Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 12/01/2024, 12:23
Static task: static1
Behavioral task: behavioral1
  Sample: 5673e35832ec37db9ee71760ef26bf73.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5673e35832ec37db9ee71760ef26bf73.exe
  Resource: win10v2004-20231215-en
General
Target: 5673e35832ec37db9ee71760ef26bf73.exe
Size: 512KB
MD5: 5673e35832ec37db9ee71760ef26bf73
SHA1: 77d214f5333054a525e25c642f5d9596061dbbdb
SHA256: 78756bffbb2a78a1e0ae9216e718da587d602ddad1835132461fc2e98e984470
SHA512: 82ba7d3c613ddf675bce3bbd7738cc6ca228428cd0931cfe04ffbddf5b8270420d1193386b8801238a7a7e98ae1cb492ac26747fee6509eb9508745d0bdff2c3
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5o
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  azkuadurnn.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  azkuadurnn.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass (5 IoCs)
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
  azkuadurnn.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  5673e35832ec37db9ee71760ef26bf73.exe: Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
  PID 4940 azkuadurnn.exe
  PID 1688 xayqoqfkyexyhhm.exe
  PID 3664 jolsyrpb.exe
  PID 4116 vpcmferdwbhdv.exe
  PID 1992 jolsyrpb.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
  xayqoqfkyexyhhm.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lfrgajxb = "azkuadurnn.exe"
  xayqoqfkyexyhhm.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kdrtgynm = "xayqoqfkyexyhhm.exe"
  xayqoqfkyexyhhm.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vpcmferdwbhdv.exe"
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  azkuadurnn.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (13 IoCs)
Drops file in Program Files directory (15 IoCs)
Drops file in Windows directory (19 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
  WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (20 IoCs)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 3952 WINWORD.EXE
  PID 3952 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5673e35832ec37db9ee71760ef26bf73.exe (PID 4968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5673e35832ec37db9ee71760ef26bf73.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\azkuadurnn.exe (PID 4940)
    Command line: azkuadurnn.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\jolsyrpb.exe (PID 1992)
      Command line: C:\Windows\system32\jolsyrpb.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\xayqoqfkyexyhhm.exe (PID 1688)
    Command line: xayqoqfkyexyhhm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\vpcmferdwbhdv.exe (PID 4116)
    Command line: vpcmferdwbhdv.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\jolsyrpb.exe (PID 3664)
    Command line: jolsyrpb.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3952)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads