Analysis
Max time kernel: 151s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11-01-2024 03:19
Static task: static1
Behavioral task: behavioral1
  Sample: 5263ee44519d3d416ec840fd28e3757c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5263ee44519d3d416ec840fd28e3757c.exe
  Resource: win10v2004-20231215-en
General
Target: 5263ee44519d3d416ec840fd28e3757c.exe
Size: 512KB
MD5: 5263ee44519d3d416ec840fd28e3757c
SHA1: b9f96e553e4e668d14d01d60ff67e4f647545906
SHA256: 84d7ddcbfd77db7442c481199561925908aca7c30f36a28a39ceeafa0e9210ff
SHA512: 8929f25b5a14b77f367fd52fcdce3ff915fa55b16777c2439c2452fd8d79fe33ef5a5183ca03954b7bc8d556298ecafb2634f546fcb2e4c19a1f50ac9413154b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (asxzfnnlfb.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (asxzfnnlfb.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (asxzfnnlfb.exe)
Disables RegEdit via registry modification (1 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (asxzfnnlfb.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (5263ee44519d3d416ec840fd28e3757c.exe)
Executes dropped EXE (5 IoCs)
- PID 4388: asxzfnnlfb.exe
- PID 2456: hniukgszznxaapo.exe
- PID 4336: rlxuuhci.exe
- PID 3232: ohuojrakpfeha.exe
- PID 1764: rlxuuhci.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (asxzfnnlfb.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfqcvhmb = "asxzfnnlfb.exe" (hniukgszznxaapo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dhstfxhy = "hniukgszznxaapo.exe" (hniukgszznxaapo.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ohuojrakpfeha.exe" (hniukgszznxaapo.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (asxzfnnlfb.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (asxzfnnlfb.exe)
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/4120-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral2/files/0x000300000001e715-5.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000001e0ce-18.dat (yara rule: autoit_exe)
- behavioral2/files/0x000600000001e0ce-19.dat (yara rule: autoit_exe)
- behavioral2/files/0x000300000001e7dc-26.dat (yara rule: autoit_exe)
- behavioral2/files/0x000200000001e7dd-32.dat (yara rule: autoit_exe)
- behavioral2/files/0x000200000001e7fb-73.dat (yara rule: autoit_exe)
- behavioral2/files/0x000200000001e7fa-70.dat (yara rule: autoit_exe)
- behavioral2/files/0x000400000001e9c2-100.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000001e7ef-130.dat (yara rule: autoit_exe)
- behavioral2/files/0x000700000001e7ef-132.dat (yara rule: autoit_exe)
Drops file in System32 directory (13 IoCs)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (rlxuuhci.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (rlxuuhci.exe)
- File opened for modification: C:\Windows\SysWOW64\asxzfnnlfb.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\rlxuuhci.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File created: C:\Windows\SysWOW64\ohuojrakpfeha.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\ohuojrakpfeha.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (rlxuuhci.exe)
- File created: C:\Windows\SysWOW64\rlxuuhci.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (asxzfnnlfb.exe)
- File created: C:\Windows\SysWOW64\asxzfnnlfb.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\SysWOW64\hniukgszznxaapo.exe (5263ee44519d3d416ec840fd28e3757c.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (rlxuuhci.exe)
- File created: C:\Windows\SysWOW64\hniukgszznxaapo.exe (5263ee44519d3d416ec840fd28e3757c.exe)
Drops file in Program Files directory (15 IoCs)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (rlxuuhci.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (rlxuuhci.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (rlxuuhci.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (rlxuuhci.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (rlxuuhci.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (rlxuuhci.exe)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf (5263ee44519d3d416ec840fd28e3757c.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFABAF964F2E5837B3B4681983EE2B3FC02FA42600338E1CF459908A5" (5263ee44519d3d416ec840fd28e3757c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (asxzfnnlfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (asxzfnnlfb.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D7B9D2182556A4376A570512CAB7DF164DB" (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C67914E1DBBFB8B97F95ED9637B9" (5263ee44519d3d416ec840fd28e3757c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BB3FF1C21DBD109D0A68A749113" (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (asxzfnnlfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (asxzfnnlfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (asxzfnnlfb.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B15F44E6389852CBBAA132EFD7CF" (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFF8F4F5C851E9132D65A7D94BDE6E632594167426336D7EC" (5263ee44519d3d416ec840fd28e3757c.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (asxzfnnlfb.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (asxzfnnlfb.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (19 IoCs)
Suspicious use of SendNotifyMessage (19 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
- PID 3496: WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4120 wrote to memory of 4388 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 90)
- PID 4120 wrote to memory of 4388 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 90)
- PID 4120 wrote to memory of 4388 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 90)
- PID 4120 wrote to memory of 2456 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 91)
- PID 4120 wrote to memory of 2456 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 91)
- PID 4120 wrote to memory of 2456 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 91)
- PID 4120 wrote to memory of 4336 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 92)
- PID 4120 wrote to memory of 4336 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 92)
- PID 4120 wrote to memory of 4336 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 92)
- PID 4120 wrote to memory of 3232 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 93)
- PID 4120 wrote to memory of 3232 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 93)
- PID 4120 wrote to memory of 3232 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 93)
- PID 4388 wrote to memory of 1764 (asxzfnnlfb.exe, procid_target 94)
- PID 4388 wrote to memory of 1764 (asxzfnnlfb.exe, procid_target 94)
- PID 4388 wrote to memory of 1764 (asxzfnnlfb.exe, procid_target 94)
- PID 4120 wrote to memory of 3496 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 95)
- PID 4120 wrote to memory of 3496 (5263ee44519d3d416ec840fd28e3757c.exe, procid_target 95)
Processes

C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe (PID 4120, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\5263ee44519d3d416ec840fd28e3757c.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\asxzfnnlfb.exe (PID 4388, depth 2)
  Command line: asxzfnnlfb.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rlxuuhci.exe (PID 1764, depth 3)
    Command line: C:\Windows\system32\rlxuuhci.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hniukgszznxaapo.exe (PID 2456, depth 2)
  Command line: hniukgszznxaapo.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\rlxuuhci.exe (PID 4336, depth 2)
  Command line: rlxuuhci.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ohuojrakpfeha.exe (PID 3232, depth 2)
  Command line: ohuojrakpfeha.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3496, depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads