Analysis
-
max time kernel
151s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
07/01/2024, 19:37
Static task
static1
Behavioral task
behavioral1
Sample
a91ea79a692b6b7cdda92c6a588386f8.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
a91ea79a692b6b7cdda92c6a588386f8.exe
Resource
win10v2004-20231215-en
General
-
Target
a91ea79a692b6b7cdda92c6a588386f8.exe
-
Size
512KB
-
MD5
a91ea79a692b6b7cdda92c6a588386f8
-
SHA1
d1acc93a5257f3c64bbec46bc923c66f78fc8353
-
SHA256
d86d042c8681af6deee373b23f0dc4b3cdcfe4775aa73da1975a7f9ae733fa3a
-
SHA512
9b440dc43a8a8c8fe82c3f2978b25af7f21fb24f21980fcdf93959d191cd562f917437c44052abb8ce2d153b56234dd4722f237f1fb7bf0223e7994a3dfff905
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6K:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" dupwvtkpgl.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" dupwvtkpgl.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dupwvtkpgl.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dupwvtkpgl.exe -
Executes dropped EXE 5 IoCs
pid Process 1312 dupwvtkpgl.exe 1460 sigtwzommipquan.exe 1212 jadatwvj.exe 2960 szeauakyzohfa.exe 2172 jadatwvj.exe -
Loads dropped DLL 5 IoCs
pid Process 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1312 dupwvtkpgl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" dupwvtkpgl.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbrsqvvu = "dupwvtkpgl.exe" sigtwzommipquan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aovklamq = "sigtwzommipquan.exe" sigtwzommipquan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "szeauakyzohfa.exe" sigtwzommipquan.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\u: dupwvtkpgl.exe File opened (read-only) \??\u: jadatwvj.exe File opened (read-only) \??\m: dupwvtkpgl.exe File opened (read-only) \??\u: jadatwvj.exe File opened (read-only) \??\v: jadatwvj.exe File opened (read-only) \??\k: jadatwvj.exe File opened (read-only) \??\l: jadatwvj.exe File opened (read-only) \??\v: dupwvtkpgl.exe File opened (read-only) \??\m: jadatwvj.exe File opened (read-only) \??\p: jadatwvj.exe File opened (read-only) \??\e: jadatwvj.exe File opened (read-only) \??\n: jadatwvj.exe File opened (read-only) \??\k: dupwvtkpgl.exe File opened (read-only) \??\l: dupwvtkpgl.exe File opened (read-only) \??\y: dupwvtkpgl.exe File opened (read-only) \??\o: jadatwvj.exe File opened (read-only) \??\m: jadatwvj.exe File opened (read-only) \??\t: jadatwvj.exe File opened (read-only) \??\b: dupwvtkpgl.exe File opened (read-only) \??\x: jadatwvj.exe File opened (read-only) \??\p: dupwvtkpgl.exe File opened (read-only) \??\w: dupwvtkpgl.exe File opened (read-only) \??\x: dupwvtkpgl.exe File opened (read-only) \??\r: jadatwvj.exe File opened (read-only) \??\b: jadatwvj.exe File opened (read-only) \??\g: jadatwvj.exe File opened (read-only) \??\t: dupwvtkpgl.exe File opened (read-only) \??\j: jadatwvj.exe File opened (read-only) \??\y: jadatwvj.exe File opened (read-only) \??\z: jadatwvj.exe File opened (read-only) \??\h: jadatwvj.exe File opened (read-only) \??\k: jadatwvj.exe File opened (read-only) \??\g: dupwvtkpgl.exe File opened (read-only) \??\j: dupwvtkpgl.exe File opened (read-only) \??\q: dupwvtkpgl.exe File opened (read-only) \??\i: jadatwvj.exe File opened (read-only) \??\q: jadatwvj.exe File opened (read-only) \??\s: jadatwvj.exe File opened (read-only) \??\i: jadatwvj.exe File opened (read-only) \??\a: dupwvtkpgl.exe File opened (read-only) \??\p: jadatwvj.exe File opened (read-only) \??\z: jadatwvj.exe File opened (read-only) \??\g: jadatwvj.exe File opened (read-only) \??\a: jadatwvj.exe File opened (read-only) \??\v: jadatwvj.exe File opened (read-only) \??\x: jadatwvj.exe File opened (read-only) \??\n: dupwvtkpgl.exe File opened (read-only) \??\r: dupwvtkpgl.exe File opened (read-only) \??\s: dupwvtkpgl.exe File opened (read-only) \??\l: jadatwvj.exe File opened (read-only) \??\o: jadatwvj.exe File opened (read-only) \??\e: dupwvtkpgl.exe File opened (read-only) \??\z: dupwvtkpgl.exe File opened (read-only) \??\e: jadatwvj.exe File opened (read-only) \??\t: jadatwvj.exe File opened (read-only) \??\q: jadatwvj.exe File opened (read-only) \??\h: dupwvtkpgl.exe File opened (read-only) \??\b: jadatwvj.exe File opened (read-only) \??\n: jadatwvj.exe File opened (read-only) \??\y: jadatwvj.exe File opened (read-only) \??\a: jadatwvj.exe File opened (read-only) \??\h: jadatwvj.exe File opened (read-only) \??\j: jadatwvj.exe File opened (read-only) \??\r: jadatwvj.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" dupwvtkpgl.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" dupwvtkpgl.exe -
AutoIT Executable 7 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1180-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000b0000000140fb-5.dat autoit_exe behavioral1/files/0x000a000000012243-17.dat autoit_exe behavioral1/files/0x00090000000167c9-28.dat autoit_exe behavioral1/files/0x0007000000016c74-33.dat autoit_exe behavioral1/files/0x0005000000019597-73.dat autoit_exe behavioral1/files/0x0005000000019599-79.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dupwvtkpgl.exe a91ea79a692b6b7cdda92c6a588386f8.exe File created C:\Windows\SysWOW64\sigtwzommipquan.exe a91ea79a692b6b7cdda92c6a588386f8.exe File opened for modification C:\Windows\SysWOW64\sigtwzommipquan.exe a91ea79a692b6b7cdda92c6a588386f8.exe File created C:\Windows\SysWOW64\jadatwvj.exe a91ea79a692b6b7cdda92c6a588386f8.exe File opened for modification C:\Windows\SysWOW64\jadatwvj.exe a91ea79a692b6b7cdda92c6a588386f8.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll dupwvtkpgl.exe File created C:\Windows\SysWOW64\dupwvtkpgl.exe a91ea79a692b6b7cdda92c6a588386f8.exe File created C:\Windows\SysWOW64\szeauakyzohfa.exe a91ea79a692b6b7cdda92c6a588386f8.exe File opened for modification C:\Windows\SysWOW64\szeauakyzohfa.exe a91ea79a692b6b7cdda92c6a588386f8.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal jadatwvj.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jadatwvj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jadatwvj.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jadatwvj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jadatwvj.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe jadatwvj.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe jadatwvj.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf a91ea79a692b6b7cdda92c6a588386f8.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" dupwvtkpgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" dupwvtkpgl.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg dupwvtkpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh dupwvtkpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" dupwvtkpgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABDF96AF2E2840C3A4B86ED39E3B0F902FD42680238E2CB429A08A4" a91ea79a692b6b7cdda92c6a588386f8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs dupwvtkpgl.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2628 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 2172 jadatwvj.exe 2172 jadatwvj.exe 2172 jadatwvj.exe 2172 jadatwvj.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 1460 sigtwzommipquan.exe 2960 szeauakyzohfa.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2172 jadatwvj.exe 2172 jadatwvj.exe 2172 jadatwvj.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1312 dupwvtkpgl.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1460 sigtwzommipquan.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 1212 jadatwvj.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2960 szeauakyzohfa.exe 2172 jadatwvj.exe 2172 jadatwvj.exe 2172 jadatwvj.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2628 WINWORD.EXE 2628 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1180 wrote to memory of 1312 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 28 PID 1180 wrote to memory of 1312 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 28 PID 1180 wrote to memory of 1312 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 28 PID 1180 wrote to memory of 1312 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 28 PID 1180 wrote to memory of 1460 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 29 PID 1180 wrote to memory of 1460 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 29 PID 1180 wrote to memory of 1460 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 29 PID 1180 wrote to memory of 1460 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 29 PID 1180 wrote to memory of 1212 