Analysis
max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2024, 19:09

Static task: static1

Behavioral task: behavioral1
Sample: a18506b622dbef775f88d8a8d3446d8b.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: a18506b622dbef775f88d8a8d3446d8b.exe
Resource: win10v2004-20231215-en
General
Target: a18506b622dbef775f88d8a8d3446d8b.exe
Size: 512KB
MD5: a18506b622dbef775f88d8a8d3446d8b
SHA1: 86bd3d2ebfc928f2fb053c3a9e4765176f9b3a8c
SHA256: c1a0690dfbdfa9a48eaa977809e214981c5bcbbf89ba85f2092cecf0e898f78e
SHA512: 3e4f2e25c7780052d527fc285b31ce759b04a4f078a7ff4e4f2c2af6d50af05bb1f0d4e48995b15e30656a5a64ecc58bd56bfe31a6cef78ff70e926dd960f835
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zuaczvyacr.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zuaczvyacr.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zuaczvyacr.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zuaczvyacr.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | a18506b622dbef775f88d8a8d3446d8b.exe

Executes dropped EXE 5 IoCs
pid | Process
4536 | zuaczvyacr.exe
3368 | mntktsirairpumx.exe
3400 | rrfsvwoq.exe
4492 | iniphgzhasslx.exe
4688 | rrfsvwoq.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zuaczvyacr.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iniphgzhasslx.exe" | mntktsirairpumx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmucqhfq = "zuaczvyacr.exe" | mntktsirairpumx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spxwastb = "mntktsirairpumx.exe" | mntktsirairpumx.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zuaczvyacr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zuaczvyacr.exe

AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2844-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023208-32.dat | autoit_exe
behavioral2/files/0x0007000000023208-31.dat | autoit_exe
behavioral2/files/0x0009000000023202-24.dat | autoit_exe
behavioral2/files/0x0007000000023207-29.dat | autoit_exe
behavioral2/files/0x0007000000023207-28.dat | autoit_exe
behavioral2/files/0x0009000000023202-22.dat | autoit_exe
behavioral2/files/0x000e000000023168-18.dat | autoit_exe
behavioral2/files/0x0009000000023202-5.dat | autoit_exe
behavioral2/files/0x000a000000023149-80.dat | autoit_exe
behavioral2/files/0x0008000000023143-76.dat | autoit_exe
behavioral2/files/0x000700000002322e-105.dat | autoit_exe
behavioral2/files/0x000700000002322e-107.dat | autoit_exe

Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\zuaczvyacr.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File created | C:\Windows\SysWOW64\mntktsirairpumx.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File created | C:\Windows\SysWOW64\iniphgzhasslx.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zuaczvyacr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | C:\Windows\SysWOW64\zuaczvyacr.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File opened for modification | C:\Windows\SysWOW64\mntktsirairpumx.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File created | C:\Windows\SysWOW64\rrfsvwoq.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File opened for modification | C:\Windows\SysWOW64\rrfsvwoq.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File opened for modification | C:\Windows\SysWOW64\iniphgzhasslx.exe | a18506b622dbef775f88d8a8d3446d8b.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | rrfsvwoq.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rrfsvwoq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rrfsvwoq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | rrfsvwoq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | rrfsvwoq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | rrfsvwoq.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | C:\Windows\mydoc.rtf | a18506b622dbef775f88d8a8d3446d8b.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | rrfsvwoq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | rrfsvwoq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B0284793389A52C8B9D5329AD4BC" | a18506b622dbef775f88d8a8d3446d8b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zuaczvyacr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zuaczvyacr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF894829826A9130D7207EE6BDE5E133584466446332D69C" | a18506b622dbef775f88d8a8d3446d8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zuaczvyacr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zuaczvyacr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zuaczvyacr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a18506b622dbef775f88d8a8d3446d8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7D9C5783256D3677D6772F2CDF7DF665DB" | a18506b622dbef775f88d8a8d3446d8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB8FF1821DBD108D0A68A7F906B" | a18506b622dbef775f88d8a8d3446d8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC70E1493DBC7B8BC7FE7ECE534CB" | a18506b622dbef775f88d8a8d3446d8b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FABAFE10F19284743A4286EB3E93B08E02FD42110239E2CB42ED09A2" | a18506b622dbef775f88d8a8d3446d8b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zuaczvyacr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zuaczvyacr.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | a18506b622dbef775f88d8a8d3446d8b.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
632 | WINWORD.EXE
632 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE
632 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2844 wrote to memory of 4536 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 31
PID 2844 wrote to memory of 4536 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 31
PID 2844 wrote to memory of 4536 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 31
PID 2844 wrote to memory of 3368 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 30
PID 2844 wrote to memory of 3368 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 30
PID 2844 wrote to memory of 3368 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 30
PID 2844 wrote to memory of 3400 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 29
PID 2844 wrote to memory of 3400 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 29
PID 2844 wrote to memory of 3400 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 29
PID 2844 wrote to memory of 4492 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 23
PID 2844 wrote to memory of 4492 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 23
PID 2844 wrote to memory of 4492 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 23
PID 2844 wrote to memory of 632 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 24
PID 2844 wrote to memory of 632 | 2844 | a18506b622dbef775f88d8a8d3446d8b.exe | 24
PID 4536 wrote to memory of 4688 | 4536 | zuaczvyacr.exe | 26
PID 4536 wrote to memory of 4688 | 4536 | zuaczvyacr.exe | 26
PID 4536 wrote to memory of 4688 | 4536 | zuaczvyacr.exe | 26

Processes

C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2844

    C:\Windows\SysWOW64\iniphgzhasslx.exe
    Command line: iniphgzhasslx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4492

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 632

    C:\Windows\SysWOW64\rrfsvwoq.exe
    Command line: rrfsvwoq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3400

    C:\Windows\SysWOW64\mntktsirairpumx.exe
    Command line: mntktsirairpumx.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3368

    C:\Windows\SysWOW64\zuaczvyacr.exe
    Command line: zuaczvyacr.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4536

C:\Windows\SysWOW64\rrfsvwoq.exe
Command line: C:\Windows\system32\rrfsvwoq.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4688

Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
    - Hidden Files and Directories (2)
- Impair Defenses (2)
    - Disable or Modify Tools (2)
- Modify Registry (6)

Downloads