Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 14:08
Static task: static1
Behavioral task: behavioral1 (sample 7790847622da02038ed1c4d0c7c8f607.exe, resource win7-20231129-en)
Behavioral task: behavioral2 (sample 7790847622da02038ed1c4d0c7c8f607.exe, resource win10v2004-20231215-en)
General
Target: 7790847622da02038ed1c4d0c7c8f607.exe
Size: 512KB
MD5: 7790847622da02038ed1c4d0c7c8f607
SHA1: 41e7d135f841e4746e07134225375233eb232b15
SHA256: 41c594abb2ef12b08222e3ce8ea23c094c0e81087f2d6410ad7a231db9f69a89
SHA512: 428131a559e51e640e5ca9763e8a2d4471be674274598dad5f09d63357c3795fbb2fcf8c85f28da5942c010952b87b9fda79aa5f7258a38920bb1132b6873092
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6s:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: ssidcbqufn.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: ssidcbqufn.exe)
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: ssidcbqufn.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: ssidcbqufn.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: 7790847622da02038ed1c4d0c7c8f607.exe)
Executes dropped EXE 5 IoCs
- PID 3836 ssidcbqufn.exe
- PID 4628 ziyhpunalncibdn.exe
- PID 1844 kcuqynck.exe
- PID 4612 lzywhxgcrnfiq.exe
- PID 4012 kcuqynck.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: ssidcbqufn.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yibfmvsm = "ssidcbqufn.exe" (process: ziyhpunalncibdn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jjfxituy = "ziyhpunalncibdn.exe" (process: ziyhpunalncibdn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lzywhxgcrnfiq.exe" (process: ziyhpunalncibdn.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 IoCs are "File opened (read-only)" events, grouped here by process in order of appearance (duplicates kept as listed; kcuqynck.exe runs as two processes, PIDs 1844 and 4012):
- ssidcbqufn.exe (21): \??\w:, \??\v:, \??\l:, \??\m:, \??\n:, \??\g:, \??\u:, \??\t:, \??\b:, \??\z:, \??\a:, \??\i:, \??\o:, \??\e:, \??\k:, \??\h:, \??\p:, \??\s:, \??\j:, \??\q:, \??\r:
- kcuqynck.exe (43): \??\g:, \??\t:, \??\r:, \??\h:, \??\a:, \??\j:, \??\x:, \??\w:, \??\x:, \??\z:, \??\g:, \??\n:, \??\b:, \??\q:, \??\i:, \??\s:, \??\u:, \??\i:, \??\m:, \??\l:, \??\j:, \??\p:, \??\u:, \??\a:, \??\k:, \??\q:, \??\b:, \??\k:, \??\m:, \??\o:, \??\e:, \??\o:, \??\r:, \??\t:, \??\h:, \??\v:, \??\y:, \??\e:, \??\l:, \??\s:, \??\n:, \??\y:, \??\p:
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: ssidcbqufn.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: ssidcbqufn.exe)
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/952-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0002000000022775-5.dat
- behavioral2/files/0x0009000000022480-18.dat
- behavioral2/files/0x000a00000002301d-26.dat
- behavioral2/files/0x000900000002301f-32.dat
- behavioral2/files/0x0006000000023133-66.dat
- behavioral2/files/0x0006000000023132-60.dat
- behavioral2/files/0x000200000001e780-106.dat
- behavioral2/files/0x000200000001e780-103.dat
- behavioral2/files/0x000200000001e2af-117.dat
- behavioral2/files/0x000200000001e2af-125.dat
Drops file in System32 directory 13 IoCs
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: kcuqynck.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: kcuqynck.exe)
- File created C:\Windows\SysWOW64\ziyhpunalncibdn.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\SysWOW64\ziyhpunalncibdn.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\SysWOW64\kcuqynck.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File created C:\Windows\SysWOW64\lzywhxgcrnfiq.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: ssidcbqufn.exe)
- File created C:\Windows\SysWOW64\ssidcbqufn.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\SysWOW64\ssidcbqufn.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: kcuqynck.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (process: kcuqynck.exe)
- File created C:\Windows\SysWOW64\kcuqynck.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\SysWOW64\lzywhxgcrnfiq.exe (process: 7790847622da02038ed1c4d0c7c8f607.exe)
Drops file in Program Files directory 14 IoCs
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: kcuqynck.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (process: kcuqynck.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: kcuqynck.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: kcuqynck.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: kcuqynck.exe)
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: kcuqynck.exe)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (process: kcuqynck.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (process: kcuqynck.exe)
Drops file in Windows directory 3 IoCs
- File opened for modification C:\Windows\mydoc.rtf (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: WINWORD.EXE)
Modifies registry class 20 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (process: ssidcbqufn.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (process: ssidcbqufn.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (process: ssidcbqufn.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFC8D4F29826F9130D62F7D92BDEEE630593267416337D6EC" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0816BC3FE6621DED27DD1A88B7A9167" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC67B15E4DBB3B8CD7FE0ECE237B9" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (process: ssidcbqufn.exe)
- Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABDFE64F19184093A4486EE3990B0FA02FA4312034BE1CC429D08A4" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC0B129449238E352BEBADC32EFD7CD" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (process: ssidcbqufn.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (process: ssidcbqufn.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (process: ssidcbqufn.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402D7B9C2083206A3F76D277272DDB7DF164D7" (process: 7790847622da02038ed1c4d0c7c8f607.exe)
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 1236 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Entries in order of appearance, with repeat counts:
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe (16 entries)
- PID 3836 ssidcbqufn.exe (10 entries)
- PID 4628 ziyhpunalncibdn.exe (10 entries)
- PID 1844 kcuqynck.exe (8 entries)
- PID 4612 lzywhxgcrnfiq.exe (12 entries)
- PID 4628 ziyhpunalncibdn.exe (2 entries)
- PID 4612 lzywhxgcrnfiq.exe (4 entries)
- PID 4628 ziyhpunalncibdn.exe (2 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe (3 entries)
- PID 3836 ssidcbqufn.exe (3 entries)
- PID 4628 ziyhpunalncibdn.exe (3 entries)
- PID 1844 kcuqynck.exe (3 entries)
- PID 4612 lzywhxgcrnfiq.exe (3 entries)
- PID 4012 kcuqynck.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe (3 entries)
- PID 3836 ssidcbqufn.exe (3 entries)
- PID 4628 ziyhpunalncibdn.exe (3 entries)
- PID 1844 kcuqynck.exe (3 entries)
- PID 4612 lzywhxgcrnfiq.exe (3 entries)
- PID 4012 kcuqynck.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 1236 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe wrote to memory of 3836 (procid_target 89), 3 entries
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe wrote to memory of 4628 (procid_target 90), 3 entries
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe wrote to memory of 1844 (procid_target 91), 3 entries
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe wrote to memory of 4612 (procid_target 92), 3 entries
- PID 3836 ssidcbqufn.exe wrote to memory of 4012 (procid_target 93), 3 entries
- PID 952 7790847622da02038ed1c4d0c7c8f607.exe wrote to memory of 1236 (procid_target 94), 2 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7790847622da02038ed1c4d0c7c8f607.exe"
  PID: 952 (level 1)
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\ssidcbqufn.exe
    Command line: ssidcbqufn.exe
    PID: 3836 (level 2)
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\kcuqynck.exe
      Command line: C:\Windows\system32\kcuqynck.exe
      PID: 4012 (level 3)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ziyhpunalncibdn.exe
    Command line: ziyhpunalncibdn.exe
    PID: 4628 (level 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\kcuqynck.exe
    Command line: kcuqynck.exe
    PID: 1844 (level 2)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lzywhxgcrnfiq.exe
    Command line: lzywhxgcrnfiq.exe
    PID: 4612 (level 2)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1236 (level 2)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: 3d643b5534707af1fcb96e4620662f6a
  SHA1: d1bddeb69eba26aade2323143dc85a3dc94f3851
  SHA256: 1877af24015ae54e8cd3b59738a7a651ca20effbd86471552059d446e4c447d5
  SHA512: 80b2e22acd35087d47de8b30b8f032b0c51f7699232dfd64421697a7fb7db39e8d8cab1275a21873a3b801b27ca2628e830174a69d62c8ea344c52a1c87f76cc
- Filesize: 512KB
  MD5: 60fd28506caf2649b5ee46b7b73ac6f9
  SHA1: 53684388c2081e10b73f84d86c31ce775b464745
  SHA256: db1ab405a136d5e2dd93b6f339923515117aa154ec7e4b08a8bd84f6d749a837
  SHA512: c2a46775b4adb83081457d5d4eb1edd086fb7054c1727f05e629c37a1ecf427565363f57e436db438f08242a9acdd6eaf0b7a35b7eb0f832592787f77e6b4884
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 1a281209f418ad2e4d9a277a700e79f3
  SHA1: 6a526127645756b8f5deb8cd4f9e8214725893c2
  SHA256: 5954ab971d840b3b864a39bc4f3790e3d19b0c9390c29ca5810a436d85016b63
  SHA512: 90f8a1c4863892bb66499010d3e7e3301437e1c3a102a7533e734f526ea5e53381506bab960336af193392cf9b8338802e619d1f0ba6581ef7a6c4148e7c8217
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: c75a140c650cc9bc496bca917bef2ac8
  SHA1: 6833e36c9d8f38032b7013a3c1a8292a27015bbe
  SHA256: 46532bdbff76ca022a94c4c547f8f079f0c2afdae731da1a3ad4e9a011e6ee10
  SHA512: 31bcbf8dac7c290fd9b38f91e0c4732853da08cb33c07058111cd820ee3e28914341cc7b3ffc28fba54b3de23462bdef4691fb79a4310713340b75c8356085e9
- Filesize: 386KB
  MD5: d867a655ae492b330d5de03a1a554ca7
  SHA1: ed3013d39ff6fe5e8431a2b229becd2e04926e61
  SHA256: 542bf8c10a61473225004305bf2a49d8ef5106f4ef0c62af504926db90c0edd1
  SHA512: 0b692aaa4d2d1d8b7ea6ac2e5b5b41884744a7bda3102634e5bb73b6a725caadada5f94b2759826e3dc354824055b183ecd35d47c0e9578082d3a05148f533dc
- Filesize: 512KB
  MD5: 94759b78f48403b14ab09bdb8c5b68db
  SHA1: b1bf8ce9b5a9d7dd5ea813eab2d129e92fc05529
  SHA256: b32292be8075b525d7fd00e0ad74cad9e036f3c75f309e556bc862aaa04100c6
  SHA512: c0c8de7a112e0ac84bf23bce7c36fd300837475fa7d7639ae344dd21f7e1f5cdc8b8b26763042751d2a4cfdf9c94cd1f388e76e8eec98edf5cc392f525901a85
- Filesize: 512KB
  MD5: 9a881482f285f9edb5a3a1837fc06df8
  SHA1: 0a1c6a2b3e6ba0676713d894ec698022e14ae7e8
  SHA256: cea3b7109748fb2e745a21e4c55a081ca85d861898ebf7931070431bedba7e5b
  SHA512: 7ca17a8de0e0b7401f8c282c0771a6afb1f2623c19890d681b2caa45f375407985150758cc7a2cc891a503844ceba4e6b48f3a719835773cde5df177444f2500
- Filesize: 512KB
  MD5: a5e132efa6b18773468796ee20a1a908
  SHA1: 93cb3e39a82461f3b7a3a8fc2ef691a8204cbf61
  SHA256: 5061bfc3877c50f71e16f8955c47e98a2cd2116f05f6d5b923d8b19ac63dc9fd
  SHA512: 0c0457db8108a1f611cbeac3bd9805e56bc3abf1f829a68bda01f9bcdf6395b733c911b0fd2a021323c79db23b861e5dc11eb9ac337a219c1b6966f55ef10d0e
- Filesize: 512KB
  MD5: 073d18f4e1e4dcccdcc6f62c0538659a
  SHA1: 34422fdc4da451da1dc8f2470707107cbf55094d
  SHA256: 1353b0ad879d5ce09833e94b08452ab9b301f4b8e397771844b4c7842229b388
  SHA512: abbe4da2f4f2aa4fec76e6b24edeff46e1f5ae1c29ca988a6f6a8338cfdc0f8a448ebbff5ae7ec80b146b776570b7ba0815162fda76245a05d6dfcbf56126720
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 45KB
  MD5: e8d0a210a7de9cb675e1378280b0b6de
  SHA1: c2ab939a2766a03bf6c24459cd935c2d580f220d
  SHA256: c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b
  SHA512: e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5
- Filesize: 512KB
  MD5: e175c96602bd99699feb20e014668d55
  SHA1: d3752257f88e9f5b62dca7a5f9802b3d361c3343
  SHA256: e4a86346768326ab17ee17c71308bb855625bb42a96f5236cedea0458c3de9ae
  SHA512: f950b30b05db0facad7dc7796d93292a9e4b4f6f6de486d9702a78b7bf11d3ece78b2f59568d4814a3040a42c6a2304f6b8a9fe3de469f67321fdd2da69b0c91
- Filesize: 512KB
  MD5: 925478bf0dd5a4fccac30234cbfa61f2
  SHA1: de52d1672b8e5c52a4b431daf49de1e12f337a37
  SHA256: 68de3498f32cc775a1f2a87282eb9e9bb438cd2d6119036b6cf2442de84c02c6
  SHA512: 63ce39cfd09f62ac0f6bf731d271a0bfd038e555b1e62c7781fca6a9529dc2d7ae8d8a6d8922fe164a9e81728525513162fbb0aa94bbb1efa5f0fe8f3d8980cb