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 30 PID 1180 wrote to memory of 1212 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 30 PID 1180 wrote to memory of 1212 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 30 PID 1180 wrote to memory of 1212 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 30 PID 1180 wrote to memory of 2960 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 31 PID 1180 wrote to memory of 2960 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 31 PID 1180 wrote to memory of 2960 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 31 PID 1180 wrote to memory of 2960 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 31 PID 1312 wrote to memory of 2172 1312 dupwvtkpgl.exe 32 PID 1312 wrote to memory of 2172 1312 dupwvtkpgl.exe 32 PID 1312 wrote to memory of 2172 1312 dupwvtkpgl.exe 32 PID 1312 wrote to memory of 2172 1312 dupwvtkpgl.exe 32 PID 1180 wrote to memory of 2628 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 33 PID 1180 wrote to memory of 2628 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 33 PID 1180 wrote to memory of 2628 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 33 PID 1180 wrote to memory of 2628 1180 a91ea79a692b6b7cdda92c6a588386f8.exe 33 PID 2628 wrote to memory of 2176 2628 WINWORD.EXE 36 PID 2628 wrote to memory of 2176 2628 WINWORD.EXE 36 PID 2628 wrote to memory of 2176 2628 WINWORD.EXE 36 PID 2628 wrote to memory of 2176 2628 WINWORD.EXE 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\dupwvtkpgl.exedupwvtkpgl.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\jadatwvj.exeC:\Windows\system32\jadatwvj.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172
-
-
-
C:\Windows\SysWOW64\sigtwzommipquan.exesigtwzommipquan.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1460
-
-
C:\Windows\SysWOW64\jadatwvj.exejadatwvj.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212
-
-
C:\Windows\SysWOW64\szeauakyzohfa.exeszeauakyzohfa.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2960
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2176
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD56eea7f31a600911c7815ba48142bd2c8
SHA1b4df559594445dcd6427639984f74f6ab6b12e94
SHA25695642b59ccd3ec2a3d302340d942795859607ff9441e74992cbe97afa17df9f4
SHA51251b56c53843447afd4774459cbfd983fc087d29c04c10f92178ef7f9855e9078461a6c094b86a1b983eb7063b0235c5813adc81185b1f87c203918e614d9d256
-
Filesize
20KB
MD573e9f0d4fbad95d409437bd37e431931
SHA1bce799d523dbe19d3ad15dc0f36bee8b613802ed
SHA256fea042645b5918f0ab3091e24ce962c4f9b8474dca344b03e960e3b5f4840fde
SHA5123eec9a6aa6e67ed3f002199a683d79f6a8bff9065b800530a02a04045f02ad5d1011b014ef674d3d689da6b92d6b10f6d862d2e8d49106e6d2aefac0d035b6de
-
Filesize
512KB
MD5abf67e55313251022e001a397e96e435
SHA1c32eabfa28e7ab157644e1b232141f6e3f02b679
SHA256e70315cf5e3384474eff686b90e8db1e71f7bd0f52eb365cf734a5743387885d
SHA512659cb8b8dc7dda21514a6fea26b51875bb6474c6f44d2b99eabcce2e162762241efeee43f16855ed2907fb1207d83d500f71624bdfb27cd5f98429b30cc74eb4
-
Filesize
512KB
MD5671d5447bbcc8d8fd781259309c657bb
SHA1cf9c35705d68952be42d5719e6b22b5d0bef7ba5
SHA256423bd936ebb93c7c01752cd691737c538731102ddc07d51bf1aeae3c0eb45365
SHA5128cbe169fac544689c8e815108f7b0ed9ffd314c873590669b6e06d0214e9e011dfd2b4ba0615a4ba87d227445f4ef211020205343d89237eb9355618b78938fc
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5adfa23b90f169f7c82d2ed47ef5ab266
SHA15cacfd4c413664fd18f39e9bad4a59fdc59aed03
SHA2566a54fc65ce0d9abc620ce0afac439fddbda85b7d4573414a29aa0a1e78ae10f2
SHA51271697e13b5d5baa71fc91ab4e00ed4ba147edf8bcf00c1234849d2c67be1c97f761fa4f856a9b6ebae2290cfac24ae12551687483b59057357e685a7b341a21f
-
Filesize
512KB
MD5bb78b8f8859cdc6ea0616178df9d0c10
SHA17f8d7e0906ee5a68cfee55c6dc9f408b406c8f03
SHA2563c5740c4ed4af7eeac476a83c4ae33dd32ce3ae53ca9ffd5418e996e3145e0c2
SHA512124f261207cd72a82499d9dcac8a0254d7c8616d723864c59589504607f78d0fb7cfe7d7847e3ee9939eabbc704b6b7ea183a245757b7733b4e2e363c58b0b64
-
Filesize
512KB
MD5390ff42e081bbfc323a0f522d31aee44
SHA12d87ee39e5ed9d85180695092bee312f4be81470
SHA256d302261d61e7f788400a5c16e8b0190b6ab9bec47dc738b1182d5c0f0d949960
SHA512386d9d2451c6b298d4ffcdb31162c405519f4ad3f5a324e4371e9155728611cd1af444e27bae08d763f7e10b0f3c89a9314a0198c0b4fcedecfcf55de73adc05