84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5263ee44519d3d416ec840fd28e3757c.exe
Size

512KB
MD5

5263ee44519d3d416ec840fd28e3757c
SHA1

b9f96e553e4e668d14d01d60ff67e4f647545906
SHA256

84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff
SHA512

8929f25b5a14b77f367fd52fcdce3ff915fa55b16777c2439c2452fd8d79fe33ef5a5183ca03954b7bc8d556298ecafb2634f546fcb2e4c19a1f50ac9413154b
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ztdcyywuec.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ztdcyywuec.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ztdcyywuec.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ztdcyywuec.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2664	ztdcyywuec.exe
2788	vugbpulyscsnmbp.exe
2712	knkvosfu.exe
2084	pkviyyzhkzaaq.exe
1952	knkvosfu.exe

Loads dropped DLL 5 IoCs

pid	Process
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2664	ztdcyywuec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ztdcyywuec.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wymtdfxq = "ztdcyywuec.exe"	vugbpulyscsnmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yocmfobv = "vugbpulyscsnmbp.exe"	vugbpulyscsnmbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pkviyyzhkzaaq.exe"	vugbpulyscsnmbp.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	knkvosfu.exe
File opened (read-only)	\??\n:	knkvosfu.exe
File opened (read-only)	\??\p:	knkvosfu.exe
File opened (read-only)	\??\r:	knkvosfu.exe
File opened (read-only)	\??\b:	knkvosfu.exe
File opened (read-only)	\??\k:	knkvosfu.exe
File opened (read-only)	\??\j:	knkvosfu.exe
File opened (read-only)	\??\b:	ztdcyywuec.exe
File opened (read-only)	\??\r:	ztdcyywuec.exe
File opened (read-only)	\??\p:	knkvosfu.exe
File opened (read-only)	\??\a:	knkvosfu.exe
File opened (read-only)	\??\o:	knkvosfu.exe
File opened (read-only)	\??\u:	knkvosfu.exe
File opened (read-only)	\??\l:	ztdcyywuec.exe
File opened (read-only)	\??\p:	ztdcyywuec.exe
File opened (read-only)	\??\r:	knkvosfu.exe
File opened (read-only)	\??\e:	knkvosfu.exe
File opened (read-only)	\??\q:	knkvosfu.exe
File opened (read-only)	\??\g:	ztdcyywuec.exe
File opened (read-only)	\??\m:	ztdcyywuec.exe
File opened (read-only)	\??\n:	ztdcyywuec.exe
File opened (read-only)	\??\q:	ztdcyywuec.exe
File opened (read-only)	\??\g:	knkvosfu.exe
File opened (read-only)	\??\l:	knkvosfu.exe
File opened (read-only)	\??\t:	knkvosfu.exe
File opened (read-only)	\??\u:	ztdcyywuec.exe
File opened (read-only)	\??\n:	knkvosfu.exe
File opened (read-only)	\??\k:	ztdcyywuec.exe
File opened (read-only)	\??\j:	knkvosfu.exe
File opened (read-only)	\??\s:	knkvosfu.exe
File opened (read-only)	\??\x:	knkvosfu.exe
File opened (read-only)	\??\k:	knkvosfu.exe
File opened (read-only)	\??\v:	knkvosfu.exe
File opened (read-only)	\??\x:	knkvosfu.exe
File opened (read-only)	\??\w:	ztdcyywuec.exe
File opened (read-only)	\??\o:	knkvosfu.exe
File opened (read-only)	\??\v:	knkvosfu.exe
File opened (read-only)	\??\l:	knkvosfu.exe
File opened (read-only)	\??\a:	ztdcyywuec.exe
File opened (read-only)	\??\e:	ztdcyywuec.exe
File opened (read-only)	\??\i:	ztdcyywuec.exe
File opened (read-only)	\??\j:	ztdcyywuec.exe
File opened (read-only)	\??\y:	ztdcyywuec.exe
File opened (read-only)	\??\e:	knkvosfu.exe
File opened (read-only)	\??\x:	ztdcyywuec.exe
File opened (read-only)	\??\u:	knkvosfu.exe
File opened (read-only)	\??\w:	knkvosfu.exe
File opened (read-only)	\??\z:	knkvosfu.exe
File opened (read-only)	\??\q:	knkvosfu.exe
File opened (read-only)	\??\b:	knkvosfu.exe
File opened (read-only)	\??\m:	knkvosfu.exe
File opened (read-only)	\??\z:	ztdcyywuec.exe
File opened (read-only)	\??\h:	ztdcyywuec.exe
File opened (read-only)	\??\s:	ztdcyywuec.exe
File opened (read-only)	\??\m:	knkvosfu.exe
File opened (read-only)	\??\t:	knkvosfu.exe
File opened (read-only)	\??\t:	ztdcyywuec.exe
