Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 06:44

Static task: static1

Behavioral task: behavioral1
  Sample: 66f4ada6211466ba531559f800947aed.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 66f4ada6211466ba531559f800947aed.exe
  Resource: win10v2004-20231222-en
General
Target: 66f4ada6211466ba531559f800947aed.exe
Size: 512KB
MD5: 66f4ada6211466ba531559f800947aed
SHA1: 5c56be827ec9a7183ba3ee581a63c23e8a55441c
SHA256: 86b99fa5ed242d31dd6253954980dba497709b58ae5202c4f7da53d66c140e3e
SHA512: 5446beca76cf4e8491b0214a702e44625521b282c4c8f9979dc0d3e78ae94f515a98416bf52fc441fc83b7b09f4f8faf5ef8553eb6d45db96a538c87ff277d9e
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | pejiapdtyg.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | pejiapdtyg.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pejiapdtyg.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | pejiapdtyg.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 66f4ada6211466ba531559f800947aed.exe
Executes dropped EXE 5 IoCs
pid | Process
3288 | pejiapdtyg.exe
692 | wqtzurnwhibrrtj.exe
720 | wuofgpwr.exe
3448 | nccbhyzqshipx.exe
4444 | wuofgpwr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | pejiapdtyg.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xzoootqt = "pejiapdtyg.exe" | wqtzurnwhibrrtj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gdxxhpmi = "wqtzurnwhibrrtj.exe" | wqtzurnwhibrrtj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nccbhyzqshipx.exe" | wqtzurnwhibrrtj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\o: | pejiapdtyg.exe
File opened (read-only) | \??\m: | wuofgpwr.exe
File opened (read-only) | \??\v: | wuofgpwr.exe
File opened (read-only) | \??\o: | wuofgpwr.exe
File opened (read-only) | \??\x: | wuofgpwr.exe
File opened (read-only) | \??\g: | wuofgpwr.exe
File opened (read-only) | \??\p: | wuofgpwr.exe
File opened (read-only) | \??\q: | wuofgpwr.exe
File opened (read-only) | \??\t: | wuofgpwr.exe
File opened (read-only) | \??\w: | wuofgpwr.exe
File opened (read-only) | \??\z: | wuofgpwr.exe
File opened (read-only) | \??\n: | pejiapdtyg.exe
File opened (read-only) | \??\e: | wuofgpwr.exe
File opened (read-only) | \??\k: | wuofgpwr.exe
File opened (read-only) | \??\t: | pejiapdtyg.exe
File opened (read-only) | \??\a: | wuofgpwr.exe
File opened (read-only) | \??\h: | wuofgpwr.exe
File opened (read-only) | \??\j: | wuofgpwr.exe
File opened (read-only) | \??\n: | wuofgpwr.exe
File opened (read-only) | \??\s: | wuofgpwr.exe
File opened (read-only) | \??\v: | wuofgpwr.exe
File opened (read-only) | \??\l: | pejiapdtyg.exe
File opened (read-only) | \??\w: | pejiapdtyg.exe
File opened (read-only) | \??\j: | wuofgpwr.exe
File opened (read-only) | \??\n: | wuofgpwr.exe
File opened (read-only) | \??\y: | wuofgpwr.exe
File opened (read-only) | \??\l: | wuofgpwr.exe
File opened (read-only) | \??\u: | wuofgpwr.exe
File opened (read-only) | \??\v: | pejiapdtyg.exe
File opened (read-only) | \??\z: | pejiapdtyg.exe
File opened (read-only) | \??\s: | wuofgpwr.exe
File opened (read-only) | \??\i: | wuofgpwr.exe
File opened (read-only) | \??\m: | wuofgpwr.exe
File opened (read-only) | \??\t: | wuofgpwr.exe
File opened (read-only) | \??\e: | pejiapdtyg.exe
File opened (read-only) | \??\y: | pejiapdtyg.exe
File opened (read-only) | \??\p: | wuofgpwr.exe
File opened (read-only) | \??\q: | pejiapdtyg.exe
File opened (read-only) | \??\s: | pejiapdtyg.exe
File opened (read-only) | \??\x: | wuofgpwr.exe
File opened (read-only) | \??\r: | wuofgpwr.exe
File opened (read-only) | \??\h: | pejiapdtyg.exe
File opened (read-only) | \??\k: | pejiapdtyg.exe
File opened (read-only) | \??\l: | wuofgpwr.exe
File opened (read-only) | \??\r: | wuofgpwr.exe
File opened (read-only) | \??\k: | wuofgpwr.exe
File opened (read-only) | \??\j: | pejiapdtyg.exe
File opened (read-only) | \??\u: | pejiapdtyg.exe
File opened (read-only) | \??\z: | wuofgpwr.exe
File opened (read-only) | \??\g: | wuofgpwr.exe
File opened (read-only) | \??\i: | pejiapdtyg.exe
File opened (read-only) | \??\b: | wuofgpwr.exe
File opened (read-only) | \??\q: | wuofgpwr.exe
File opened (read-only) | \??\i: | wuofgpwr.exe
File opened (read-only) | \??\u: | wuofgpwr.exe
