Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2024, 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: 689a9e38678a592dad3f4318de18098d.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 689a9e38678a592dad3f4318de18098d.exe
- Resource: win10v2004-20231215-en
General
Target: 689a9e38678a592dad3f4318de18098d.exe
Size: 512KB
MD5: 689a9e38678a592dad3f4318de18098d
SHA1: 752fe166e7a6932e3ba625de77136e79db6bff10
SHA256: 79af9b9d51f1ec9f2cb4899d7f2a601136e64c4f4af54bd80b1157c9e2c639e7
SHA512: 850bd82581833b20f1ac972cc42d6b9f66964e5d1cb33cfcdd99fb2f5d2de62a379934eba31b1dfe47f7116bd3f315841a456aeae97c671d65e1626ba8288012
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (uuzgorcxxw.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (uuzgorcxxw.exe)
Windows security bypass (5 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (uuzgorcxxw.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (uuzgorcxxw.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (689a9e38678a592dad3f4318de18098d.exe)
Executes dropped EXE (5 IoCs)
- PID 3708: uuzgorcxxw.exe
- PID 3936: dhuwhkrilffsooy.exe
- PID 3368: kxdpttxx.exe
- PID 1212: slpwvkrubrdly.exe
- PID 3388: kxdpttxx.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification (6 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (uuzgorcxxw.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rlgmbgen = "uuzgorcxxw.exe" (dhuwhkrilffsooy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\osvcitcc = "dhuwhkrilffsooy.exe" (dhuwhkrilffsooy.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "slpwvkrubrdly.exe" (dhuwhkrilffsooy.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\a: through \??\z:, every drive letter except c:, d: and f: (uuzgorcxxw.exe, 23 entries, one per letter)
- File opened (read-only): the same 23 drive letters (kxdpttxx.exe, 41 entries, letters repeated across the two kxdpttxx.exe instances)
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (uuzgorcxxw.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (uuzgorcxxw.exe)
AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral2/memory/2404-0-0x0000000000400000-0x0000000000496000-memory.dmp: yara rule autoit_exe
- behavioral2/files/0x0006000000023126-5.dat: yara rule autoit_exe
- behavioral2/files/0x0006000000023125-18.dat: yara rule autoit_exe
- behavioral2/files/0x0006000000023127-26.dat: yara rule autoit_exe
- behavioral2/files/0x0006000000023128-31.dat: yara rule autoit_exe
- behavioral2/files/0x000600000002312a-70.dat: yara rule autoit_exe
- behavioral2/files/0x000200000001e2af-108.dat: yara rule autoit_exe
- behavioral2/files/0x0003000000000713-140.dat: yara rule autoit_exe
Drops file in System32 directory (13 IoCs)
- File opened for modification: C:\Windows\SysWOW64\dhuwhkrilffsooy.exe (689a9e38678a592dad3f4318de18098d.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (kxdpttxx.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (kxdpttxx.exe)
- File opened for modification: C:\Windows\SysWOW64\uuzgorcxxw.exe (689a9e38678a592dad3f4318de18098d.exe)
- File created: C:\Windows\SysWOW64\dhuwhkrilffsooy.exe (689a9e38678a592dad3f4318de18098d.exe)
- File opened for modification: C:\Windows\SysWOW64\slpwvkrubrdly.exe (689a9e38678a592dad3f4318de18098d.exe)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (kxdpttxx.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (kxdpttxx.exe)
- File opened for modification: C:\Windows\SysWOW64\kxdpttxx.exe (689a9e38678a592dad3f4318de18098d.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (uuzgorcxxw.exe)
- File created: C:\Windows\SysWOW64\slpwvkrubrdly.exe (689a9e38678a592dad3f4318de18098d.exe)
- File created: C:\Windows\SysWOW64\uuzgorcxxw.exe (689a9e38678a592dad3f4318de18098d.exe)
- File created: C:\Windows\SysWOW64\kxdpttxx.exe (689a9e38678a592dad3f4318de18098d.exe)
Drops file in Program Files directory (15 IoCs, all by kxdpttxx.exe)
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\mydoc.rtf (689a9e38678a592dad3f4318de18098d.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (uuzgorcxxw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B05B479538E252CAB9D6339DD4CE" (689a9e38678a592dad3f4318de18098d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70B14E4DAC3B8CD7FE0EDE434CA" (689a9e38678a592dad3f4318de18098d.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (uuzgorcxxw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BB9FE1A21ACD272D0A98A7C9164" (689a9e38678a592dad3f4318de18098d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462D7D9D2383586A3377D270252DD67C8665DE" (689a9e38678a592dad3f4318de18098d.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (uuzgorcxxw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (uuzgorcxxw.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (689a9e38678a592dad3f4318de18098d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8B4F5B826F9045D72C7E97BC93E130584567436332D69D" (689a9e38678a592dad3f4318de18098d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (uuzgorcxxw.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (uuzgorcxxw.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings (689a9e38678a592dad3f4318de18098d.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8FABCFE13F2E783783B4A81993998B0FA028B4315023AE1B842EF09A3" (689a9e38678a592dad3f4318de18098d.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 2244: WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2404: 689a9e38678a592dad3f4318de18098d.exe (16 entries)
- PID 3708: uuzgorcxxw.exe (10 entries)
- PID 3936: dhuwhkrilffsooy.exe (14 entries)
- PID 3368: kxdpttxx.exe (8 entries)
- PID 1212: slpwvkrubrdly.exe (16 entries)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2404: 689a9e38678a592dad3f4318de18098d.exe (3 entries)
- PID 3708: uuzgorcxxw.exe (3 entries)
- PID 3936: dhuwhkrilffsooy.exe (3 entries)
- PID 3368: kxdpttxx.exe (3 entries)
- PID 1212: slpwvkrubrdly.exe (3 entries)
- PID 3388: kxdpttxx.exe (3 entries)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2404: 689a9e38678a592dad3f4318de18098d.exe (3 entries)
- PID 3708: uuzgorcxxw.exe (3 entries)
- PID 3936: dhuwhkrilffsooy.exe (3 entries)
- PID 3368: kxdpttxx.exe (3 entries)
- PID 1212: slpwvkrubrdly.exe (3 entries)
- PID 3388: kxdpttxx.exe (3 entries)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 2244: WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2404 (689a9e38678a592dad3f4318de18098d.exe) wrote to memory of PID 3708, procid_target 88 (3 entries)
- PID 2404 (689a9e38678a592dad3f4318de18098d.exe) wrote to memory of PID 3936, procid_target 89 (3 entries)
- PID 2404 (689a9e38678a592dad3f4318de18098d.exe) wrote to memory of PID 3368, procid_target 90 (3 entries)
- PID 2404 (689a9e38678a592dad3f4318de18098d.exe) wrote to memory of PID 1212, procid_target 91 (3 entries)
- PID 3708 (uuzgorcxxw.exe) wrote to memory of PID 3388, procid_target 92 (3 entries)
- PID 2404 (689a9e38678a592dad3f4318de18098d.exe) wrote to memory of PID 2244, procid_target 93 (2 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\689a9e38678a592dad3f4318de18098d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\689a9e38678a592dad3f4318de18098d.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2404
Level 2: C:\Windows\SysWOW64\uuzgorcxxw.exe
Command line: uuzgorcxxw.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3708
Level 3: C:\Windows\SysWOW64\kxdpttxx.exe
Command line: C:\Windows\system32\kxdpttxx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3388
Level 2: C:\Windows\SysWOW64\dhuwhkrilffsooy.exe
Command line: dhuwhkrilffsooy.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3936
Level 2: C:\Windows\SysWOW64\kxdpttxx.exe
Command line: kxdpttxx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3368
Level 2: C:\Windows\SysWOW64\slpwvkrubrdly.exe
Command line: slpwvkrubrdly.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1212
Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 2244
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads