Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 07/01/2024, 19:41

Static task: static1
Behavioral task: behavioral1
  Sample: aa2cab0241781a572a4dc3e33bfe73e5.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: aa2cab0241781a572a4dc3e33bfe73e5.exe
  Resource: win10v2004-20231222-en
General
Target: aa2cab0241781a572a4dc3e33bfe73e5.exe
Size: 512KB
MD5: aa2cab0241781a572a4dc3e33bfe73e5
SHA1: 276b64512c473f9015938b249498a2635608f5d1
SHA256: fe77ab007c8ae2130dafffab4e8fd2545abc3736cfc028f45b573848a08051f5
SHA512: abf6113b00cb8ad96eace6f21bbac4644b36bbfb5090accc960d5b9c4657c910756c12b6168ecbb9b2522b48d5699b95b8d1a26010a93fe2c477f10ee797e790
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pfbqmovuqk.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pfbqmovuqk.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pfbqmovuqk.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pfbqmovuqk.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | aa2cab0241781a572a4dc3e33bfe73e5.exe

Executes dropped EXE 5 IoCs
pid | Process
1028 | pfbqmovuqk.exe
1808 | pzwnszxmdajorwk.exe
1384 | bxniltgoijebd.exe
4372 | dqhisbms.exe
4212 | dqhisbms.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pfbqmovuqk.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndikiekf = "pfbqmovuqk.exe" | pzwnszxmdajorwk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lplnqjfm = "pzwnszxmdajorwk.exe" | pzwnszxmdajorwk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bxniltgoijebd.exe" | pzwnszxmdajorwk.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | dqhisbms.exe
File opened (read-only) | \??\j: | dqhisbms.exe
File opened (read-only) | \??\u: | dqhisbms.exe
File opened (read-only) | \??\h: | pfbqmovuqk.exe
File opened (read-only) | \??\j: | pfbqmovuqk.exe
File opened (read-only) | \??\z: | pfbqmovuqk.exe
File opened (read-only) | \??\l: | dqhisbms.exe
File opened (read-only) | \??\n: | pfbqmovuqk.exe
File opened (read-only) | \??\u: | dqhisbms.exe
File opened (read-only) | \??\g: | dqhisbms.exe
File opened (read-only) | \??\l: | dqhisbms.exe
File opened (read-only) | \??\x: | dqhisbms.exe
File opened (read-only) | \??\i: | pfbqmovuqk.exe
File opened (read-only) | \??\q: | dqhisbms.exe
File opened (read-only) | \??\b: | dqhisbms.exe
File opened (read-only) | \??\o: | pfbqmovuqk.exe
File opened (read-only) | \??\u: | pfbqmovuqk.exe
File opened (read-only) | \??\a: | dqhisbms.exe
File opened (read-only) | \??\o: | dqhisbms.exe
File opened (read-only) | \??\q: | dqhisbms.exe
File opened (read-only) | \??\s: | dqhisbms.exe
File opened (read-only) | \??\t: | dqhisbms.exe
File opened (read-only) | \??\v: | dqhisbms.exe
File opened (read-only) | \??\e: | dqhisbms.exe
File opened (read-only) | \??\j: | dqhisbms.exe
File opened (read-only) | \??\z: | dqhisbms.exe
File opened (read-only) | \??\e: | dqhisbms.exe
File opened (read-only) | \??\b: | pfbqmovuqk.exe
File opened (read-only) | \??\i: | dqhisbms.exe
File opened (read-only) | \??\m: | dqhisbms.exe
File opened (read-only) | \??\q: | pfbqmovuqk.exe
File opened (read-only) | \??\v: | dqhisbms.exe
File opened (read-only) | \??\y: | dqhisbms.exe
File opened (read-only) | \??\r: | dqhisbms.exe
File opened (read-only) | \??\z: | dqhisbms.exe
File opened (read-only) | \??\v: | pfbqmovuqk.exe
File opened (read-only) | \??\x: | dqhisbms.exe
File opened (read-only) | \??\p: | pfbqmovuqk.exe
File opened (read-only) | \??\g: | dqhisbms.exe
File opened (read-only) | \??\h: | dqhisbms.exe
File opened (read-only) | \??\n: | dqhisbms.exe
File opened (read-only) | \??\o: | dqhisbms.exe
File opened (read-only) | \??\i: | dqhisbms.exe
File opened (read-only) | \??\m: | dqhisbms.exe
File opened (read-only) | \??\a: | pfbqmovuqk.exe
File opened (read-only) | \??\e: | pfbqmovuqk.exe
File opened (read-only) | \??\x: | pfbqmovuqk.exe
File opened (read-only) | \??\t: | dqhisbms.exe
File opened (read-only) | \??\p: | dqhisbms.exe
File opened (read-only) | \??\y: | dqhisbms.exe
File opened (read-only) | \??\r: | pfbqmovuqk.exe
File opened (read-only) | \??\s: | pfbqmovuqk.exe
File opened (read-only) | \??\w: | pfbqmovuqk.exe
File opened (read-only) | \??\p: | dqhisbms.exe
File opened (read-only) | \??\y: | pfbqmovuqk.exe
File opened (read-only) | \??\n: | dqhisbms.exe
File opened (read-only) | \??\l: | pfbqmovuqk.exe
File opened (read-only) | \??\m: | pfbqmovuqk.exe
File opened (read-only) | \??\k: | pfbqmovuqk.exe
File opened (read-only) | \??\t: | pfbqmovuqk.exe
File opened (read-only) | \??\a: | dqhisbms.exe
File opened (read-only) | \??\k: | dqhisbms.exe
File opened (read-only) | \??\r: | dqhisbms.exe
File opened (read-only) | \??\k: | dqhisbms.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pfbqmovuqk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pfbqmovuqk.exe