File opened (read-only) | \??\r: | pejiapdtyg.exe
File opened (read-only) | \??\x: | pejiapdtyg.exe
File opened (read-only) | \??\a: | wuofgpwr.exe
File opened (read-only) | \??\e: | wuofgpwr.exe
File opened (read-only) | \??\h: | wuofgpwr.exe
File opened (read-only) | \??\a: | pejiapdtyg.exe
File opened (read-only) | \??\b: | pejiapdtyg.exe
File opened (read-only) | \??\m: | pejiapdtyg.exe
File opened (read-only) | \??\y: | wuofgpwr.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | pejiapdtyg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | pejiapdtyg.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4424-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002323a-5.dat | autoit_exe
behavioral2/files/0x0007000000023237-19.dat | autoit_exe
behavioral2/files/0x000700000002323a-22.dat | autoit_exe
behavioral2/files/0x000700000002323a-24.dat | autoit_exe
behavioral2/files/0x000600000002323f-32.dat | autoit_exe
behavioral2/files/0x000600000002323f-31.dat | autoit_exe
behavioral2/files/0x000600000002323e-29.dat | autoit_exe
behavioral2/files/0x000600000002323e-28.dat | autoit_exe
behavioral2/files/0x0007000000023237-18.dat | autoit_exe
behavioral2/files/0x000600000002323e-57.dat | autoit_exe
behavioral2/files/0x000600000002324c-82.dat | autoit_exe
behavioral2/files/0x000600000002324b-76.dat | autoit_exe
behavioral2/files/0x000700000002322e-108.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wqtzurnwhibrrtj.exe | 66f4ada6211466ba531559f800947aed.exe
File opened for modification | C:\Windows\SysWOW64\wuofgpwr.exe | 66f4ada6211466ba531559f800947aed.exe
File created | C:\Windows\SysWOW64\pejiapdtyg.exe | 66f4ada6211466ba531559f800947aed.exe
File created | C:\Windows\SysWOW64\nccbhyzqshipx.exe | 66f4ada6211466ba531559f800947aed.exe
File opened for modification | C:\Windows\SysWOW64\nccbhyzqshipx.exe | 66f4ada6211466ba531559f800947aed.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | C:\Windows\SysWOW64\wqtzurnwhibrrtj.exe | 66f4ada6211466ba531559f800947aed.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | pejiapdtyg.exe
File opened for modification | C:\Windows\SysWOW64\pejiapdtyg.exe | 66f4ada6211466ba531559f800947aed.exe
File created | C:\Windows\SysWOW64\wuofgpwr.exe | 66f4ada6211466ba531559f800947aed.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wuofgpwr.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wuofgpwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wuofgpwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wuofgpwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wuofgpwr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wuofgpwr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wuofgpwr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wuofgpwr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wuofgpwr.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | C:\Windows\mydoc.rtf | 66f4ada6211466ba531559f800947aed.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wuofgpwr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wuofgpwr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wuofgpwr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32432C7D9C2383566A4677D070222DDA7C8764DE" | 66f4ada6211466ba531559f800947aed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CCFE10F29384753A4386EE3E96B0FE02FD4311023BE2CC459D08A0" | 66f4ada6211466ba531559f800947aed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02F47E1399D53C9B9D23392D4C4" | 66f4ada6211466ba531559f800947aed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | pejiapdtyg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | pejiapdtyg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | pejiapdtyg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | pejiapdtyg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 66f4ada6211466ba531559f800947aed.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 66f4ada6211466ba531559f800947aed.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | pejiapdtyg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | pejiapdtyg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFFFF485A85139130D62E7EE6BC97E6315930674E623ED69C" | 66f4ada6211466ba531559f800947aed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08668C6FE6B21AED27FD1D18B789011" | 66f4ada6211466ba531559f800947aed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC6751493DBB3B8CC7FE4ED9334B9" | 66f4ada6211466ba531559f800947aed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | pejiapdtyg.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
5092 | WINWORD.EXE
5092 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
720 | wuofgpwr.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3288 | pejiapdtyg.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
3448 | nccbhyzqshipx.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
692 | wqtzurnwhibrrtj.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
692 | wqtzurnwhibrrtj.exe
3288 | pejiapdtyg.exe
692 | wqtzurnwhibrrtj.exe
3288 | pejiapdtyg.exe
720 | wuofgpwr.exe
692 | wqtzurnwhibrrtj.exe
3288 | pejiapdtyg.exe
3448 | nccbhyzqshipx.exe
720 | wuofgpwr.exe
3448 | nccbhyzqshipx.exe
720 | wuofgpwr.exe
3448 | nccbhyzqshipx.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
4424 | 66f4ada6211466ba531559f800947aed.exe
692 | wqtzurnwhibrrtj.exe
3288 | pejiapdtyg.exe
692 | wqtzurnwhibrrtj.exe
3288 | pejiapdtyg.exe
692 | wqtzurnwhibrrtj.exe
720 | wuofgpwr.exe
3288 | pejiapdtyg.exe
3448 | nccbhyzqshipx.exe
720 | wuofgpwr.exe
3448 | nccbhyzqshipx.exe
720 | wuofgpwr.exe
3448 | nccbhyzqshipx.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
4444 | wuofgpwr.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
5092 | WINWORD.EXE
5092 | WINWORD.EXE
5092 | WINWORD.EXE
5092 | WINWORD.EXE
5092 | WINWORD.EXE
5092 | WINWORD.EXE
5092 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 4424 wrote to memory of 3288 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 89
PID 4424 wrote to memory of 3288 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 89
PID 4424 wrote to memory of 3288 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 89
PID 4424 wrote to memory of 692 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 90
PID 4424 wrote to memory of 692 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 90
PID 4424 wrote to memory of 692 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 90
PID 4424 wrote to memory of 720 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 92
PID 4424 wrote to memory of 720 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 92
PID 4424 wrote to memory of 720 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 92
PID 4424 wrote to memory of 3448 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 91
PID 4424 wrote to memory of 3448 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 91
PID 4424 wrote to memory of 3448 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 91
PID 4424 wrote to memory of 5092 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 94
PID 4424 wrote to memory of 5092 | 4424 | 66f4ada6211466ba531559f800947aed.exe | 94
PID 3288 wrote to memory of 4444 | 3288 | pejiapdtyg.exe | 95
PID 3288 wrote to memory of 4444 | 3288 | pejiapdtyg.exe | 95
PID 3288 wrote to memory of 4444 | 3288 | pejiapdtyg.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\66f4ada6211466ba531559f800947aed.exe (PID 4424)
  Command line: "C:\Users\Admin\AppData\Local\Temp\66f4ada6211466ba531559f800947aed.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\pejiapdtyg.exe (PID 3288)
    Command line: pejiapdtyg.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wuofgpwr.exe (PID 4444)
      Command line: C:\Windows\system32\wuofgpwr.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wqtzurnwhibrrtj.exe (PID 692)
    Command line: wqtzurnwhibrrtj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nccbhyzqshipx.exe (PID 3448)
    Command line: nccbhyzqshipx.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wuofgpwr.exe (PID 720)
    Command line: wuofgpwr.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5092)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 418KB
MD5: 0d0ab02e37cb109125748a04f7385251
SHA1: 52b4cbd6daa8db70ac9a8c6240345a1a1b69189c
SHA256: 9257aa2c073aed4ebda3c07b8489b269549d11dd38063743e596bdae6ebdc95c
SHA512: d624ed66b8d795d51d41a982edfd3382f64524f6a8962eb95d6ff0820e02ff803b76279e5ec2cfb180806045595ab78db6d6a30ceead0ee0a0a65853cd045e59

