Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/01/2024, 15:52

Static task: static1

Behavioral task: behavioral1
  Sample: 56e044d4c3201d7da77a8d820d7dc15b.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 56e044d4c3201d7da77a8d820d7dc15b.exe
  Resource: win10v2004-20231222-en
General
Target: 56e044d4c3201d7da77a8d820d7dc15b.exe
Size: 512KB
MD5: 56e044d4c3201d7da77a8d820d7dc15b
SHA1: 8d92a2560df036f0436c0a50aa5e1be43b5328c1
SHA256: 9334bdb6affde65f0b8a08c160bf9ddf130c80928d041efd6ce3c098ddae4eab
SHA512: 8387f1d0447c0190ba6202795b2315515083924f955dbde6bf5bad1af4013304d96a64b83bf864c703a574154e214ae4bf817111ec24cbc6c4a8579f9ab186b2
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6L:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  rfaeqjtykv.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  rfaeqjtykv.exe

Windows security bypass 5 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  rfaeqjtykv.exe
Disables RegEdit via registry modification 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  rfaeqjtykv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  56e044d4c3201d7da77a8d820d7dc15b.exe
Executes dropped EXE 5 IoCs
pid  Process
1272  rfaeqjtykv.exe
1336  abwoibhhknpqdmz.exe
708  mrkdwzeo.exe
4468  fjmacwjvtntmz.exe
4476  mrkdwzeo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  rfaeqjtykv.exe
Adds Run key to start application 2 TTPs 3 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cozvvcpk = "rfaeqjtykv.exe"  abwoibhhknpqdmz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vbdfuekt = "abwoibhhknpqdmz.exe"  abwoibhhknpqdmz.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fjmacwjvtntmz.exe"  abwoibhhknpqdmz.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\p:  rfaeqjtykv.exe
File opened (read-only)  \??\s:  rfaeqjtykv.exe
File opened (read-only)  \??\b:  mrkdwzeo.exe
File opened (read-only)  \??\g:  mrkdwzeo.exe
File opened (read-only)  \??\l:  mrkdwzeo.exe
File opened (read-only)  \??\i:  rfaeqjtykv.exe
File opened (read-only)  \??\j:  mrkdwzeo.exe
File opened (read-only)  \??\l:  mrkdwzeo.exe
File opened (read-only)  \??\q:  mrkdwzeo.exe
File opened (read-only)  \??\s:  mrkdwzeo.exe
File opened (read-only)  \??\y:  mrkdwzeo.exe
File opened (read-only)  \??\j:  rfaeqjtykv.exe
File opened (read-only)  \??\r:  rfaeqjtykv.exe
File opened (read-only)  \??\a:  mrkdwzeo.exe
File opened (read-only)  \??\z:  mrkdwzeo.exe
File opened (read-only)  \??\v:  mrkdwzeo.exe
File opened (read-only)  \??\z:  mrkdwzeo.exe
File opened (read-only)  \??\o:  mrkdwzeo.exe
File opened (read-only)  \??\t:  mrkdwzeo.exe
File opened (read-only)  \??\p:  mrkdwzeo.exe
File opened (read-only)  \??\a:  rfaeqjtykv.exe
File opened (read-only)  \??\e:  rfaeqjtykv.exe
File opened (read-only)  \??\t:  rfaeqjtykv.exe
File opened (read-only)  \??\i:  mrkdwzeo.exe
File opened (read-only)  \??\e:  mrkdwzeo.exe
File opened (read-only)  \??\s:  mrkdwzeo.exe
File opened (read-only)  \??\w:  rfaeqjtykv.exe
File opened (read-only)  \??\r:  mrkdwzeo.exe
File opened (read-only)  \??\b:  rfaeqjtykv.exe
File opened (read-only)  \??\k:  rfaeqjtykv.exe
File opened (read-only)  \??\v:  rfaeqjtykv.exe
File opened (read-only)  \??\j:  mrkdwzeo.exe
File opened (read-only)  \??\x:  mrkdwzeo.exe
File opened (read-only)  \??\h:  mrkdwzeo.exe
File opened (read-only)  \??\v:  mrkdwzeo.exe
File opened (read-only)  \??\w:  mrkdwzeo.exe
File opened (read-only)  \??\g:  rfaeqjtykv.exe
File opened (read-only)  \??\y:  rfaeqjtykv.exe
File opened (read-only)  \??\r:  mrkdwzeo.exe
File opened (read-only)  \??\u:  rfaeqjtykv.exe
File opened (read-only)  \??\z:  rfaeqjtykv.exe
File opened (read-only)  \??\e:  mrkdwzeo.exe
File opened (read-only)  \??\a:  mrkdwzeo.exe
File opened (read-only)  \??\m:  mrkdwzeo.exe
File opened (read-only)  \??\n:  mrkdwzeo.exe
File opened (read-only)  \??\o:  rfaeqjtykv.exe
File opened (read-only)  \??\k:  mrkdwzeo.exe
File opened (read-only)  \??\o:  mrkdwzeo.exe
File opened (read-only)  \??\q:  mrkdwzeo.exe
File opened (read-only)  \??\x:  rfaeqjtykv.exe
File opened (read-only)  \??\u:  mrkdwzeo.exe
File opened (read-only)  \??\k:  mrkdwzeo.exe
File opened (read-only)  \??\w:  mrkdwzeo.exe
File opened (read-only)  \??\x:  mrkdwzeo.exe
File opened (read-only)  \??\h:  mrkdwzeo.exe
File opened (read-only)  \??\h:  rfaeqjtykv.exe
File opened (read-only)  \??\m:  rfaeqjtykv.exe
File opened (read-only)  \??\g:  mrkdwzeo.exe
File opened (read-only)  \??\i:  mrkdwzeo.exe
File opened (read-only)  \??\t:  mrkdwzeo.exe
File opened (read-only)  \??\q:  rfaeqjtykv.exe
File opened (read-only)  \??\u:  mrkdwzeo.exe
File opened (read-only)  \??\l:  rfaeqjtykv.exe
File opened (read-only)  \??\n:  mrkdwzeo.exe
Modifies WinLogon 2 TTPs 2 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  rfaeqjtykv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  rfaeqjtykv.exe
AutoIT Executable 6 IoCs
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/1768-0-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
behavioral2/files/0x00060000000231f1-28.dat  autoit_exe
behavioral2/files/0x00060000000231f2-29.dat  autoit_exe
behavioral2/files/0x00070000000231ed-22.dat  autoit_exe
behavioral2/files/0x00070000000231ea-19.dat  autoit_exe
behavioral2/files/0x000b00000002311a-99.dat  autoit_exe
Drops file in System32 directory 13 IoCs
description  ioc  Process
