Analysis
max time kernel: 148s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20

Static task: static1

Behavioral task: behavioral1
Sample: acacf07347ddcc9e387db0e4b34c443b.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: acacf07347ddcc9e387db0e4b34c443b.exe
Resource: win10v2004-20231215-en
General
Target: acacf07347ddcc9e387db0e4b34c443b.exe
Size: 512KB
MD5: acacf07347ddcc9e387db0e4b34c443b
SHA1: 41284991c81536b0509293b6e9e949ffce2754a3
SHA256: 378b9ddad58713a141c9d024072c52b07d558129a576288469bd1c0fc0f8909b
SHA512: 12f4e8ef5fa0e43ec1deb1350f95cd9a017dbc1c479be54f29eae4392f3c64ad193d0e32d136007e674a7fbf67f4f4182774271b41ab7a311e1cc3392e63723b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tfhzyegewp.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tfhzyegewp.exe

Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tfhzyegewp.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tfhzyegewp.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | acacf07347ddcc9e387db0e4b34c443b.exe

Executes dropped EXE (5 IoCs)
pid | Process
3964 | tfhzyegewp.exe
2772 | zwxsmvdczunjwvo.exe
4776 | vzmoklvn.exe
2776 | swxcfvamnuxom.exe
908 | vzmoklvn.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tfhzyegewp.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elxeeltg = "tfhzyegewp.exe" | zwxsmvdczunjwvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emvgskgm = "zwxsmvdczunjwvo.exe" | zwxsmvdczunjwvo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "swxcfvamnuxom.exe" | zwxsmvdczunjwvo.exe

Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (23 entries, one per drive letter) | tfhzyegewp.exe
File opened (read-only) | the same 23 drive letters; \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\t: \??\u: \??\x: \??\y: each listed twice, \??\p: \??\s: \??\v: \??\w: \??\z: once (41 entries) | vzmoklvn.exe
The 64 entries split into 23 for tfhzyegewp.exe and 41 across the two vzmoklvn.exe instances (PIDs 4776 and 908).

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tfhzyegewp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tfhzyegewp.exe

AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1448-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002320a-23.dat | autoit_exe
behavioral2/files/0x000600000002320e-31.dat | autoit_exe
behavioral2/files/0x000600000002320e-30.dat | autoit_exe
behavioral2/files/0x000700000002320b-27.dat | autoit_exe
behavioral2/files/0x000700000002320b-26.dat | autoit_exe
behavioral2/files/0x000700000002320b-35.dat | autoit_exe
behavioral2/files/0x0003000000022505-18.dat | autoit_exe
behavioral2/files/0x000700000002320b-9.dat | autoit_exe
behavioral2/files/0x00080000000230df-64.dat | autoit_exe
behavioral2/files/0x000c0000000230e3-117.dat | autoit_exe
behavioral2/files/0x000c0000000230e3-135.dat | autoit_exe

Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe
File created | C:\Windows\SysWOW64\tfhzyegewp.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File created | C:\Windows\SysWOW64\vzmoklvn.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File created | C:\Windows\SysWOW64\swxcfvamnuxom.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | C:\Windows\SysWOW64\swxcfvamnuxom.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tfhzyegewp.exe
File opened for modification | C:\Windows\SysWOW64\tfhzyegewp.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File created | C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | C:\Windows\SysWOW64\vzmoklvn.exe | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vzmoklvn.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vzmoklvn.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vzmoklvn.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | acacf07347ddcc9e387db0e4b34c443b.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7E9C2182556D3576D570212CDB7CF265D9" | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CAFE65F2E3837D3A47869F3992B3FC03F143660333E2C945E608A5" | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02047E339ED53C5BAA53393D7C8" | acacf07347ddcc9e387db0e4b34c443b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB9FF6C21DDD20CD0A28B7D9114" | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67C14E4DAC7B9BE7C94EDE034BD" | acacf07347ddcc9e387db0e4b34c443b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tfhzyegewp.exe
Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFB4F2885129145D6217D94BDE0E13C5842664F6331D799" | acacf07347ddcc9e387db0e4b34c443b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tfhzyegewp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tfhzyegewp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tfhzyegewp.exe

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | entries
4720 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 16
3964 | tfhzyegewp.exe | 10
2772 | zwxsmvdczunjwvo.exe | 10
4776 | vzmoklvn.exe | 8
2776 | swxcfvamnuxom.exe | 12
908 | vzmoklvn.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | entries
1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 3
3964 | tfhzyegewp.exe | 3
2772 | zwxsmvdczunjwvo.exe | 3
2776 | swxcfvamnuxom.exe | 3
4776 | vzmoklvn.exe | 3
908 | vzmoklvn.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | entries
1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 3
3964 | tfhzyegewp.exe | 3
2772 | zwxsmvdczunjwvo.exe | 3
2776 | swxcfvamnuxom.exe | 3
4776 | vzmoklvn.exe | 3
908 | vzmoklvn.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | entries
4720 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | entries
PID 1448 wrote to memory of 3964 | 1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 97 | 3
PID 1448 wrote to memory of 2772 | 1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 90 | 3
PID 1448 wrote to memory of 4776 | 1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 92 | 3
PID 1448 wrote to memory of 2776 | 1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 91 | 3
PID 3964 wrote to memory of 908 | 3964 | tfhzyegewp.exe | 95 | 3
PID 1448 wrote to memory of 4720 | 1448 | acacf07347ddcc9e387db0e4b34c443b.exe | 96 | 2
Processes

C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe"
  PID: 1448
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe (depth 2)
    Command line: zwxsmvdczunjwvo.exe
    PID: 2772
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\swxcfvamnuxom.exe (depth 2)
    Command line: swxcfvamnuxom.exe
    PID: 2776
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vzmoklvn.exe (depth 2)
    Command line: vzmoklvn.exe
    PID: 4776
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 4720
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\tfhzyegewp.exe (depth 2)
    Command line: tfhzyegewp.exe
    PID: 3964
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\vzmoklvn.exe (depth 1)
  Command line: C:\Windows\system32\vzmoklvn.exe
  PID: 908
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 82db9a3c76e709d475569399b2b2a782
SHA1: d3122c057104a3447ecb97f0e9c3ea8f7b4de7c8
SHA256: 50c51d26600b58781f947c68247bb2d1532ebc87709dc76f749fc5cc7d86436f
SHA512: 8bc9609ea0709c704ebf128ba0f09b6eafc967b565573408790411f37c1daf2b64497ab7d7bd53eb2e988879cddeb3b3041300258ef9b35284b798d6685357c5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: b5c8b01ee73872254587327734b4f9f6
SHA1: c2305198ef4e46cc61aef2cc044ea155d0b34fcf
SHA256: 6d1ecc503df4fe8fcf81c48405c59acda6335a11882edd80fed3449d65484c3b
SHA512: 4be3e14b6d9d99dffffa4a7b95c2c7b233b3c7df92864ee0716e7d2d987566859a384dacb70cd70e4182c3a550f0cb2cc7c1d110fbe30331a335e2b68bd317bb

Filesize: 98KB
MD5: cb805bee7aa75216b1dc9bf8b25203b6
SHA1: 4a1c472f868bcdf1ec39761803dbf866671f46e4
SHA256: e3b0ed66e55f593d46c401f53591cfa841ca6c9a2afec3f7a6e1054fa6dc5ca8
SHA512: bf28a632b7873bba4ec5283226d4dd3610329d7991c7985c8c6923d7fe601bb71cb00141927c262d4a7ac3fa3301dbbb9bf549993056189232af01b334710494

Filesize: 28KB
MD5: 9a551f812d86cdf6514c532573e24a34
SHA1: 0bbf3e67c933fe68a10a1cfbb96aef18ddbc3e47
SHA256: cc548ea3528e81d9bc974e7d05b6c627687dc34727ebf03ac826bd2895cbd198
SHA512: d1652fdebf7a4d4c5a1212311809062af7d29ad656e88a8597b6ed0cfae404138a1e61ebc45eb2589a99481345eeb73c9926293d9b3208907f12bb934ef9a63b