Filesize: 393KB
MD5: abc9403ac943318bd54c2614e1421491
SHA1: 135da7cc0b2757699da5b5d3d072443197d4a22b
SHA256: 5a7818d8fb7438ca77cbf33425c7aeb93bde026990ce8543ca70a9ac4e09b37d
SHA512: 1517a9d6a85deb4e698e771452b83dd2d35d93759abe6a95479c1945025c4af2dd812bb4a924cedbbce87ec87d18792b3efec527e19c08d71404850924a3b431

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 860968886b45c3bd7a9f35c8eb7c1426
SHA1: 5e3867896d45743d0f568aacdf0bdf6e3ed074c4
SHA256: 2649e03b0dfe80ddf983ad2a05c99390cf2e656aa8a0b819cdeb3509cd6a7cbb
SHA512: c98459f1f6ebf673b8e0eb8decf4ff8d0f86995f64c22c185a60395d179ee64129eea28798ca43fbe9c9d6958ef3895587eb4f83e22e45a670238cfc1511cd44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 1871860c8558d0c3c3de322ade4d27c2
SHA1: c27f8c0c1cf23808eb52ce71c2a89886226ce208
SHA256: 72cfa083cecc35a665a0bd31e835be45eef47451d1e0bf551a97aa6baf945e46
SHA512: 4085b52ed5f6904983a55c1e459b3b637e02e8a908bd6670c6444902ca49eeea178f44ae23cda4348c934a6a98c93c7dbe33b74dfb8d87ee13abd66b122d31c7

Filesize: 57KB
MD5: 3a81bb7f89fff51fd80d1e9e1e60471f
SHA1: 7c04e73b47855108f7cb0f1f8e76b71078d74158
SHA256: 7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512: d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

Filesize: 12KB
MD5: c5069d67dbc788cc6221ae2642ce4944
SHA1: 3ce79f390a31e97c4e3797732949844a1748f450
SHA256: 88585bdeb224abf279d13e22cfd6341a441e16049f83bb6e6dca11bed70e1730
SHA512: 2399d9e6cb3a9cb759fb4000ffb5a43759e58a1108e510692cf9aede2a3bb622df8cd605e336a03293618b7b2c0be87f562a5cc22043afe36b6d42904a66757a

Filesize: 283KB
MD5: b2661ef7054b1218c969e400be697566
SHA1: a28ae64b5e2f1355b7f6ebace76cbf581d5a026e
SHA256: e5a4f02ec36fb412b27806d6404eb5b14a10c58e87bee93cc072fa81013d4032
SHA512: bce59af2df2472153bd13ea88639a8408723576bf5510643c79d27e6fe9ee9cb1f1809c2ed3423113e053a3074b7db9522b6c1fbfd2d64aea63d15d607578588

