Analysis
  max time kernel: 0s
  max time network: 122s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Resource: win10v2004-20231222-en
General
  Target: ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Size: 512KB
  MD5: ad7a5d13335355b29d8ea0f3f2878aa4
  SHA1: 153204300260657de1724b4f6571724d8c49a17e
  SHA256: b262b9df3885d2b65839220bf0ff28ac8f889859fd056371a8435c31e84d2f7c
  SHA512: 9cdc38bde5ecf397192b3e2190b677b33b9f8ca42f9e24b9d5eda4366f88460c7c23e8c7d2a4690f7097bcfbbe3f91258f094ec48ff72590a2fed8119d7fc2d1
  SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6R:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | sedqhxonze.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | sedqhxonze.exe
Windows security bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sedqhxonze.exe
Disables RegEdit via registry modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | sedqhxonze.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  3016 | sedqhxonze.exe
  2724 | spglagvmteyzxqc.exe
  2060 | jnhdippi.exe
  2688 | isctssvucdjfd.exe
Loads dropped DLL (4 IoCs)
  pid | Process
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | sedqhxonze.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | sedqhxonze.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | sedqhxonze.exe
AutoIT Executable (7 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral1/memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral1/files/0x0009000000016287-9.dat | autoit_exe
  behavioral1/files/0x0009000000015d1a-17.dat | autoit_exe
  behavioral1/files/0x0009000000016287-32.dat | autoit_exe
  behavioral1/files/0x00080000000167d5-33.dat | autoit_exe
  behavioral1/files/0x000b000000015d31-28.dat | autoit_exe
  behavioral1/files/0x0006000000017371-66.dat | autoit_exe
Drops file in System32 directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\jnhdippi.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File created | C:\Windows\SysWOW64\isctssvucdjfd.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File opened for modification | C:\Windows\SysWOW64\isctssvucdjfd.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File created | C:\Windows\SysWOW64\sedqhxonze.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File opened for modification | C:\Windows\SysWOW64\sedqhxonze.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File created | C:\Windows\SysWOW64\spglagvmteyzxqc.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File opened for modification | C:\Windows\SysWOW64\spglagvmteyzxqc.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  File created | C:\Windows\SysWOW64\jnhdippi.exe | ad7a5d13335355b29d8ea0f3f2878aa4.exe
Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\mydoc.rtf | ad7a5d13335355b29d8ea0f3f2878aa4.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Modifies registry class (19 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B15D47E6399F53BEB9D233EED7CF" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FCFF485A826E9042D65D7E93BC93E131594367366341D790" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | sedqhxonze.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CBF96AF195830E3B46819D39E3B38B02F142610233E2BD459A08A9" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C7D9C2D82276A3477A770522CA97C8464DC" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668C4FE6A22DCD27AD0A48A7F9167" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70C14E5DBC3B8BC7FE6ED9434CC" | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | sedqhxonze.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | sedqhxonze.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | sedqhxonze.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | sedqhxonze.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | sedqhxonze.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | Process
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
Suspicious use of FindShellTrayWindow (12 IoCs)
  pid | Process
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2724 | spglagvmteyzxqc.exe
  3016 | sedqhxonze.exe
  2724 | spglagvmteyzxqc.exe
  2724 | spglagvmteyzxqc.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
  2060 | jnhdippi.exe
  2060 | jnhdippi.exe
  2060 | jnhdippi.exe
Suspicious use of SendNotifyMessage (12 IoCs)
  pid | Process
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe
  2724 | spglagvmteyzxqc.exe
  3016 | sedqhxonze.exe
  2724 | spglagvmteyzxqc.exe
  2724 | spglagvmteyzxqc.exe
  3016 | sedqhxonze.exe
  3016 | sedqhxonze.exe
  2060 | jnhdippi.exe
  2060 | jnhdippi.exe
  2060 | jnhdippi.exe
Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | Process | procid_target
  PID 2044 wrote to memory of 3016 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 28
  PID 2044 wrote to memory of 3016 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 28
  PID 2044 wrote to memory of 3016 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 28
  PID 2044 wrote to memory of 3016 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 28
  PID 2044 wrote to memory of 2724 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 29
  PID 2044 wrote to memory of 2724 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 29
  PID 2044 wrote to memory of 2724 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 29
  PID 2044 wrote to memory of 2724 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 29
  PID 2044 wrote to memory of 2060 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 34
  PID 2044 wrote to memory of 2060 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 34
  PID 2044 wrote to memory of 2060 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 34
  PID 2044 wrote to memory of 2060 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 34
  PID 2044 wrote to memory of 2688 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 32
  PID 2044 wrote to memory of 2688 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 32
  PID 2044 wrote to memory of 2688 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 32
  PID 2044 wrote to memory of 2688 | 2044 | ad7a5d13335355b29d8ea0f3f2878aa4.exe | 32
Processes
  C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe (PID 2044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sedqhxonze.exe (PID 3016)
      Command line: sedqhxonze.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Modifies WinLogon
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

      C:\Windows\SysWOW64\jnhdippi.exe (PID 2668)
        Command line: C:\Windows\system32\jnhdippi.exe

    C:\Windows\SysWOW64\spglagvmteyzxqc.exe (PID 2724)
      Command line: spglagvmteyzxqc.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2508)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

      C:\Windows\splwow64.exe (PID 1708)
        Command line: C:\Windows\splwow64.exe 12288

    C:\Windows\SysWOW64\isctssvucdjfd.exe (PID 2688)
      Command line: isctssvucdjfd.exe
      - Executes dropped EXE

    C:\Windows\SysWOW64\jnhdippi.exe (PID 2060)
      Command line: jnhdippi.exe
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 20KB
  MD5: 0cea8562c1c8813e310c831c969d6a4f
  SHA1: d7e3119723a1694161d86ce09a6f752689af236c
  SHA256: 83aaa2f7964c5b15ca14002033e4d746bcaff93196a2883b114df9a4066561fd
  SHA512: eb7f1791ebe5d32ab05759323cf77a46aa6ef2ef7797b77f170279455d1e2196251036ed9bd75c33869583c1297b3f9aab2371ff5960932f6770394f98853664

  Filesize: 92KB
  MD5: 6662b185f19fbf697c56a25c92de7961
  SHA1: 0df0c0df0de3724258df2549c583e3c934aca726
  SHA256: c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
  SHA512: c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

  Filesize: 512KB
  MD5: 0a0846a1b1d06361151ab94d05d5c6c8
  SHA1: b3c00db5280d830046a2b1dcdec7a5c82e132186
  SHA256: 617d0f092af9a0bf7ad4696060e5a867439ce896183dd11b1d539e2ae8acc7fe
  SHA512: a9315851ee6de995af605dfe0cca5b0df02db05690964398eb0dcf1c47beb36d898f23fd2eef91ff4e4a23b5fc4d4edccf50b60a185a4eb4af8e9af612270712

  Filesize: 512KB
  MD5: 9a7addefe11d860d9355f1ed0d8f80ab
  SHA1: c4dab3ed23731d35edfed17a0c1baa074325644e
  SHA256: acac40a4f7d7cce42f30c2dcc0b443dce599a1497d6d1dfd1dea1919707b2996
  SHA512: 842e89a8cd2b22268c2815d3c022c30ba762b68d6038270d0aad13a7506ccb7c5ab767a5b48a22912a95d3e69b6a3f375725895e0c84c549f0f1299728fa365b

  Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

  Filesize: 512KB
  MD5: 7546625059e6afddb354e2b79d02b5b8
  SHA1: aa9ba8bbeec815758d027df42d661c9660d0785f
  SHA256: 03547ea2fad82b0b3762261f0e9fa06ee88516bdde6d15184807bb4f4bc22919
  SHA512: 0f91352d7d3d962cb80c3514b96bd08dee1a88aa028ca3dd6e94ec0e89b9df48d78b25cf843f7b0f333ca4033cab4eca4d98993e71980d8c45ebfd42e5375bc2

  Filesize: 512KB
  MD5: 16876a7b264d720366fa0d8072cbbfc9
  SHA1: 66bc7200cc412fadbcba03e3123f90cf44ca36de
  SHA256: 8570de4fc971cb1c0e13b2841bff4491a489e032903499c675c35a82e101918e
  SHA512: d5e43e5e406e7a682ac67615a98a785f9bd18fad1b240c9128471cc736f6ccd081194d02842a315026299673c70642f0d10b346f8094cc88edd2af06228cf0b7