File opened (read-only)	\??\a:	knkvosfu.exe
File opened (read-only)	\??\i:	knkvosfu.exe
File opened (read-only)	\??\o:	ztdcyywuec.exe
File opened (read-only)	\??\z:	knkvosfu.exe
File opened (read-only)	\??\s:	knkvosfu.exe
File opened (read-only)	\??\w:	knkvosfu.exe
File opened (read-only)	\??\y:	knkvosfu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ztdcyywuec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ztdcyywuec.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x00100000000133bf-5.dat	autoit_exe
behavioral1/files/0x0009000000012281-17.dat	autoit_exe
behavioral1/files/0x0009000000012281-22.dat	autoit_exe
behavioral1/files/0x00100000000133bf-26.dat	autoit_exe
behavioral1/files/0x002f000000015c93-31.dat	autoit_exe
behavioral1/files/0x00100000000133bf-23.dat	autoit_exe
behavioral1/files/0x002f000000015c93-33.dat	autoit_exe
behavioral1/files/0x002f000000015c93-28.dat	autoit_exe
behavioral1/files/0x00100000000133bf-38.dat	autoit_exe
behavioral1/files/0x002f000000015c93-42.dat	autoit_exe
behavioral1/files/0x0007000000015da6-44.dat	autoit_exe
behavioral1/files/0x002f000000015c93-41.dat	autoit_exe
behavioral1/files/0x0007000000015da6-34.dat	autoit_exe
behavioral1/files/0x0007000000015da6-39.dat	autoit_exe
behavioral1/files/0x0002000000003d1e-50.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ztdcyywuec.exe	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\SysWOW64\vugbpulyscsnmbp.exe	5263ee44519d3d416ec840fd28e3757c.exe
File created	C:\Windows\SysWOW64\knkvosfu.exe	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\SysWOW64\ztdcyywuec.exe	5263ee44519d3d416ec840fd28e3757c.exe
File created	C:\Windows\SysWOW64\vugbpulyscsnmbp.exe	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\SysWOW64\knkvosfu.exe	5263ee44519d3d416ec840fd28e3757c.exe
File created	C:\Windows\SysWOW64\pkviyyzhkzaaq.exe	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\SysWOW64\pkviyyzhkzaaq.exe	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ztdcyywuec.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DisconnectStart.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files\DisconnectStart.nal	knkvosfu.exe
File opened for modification	\??\c:\Program Files\SplitUnprotect.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	knkvosfu.exe
File opened for modification	C:\Program Files\SplitUnprotect.nal	knkvosfu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	knkvosfu.exe
File opened for modification	\??\c:\Program Files\DisconnectStart.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files\SplitUnprotect.doc.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files\SplitUnprotect.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files\SplitUnprotect.nal	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	knkvosfu.exe
File created	\??\c:\Program Files\SplitUnprotect.doc.exe	knkvosfu.exe
File created	\??\c:\Program Files\DisconnectStart.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files\SplitUnprotect.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	knkvosfu.exe
File opened for modification	C:\Program Files\DisconnectStart.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files\DisconnectStart.doc.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	knkvosfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	knkvosfu.exe
File opened for modification	C:\Program Files\DisconnectStart.nal	knkvosfu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	knkvosfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	knkvosfu.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	5263ee44519d3d416ec840fd28e3757c.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	ztdcyywuec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7C9C2D83256D3577A077212DDB7DF464DA"	5263ee44519d3d416ec840fd28e3757c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAF9B1F96AF1E084093A4486973E98B38C028C4212034EE1BA429B09D1"	5263ee44519d3d416ec840fd28e3757c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	5263ee44519d3d416ec840fd28e3757c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B15D47E5389D53B8B9D13293D4B8"	5263ee44519d3d416ec840fd28e3757c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8C4F2685189031D62E7EE6BDE5E14658366746633FD6EC"	5263ee44519d3d416ec840fd28e3757c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2580	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
1952	knkvosfu.exe
1952	knkvosfu.exe
1952	knkvosfu.exe
1952	knkvosfu.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2788	vugbpulyscsnmbp.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe
Token: SeShutdownPrivilege	2472	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
1952	knkvosfu.exe
1952	knkvosfu.exe
1952	knkvosfu.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2648	5263ee44519d3d416ec840fd28e3757c.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2664	ztdcyywuec.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2712	knkvosfu.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2788	vugbpulyscsnmbp.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2084	pkviyyzhkzaaq.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe
2472	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2580	WINWORD.EXE
2580	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2664	2648	5263ee44519d3d416ec840fd28e3757c.exe	28
PID 2648 wrote to memory of 2664	2648	5263ee44519d3d416ec840fd28e3757c.exe	28
PID 2648 wrote to memory of 2664	2648	5263ee44519d3d416ec840fd28e3757c.exe	28
PID 2648 wrote to memory of 2664	2648	5263ee44519d3d416ec840fd28e3757c.exe	28
PID 2648 wrote to memory of 2788	2648	5263ee44519d3d416ec840fd28e3757c.exe	29
PID 2648 wrote to memory of 2788	2648	5263ee44519d3d416ec840fd28e3757c.exe	29
PID 2648 wrote to memory of 2788	2648	5263ee44519d3d416ec840fd28e3757c.exe	29
PID 2648 wrote to memory of 2788	2648	5263ee44519d3d416ec840fd28e3757c.exe	29
PID 2648 wrote to memory of 2712	2648	5263ee44519d3d416ec840fd28e3757c.exe	31
PID 2648 wrote to memory of 2712	2648	5263ee44519d3d416ec840fd28e3757c.exe	31
PID 2648 wrote to memory of 2712	2648	5263ee44519d3d416ec840fd28e3757c.exe	31
PID 2648 wrote to memory of 2712	2648	5263ee44519d3d416ec840fd28e3757c.exe	31
PID 2648 wrote to memory of 2084	2648	5263ee44519d3d416ec840fd28e3757c.exe	30
PID 2648 wrote to memory of 2084	2648	5263ee44519d3d416ec840fd28e3757c.exe	30
PID 2648 wrote to memory of 2084	2648	5263ee44519d3d416ec840fd28e3757c.exe	30
PID 2648 wrote to memory of 2084	2648	5263ee44519d3d416ec840fd28e3757c.exe	30
PID 2664 wrote to memory of 1952	2664	ztdcyywuec.exe	32
PID 2664 wrote to memory of 1952	2664	ztdcyywuec.exe	32
PID 2664 wrote to memory of 1952	2664	ztdcyywuec.exe	32
PID 2664 wrote to memory of 1952	2664	ztdcyywuec.exe	32
PID 2648 wrote to memory of 2580	2648	5263ee44519d3d416ec840fd28e3757c.exe	33
PID 2648 wrote to memory of 2580	2648	5263ee44519d3d416ec840fd28e3757c.exe	33
PID 2648 wrote to memory of 2580	2648	5263ee44519d3d416ec840fd28e3757c.exe	33
PID 2648 wrote to memory of 2580	2648	5263ee44519d3d416ec840fd28e3757c.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe
"C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\SysWOW64\ztdcyywuec.exe
  ztdcyywuec.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\knkvosfu.exe
    C:\Windows\system32\knkvosfu.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1952
- C:\Windows\SysWOW64\vugbpulyscsnmbp.exe
  vugbpulyscsnmbp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2788
- C:\Windows\SysWOW64\pkviyyzhkzaaq.exe
  pkviyyzhkzaaq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2084
- C:\Windows\SysWOW64\knkvosfu.exe
  knkvosfu.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2712
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2580

