Analysis
max time kernel: 176s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: 492aa041e8bc85623d4ee5ca79cb4994.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 492aa041e8bc85623d4ee5ca79cb4994.exe
  Resource: win10v2004-20231215-en
General
Target: 492aa041e8bc85623d4ee5ca79cb4994.exe
Size: 512KB
MD5: 492aa041e8bc85623d4ee5ca79cb4994
SHA1: 9dfe6b5e7216cec78d6637f8b97ea1dd0db2dceb
SHA256: 40981dea368726c7fa3ff82e67c69da71275dde939a5ff28f034df0bd86b0a5b
SHA512: a4ef35f9f29b9d0847fb41413b473dbd1ddc1edec14cfc0265b14fde1eb828e3a47a5a426460d67586ccf744f512a10804ced1c0c8db49e068331134a4491be0
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bcauizkzoa.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bcauizkzoa.exe
Note: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults. The sample re-asserts them rather than changing them, so a host audit that only looks for non-default values will not see these writes; what they buy the malware is that the *.DOC.exe drops listed further down display as plain documents.
Windows security bypass (5 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bcauizkzoa.exe
Note: bcauizkzoa.exe runs from SysWOW64 as a 32-bit process, so the registry redirector placed all of these writes under WOW6432Node; the trace shows no write to the native HKLM\SOFTWARE\Microsoft\Security Center key. A host check should read both views.
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bcauizkzoa.exe
Note: this is the per-user policy value behind "Prevent access to registry editing tools"; with it set, regedit.exe refuses to start for that user.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 492aa041e8bc85623d4ee5ca79cb4994.exe
Executes dropped EXE (5 IoCs)
pid | process
568 | bcauizkzoa.exe
1960 | htglmeffqjbbrvx.exe
4156 | wygxlmdf.exe
1512 | bykzxjqvugdle.exe
4828 | wygxlmdf.exe
Windows security modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bcauizkzoa.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rhcqsbea = "bcauizkzoa.exe" | htglmeffqjbbrvx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrwrflka = "htglmeffqjbbrvx.exe" | htglmeffqjbbrvx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bykzxjqvugdle.exe" | htglmeffqjbbrvx.exe
Note: the third entry is written to the key's (Default) value (empty value name); check for it explicitly when auditing Run entries by name. All three point at bare file names, which resolve because the files were dropped into SysWOW64.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\j: \??\l: \??\m: \??\n: \??\o: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (19 opens, one per letter) | bcauizkzoa.exe
File opened (read-only) | the same 19 letters plus \??\i: \??\k: \??\p: \??\q: (23 letters, 45 opens: every letter twice except \??\v: once) | wygxlmdf.exe (PIDs 4156 and 4828)
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bcauizkzoa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bcauizkzoa.exe
Note: 4294967197 is 0xFFFFFF9D (signed: -99), the value historically used to switch off Windows File Protection on Windows 2000/XP. Windows Resource Protection on Vista and later ignores SFCDisable, so on this Windows 10 target the write is a legacy indicator of the family's age rather than an effective bypass; it was also redirected under WOW6432Node.
AutoIT Executable (6 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023231-5.dat | autoit_exe
behavioral2/files/0x0007000000023229-18.dat | autoit_exe
behavioral2/files/0x0006000000023232-26.dat | autoit_exe
behavioral2/files/0x0006000000023233-31.dat | autoit_exe
behavioral2/files/0x0006000000023262-96.dat | autoit_exe
Drops file in System32 directory (9 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bcauizkzoa.exe
File created | C:\Windows\SysWOW64\bcauizkzoa.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File opened for modification | C:\Windows\SysWOW64\bcauizkzoa.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File created | C:\Windows\SysWOW64\bykzxjqvugdle.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File opened for modification | C:\Windows\SysWOW64\wygxlmdf.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File opened for modification | C:\Windows\SysWOW64\bykzxjqvugdle.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File created | C:\Windows\SysWOW64\htglmeffqjbbrvx.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File opened for modification | C:\Windows\SysWOW64\htglmeffqjbbrvx.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
File created | C:\Windows\SysWOW64\wygxlmdf.exe | 492aa041e8bc85623d4ee5ca79cb4994.exe
Note: the four dropped binaries are written by the original sample; bcauizkzoa.exe separately opens msvbvm60.dll (the Visual Basic 6 runtime) with write access, so that DLL's hash should be checked on any infected host.
Drops file in Program Files directory (15 IoCs)
All 15 events come from wygxlmdf.exe and target C:\Program Files\Microsoft Office\root\Office16\1033\ (the trace records the same location both as \??\c:\... and C:\...).
description | ioc | process | events
File created | PROTTPLN.DOC.exe | wygxlmdf.exe | 2
File created | PROTTPLV.DOC.exe | wygxlmdf.exe | 1
File opened for modification | PROTTPLN.DOC.exe | wygxlmdf.exe | 4
File opened for modification | PROTTPLV.DOC.exe | wygxlmdf.exe | 4
File opened for modification | PROTTPLN.nal | wygxlmdf.exe | 2
File opened for modification | PROTTPLV.nal | wygxlmdf.exe | 2
Note the double extension: with HideFileExt = 1 (re-asserted by bcauizkzoa.exe above) Explorer displays PROTTPLN.DOC.exe as PROTTPLN.DOC. Each *.DOC.exe is written next to a *.nal file with the same stem; the trace shows the .nal files being opened for modification but does not show where they came from.
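The pattern above (a document-looking name with a trailing executable extension, plus a same-stem companion file in the same directory) is something a responder will want to hunt for across Program Files and user shares, not only at the two paths this run happened to touch. The script below is an added example and not code from the sandbox report or from the sample: find_decoys walks a directory tree and reports every <stem>.<document ext>.<executable ext> file together with its same-stem companions and size, and displayed_name shows what Explorer renders once extensions are hidden. The extension lists and the constructed directory layout in build_constructed_tree are assumptions for the demonstration; the file contents are fake stubs, not the dropped binaries.

```python
import os
import tempfile
from pathlib import Path

# Extension pairs that make "<name>.<doc>.<exe>" look like a document once Explorer hides
# the final extension (HideFileExt = 1, which this sample re-asserts). Lists are assumptions.
DOCUMENT_EXTS = {'.doc', '.docx', '.rtf', '.xls', '.xlsx', '.ppt', '.pptx', '.pdf', '.txt'}
EXECUTABLE_EXTS = {'.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.wsf'}

def displayed_name(filename):
    """What Explorer shows when "Hide extensions for known file types" is on."""
    return filename.rsplit('.', 1)[0] if '.' in filename else filename

def find_decoys(root):
    """Walk root and return one dict per file named <stem>.<document ext>.<executable ext>,
    with the other files in the same directory that share its stem (e.g. PROTTPLN.nal)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            suffixes = Path(fn).suffixes
            if len(suffixes) < 2:
                continue                      # single extension: not a double-extension decoy
            doc_ext, exe_ext = suffixes[-2].lower(), suffixes[-1].lower()
            if exe_ext not in EXECUTABLE_EXTS or doc_ext not in DOCUMENT_EXTS:
                continue
            stem = fn[:-len(suffixes[-2] + suffixes[-1])]          # "PROTTPLN"
            companions = sorted(n for n in filenames
                                if n != fn and n.lower().startswith(stem.lower() + '.'))
            full = os.path.join(dirpath, fn)
            hits.append({
                'path': full,
                'shown_as': displayed_name(fn),   # "PROTTPLN.DOC" with extensions hidden
                'size': os.path.getsize(full),
                'companions': companions,
            })
    return hits

def build_constructed_tree(base):
    """Constructed layout mirroring the paths in the report; contents are fake stubs."""
    office = Path(base) / 'Program Files' / 'Microsoft Office' / 'root' / 'Office16' / '1033'
    office.mkdir(parents=True)
    (office / 'PROTTPLN.DOC.exe').write_bytes(b'MZ' + b'\0' * 510)   # 512-byte fake PE stub
    (office / 'PROTTPLN.nal').write_bytes(b'{\\rtf1 companion}')
    (office / 'PROTTPLV.DOC.exe').write_bytes(b'MZ' + b'\0' * 510)
    (office / 'PROTTPLV.nal').write_bytes(b'{\\rtf1 companion}')
    (office / 'Normal.dotm').write_bytes(b'PK')                       # benign, single extension
    (Path(base) / 'Windows').mkdir()
    (Path(base) / 'Windows' / 'mydoc.rtf').write_bytes(b'{\\rtf1 lure}')  # lure, not a decoy
    return str(office)

def demo():
    """Scan the constructed tree; returns (name, shown_as, companions, size) per hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return [(os.path.basename(h['path']), h['shown_as'], h['companions'], h['size'])
                for h in find_decoys(tmp)]

if __name__ == '__main__':
    for row in demo():
        print(row)
```

On a real host, call find_decoys on C:\Program Files, C:\Users and any mapped share, and compare each hit's size against the 512KB the report lists for every dropped copy.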
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | 492aa041e8bc85623d4ee5ca79cb4994.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Note: ~$mydoc.rtf is the owner file Word creates while a document is open; only the first event (the sample writing mydoc.rtf) is attributable to the malware.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Note: all six reads come from WINWORD.EXE, which the sample launched to display C:\Windows\mydoc.rtf. Such reads are typical of Office start-up, so these two signatures reflect the lure being opened rather than a sandbox check by the dropped binaries.
Modifies registry class (20 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bcauizkzoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bcauizkzoa.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC4FE6722D9D173D0D38A7C916B" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC70814E5DBC0B8B97CE8ED9534C8" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7B9C5782236A3577A170562DAD7D8164D8" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9B0F96AF195837D3B44869D3997B38E02FE4311033BE2CC45E609A2" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B058479038EA53B9BAA632EAD7B9" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8E482B821B9030D72D7E94BC92E637594067436332D791" | 492aa041e8bc85623d4ee5ca79cb4994.exe
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | 492aa041e8bc85623d4ee5ca79cb4994.exe
Note: setting the (Default) value of .bat, .reg, .vbs, .wsc, .wsf and .wsh to "txtfile" hands those script extensions to the text-file handler, so double-clicking a cleanup script or a .reg fix opens it in Notepad instead of running it. The CLV.Classes values are opaque hex strings written by the original sample; the trace does not reveal what they encode.
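The registry writes in the signatures above (the Explorer view settings, the Security Center flags, DisableRegistryTools, the Run entries, the Winlogon SFC values and the script-extension class changes) are the part of this trace a responder has to find and undo on a real host. The script below is an added example and not code from the sandbox report or from the sample: it parses the report's own IoC strings into structured records, maps each recognised write to the ATT&CK technique this report's matrix uses, shows the signed view of the SFCDisable DWORD, and emits the reg.exe commands that revert each write. The recommended values, the stock ProgID table and the rule list are my assumptions; verify them against a clean reference build before running the output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry IoC strings copied from the Signatures tables above, in the sandbox's own
# format: 'Set value (<type>) <key>\<value name> = "<data>" <writing process>'.
REPORT_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bcauizkzoa.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bcauizkzoa.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" bcauizkzoa.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" bcauizkzoa.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bcauizkzoa.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rhcqsbea = "bcauizkzoa.exe" htglmeffqjbbrvx.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bykzxjqvugdle.exe" htglmeffqjbbrvx.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bcauizkzoa.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" bcauizkzoa.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" bcauizkzoa.exe',
]

IOC_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')

@dataclass
class RegWrite:
    key: str        # hive-prefixed key, e.g. HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center
    name: str       # value name; '' means the key's (Default) value
    kind: str       # 'int' (REG_DWORD) or 'str' (REG_SZ) as the sandbox reported it
    data: str
    process: str
    wow64: bool     # True when the 32-bit writer was redirected under WOW6432Node

@dataclass
class Finding:
    write: RegWrite
    technique: str              # ATT&CK technique ID, following this report's matrix
    recommended: Optional[str]  # data to restore; None = delete the entry after review

def parse_ioc(line):
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    kind, path, data, proc = m.groups()
    # Object-manager paths -> the hive names reg.exe and PowerShell understand.
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path)
    path = re.sub(r'^\\REGISTRY\\USER\\', r'HKU\\', path)
    key, _, name = path.rpartition('\\')
    return RegWrite(key, name, kind, data, proc, '\\WOW6432Node\\' in key)

# Stock ProgIDs for the script extensions the sample re-pointed at "txtfile" (assumption:
# values from a default Windows install; confirm on a reference machine).
STOCK_PROGID = {'.bat': 'batfile', '.reg': 'regfile', '.vbs': 'VBSFile',
                '.wsf': 'WSFFile', '.wsh': 'WSHFile', '.wsc': 'scriptletfile'}

# (key-suffix regex, value-name regex, technique, recommended data). HideFileExt = 1 and
# ShowSuperHidden = 0 are Windows defaults, so the recommended values are hardened ones.
RULES = [
    (r'\\Explorer\\Advanced$',  r'^HideFileExt$',                              'T1564.001', '0'),
    (r'\\Explorer\\Advanced$',  r'^ShowSuperHidden$',                          'T1564.001', '1'),
    (r'\\Security Center$',     r'(DisableNotify|Override|FirstRunDisabled)$', 'T1562.001', '0'),
    (r'\\Policies\\System$',    r'^DisableRegistryTools$',                     'T1112',     '0'),
    (r'\\CurrentVersion\\Run$', r'.*',                                         'T1547.001', None),
    (r'\\Winlogon$',            r'^SFC(Disable|Scan)$',                        'T1547.004', '0'),
]

def classify(w):
    for key_re, name_re, technique, rec in RULES:
        if re.search(key_re, w.key) and re.search(name_re, w.name):
            return Finding(w, technique, rec)
    m = re.search(r'\\Classes\\(\.\w+)$', w.key)
    if m and w.name == '' and w.data.lower() == 'txtfile':
        # Script extension handed to Notepad: double-clicking .vbs/.bat opens instead of runs.
        return Finding(w, 'T1112', STOCK_PROGID.get(m.group(1).lower()))
    return None

def audit(lines):
    """Parse every IoC line and keep the ones a rule recognises."""
    return [f for f in (classify(parse_ioc(l)) for l in lines) if f is not None]

def dword_signed(data):
    """The sandbox prints REG_DWORD unsigned; SFCDisable 4294967197 is 0xFFFFFF9D, i.e. -99."""
    v = int(data) & 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def remediation(findings):
    """reg.exe commands that undo each write (run elevated; HKU\\<SID> needs that profile loaded)."""
    cmds = []
    for f in findings:
        w = f.write
        target = f'/v "{w.name}"' if w.name else '/ve'
        if f.recommended is None:
            cmds.append(f'reg delete "{w.key}" {target} /f')
        else:
            reg_type = 'REG_DWORD' if w.kind == 'int' else 'REG_SZ'
            cmds.append(f'reg add "{w.key}" {target} /t {reg_type} /d {f.recommended} /f')
    return cmds

if __name__ == '__main__':
    print('\n'.join(remediation(audit(REPORT_IOCS))))
```

The WOW6432Node flag is kept on each record so the caller can also check the native 64-bit key; the commands themselves target the path exactly as the sandbox observed it.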
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process | events
3960 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | events
1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 16
568 | bcauizkzoa.exe | 10
4156 | wygxlmdf.exe | 8
1960 | htglmeffqjbbrvx.exe | 10
1512 | bykzxjqvugdle.exe | 12
4828 | wygxlmdf.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process | events
1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 3
568 | bcauizkzoa.exe | 3
4156 | wygxlmdf.exe | 3
1960 | htglmeffqjbbrvx.exe | 3
1512 | bykzxjqvugdle.exe | 3
4828 | wygxlmdf.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | process | events
1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 3
568 | bcauizkzoa.exe | 3
4156 | wygxlmdf.exe | 3
1960 | htglmeffqjbbrvx.exe | 3
1512 | bykzxjqvugdle.exe | 3
4828 | wygxlmdf.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process | events
3960 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target | events
PID 1276 wrote to memory of 568 | 1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 91 | 3
PID 1276 wrote to memory of 1960 | 1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 92 | 3
PID 1276 wrote to memory of 4156 | 1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 93 | 3
PID 1276 wrote to memory of 1512 | 1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 94 | 3
PID 568 wrote to memory of 4828 | 568 | bcauizkzoa.exe | 96 | 3
PID 1276 wrote to memory of 3960 | 1276 | 492aa041e8bc85623d4ee5ca79cb4994.exe | 97 | 2
Note: every target here is a direct child of the writing process in the Processes tree below, and the writes occur as each child is created. The trace shows no writes into a process the writer did not spawn, so this signature records process creation by the dropper, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe  (depth 1, PID 1276)
  command line: "C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\bcauizkzoa.exe  (depth 2, PID 568, parent 1276)
    command line: bcauizkzoa.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wygxlmdf.exe  (depth 3, PID 4828, parent 568)
      command line: C:\Windows\system32\wygxlmdf.exe  (system32 resolves to SysWOW64 for a 32-bit caller under file-system redirection)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\htglmeffqjbbrvx.exe  (depth 2, PID 1960, parent 1276)
    command line: htglmeffqjbbrvx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wygxlmdf.exe  (depth 2, PID 4156, parent 1276)
    command line: wygxlmdf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bykzxjqvugdle.exe  (depth 2, PID 1512, parent 1276)
    command line: bykzxjqvugdle.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (depth 2, PID 3960, parent 1276)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Privilege Escalation
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
Defense Evasion
  Hide Artifacts, T1564 (2)
    Hidden Files and Directories, T1564.001 (2)
  Impair Defenses, T1562 (2)
    Disable or Modify Tools, T1562.001 (2)
  Modify Registry, T1112 (6)
Downloads

Filesize: 512KB
MD5: f071bcef3a9f74d6df4579db773c7a9f
SHA1: 342414a6cbc209b4ca92ea7e36a09b2d97e18cfc
SHA256: b32c1862274aa9dabeefd45cef4b22fae763c165da5047ff5749a97f784511e5
SHA512: 9b6d466159767ba011d988602521b49c035cdc4dc196900feaad4619690e3e392c12cceb44c28a3b42175f17ada27a573d76b43fd6eb4c80cb7e9903f6c0aaf0

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 78bc718335bc9dee926ed73f8bfda012
SHA1: b00817ac3121974e734aeb741305069e6f6e65e9
SHA256: 2057e3818453a592136c19330f35e9830e831b5ec4c6e109a384e3493f81904a
SHA512: 7447c9e358745a89a284970df49cdefdc92f5193e777d15e2d188b2450dad8d9a475e3a3bcec29edf102fae6ee99daba2acac0a95ee2e75c5ccd5725a86b704d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2d775732ecf46801a7ebc3eefc894acc
SHA1: c358b3f73c58622c52290432f68d1a7c02bdf470
SHA256: f02425424edd668f657000e053b49ddf9b2b92132927ca28fed3774425313dc6
SHA512: fb1da7d5e7d32fe4851f02c06d92bd780ac19a0e49b882007e578f3391e1c78013222f49dac4060e68e177d7260a27ed7b68e79bc57c79e2ca92ec3f2cd9623b

Filesize: 512KB
MD5: b2fdd5ca36c2ba36c56cfa1f85d3d4a9
SHA1: 73c6a70f063be782c79c5a566c594197fbeb2724
SHA256: dae3b6d2be57d568cac77d957b877ddcfa5fb5ae7add5add0ebe8bca5ef3843b
SHA512: 97e1a8bc6fb8979543258c73d7b2e62313a1de44c71083e804e8499145787b2d3dc1bb96f70894f36281bfecc143290110c3212f0d9951dd7b83cc82ad2c7000

Filesize: 512KB
MD5: 091ead7fc5857cbb866a9edc33469da4
SHA1: ccfb742c7005e06a3fbd0b6477315d5f9e144406
SHA256: 9de7c17176eccc969eb4c6327216a34f3ba9d0c0978416b3a0818fb7c31a3dae
SHA512: 79ed703b3f8c15206b446b0038976d8e91384147707df18cc8c46f5b591b24db45262482533fa9cdf76b8223c7f86c250a84dd03be8810bb3ba1eabe2c16b51b

Filesize: 512KB
MD5: c2326ab69d0fd8555e3e4d400151e565
SHA1: ffaf83d0c9ec98116e85f71595c23a0f96fb8c40
SHA256: 243ae8e2f8c392c2f331a54a95bf062b7748fb5b57d5b35f7f5df341dc068c0d
SHA512: fc218d8f161d3cea68030ca550710d32fac132bb2c9948811fe017e629e9d26e926ed8581c59fd742defbde7754e7d39857c629eae7038af4601f41ec6d3c470

Filesize: 512KB
MD5: 5af76e7cbcf94f3a857e009365c02be9
SHA1: 2cc921abfb05c798ed843c54f09f03ee2851367e
SHA256: 2e77414ec9b6a38359945da72ed19f7dc4e04bd518c92c2dbad48076b64e3adf
SHA512: 1b2a9faa825c130c73b545710dc42818a3ac81e3188171d3a6cbc3f56aa3ed211a63252ab1470f9f184c7beae702d88f1e9ef3dabb439b81df4dce90c5afeae7

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7