Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: ab0757415e5a33fde6893ba93d5683ff.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ab0757415e5a33fde6893ba93d5683ff.exe
  Resource: win10v2004-20231215-en
General
Target: ab0757415e5a33fde6893ba93d5683ff.exe
Size: 512KB
MD5: ab0757415e5a33fde6893ba93d5683ff
SHA1: 0836ceb3d65019483a8a1664a80422dffdfec99d
SHA256: 677fc2b026079044c61098fc32986c2624095fc78d0f478e74e588a559bba8a0
SHA512: 3c13d8a82243d85f1462ad9951abdfe4d07fe3e65e1b63c70f23aebf70a27adaab84c5dff41bcd622d04497ec5e7bb69b0cd5b0ca95e07aab1bcaea6efb63565
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tfhzyegewp.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tfhzyegewp.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tfhzyegewp.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tfhzyegewp.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | ab0757415e5a33fde6893ba93d5683ff.exe
Executes dropped EXE 5 IoCs
pid Process 1820 tfhzyegewp.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 3584 swxcfvamnuxom.exe 2380 vzmoklvn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tfhzyegewp.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elxeeltg = "tfhzyegewp.exe" | zwxsmvdczunjwvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emvgskgm = "zwxsmvdczunjwvo.exe" | zwxsmvdczunjwvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "swxcfvamnuxom.exe" | zwxsmvdczunjwvo.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | tfhzyegewp.exe
File opened (read-only) | \??\p: | tfhzyegewp.exe
File opened (read-only) | \??\u: | vzmoklvn.exe
File opened (read-only) | \??\h: | vzmoklvn.exe
File opened (read-only) | \??\s: | vzmoklvn.exe
File opened (read-only) | \??\w: | vzmoklvn.exe
File opened (read-only) | \??\g: | vzmoklvn.exe
File opened (read-only) | \??\y: | vzmoklvn.exe
File opened (read-only) | \??\r: | tfhzyegewp.exe
File opened (read-only) | \??\v: | vzmoklvn.exe
File opened (read-only) | \??\o: | tfhzyegewp.exe
File opened (read-only) | \??\x: | vzmoklvn.exe
File opened (read-only) | \??\p: | vzmoklvn.exe
File opened (read-only) | \??\b: | vzmoklvn.exe
File opened (read-only) | \??\t: | vzmoklvn.exe
File opened (read-only) | \??\b: | tfhzyegewp.exe
File opened (read-only) | \??\o: | vzmoklvn.exe
File opened (read-only) | \??\m: | vzmoklvn.exe
File opened (read-only) | \??\z: | tfhzyegewp.exe
File opened (read-only) | \??\a: | vzmoklvn.exe
File opened (read-only) | \??\n: | tfhzyegewp.exe
File opened (read-only) | \??\s: | tfhzyegewp.exe
File opened (read-only) | \??\v: | tfhzyegewp.exe
File opened (read-only) | \??\p: | vzmoklvn.exe
File opened (read-only) | \??\q: | vzmoklvn.exe
File opened (read-only) | \??\m: | tfhzyegewp.exe
File opened (read-only) | \??\r: | vzmoklvn.exe
File opened (read-only) | \??\k: | tfhzyegewp.exe
File opened (read-only) | \??\j: | vzmoklvn.exe
File opened (read-only) | \??\k: | vzmoklvn.exe
File opened (read-only) | \??\r: | vzmoklvn.exe
File opened (read-only) | \??\a: | vzmoklvn.exe
File opened (read-only) | \??\e: | vzmoklvn.exe
File opened (read-only) | \??\i: | vzmoklvn.exe
File opened (read-only) | \??\t: | vzmoklvn.exe
File opened (read-only) | \??\v: | vzmoklvn.exe
File opened (read-only) | \??\w: | vzmoklvn.exe
File opened (read-only) | \??\u: | tfhzyegewp.exe
File opened (read-only) | \??\e: | vzmoklvn.exe
File opened (read-only) | \??\m: | vzmoklvn.exe
File opened (read-only) | \??\o: | vzmoklvn.exe
File opened (read-only) | \??\x: | vzmoklvn.exe
File opened (read-only) | \??\t: | tfhzyegewp.exe
File opened (read-only) | \??\h: | vzmoklvn.exe
File opened (read-only) | \??\z: | vzmoklvn.exe
File opened (read-only) | \??\k: | vzmoklvn.exe
File opened (read-only) | \??\n: | vzmoklvn.exe
File opened (read-only) | \??\i: | tfhzyegewp.exe
File opened (read-only) | \??\g: | vzmoklvn.exe
File opened (read-only) | \??\w: | tfhzyegewp.exe
File opened (read-only) | \??\x: | tfhzyegewp.exe
File opened (read-only) | \??\y: | tfhzyegewp.exe
File opened (read-only) | \??\q: | tfhzyegewp.exe
File opened (read-only) | \??\s: | vzmoklvn.exe
File opened (read-only) | \??\y: | vzmoklvn.exe
File opened (read-only) | \??\j: | vzmoklvn.exe
File opened (read-only) | \??\h: | tfhzyegewp.exe
File opened (read-only) | \??\l: | tfhzyegewp.exe
File opened (read-only) | \??\u: | vzmoklvn.exe
File opened (read-only) | \??\j: | tfhzyegewp.exe
File opened (read-only) | \??\i: | vzmoklvn.exe
File opened (read-only) | \??\z: | vzmoklvn.exe
File opened (read-only) | \??\g: | tfhzyegewp.exe
File opened (read-only) | \??\b: | vzmoklvn.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tfhzyegewp.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/472-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000a000000023145-5.dat | autoit_exe
behavioral2/files/0x0003000000022763-19.dat | autoit_exe
behavioral2/files/0x000a000000023145-22.dat | autoit_exe
behavioral2/files/0x0006000000023233-32.dat | autoit_exe
behavioral2/files/0x0006000000023233-31.dat | autoit_exe
behavioral2/files/0x0007000000023230-27.dat | autoit_exe
behavioral2/files/0x0007000000023230-26.dat | autoit_exe