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DisconnectStart.doc.exe

Filesize
337KB

MD5
3eb0a308d41f6936208559c255e8877b

SHA1
a4bac734ad29b66f009bcc65d2e558313abd11e9

SHA256
9db914eb0fa4e170ea2456f42b0514eb03ec48549c671e470ea7280dafd02bbf

SHA512
9a58ed28d2b1da8fbb617bf1d76a0ec35b9181243196f580a7c692f99d66af3cfdd9c61f4098f9680a7c3e273f14bae7b98cd0a1c3961ede4f9f97364ad65327

Download Submit
C:\Windows\SysWOW64\knkvosfu.exe

Filesize
30KB

MD5
9049e6bbc10adaa2c03d5a60e579ccf3

SHA1
e47e06c43f2ec0561483b761ae2ecccd3712ed9d

SHA256
f714cb3575b5a702f70abb9dc899cf25f279f44c01c0a3e46d74f52ce4728283

SHA512
800ff578e97ec5990c578b07aa0926c46d36683b6a49e0433e004b9f59a0e58474b3053c54258545d67c3725e1695960b0eb3fa6711dab14374bac02271c81be

Download Submit
C:\Windows\SysWOW64\knkvosfu.exe

Filesize
345KB

MD5
34bdbe55c7eb68b4aea144e2ccadabe8

SHA1
34b8fe6e7573a61f9704732b7671957b4214aaa7

SHA256
83e7f5d2420849eadf2e9d703bbd0cac012e6d5cf43ec19a75c626f53005fd89

SHA512
47f2a805bd367e6eb508cff044bfbcc32f4e34a71c5486b8bfc9840306a6551376eb4af25842c213b9c08634f6d3a45cec312dff56bd8f68d4b65e90c842de54

Download Submit
C:\Windows\SysWOW64\knkvosfu.exe

Filesize
381KB

MD5
9995d2f692a7f3e60a4351dc09ec453a

SHA1
33fdc4cfe7ff49bde1159a522dcab09c7ca462a2

SHA256
c00a5fccf496864b0af740e8aa89ebc17eeaf4165f81f533bc84925eb7960e41

SHA512
f714de63f93ba68964d33ad047aec87fafa9639602b3bb118ddaec45e5a65d78d7925cd8204fa4d673b401a7f4cda193950394e546453ce17299decde5423945

Download Submit
C:\Windows\SysWOW64\pkviyyzhkzaaq.exe

Filesize
466KB

MD5
5c8978da67f66039c809318729728cbc

SHA1
8f553268746d0636d169c5b9dd85d4debced348a

SHA256
146a4be9bca65ceafb21462979bac37b882d7ef40d799b1f7cbfb6abe7643b29

SHA512
07c70e9063802ab62e73681b0a3b7d50ac4e7fd35d00c699bc549a5b4d43b65e89a37b4d69d1c41a4ea2df6cb84945469ca2914cf88202325373490c01940b94

Download Submit
C:\Windows\SysWOW64\pkviyyzhkzaaq.exe

Filesize
385KB

MD5
1af7e0b81936176869fc12e85f954d2b

SHA1
d32dd2ec067c6b4cdbab051ae8489bf883fc1d02

SHA256
ba65ea9edce23dadc4744b353e238001829e6d5cdd50efa76e5e8cf4aa13e0df

SHA512
62e595ab43b0772695e2174db8a442969f5b1c83763a39f97bd73178a949a4fda09b562eedc9d3c046db72ee2e1ca025bbd9d07e4fa56ab681f664a4067d0c29

Download Submit
C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

Filesize
24KB

MD5
3853d8b90f81d232abcf861600e5c17c

SHA1
dff05514421858dcf8382d0501779c452efcba31

SHA256
84c06b69e9531d6e2473b11ad5e83dabbec3fd500bb9e2c54a29a1a1d27abacf

SHA512
56bacb24be4fb31048a476baab034a4fb299bd3eb3e63e62191d19abbca6af369a835f89beb1893ca0780ec6a04bb97449aecc23c776c8491888f7c07ef6c027

Download Submit
C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

Filesize
410KB

MD5
32298f5f131ff4e4d0847331f113aba6

SHA1
c8ae57715477b340c543aeca6c85cc2b7556a634

SHA256
dbef92936a0ca30ed1e46536f22db3d70ccb448eb63ab01b8d2b10953bfda559

SHA512
2a2fc47a638ab2041532a5798d257f8abfb0f389cbf46ab397edb593b57d0484ba2f71b0b3b48fb3f91efca357f36da85bb37c84a0beaf51b61559fe5c797b81

Download Submit
C:\Windows\SysWOW64\vugbpulyscsnmbp.exe

Filesize
512KB

MD5
ce762988d8809c3c94c9cfcd8ab23702

SHA1
3c412852377fd5583c2e127df1553f938579238a

SHA256
ec80302fe06b760dcdfd825ef4528c5048fe06385263c62cfedf5f974cc849ff

SHA512
7f6405f428cff482d74575769e7127c7dbcddca861aacafaa310e6a48484779fa9709e56af68e4508c8b0534bbb6d907a7f729b22e8f9d984565d59022f985e4

Download Submit
C:\Windows\SysWOW64\ztdcyywuec.exe

Filesize
381KB

MD5
6b4db2d51a6d07abb195937bd9f737c0

SHA1
50332fe1f7a59d3e57fbb1cd7e6e7eae68f61a4b

SHA256
370bbbe0b65ceeabb7f27fc734efdc19aaad52252d2608e2ca22790de76cc3a3

SHA512
6d50a59a932e00fa276cccb6fa3945f7c8f419fed7f44aac41cef2cfa650a97e79dc233c3402a95c7cf49ff28b82cdf50a3dc55480d4363dc2147918f43a6a83

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\knkvosfu.exe

Filesize
512KB

MD5
6783c156f9e774efd715396c3938fe9d

SHA1
1f4c3a4940ee490522b0dd7c1aff3352708e9d8c

SHA256
53b38f59859e615926a292b8f8be42350fe867c238e56a2169e275ce887a7aa1

SHA512
0b0b6765c0c465f45a6e776d2de802dfd97b4a2e76164f1446b8ede42ea60a5ab4a61e916a460bdd73d64c778938f652a8bb1d09cdfc076ccd19b4ce85c63149

Download Submit
\Windows\SysWOW64\knkvosfu.exe

Filesize
383KB

MD5
f2da9014910be9007ba05c55c80af761

SHA1
50be8400869b37a586679bb7d808f82e83a3861c

SHA256
65ac234b58eff0259f20e56ee412763df36a46cbe7275139f6f1b2bb1f94dfa5

SHA512
85c6c394768e0f1f99ea8c8fea5c1f5e90c96d41fe5a9ee4e90aa66f3c7d532197ddcac19b64c452a172f0ec6c6cdd6b07add00defaf26204a65297f1dbe5646

Download Submit
\Windows\SysWOW64\pkviyyzhkzaaq.exe

Filesize
406KB

MD5
0b844d949ac46f910ef4aa1642b6b3be

SHA1
78840733e1a849c0ca97f11340707d81d1eaa1f4

SHA256
b735b0f17607e3ccf1d1b69f3c7b4adf9b5951eeefaa85dfed4e3a2722e81599

SHA512
c240c5a797ed52c60dd40ff0d061b220b8aea5755db5d42ce3a4373a3f276f146c5a1fc32cb4fef9030d54cdbe46b2a7f0dfd0f09577f2b61e50bac6a2b7a171

Download Submit
\Windows\SysWOW64\vugbpulyscsnmbp.exe

Filesize
61KB

MD5
410bbed7f087c0724804ea84d51385e4

SHA1
4b40bcf8504b2085704484095a8dfd6c20435197

SHA256
cc17fac3ea58993d999a130172f661c795aa7b4ecd596b8b4ab4e3cd8c981cd4

SHA512
d4af28748c442b1fea3b832e4cd03f44cf153fd07ffd4357018cd233a359412b854a8877e7b4226f2f5832fc4d12c68aa1b29b65028593df1f774691146d6892

Download Submit
\Windows\SysWOW64\ztdcyywuec.exe

Filesize
512KB

MD5
e7f891b01a9a9da2e401eb0939d37657

SHA1
55ddb4217a41cf40a7fc29f7bb347a5acc845785

SHA256
0eb3708944aafa1c46deb6cb8f7383c1e2ebc94e71110c1f3c98a08ce1378a18

SHA512
1923c8170f1585f9f2f66b876585524f21feb1cabbf13fdb3a29f4c29503ac2583b3c19274a8b9690b2845e38c4b42a51ad8c55ae2c0e3f0363a621095a050f3

Download Submit
memory/2472-83-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2472-86-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2472-91-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/2580-45-0x000000002F661000-0x000000002F662000-memory.dmp

Filesize
4KB

Download
memory/2580-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2580-53-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/2580-84-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/2648-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download