Filesize: 222KB
MD5: 6adf09ad9b4bd10eba63f7b6e613f929
SHA1: b5986838db5a89972a99931184b9f25260c09b6a
SHA256: 6a50900e6f8240b9d342601a23d447c8a57693ba54611427ba2276d0a9d39522
SHA512: 9f5ea753bdb2d6512b082064cdb440a7d539594943a9f009d3861a04bef3a6b06d25d39a539c7dfdb42eebf2da19326aeeb1ba3e098c0a1ea73b1b9772eca15a

Filesize: 46KB
MD5: 78b26a21ffc5e8dd9cbfab320d10d0a8
SHA1: 90dae6cb79f75118918685d5c0a02a65a48de820
SHA256: cc936b7028a506fa760ceaa4369e1178ade0e79114b09f766592027021ca1607
SHA512: bf8bc14028bdcd3b09e71321de198d05cbabf27e850976260a8452083df45730aed98de8c43406d4bfcdcae07e7133f940d679008054e8c773ed8f69eccd757a

Filesize: 131KB
MD5: cd0ef21e3cea98f9806b9a4087aea48c
SHA1: f869016dba463d8e30c10ee0c65615b30249898d
SHA256: c0a118af8ae2e46cb15517398d30997bde23d28aaab6cbf7f602f6858584e34d
SHA512: c262654d69d8cc2d29fa1ac88b071ebc773c19b4436a37fdf6904a7525dfe7f5f92d4a287adbad154e5b51ef17587906a35231678368f4dac2fe7922633ff3b2

Filesize: 199KB
MD5: e7501b78874eafa9eb7c7d9694602d71
SHA1: 43bf8790f238872a03518ab49f5b29a35d95f91a
SHA256: 3b5835774ca744f60de5729ca1d23c2f4377f5d72ef5bbfabd5a14fd8fdd752e
SHA512: bfa2acd2bd804c47a890ae2a1f7367d7bd9876a71dcc6120d9b2fbba292a63e5af8913d25022935a8b61e925fb90f14e16fe679882ccc2562857a9e2d2e9bb59

Filesize: 97KB
MD5: 8f5f07fc16166a74bd5f7d8aa330026c
SHA1: 1dee45ab58b5c96207eb41fae663af0ec3e61be0
SHA256: 8ba80c8ed67ea9990ea4c82b5d9ef8a74350fbfe0675f903388bf17c56d30450
SHA512: 7a11e546304a00543143759101e4211c2b73ef395678bd9dfb03fa80a4fb259ce4bfd087651be11c0c9bac2e71cd3f8f79133b51fb4006a7ec5902a9b10aa8a7

Filesize: 37KB
MD5: a7c2eb2f173500a117961030503493ab
SHA1: c6d3cb35921890e7d98c975a2622174e6f845722
SHA256: 84cc286464b2bfbeaa0cf1182ceef85cdeb504715b9af8f2fc579d579eb787cc
SHA512: 70ce72d6140c77060514692b5a14543219749835bf124e5fa556e9559ac8ed44679fee114052064e272b27bb66ff85e69630e8f70f75433d9444ca3b998cb45f

Filesize: 329KB
MD5: 21761281b0e41efa5938fb34bb2a15d5
SHA1: 1f4cbdbcae61d80593de6ff91f70fbeba87d9b16
SHA256: 738c6f9f7d408f564fd2218347317eefa9e1c69e4a83d4503cb6c82dadd66104
SHA512: c6c89e6a18cbfad5f372d3f13f90d2953ef9e25de1f86ea8a07de9383040280f9ab2483f0941c394b2a240c83338865bae11c8372f19903fedeaade963b4dc07

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 6eec5c61aa9b7676b335769d8c5664b8
SHA1: d1fa0c6f4b55347011004ae837f528f5b36a35ab
SHA256: fd994d3f575da504c69bb930df05f54f61e16e634f6a3c76d70dd52324f7fdef
SHA512: f23327e5bec42f86886ff95707a0bfceac96b8b7d3e93958fb9031c9e090a5e39b45ad84957f8cf335432b7886abb0f74c59c74bc4ea562f1ee73c283508351c