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  C:\Windows\SysWOW64\abwoibhhknpqdmz.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  rfaeqjtykv.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Windows\SysWOW64\rfaeqjtykv.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File created  C:\Windows\SysWOW64\rfaeqjtykv.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File opened for modification  C:\Windows\SysWOW64\abwoibhhknpqdmz.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File created  C:\Windows\SysWOW64\mrkdwzeo.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Windows\SysWOW64\mrkdwzeo.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File created  C:\Windows\SysWOW64\fjmacwjvtntmz.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
File opened for modification  C:\Windows\SysWOW64\fjmacwjvtntmz.exe  56e044d4c3201d7da77a8d820d7dc15b.exe
Drops file in Program Files directory 22 IoCs
description  ioc  Process
File opened for modification  C:\Program Files\ShowSuspend.doc.exe  mrkdwzeo.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\ShowSuspend.doc.exe  mrkdwzeo.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\ShowSuspend.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  mrkdwzeo.exe
File opened for modification  C:\Program Files\ShowSuspend.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\ShowSuspend.nal  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  mrkdwzeo.exe
File created  \??\c:\Program Files\ShowSuspend.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Program Files\ShowSuspend.nal  mrkdwzeo.exe
Drops file in Windows directory 19 IoCs
description  ioc  Process
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  C:\Windows\mydoc.rtf  56e044d4c3201d7da77a8d820d7dc15b.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  mrkdwzeo.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  mrkdwzeo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
Modifies registry class 20 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  rfaeqjtykv.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  rfaeqjtykv.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  rfaeqjtykv.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  rfaeqjtykv.exe
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8D482D85699142D6207DE6BC92E636593266436333D69E"  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BC1FF6E22DED109D0D48B799161"  56e044d4c3201d7da77a8d820d7dc15b.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  rfaeqjtykv.exe
Key created  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7E9C5783236D4676A177222DD77D8565DF"  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FACDFE6AF19683793B4386EC3999B0FB02FA42680238E1CA42ED09A0"  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B02847E5399F52C9B9A732E9D7C9"  56e044d4c3201d7da77a8d820d7dc15b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60815E6DAC4B9C17CE1ED9537CD"  56e044d4c3201d7da77a8d820d7dc15b.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  rfaeqjtykv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  rfaeqjtykv.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1844 WINWORD.EXE 1844 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1768 56e044d4c3201d7da77a8d820d7dc15b.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1272 rfaeqjtykv.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 1336 abwoibhhknpqdmz.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 708 mrkdwzeo.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4468 fjmacwjvtntmz.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe 4476 mrkdwzeo.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 1844 WINWORD.EXE 1844 WINWORD.EXE 1844 WINWORD.EXE 1844 WINWORD.EXE 1844 WINWORD.EXE 1844 WINWORD.EXE 1844 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description  pid  Process  procid_target
PID 1768 wrote to memory of 1272  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  32
PID 1768 wrote to memory of 1272  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  32
PID 1768 wrote to memory of 1272  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  32
PID 1768 wrote to memory of 1336  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  31
PID 1768 wrote to memory of 1336  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  31
PID 1768 wrote to memory of 1336  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  31
PID 1768 wrote to memory of 708  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  22
PID 1768 wrote to memory of 708  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  22
PID 1768 wrote to memory of 708  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  22
PID 1768 wrote to memory of 4468  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  29
PID 1768 wrote to memory of 4468  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  29
PID 1768 wrote to memory of 4468  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  29
PID 1768 wrote to memory of 1844  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  24
PID 1768 wrote to memory of 1844  1768  56e044d4c3201d7da77a8d820d7dc15b.exe  24
PID 1272 wrote to memory of 4476  1272  rfaeqjtykv.exe  27
PID 1272 wrote to memory of 4476  1272  rfaeqjtykv.exe  27
PID 1272 wrote to memory of 4476  1272  rfaeqjtykv.exe  27
Processes

C:\Users\Admin\AppData\Local\Temp\56e044d4c3201d7da77a8d820d7dc15b.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\56e044d4c3201d7da77a8d820d7dc15b.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1768

C:\Windows\SysWOW64\mrkdwzeo.exe (depth 2)
Command line: mrkdwzeo.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 708

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1844

C:\Windows\SysWOW64\fjmacwjvtntmz.exe (depth 2)
Command line: fjmacwjvtntmz.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4468

C:\Windows\SysWOW64\abwoibhhknpqdmz.exe (depth 2)
Command line: abwoibhhknpqdmz.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1336

C:\Windows\SysWOW64\rfaeqjtykv.exe (depth 2)
Command line: rfaeqjtykv.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1272

C:\Windows\SysWOW64\mrkdwzeo.exe (depth 1)
Command line: C:\Windows\system32\mrkdwzeo.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4476

Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 4d5e789a8ce0ee3c8033e90e69c0be29
SHA1: 6628d01709ad1ba9f440650d376318fccfdecd87
SHA256: 0b19b4ae46bf4134aacad2013d62dbde8fb5cfd8191cb9da4d3b1bdd708a3a9b
SHA512: edeb697d03f39b6767b5bab45abf7c6df5d4e7b4adadb149692bf0a35d6c62d49ba21efd5beb3c835f34d5ef8d3033e0352afc21724320ffbbd458e7c8bcd919

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 86dbb253af166b20ee086edfd53b0358
SHA1: 9f3146190e43993093b84bcc7754b5e1f1fc60b3
SHA256: a3562dbefde74bdfeb16fc84de36bd24514b3f285828608cff819a213f5c93df
SHA512: a9060c5b14880f7064a4bbf40b7384b616cfa30bf8d211e75054c3e0fb7c419a9112710c3512019668c5bfd7f84ef942e44a62a4b2d5cb30883b4d95bad1a60f

Filesize: 512KB
MD5: 029c2ba59f312fd4c89ff2ab61eed9df
SHA1: ebdfcbdde00f68ced140ac511f55906ae740f3d2
SHA256: ea32699898a28cda33a81f8f1864b50be2411b2938ca4766b0ef2c0e6cce3b7c
SHA512: c51d3e5c7eeb5b37c4f51446ca7096579d40ec0fe9efb14b14e9f9d05e48e6ea082caf16eab9142be0bfd33bf7b65f9d51ec2910b9286eb24356dd9629ddec83

Filesize: 512KB
MD5: 39fbc9b1ee9dcb8aa3cfe4a300159f9e
SHA1: 4bbd87b59d35e4ddba19e38a4c3e4264fdd84777
SHA256: 4c653311f9ae9d557c9dc080333ff5545c5eb2b866870f6637386ea8d91cabfd
SHA512: dab1a3cefc85895eec379c44ac8dba8842c5007903c6a82a835140e0db9c06bc8e208ad08a419273e917a0b519872fb54dbbb6bb2311a49a5402ef0c5961a5a2

Filesize: 512KB
MD5: f50287209c27e3c6911279e65acd653b
SHA1: f4803c042447f6db5c0bfb3b540866378b4cfb82
SHA256: 29268533f77c8bc868819b4c252b81400c4ed92ca1fb01e3142577f8c186611c
SHA512: 2eb09f3e7a01741edd0a5bd7a3afe69779786c430309dce6f45eba731019542daf3cc7b18699693f95922fd37a1dd7f937b70be205cb4a09a1bca38657399c91

Filesize: 512KB
MD5: f1e97ba21bbb3d3bc95868024158fff1
SHA1: 20a0893f7b258eb13009e36ba561c9eff7382b90
SHA256: 4b8cab00f5210d3b58c67eb12b8b0fa8270fdffd6e8df65ab2594118516600b9
SHA512: b1a35ad220fe3121db0fc77dc946bdef929315abcbba4b4c525079e2649e99a418ffdaedd115e1c4835d7c2f9960310eac001235cfd95aec96bf92e18a1ee453

Filesize: 512KB
MD5: 2f540aa8da11a1dbd058c0855bfb6b18
SHA1: 0b4a57b18277e4ffbc7c19a40b62adc8b25b36b7
SHA256: bf34255e48edc28d8f60902fa7f0f14f8ea094ec1916fae502b7a3c701b44086
SHA512: 6083d61a7191b5b1121a79b8de5d1970dc9db819248e46df03bb2b9f41c33304f3e6a1d133118d8fc8fa9088ac36c9f9b0386f114cb797e2a8272db6daad1829