1f39b6c213fe678c244843cde01f
SHA1: d699b72ba58aaf977f97bcce42e53ff87776e935
SHA256: 8d673aef8428334f765845bd3c01fb552edf4f5a8f1838497ab729e41a45b83f
SHA512: 15bab0c4de17bbae495f517b69fd27c23ee9dbfef170457df3b50be31fdd8a4b3b1548d80fed9c0410afd85500a6fd48bdaeaad86a73ef441cb2a5369f3189e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: e6100b7d0180b75d49c331f6d15fed9d
SHA1: 61aeef274a26310dda0815d4308ef49c79d45774
SHA256: 50bee110d2282d15fb42f62109916d8323948a1516e028fba1e4b8da03b7c097
SHA512: 4b2397b65cfe6dcd248d941f3aecc965c155d06a635d5c943b51b8a5036391e1f5d985f36895f010f79c915e9390ba3c23660419c573f6bcd0e1b4c0a49feeb5

Filesize: 149KB
MD5: 5a1366d811460096a3c3f9960094826e
SHA1: 73404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a
SHA256: 4e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92
SHA512: 95d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1

Filesize: 141KB
MD5: e083de0dae5df581fe8aebfdbe8a8515
SHA1: de8f2a38d4c6acbdba6525f1154e73d1c32bf9c8
SHA256: d5da42b3e1193ccddc2c6a6ede9d12156d6a05ab2d23e389662777810204ac5b
SHA512: 65db92855de2eaf9e7e8782277fb21b2e872137fd2da7c16676af0616c19ad47e958557d61d649bdd312dec7353f2a4661b32134299726914a5e568164935465

Filesize: 286KB
MD5: 0349bcc51e358b089b8a916c085924ac
SHA1: 11c4a2209bb79d933ed4f211c296df184f4aaaf0
SHA256: 38a68a4cc5711fe9b2b363f745f286aa7de369f2c13e4ddca571a6b2c6e72c43
SHA512: 7197219549c21a228d7b1ea529a09ed011ac11551cffedd3d04c8863a52936c5fb3c0eade219b661a3444c9546275c14d6d2f2f714effedf38a9a74a2ddaa864

Filesize: 227KB
MD5: c218401b7a4f9c830d294d1dfa145d3b
SHA1: d528cce0e980d5cbcfb4971f6b1dec309871f0fc
SHA256: e292c9c81908f49e54e9ed0c03c024b2764eebca44e8ab1228efea1154c8bdf2
SHA512: 4d0aea282bfa11108722f4c7cb129c1d5cf30e5d4bf988e5d3a6f3aaea85401f31a55b43c17c6a678e17c3a395a4eef7b5e4a884c9bd27b9eb3d4cf9e039be02

Filesize: 154KB
MD5: 8ce5c42dcb5bb99b42dfc99b5d8f0609
SHA1: aa66771f7ead7bd41b82d908b65086a43e57e354
SHA256: 0dfba2ab75a66072278603be912db56295bb4470aa11f50f590994ddbfaf6784
SHA512: 388bdc31b12c990b04615e13e7b114572bf4ef881dfd1b11a71422f3c757ba0ec586d3de4d52155ec72923ed2b2fee30b2d952bfeb728ec76404cacecfbaaa74

Filesize: 193KB
MD5: 47e578d1d1ac0d9041eee6b4967d3025
SHA1: 9b6c732f33155469ddc490001df01d423036b493
SHA256: fa2dbaf77184be2125a7faf94a4d38d809da41fe96969d8c683a948898a6ae52
SHA512: 69a64594725188939e30c3615897c48cdcfd49c596b78c6dd6c3cdbe6f66c1351655ac17d20c78a09cf18917be7592671854b5be9fe638d680888edf0a22866b

Filesize: 126KB
MD5: 7798e437ad2675b7b314967f97bd1d65
SHA1: 75adcc02ed0238da96d122816b472dc5ce39ccfe
SHA256: 8aa300da89e9875ebd69cd5173ed5e8fab83043c6cf701e71628841b75cf67d0
SHA512: 15bf7c270b3f030f39a88d5e2808444533a90841419c3a506fdf63a887d6520e69b79e82f4f90ca7f5686953b5e7d2b45e03dfb51b31f9b0312baed4ed0d8455

Filesize: 157KB
MD5: 60c7cc5b0ecff4d2fd54a78d33e530bc
SHA1: ac796bcce2ceff3d37dfad327f70ca809766f37b
SHA256: 21b01eb8aca8303499059d54f5c0bf11f2ae0bf3f3a58253c8794d1bb8842f42
SHA512: 17c1288ff18565a5823b95f6e7621a828242b8632b41ce5c14b31e899894ff76d795b0de0cb90a8b2d32c3b4a41f25ebab7123b6e988118d29caea569d44b4d5

Filesize: 176KB
MD5: 30af0cd048a6f5be623951643cd14d28
SHA1: 47ee81993a3603fd840b2eaf5b4f83e2feba0b80
SHA256: 4f1498efede0d439e3644d0b6d63e056c934ea63bbf1429d91e2e39ddc921ef3
SHA512: cfe4c237a33c51529bc685c4fd1548261262a1612f67cb26b7b618771d8a8ab7ab20eea1a86bc787d8556eeaf8f9ec9f568f3d2205804b47d908504da6586f80

Filesize: 388KB
MD5: 39fefc2896d1c99bc0faee45069e4235
SHA1: 3deb22d173ccf88365d2f87fff4db906178fc3ea
SHA256: 8332e6d7217ee1aa5adf469e8b25ab25b73a0b8dff1a93e9b99fe6eeccfdd2e9
SHA512: 19944cf7177de370faab030134d587d3fa4455cf0d87624fedebde0553a259c686e75ddbb47796e461a87e420e43e7af5c8071ddf43795cbb2503ef580985b8b

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 57KB
MD5: 3a81bb7f89fff51fd80d1e9e1e60471f
SHA1: 7c04e73b47855108f7cb0f1f8e76b71078d74158
SHA256: 7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512: d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

Filesize: 31KB
MD5: cb773013b2b1110e85a5b84471babddf
SHA1: 67583aa38c393612a3d18c55faa71b18c72bf2fd
SHA256: f575abb671bdaed6cff1648fd5caf0426c3d88e40e41c2902844b015536634b2
SHA512: 0e57db1a4476573e0003c47c951303df939f281d482746fdb73557b7ec06293bb72ccff7d900c20d09d558f021065f624f0dd73a2957f08f06dd1954f7e53fd1

Filesize: 21KB
MD5: c1ac0478509acff17293605b5c0769e4
SHA1: 9ea219a8886ab0f868f2139bcd858cfb90c254e0
SHA256: 8f1d8d9584e76cf3dba8216171376d8a8fecea53d3f98008ea432fb9326547a7
SHA512: b6ce1b16d3694c9271e269573243e77136378a46645b1dba1a644920183769eed958facff19ee8e62722d2d61c30add412745b4db26db33ce9a2fa0236e60d97

Filesize: 296KB
MD5: 625d8f23cc5676a6b6a5e520be0ee917
SHA1: 32e34e6f577e98666d51c91d4971bc6a8d873fb4
SHA256: f3ccf8404009dddb8b726cc094e8835e6fa5e5ed91dde8edfeb927c8ad2de99c
SHA512: 52507463d4afade3b4717d9d7ea0661c78464d31e4a613ab9e7876e67e0d9d0197e18684ccf264e2c3e9bedcaab4a4e42aefec6e06b850f9bd75d1430244feb7