AutoIT Executable 19 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/988-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023221-5.dat | autoit_exe
behavioral2/files/0x000700000002321e-19.dat | autoit_exe
behavioral2/files/0x0007000000023221-22.dat | autoit_exe
behavioral2/files/0x0006000000023226-30.dat | autoit_exe
behavioral2/files/0x0006000000023225-32.dat | autoit_exe
behavioral2/files/0x0006000000023226-28.dat | autoit_exe
behavioral2/files/0x0006000000023225-29.dat | autoit_exe
behavioral2/files/0x0007000000023221-21.dat | autoit_exe
behavioral2/files/0x000700000002321e-18.dat | autoit_exe
behavioral2/files/0x0006000000023225-44.dat | autoit_exe
behavioral2/files/0x0006000000023231-73.dat | autoit_exe
behavioral2/files/0x0006000000023232-79.dat | autoit_exe
behavioral2/files/0x00040000000227e6-96.dat | autoit_exe
behavioral2/files/0x000b0000000231b5-102.dat | autoit_exe
behavioral2/files/0x00020000000227e5-87.dat | autoit_exe
behavioral2/files/0x0006000000023236-124.dat | autoit_exe
behavioral2/files/0x0006000000023236-128.dat | autoit_exe
behavioral2/files/0x0006000000023236-126.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\pfbqmovuqk.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File opened for modification | C:\Windows\SysWOW64\pzwnszxmdajorwk.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File created | C:\Windows\SysWOW64\dqhisbms.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pfbqmovuqk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | C:\Windows\SysWOW64\pfbqmovuqk.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | C:\Windows\SysWOW64\bxniltgoijebd.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File opened for modification | C:\Windows\SysWOW64\bxniltgoijebd.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | C:\Windows\SysWOW64\dqhisbms.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
File created | C:\Windows\SysWOW64\pzwnszxmdajorwk.exe | aa2cab0241781a572a4dc3e33bfe73e5.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dqhisbms.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqhisbms.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqhisbms.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dqhisbms.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dqhisbms.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dqhisbms.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | C:\Windows\mydoc.rtf | aa2cab0241781a572a4dc3e33bfe73e5.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dqhisbms.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dqhisbms.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dqhisbms.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | aa2cab0241781a572a4dc3e33bfe73e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02B47E639EB52CDBAD03298D4C5" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5F9BEFE6AF19784083A4B81EC39E3B08B028A43620349E2CC45E708A1" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8F482E85189134D6587D92BDE2E140593667426345D790" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pfbqmovuqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pfbqmovuqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pfbqmovuqk.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | aa2cab0241781a572a4dc3e33bfe73e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7E9C5282276A3176A677202DDB7C8F64AD" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB1FE6D21AAD279D0D28A0B9117" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70E1597DAB5B9BC7C97EDE334BD" | aa2cab0241781a572a4dc3e33bfe73e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pfbqmovuqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pfbqmovuqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pfbqmovuqk.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4792 | WINWORD.EXE
4792 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1028 | pfbqmovuqk.exe
1808 | pzwnszxmdajorwk.exe
1028 | pfbqmovuqk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
4212 | dqhisbms.exe
4212 | dqhisbms.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4212 | dqhisbms.exe
4212 | dqhisbms.exe
4212 | dqhisbms.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
988 | aa2cab0241781a572a4dc3e33bfe73e5.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1028 | pfbqmovuqk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1808 | pzwnszxmdajorwk.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
1384 | bxniltgoijebd.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4372 | dqhisbms.exe
4212 | dqhisbms.exe
4212 | dqhisbms.exe
4212 | dqhisbms.exe

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4792 | WINWORD.EXE
4792 | WINWORD.EXE
4792 | WINWORD.EXE
4792 | WINWORD.EXE
4792 | WINWORD.EXE
4792 | WINWORD.EXE
4792 | WINWORD.EXE

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 988 wrote to memory of 1028 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 93
PID 988 wrote to memory of 1028 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 93
PID 988 wrote to memory of 1028 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 93
PID 988 wrote to memory of 1808 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 90
PID 988 wrote to memory of 1808 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 90
PID 988 wrote to memory of 1808 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 90
PID 988 wrote to memory of 4372 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 92
PID 988 wrote to memory of 4372 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 92
PID 988 wrote to memory of 4372 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 92
PID 988 wrote to memory of 1384 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 91
PID 988 wrote to memory of 1384 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 91
PID 988 wrote to memory of 1384 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 91
PID 988 wrote to memory of 4792 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 95
PID 988 wrote to memory of 4792 | 988 | aa2cab0241781a572a4dc3e33bfe73e5.exe | 95
PID 1028 wrote to memory of 4212 | 1028 | pfbqmovuqk.exe | 97
PID 1028 wrote to memory of 4212 | 1028 | pfbqmovuqk.exe | 97
PID 1028 wrote to memory of 4212 | 1028 | pfbqmovuqk.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\aa2cab0241781a572a4dc3e33bfe73e5.exe (PID 988)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa2cab0241781a572a4dc3e33bfe73e5.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\pzwnszxmdajorwk.exe (PID 1808)
    Command line: pzwnszxmdajorwk.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bxniltgoijebd.exe (PID 1384)
    Command line: bxniltgoijebd.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dqhisbms.exe (PID 4372)
    Command line: dqhisbms.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\pfbqmovuqk.exe (PID 1028)
    Command line: pfbqmovuqk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\dqhisbms.exe (PID 4212)
      Command line: C:\Windows\system32\dqhisbms.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4792)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 22KB
MD5: d396bafcd991e8f0c30c9494d5c2a468
SHA1: 3446b621be6db90124a6a9a231e7d02cda9a9b0c
SHA256: 6d802668a69425f210297eb1fe46fc7105aeb07d09a982bcfce891a670440ed4
SHA512: 88cbfc330851c1c294e4f6eba8cf82c8ee477a2cd8529e61431e7f13c26a1d1752322bb2699c6185b6c985795c25dd1dd30b74256aa58c54bacaaee4a59c104e

Filesize: 31KB
MD5: e35e129647c372c443909d11239fdad3
SHA1: 5795d9ede0c5712e9f104218f34702e1f45bbf3c
SHA256: 6c3344e867c0ce6e2380887802cee0be426f5f603545d138c4cd3e70ccea505b
SHA512: 72b1cd681c31aba0d053339187258bbb6c0e5f3e2d62c66e2f11f6019c2909d8b6d3f8f414a5cc3ad9aa082446aa121877c0b94336678964c976593a0edcc5e8

Filesize: 239B
MD5: 0c59a5f4b604bdb95d678de25e7be485
SHA1: b2f63dc74e24096cfaec01add4039bb6b4221650
SHA256: 4f67992a112a96b5f8fee2357028d149d02be8c07cfff8b729fc33ad27ab5561
SHA512: 9e31d6948d8d5d1ad4b8ec7ee4910eebda596ca73fd23dd72401e400c661b993b04ce907aa796597773feb9ef6f598b0c852b091996ec03d6bf69b74d5054e4b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 26aa7c68475db4700c78551920ee0eee
SHA1: 6950d51f2c5eddba6431f3540bbe3fd18e687788
SHA256: dd1c141331dfa094513ac96152318f56b4632ef4077136f2a8d8a7a242d1b475
SHA512: b323ebe5ff07c16c0ad96c122f4be2099bb760342f209e3ef654c1ee8fbbf2a949c151fecdd7204012c9d5702386ce257361e21e2fe6fc4a85df351bf45e35ab

Filesize: 12KB
MD5: 2526980684884c9627a06a267c12ff10
SHA1: 918584e64576e6a41b11e9c66681131c38b981c4
SHA256: 7e553dace34f2f3d7c05398976fe2dc00e15ef193ade36461f1aa22df7c6db59
SHA512: a4e97cdca62a1e1cbfda6ca70dc3f084ac7220d58919b320095774f971b54856112be66841bc3a01fe1ed2db077930ea84f5e528bac8c5e40e892ce57fb01f85

Filesize: 57KB
MD5: 3a81bb7f89fff51fd80d1e9e1e60471f
SHA1: 7c04e73b47855108f7cb0f1f8e76b71078d74158
SHA256: 7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512: d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

Filesize: 89KB
MD5: 189db9979f8404849f77cbdd6926c32b
SHA1: 1cf79dd909df2343dcbb27764d33532f403ecc46
SHA256: 1d7c69e288621a0a6f480924b369812faff78d58733a06b84d3fa06898ca5aa2
SHA512: 06a7aea437a97e1da9f7778e4040ed3cf46e2f8038341855e0fa303cf1fb14c0b4698b297230566a7f74c6518ebe585f715d2dbe3d229debf73cd4c8e89314e3

Filesize: 118KB
MD5: 23428d64ca2901494df6e7db7992835b
SHA1: 054a2db21b9e223104180835b89c45e186aae426
SHA256: 9899bc4778c18600c2eb25ba04a534d938bb904573e72cdd2d2f35fb8c758550
SHA512: 02fc64d40ef108f4edafa5159c7c00a132d4b97fdf57b7c72989d43538771f982257aeb52cba88ed7685ba8c3fac098cf37be79b07106f47b7ebd0caedeaf5cc

Filesize: 99KB
MD5: 9bce0d8644b72c862c07071d7901d27f
SHA1: cc2ed2c78814f90a3f405ea1789c3be8d2b165f2
SHA256: 1b3975cafa8859c8ebef939b0808f246ff57d8793921a7a7aab3968c729e257c
SHA512: a8543e0de4759c7e858ca5c94a621f7453bf7517853be1bc57f1756f37a6beec482b9a08a01fc14727c6815d7c11e40ab82a60a6fde4541c1b52a215e29cb6ba

Filesize: 109KB
MD5: 26c33fc2aed7c132b6b532cb70f28e5b
SHA1: 5935442f649091fbe1ae97a0b368b4a6269f963b
SHA256: 8b8b81bcb840a3a398580b8a3eb51f072fa9b7dcd507b83bba9741508dcb410d
SHA512: 88a95b26a943242ae6f0982f9017b272fb6ea66116c99ee62008e6b1305ab5da03111936699bc69970eec5f0aa99f2bfa21e9888427a9e34775080c7d080477b

Filesize: 5KB
MD5: 3601637820e14acd7e2416ebd0a8b4e2
SHA1: ca8f9fecad119786d854dece99a9fef6863206a2
SHA256: b5fab74ba597f213400a36cd7d59b59f2834b1c8049a9f709d10e3a01e80b7da
SHA512: 90c620ef358c6183473fe3d5781200c9053be3411167310ec65956173054b77964119b7d1f7c9c5f2e77c56dd29f7ab0a1ba72dfaaf9252bc1c2ec5e2cb82997

Filesize: 107KB
MD5: a6148729747d82d1ac71701d71153543
SHA1: 27e0b70e9379682436b7fea03cdb65f70bc41120
SHA256: 596398c335fc4f20995a800b091b7c236ac206781df6cba06516e11c29efddd8
SHA512: b872ebc08bef8c15d2f3e276587415ed071b669ee06e7f11fb71ff6dabf46e0e64b25c50a4d195cc0e8bb9c14a9ad228ba5ec193aebe3323f223ece41dad9d1d