behavioral2/files/0x000a000000023145-23.dat | autoit_exe
behavioral2/files/0x0003000000022763-18.dat | autoit_exe
behavioral2/files/0x0007000000023230-35.dat | autoit_exe
behavioral2/files/0x0007000000023240-84.dat | autoit_exe
behavioral2/files/0x0007000000023285-109.dat | autoit_exe
behavioral2/files/0x0007000000023285-128.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe
File created | C:\Windows\SysWOW64\tfhzyegewp.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\tfhzyegewp.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | C:\Windows\SysWOW64\vzmoklvn.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\vzmoklvn.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\swxcfvamnuxom.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tfhzyegewp.exe
File created | C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | C:\Windows\SysWOW64\swxcfvamnuxom.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\TestRestart.nal | vzmoklvn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\TestRestart.doc.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\TestRestart.doc.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File created | \??\c:\Program Files\TestRestart.doc.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\TestRestart.doc.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\TestRestart.doc.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\TestRestart.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vzmoklvn.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CAFE65F2E3837D3A47869F3992B3FC03F143660333E2C945E608A5" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02047E339ED53C5BAA53393D7C8" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFB4F2885129145D6217D94BDE0E13C5842664F6331D799" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB9FF6C21DDD20CD0A28B7D9114" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67C14E4DAC7B9BE7C94EDE034BD" | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7E9C2182556D3576D570212CDB7CF265D9" | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tfhzyegewp.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1532 WINWORD.EXE 1532 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 3584 swxcfvamnuxom.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 472 ab0757415e5a33fde6893ba93d5683ff.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 1820 tfhzyegewp.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 4712 zwxsmvdczunjwvo.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 1136 vzmoklvn.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 3584 swxcfvamnuxom.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe 2380 vzmoklvn.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE 1532 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 472 wrote to memory of 1820 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 96
PID 472 wrote to memory of 1820 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 96
PID 472 wrote to memory of 1820 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 96
PID 472 wrote to memory of 4712 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 92
PID 472 wrote to memory of 4712 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 92
PID 472 wrote to memory of 4712 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 92
PID 472 wrote to memory of 1136 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 94
PID 472 wrote to memory of 1136 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 94
PID 472 wrote to memory of 1136 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 94
PID 472 wrote to memory of 3584 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 93
PID 472 wrote to memory of 3584 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 93
PID 472 wrote to memory of 3584 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 93
PID 472 wrote to memory of 1532 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 97
PID 472 wrote to memory of 1532 | 472 | ab0757415e5a33fde6893ba93d5683ff.exe | 97
PID 1820 wrote to memory of 2380 | 1820 | tfhzyegewp.exe | 99
PID 1820 wrote to memory of 2380 | 1820 | tfhzyegewp.exe | 99
PID 1820 wrote to memory of 2380 | 1820 | tfhzyegewp.exe | 99
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe"
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 472
    [2] C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe
        cmd: zwxsmvdczunjwvo.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 4712
    [2] C:\Windows\SysWOW64\swxcfvamnuxom.exe
        cmd: swxcfvamnuxom.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 3584
    [2] C:\Windows\SysWOW64\vzmoklvn.exe
        cmd: vzmoklvn.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 1136
    [2] C:\Windows\SysWOW64\tfhzyegewp.exe
        cmd: tfhzyegewp.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 1820
        [3] C:\Windows\SysWOW64\vzmoklvn.exe
            cmd: C:\Windows\system32\vzmoklvn.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID: 2380
    [2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        PID: 1532
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads