Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22/01/2024, 16:52
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
6fd1083bf5feeb646bd239a8a746071b.exe
Resource
win7-20231215-en
windows7-x64
29 signatures
150 seconds
Behavioral task
behavioral2
Sample
6fd1083bf5feeb646bd239a8a746071b.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
6fd1083bf5feeb646bd239a8a746071b.exe
-
Size
512KB
-
MD5
6fd1083bf5feeb646bd239a8a746071b
-
SHA1
b2fa8706e82e41d761acb14bd8cb2f3f5c9297c1
-
SHA256
a52f6ab0aa9602129134aeddd524fa53ed0b02e7f2f4c6e10358f12384c4cfd2
-
SHA512
7099119882f3ed29b8e8480e946f2d8cf2ae38ab12aed10f65ae4d1beedeb99b9d1d13666f6f7c3f9f3e9a20322d57c7cd0db647869c4e5cd5103f98e9459c4a
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj65:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lasuveljzm.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lasuveljzm.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lasuveljzm.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lasuveljzm.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation 6fd1083bf5feeb646bd239a8a746071b.exe -
Executes dropped EXE 5 IoCs
pid Process 3228 lasuveljzm.exe 1152 mumglfawbblvthn.exe 1176 ljvywfoc.exe 1852 fzavwmnytrgrq.exe 4820 ljvywfoc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lasuveljzm.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkscgajm = "lasuveljzm.exe" mumglfawbblvthn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vbwmzjni = "mumglfawbblvthn.exe" mumglfawbblvthn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fzavwmnytrgrq.exe" mumglfawbblvthn.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\s: lasuveljzm.exe File opened (read-only) \??\y: lasuveljzm.exe File opened (read-only) \??\b: ljvywfoc.exe File opened (read-only) \??\k: lasuveljzm.exe File opened (read-only) \??\e: ljvywfoc.exe File opened (read-only) \??\u: ljvywfoc.exe File opened (read-only) \??\v: ljvywfoc.exe File opened (read-only) \??\q: lasuveljzm.exe File opened (read-only) \??\a: lasuveljzm.exe File opened (read-only) \??\w: lasuveljzm.exe File opened (read-only) \??\g: ljvywfoc.exe File opened (read-only) \??\h: ljvywfoc.exe File opened (read-only) \??\p: ljvywfoc.exe File opened (read-only) \??\z: ljvywfoc.exe File opened (read-only) \??\e: lasuveljzm.exe File opened (read-only) \??\i: lasuveljzm.exe File opened (read-only) \??\l: lasuveljzm.exe File opened (read-only) \??\n: lasuveljzm.exe File opened (read-only) \??\x: lasuveljzm.exe File opened (read-only) \??\a: ljvywfoc.exe File opened (read-only) \??\h: ljvywfoc.exe File opened (read-only) \??\s: ljvywfoc.exe File opened (read-only) \??\p: ljvywfoc.exe File opened (read-only) \??\x: ljvywfoc.exe File opened (read-only) \??\s: ljvywfoc.exe File opened (read-only) \??\p: lasuveljzm.exe File opened (read-only) \??\u: lasuveljzm.exe File opened (read-only) \??\i: ljvywfoc.exe File opened (read-only) \??\o: ljvywfoc.exe File opened (read-only) \??\y: ljvywfoc.exe File opened (read-only) \??\z: ljvywfoc.exe File opened (read-only) \??\l: ljvywfoc.exe File opened (read-only) \??\r: ljvywfoc.exe File opened (read-only) \??\t: ljvywfoc.exe File opened (read-only) \??\y: ljvywfoc.exe File opened (read-only) \??\l: ljvywfoc.exe File opened (read-only) \??\n: ljvywfoc.exe File opened (read-only) \??\w: ljvywfoc.exe File opened (read-only) \??\t: lasuveljzm.exe File opened (read-only) \??\q: ljvywfoc.exe File opened (read-only) \??\r: ljvywfoc.exe File opened (read-only) \??\a: ljvywfoc.exe File opened (read-only) \??\m: ljvywfoc.exe File opened (read-only) \??\n: ljvywfoc.exe File opened (read-only) \??\t: ljvywfoc.exe File opened (read-only) \??\x: ljvywfoc.exe File opened (read-only) \??\o: ljvywfoc.exe File opened (read-only) \??\j: ljvywfoc.exe File opened (read-only) \??\k: ljvywfoc.exe File opened (read-only) \??\m: ljvywfoc.exe File opened (read-only) \??\q: ljvywfoc.exe File opened (read-only) \??\h: lasuveljzm.exe File opened (read-only) \??\k: ljvywfoc.exe File opened (read-only) \??\w: ljvywfoc.exe File opened (read-only) \??\e: ljvywfoc.exe File opened (read-only) \??\g: lasuveljzm.exe File opened (read-only) \??\j: ljvywfoc.exe File opened (read-only) \??\i: ljvywfoc.exe File opened (read-only) \??\v: lasuveljzm.exe File opened (read-only) \??\g: ljvywfoc.exe File opened (read-only) \??\b: lasuveljzm.exe File opened (read-only) \??\m: lasuveljzm.exe File opened (read-only) \??\z: lasuveljzm.exe File opened (read-only) \??\v: ljvywfoc.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" lasuveljzm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" lasuveljzm.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2240-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x000600000002321d-7.dat autoit_exe behavioral2/files/0x000600000002321c-18.dat autoit_exe behavioral2/files/0x000600000002321e-26.dat autoit_exe behavioral2/files/0x000600000002321f-32.dat autoit_exe behavioral2/files/0x000400000001da38-82.dat autoit_exe behavioral2/files/0x000400000001da37-79.dat autoit_exe behavioral2/files/0x000300000001e58c-104.dat autoit_exe behavioral2/files/0x000200000001e82d-116.dat autoit_exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ljvywfoc.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll lasuveljzm.exe File opened for modification C:\Windows\SysWOW64\lasuveljzm.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\mumglfawbblvthn.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\mumglfawbblvthn.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\lasuveljzm.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created C:\Windows\SysWOW64\fzavwmnytrgrq.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification C:\Windows\SysWOW64\fzavwmnytrgrq.exe 6fd1083bf5feeb646bd239a8a746071b.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ljvywfoc.exe File created C:\Windows\SysWOW64\ljvywfoc.exe 6fd1083bf5feeb646bd239a8a746071b.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe ljvywfoc.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ljvywfoc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal ljvywfoc.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal ljvywfoc.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ljvywfoc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe ljvywfoc.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe ljvywfoc.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification C:\Windows\mydoc.rtf 6fd1083bf5feeb646bd239a8a746071b.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ljvywfoc.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe ljvywfoc.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe ljvywfoc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat lasuveljzm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh lasuveljzm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg lasuveljzm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC60814E5DAB6B9CE7C97ED9034B9" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFC8D485882689046D72A7DE2BCE4E636584567406245D6EC" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BC5FF6721DBD20ED0D68A089167" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B120449338EB52C9BAD4329AD7C5" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" lasuveljzm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc lasuveljzm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" lasuveljzm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs lasuveljzm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" lasuveljzm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" lasuveljzm.exe Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8F9B1F960F1E7837C3B47869A3E96B08D028F4364023FE2CA42E808A4" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2C799D5182236D4376D570532CAD7C8464AF" 6fd1083bf5feeb646bd239a8a746071b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" lasuveljzm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" lasuveljzm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf lasuveljzm.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 6fd1083bf5feeb646bd239a8a746071b.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 384 WINWORD.EXE 384 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 3228 lasuveljzm.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1176 ljvywfoc.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 4820 ljvywfoc.exe 4820 ljvywfoc.exe 4820 ljvywfoc.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 2240 6fd1083bf5feeb646bd239a8a746071b.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 1152 mumglfawbblvthn.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 3228 lasuveljzm.exe 1176 ljvywfoc.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 1852 fzavwmnytrgrq.exe 4820 ljvywfoc.exe 4820 ljvywfoc.exe 4820 ljvywfoc.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE 384 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2240 wrote to memory of 3228 2240 6fd1083bf5feeb646bd239a8a746071b.exe 87 PID 2240 wrote to memory of 3228 2240 6fd1083bf5feeb646bd239a8a746071b.exe 87 PID 2240 wrote to memory of 3228 2240 6fd1083bf5feeb646bd239a8a746071b.exe 87 PID 2240 wrote to memory of 1152 2240 6fd1083bf5feeb646bd239a8a746071b.exe 88 PID 2240 wrote to memory of 1152 2240 6fd1083bf5feeb646bd239a8a746071b.exe 88 PID 2240 wrote to memory of 1152 2240 6fd1083bf5feeb646bd239a8a746071b.exe 88 PID 2240 wrote to memory of 1176 2240 6fd1083bf5feeb646bd239a8a746071b.exe 90 PID 2240 wrote to memory of 1176 2240 6fd1083bf5feeb646bd239a8a746071b.exe 90 PID 2240 wrote to memory of 1176 2240 6fd1083bf5feeb646bd239a8a746071b.exe 90 PID 2240 wrote to memory of 1852 2240 6fd1083bf5feeb646bd239a8a746071b.exe 89 PID 2240 wrote to memory of 1852 2240 6fd1083bf5feeb646bd239a8a746071b.exe 89 PID 2240 wrote to memory of 1852 2240 6fd1083bf5feeb646bd239a8a746071b.exe 89 PID 2240 wrote to memory of 384 2240 6fd1083bf5feeb646bd239a8a746071b.exe 92 PID 2240 wrote to memory of 384 2240 6fd1083bf5feeb646bd239a8a746071b.exe 92 PID 3228 wrote to memory of 4820 3228 lasuveljzm.exe 94 PID 3228 wrote to memory of 4820 3228 lasuveljzm.exe 94 PID 3228 wrote to memory of 4820 3228 lasuveljzm.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe"C:\Users\Admin\AppData\Local\Temp\6fd1083bf5feeb646bd239a8a746071b.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\lasuveljzm.exelasuveljzm.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Windows\SysWOW64\ljvywfoc.exeC:\Windows\system32\ljvywfoc.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820
-
-
-
C:\Windows\SysWOW64\mumglfawbblvthn.exemumglfawbblvthn.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152
-
-
C:\Windows\SysWOW64\fzavwmnytrgrq.exefzavwmnytrgrq.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1852
-
-
C:\Windows\SysWOW64\ljvywfoc.exeljvywfoc.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1176
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:384
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5210adc886fea702519614508785fee5a
SHA1922e0ce85629b5ae721e7cc0d4154f95f479f905
SHA2563bf0e380e1abf65be7a2a0c91bb317fe6e8381d77a7630039e22b2d8778a7428
SHA512ac31f2b931540d16a1066e612dbd86af708478c65c380636bcba9338aa7b6a420cbe3429051a2687e931a2f91b2e44eb8873a144d90c13cd1d2df1836b74d340
-
Filesize
512KB
MD5b4dae28eb12e03e4003f3083e8d5724f
SHA1f1d6c21241a8d542590862cc4286db7b327ca2dc
SHA256f4b0006915827ae0219ecc7ed37ae0d906c6889de5ed0d638ccb20e71bb818db
SHA51270725032ae0756b3c387e5c8ced7e507d9b4ac8b1333cd8c9be626dd338c9b67e9a597dc1a0c1a88db306014f01468b6230e37495374a496f881f597533ca18f
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD57653177be72e436fb3d6c076619937fd
SHA1450fbffce5fa91627cdea62c4e35d9a4a0df518b
SHA256c88f70e8dd2bbd2aa600d20762abaecbd98dbdeb0896af86357f760d4270716b
SHA512f0ad7bd08549e5d58c8eb556772176fe57e8cccf24e59b627fb340c0c6d3b6d324004d8504850ccef48ac21e641ebef9eb3bc0f440ad910a1a4e4edc7f3a18a1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD56239ff66cd6616977d9ef5976982270f
SHA1e55bf3904acb3400f177011c824e999a0fcf68a1
SHA256311c97bcf97451f82d00d0695be9b8f4cd83e291f2261669829f19760ef23b36
SHA51280df484f62fceb1c5755f146c237ac83330498c22933abe65c811b115f5b72ba11c16ce166d8534b2195a1a940103b534fb95eefc23c2a7c5832590055f34e84
-
Filesize
512KB
MD50a4d1aa32668b8f8e41c22912fd86102
SHA1543d2cbff1861653b603f91788b1b1954cf9b6e5
SHA256fb183b617360a592aedb3e769102728d7933221e53b3666d60b262b679123065
SHA51299ce257c492024492fdb6b2ce4897d75d8660b4e072f00ebaf21c0d1f2ed0c8db785964dd354cd1a4c60ea386c245091310b2bccc680110850b4e92eb5047384
-
Filesize
512KB
MD5386ca312b115f373d586b56430508d6f
SHA19eb08cd7cbab21ac4d1b668057c2bb3be7950491
SHA25642f665c455ed41c7bad29b4f8f557a31cc9347abcd4f4aecae8056cea3d4b727
SHA5120133c6e64c0d764ffc4fa2759b0f3b96b38d18229e0d7a9269a2b545bcf560c3877e082d1ffb863a40e9a0c9e7d6c59ed0d3c8651e9251f564fd665512042045
-
Filesize
512KB
MD5111b01276d8dfe5972f645191ed8a9b3
SHA13f746e1e2eb7f6cfa06aa8d42beabb3f67a0b8a8
SHA256db866babf1c97b91fd1b60ee0c68b780376feec80581c76f294cfcf0ead48221
SHA51216eada0d35af3f8fd23a0f138f9eab1384922fb6c32c04553e715ba6a8ef2aa7201e0941ddc339c04356b51e8454ff152bed4df82bb161bec1012d6f42d11446
-
Filesize
512KB
MD5cbc95e39fd2986388364d978b11a7345
SHA1a8b7d37f91bc97367f222b660e7fd5d6c6be562b
SHA2567e23c109e94a6e794b0631194e8a76d09755c3e29d135cfffe9a9a5abb63d98f
SHA512419bcb5ce0162e1745965804a97d97b8d4e96047a53d04b7507af92e13bcf20bbce4d8bff86ba52b0b0051068afb005fc3edfe22a8c8b6fb8180176fc1fe9bc6
-
Filesize
512KB
MD537c810c3b33beacb0b80f8c071ae2549
SHA1c8e04aef3201a7f0c3e733f5a8fa323be4ca6be8
SHA25643d678c0c796969b7c486b140092af46f79548bc2f1abe5449cb27af27b34ee2
SHA512c70adf8595d6f885dc548d8a95c2b7b52cc402b348aa75757fc29078e37296b03f25e11f4c441ea4a537d446312a36cd96a1f6cd850da053410585cf5cc946d5
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD568d30566ba113db13c03e0817a350c32
SHA1e40299d85f1d6459c2b28fcbcecdecd12cec22fd
SHA256e58916e31a7222ca04cc8f65590fd8c60b6b0ad87018e5dd5d6e3480b485996e
SHA51243b16aa8b499554dd3381092652e59769c4561a3b8ebc3d1d35a5f5e4907343fe751d07ec30033abd5b53679d98630eb49b7a2be4344283f9653daea5043c668