Filesize: 94KB
MD5: 56a8016bcafb1aaac26e641b848e2c3a
SHA1: 43e05081463aa7d4b7d3d1795d437e5cdd1675b0
SHA256: 353a22a8c5594d278da619d691e267a2c74e83e9be8c1c2f4949b3f84d3244c6
SHA512: 8e9e4eb2802a4d8fef2c87eb63483da8cd0088e0a47db44a6258192fb890855cf20cb807e19f43db5c0faa52ead4752ac75d7ab20dddfbe52f2c0fb190971832

Filesize: 105KB
MD5: d26aa2d8a525542e3b8aec65cb9c3327
SHA1: f85b77d8221bfdd3ed5b5625cf60c5dbf5295a1d
SHA256: f21210aeb390605db42c887a5d430ec0029f24c77209596dcf9fe673ecb322a9
SHA512: e8c9705441dd6caf279c00a582589b6993f1fe9233c29d6457960a6f99f6480ecf80af922cc1aad510bc96a9266e563e16b0179760a408959c891254d434c7c7

Filesize: 107KB
MD5: 2ee12f1b4a274f92006f9f4ad95a3cee
SHA1: 452079404908796ac32cc0e4c318b214dea1fb0d
SHA256: 6b59967a8ba23a7e283cdb8c7adfaa010944bd031dd4ec3d99028d3722eea9f6
SHA512: 7df3dadf6bb09cc867833d46c540c25d03beeb9479bdae1a07a0ea5cc4251f9728aa10cda0cf108e46c9bbf30315c54571d0bf59832b263b763f09cfb0ff6744

Filesize: 151KB
MD5: 5444e63d802cb5629598c260905d5505
SHA1: 8b082a66349dfe903acab3828b24d1f8de7ec9c6
SHA256: 1fa572bc62eb7b27a87b5604bf3813ce3947aed2b1980dc37940cbcf79e14558
SHA512: 486f0021b574e7c80eeb74f1a683718a44598194d3054176f0b268ff1e71b8803865f623d66a88d73160963c140d71baaa6b035cbf1dbc53b2d5d836578537ca

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 39KB
MD5: 9e1ac8bb7df86e9f6f120b439daf35f9
SHA1: 2d5ab6b65fac35f5c20da55616868cf181c6d24e
SHA256: becd8faeaa233f7e8c66998413299414180e10aba06fb0d7a329ef0897a4e097
SHA512: 24d644cc85b9a56d99100523f406951dabf6ab21862d9dbaa5dfaa20a5e483abeae491af325eaf2d9092dcd78cdb3238ff324d57f8ddcaccf332c7b1cbe1a6bf

Filesize: 251KB
MD5: 0539f4d632179be94cd284a9d13af823
SHA1: 1cad898b18b02605f8e5c69df4ca77bd221a62ca
SHA256: 173dc3355953db71f18655bbcc8464e383684a815fa518eb6e57f1e4d943e03a
SHA512: 86d909f6548cd03b1bee2cdb5ee72396d27657fd4d31867bc8e2d81a276e8877a6d88d13643812c886870ceea23cf633c1c839bffc417f1f4eb4d26e6c3bc0e4

Filesize: 140KB
MD5: 46483b729cc7663748a9fd4697973291
SHA1: 174c0b742470e3c644cd7b19fe48141be023c4c7
SHA256: c88c54371e4fd228abc56aaa163ea689e1ce6a4bc03dc9894cccc208b486f1a2
SHA512: f4cdcc36fb58b7f161f54f22015f38f9fc4ee1d98371aa85036718dd20091684a6ca1d2204fc20bb60882290b8cc26c65b1061ca522f8eb8c6d7559560ac0168

Filesize: 153KB
MD5: 3ce0263ec22d797ca5e15a7bee7b7d04
SHA1: bcaecb2bbb9d5b63aebfed9435331adf0396e28c
SHA256: 042b6012dd3e28dc08f094e89d36883bde97e88e124f75b19a874501dbe58b02
SHA512: b9fb8b6922afbd617b40f0af8fe7e4f1f48640773982142d99380d220c8c246f51374d16ed482de42c4bfa3fe1e32a5f85a2484270dcc93f12a485bb08045445