Filesize: 34KB
MD5: 70cfea252d7cac8082d131bae5959fd1
SHA1: dd62afa324658aa084979551bea0724a947442f9
SHA256: d9f8dd447cf16dbf9b3105b3afbdff7112c50de20dcfcd9e1641617b9c9dfc53
SHA512: a2299c97a1f52ed54f11eb10151751a96b7c9879408e936fec4e14a334e56c9780006cb00dc36473ee9252d267f0de5af939b3a09b8c6c2c20e80f4510ffe9d3

Filesize: 92KB
MD5: 6662b185f19fbf697c56a25c92de7961
SHA1: 0df0c0df0de3724258df2549c583e3c934aca726
SHA256: c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512: c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Filesize: 214KB
MD5: d507eb337c9bf257f9eb8c3a4faee017
SHA1: fcc9f8cd78a76e6758339535fccc00f1a934d6fb
SHA256: 9bd91befd894bb56cbc1a0ac877b9c6cb0e90249be52847ec82c76075f84c459
SHA512: 4774252e6028d0523759f2eab457257f42d5999f91734d325b3727bbdd3b6de5ff200863074b1fb31388d84afbafd0413788f0d28291bb3366b88c27e99cd2f4

Filesize: 8KB
MD5: cc56a59cd2a1fc7d095803278309e94f
SHA1: 474703365c3835f10baf6cbd62c2e35345b294af
SHA256: 57053ed6659115a8e42516bcba357af0fa18bac4662f9f89b20acb64668f6238
SHA512: dc1843e3d5094a06256b349378a629820a79358f46c95ba05a6cce9d485598dd7a693ffceedc6921f51c97007c0fa495a744f770045112ecf9ca0cb69e353c6d

Filesize: 96KB
MD5: cc727bf87e75e50d52a07aae13046485
SHA1: 1e3f482c3e5ce033458667b8600f90037a39f88c
SHA256: a030d652d6e7aa73d0ee0f3cdc1c4c4de60b34c67e8ad81e9dccaf28e833871b
SHA512: a724410143e813afcfba5b3033840a919bc1205f8a9cfbcfc8191d241051f10fa3d11bbaa5beabadb9b4456c717ec541013d42e125216620f2988a0f6acee44e

Filesize: 48KB
MD5: 79c1e3941bc14172199525e8d6583096
SHA1: 79de7a0f6d6498c7246091bb1e6f66951ef912b0
SHA256: dce49360f7198cd87c7f32ea2504a27fceefd591f31c2b230d33c5485711b4be
SHA512: 909a47fb9b39cacd26369f4dda1104d2b370e750337cd88dd36380e42719369e86548fab256a9da72b2bdf2b92742ac223f7bb1751617fb180abe6fe4199b6db

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: e4220ac6b1db6808586fe75f2acfae7f
SHA1: 27fd4c22b66808397f70c7d5d743540a4bd15574
SHA256: 5c361372c53eb817170fb78a18d3c5775cf60e7f5ea095441a62b4220ac9b242
SHA512: 5766e5e9b484288992cb935f9d9e05f62c7d196d2e6c072c5cd12f0b809f8cb53cfb19f0962ecfe419db3f8ebabf48d2110557db2cb864b7de142343e860a8d0

Filesize: 512KB
MD5: 8db9b7c35708c23a8581cb4c242fdcae
SHA1: 965958feb7aab118f7ba2ca1dcef8d73eddbbde9
SHA256: 9f4854b746995fb8cece0b8a11c33d97b4543e32bc3e0e5fb46e9c2e8378398c
SHA512: b0bfe295751221540131831406cb0ca30f8a9e0f98aa07c26fb39386036d9f8e9ac5f1f35a0f9f15ffc6c4b5f9b98e08d9345e532571b85125e2a948afd9b072