Analysis
max time kernel: 15s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:20

Static task: static1
Behavioral task: behavioral1
Sample: ab0757415e5a33fde6893ba93d5683ff.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: ab0757415e5a33fde6893ba93d5683ff.exe
Resource: win10v2004-20231215-en

General
Target: ab0757415e5a33fde6893ba93d5683ff.exe
Size: 512KB
MD5: ab0757415e5a33fde6893ba93d5683ff
SHA1: 0836ceb3d65019483a8a1664a80422dffdfec99d
SHA256: 677fc2b026079044c61098fc32986c2624095fc78d0f478e74e588a559bba8a0
SHA512: 3c13d8a82243d85f1462ad9951abdfe4d07fe3e65e1b63c70f23aebf70a27adaab84c5dff41bcd622d04497ec5e7bb69b0cd5b0ca95e07aab1bcaea6efb63565
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6a:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gawylqhsbx.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gawylqhsbx.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gawylqhsbx.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gawylqhsbx.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | ab0757415e5a33fde6893ba93d5683ff.exe
Executes dropped EXE 5 IoCs
pid | Process
4788 | gawylqhsbx.exe
5792 | qblacpivicjqwpe.exe
5280 | fulfuowg.exe
4748 | hpygfkhkxiscc.exe
6108 | fulfuowg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gawylqhsbx.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lrxkpdim = "gawylqhsbx.exe" | qblacpivicjqwpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwtcteiq = "qblacpivicjqwpe.exe" | qblacpivicjqwpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hpygfkhkxiscc.exe" | qblacpivicjqwpe.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\q: \??\r: \??\s: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (19 events, each letter once) | gawylqhsbx.exe
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (45 events, letters repeated across the two fulfuowg.exe instances) | fulfuowg.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gawylqhsbx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gawylqhsbx.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1428-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023204-29.dat | autoit_exe
behavioral2/files/0x0006000000023204-30.dat | autoit_exe
behavioral2/files/0x0006000000023203-28.dat | autoit_exe
behavioral2/files/0x00080000000231fe-23.dat | autoit_exe
behavioral2/files/0x000c000000023151-19.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fulfuowg.exe
File created | C:\Windows\SysWOW64\gawylqhsbx.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | C:\Windows\SysWOW64\qblacpivicjqwpe.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\qblacpivicjqwpe.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | C:\Windows\SysWOW64\hpygfkhkxiscc.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\hpygfkhkxiscc.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gawylqhsbx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fulfuowg.exe
File opened for modification | C:\Windows\SysWOW64\gawylqhsbx.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File created | C:\Windows\SysWOW64\fulfuowg.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\SysWOW64\fulfuowg.exe | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | fulfuowg.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fulfuowg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | fulfuowg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | fulfuowg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | fulfuowg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | fulfuowg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fulfuowg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | fulfuowg.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | ab0757415e5a33fde6893ba93d5683ff.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4FACDF961F19883083A4186EB3E97B0FD028C43620238E2C9459908D6" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCFE4F29856F9145D72C7D9DBDE6E643593766446346D7EE" | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B7FF6C21AAD10BD0D18A099167" | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | gawylqhsbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C799D5582566A3077D1702E2DDD7DF565A8" | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gawylqhsbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gawylqhsbx.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ab0757415e5a33fde6893ba93d5683ff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B02F47E2399D52CBBADD3392D7BE" | ab0757415e5a33fde6893ba93d5683ff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | gawylqhsbx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | gawylqhsbx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC70F14E6DAC3B9C07CE1ED9737C8" | ab0757415e5a33fde6893ba93d5683ff.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | events
4632 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events
1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 16
5280 | fulfuowg.exe | 8
5792 | qblacpivicjqwpe.exe | 12
4748 | hpygfkhkxiscc.exe | 16
4788 | gawylqhsbx.exe | 10
6108 | fulfuowg.exe | 2
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events
1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 3
5280 | fulfuowg.exe | 3
5792 | qblacpivicjqwpe.exe | 3
4748 | hpygfkhkxiscc.exe | 3
4788 | gawylqhsbx.exe | 3
6108 | fulfuowg.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events
1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 3
5280 | fulfuowg.exe | 3
5792 | qblacpivicjqwpe.exe | 3
4748 | hpygfkhkxiscc.exe | 3
4788 | gawylqhsbx.exe | 3
6108 | fulfuowg.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | events
4632 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | events
PID 1428 wrote to memory of 4788 | 1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 33 | 3
PID 1428 wrote to memory of 5792 | 1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 32 | 3
PID 1428 wrote to memory of 5280 | 1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 31 | 3
PID 1428 wrote to memory of 4748 | 1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 23 | 3
PID 1428 wrote to memory of 4632 | 1428 | ab0757415e5a33fde6893ba93d5683ff.exe | 26 | 2
PID 4788 wrote to memory of 6108 | 4788 | gawylqhsbx.exe | 27 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe (level 1, PID 1428)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab0757415e5a33fde6893ba93d5683ff.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\hpygfkhkxiscc.exe (level 2, PID 4748)
    command line: hpygfkhkxiscc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 4632)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\fulfuowg.exe (level 2, PID 5280)
    command line: fulfuowg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\qblacpivicjqwpe.exe (level 2, PID 5792)
    command line: qblacpivicjqwpe.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\gawylqhsbx.exe (level 2, PID 4788)
    command line: gawylqhsbx.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\fulfuowg.exe (level 1, PID 6108)
  command line: C:\Windows\system32\fulfuowg.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads