Analysis
max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted
27/01/2024, 18:39
Static task
static1
Behavioral task
behavioral1
Sample
7afabb44010283947b9c8b8f690e3344.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
7afabb44010283947b9c8b8f690e3344.exe
Resource
win10v2004-20231222-en
General
Target
7afabb44010283947b9c8b8f690e3344.exe
Size
512KB
MD5
7afabb44010283947b9c8b8f690e3344
SHA1
21802d13b61b3e210776f5464a97af2acbdbc4f6
SHA256
2b68f6a4fb6411293ddedd8ee49680afcb20649f57035814fd3e0e7b348adbfa
SHA512
3f3d380751bea3deebcff00085e18ae454a0c6b6c2df30a15b212349758856066e088ef6d25e3a6da505903d431601384bbd2cd750da570f5d9d447bc7747de3
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5s
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dltgxlkdaq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dltgxlkdaq.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dltgxlkdaq.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dltgxlkdaq.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 7afabb44010283947b9c8b8f690e3344.exe
Executes dropped EXE 5 IoCs
pid | Process
1504 | dltgxlkdaq.exe
2228 | lslzqcfqrvakbak.exe
224 | ubrcryeo.exe
100 | xcbhhahfurlwk.exe
2340 | ubrcryeo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dltgxlkdaq.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hnhsrlhw = "dltgxlkdaq.exe" | lslzqcfqrvakbak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oqpsosyn = "lslzqcfqrvakbak.exe" | lslzqcfqrvakbak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xcbhhahfurlwk.exe" | lslzqcfqrvakbak.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | ubrcryeo.exe
File opened (read-only) | \??\t: | ubrcryeo.exe
File opened (read-only) | \??\w: | ubrcryeo.exe
File opened (read-only) | \??\g: | ubrcryeo.exe
File opened (read-only) | \??\m: | ubrcryeo.exe
File opened (read-only) | \??\o: | ubrcryeo.exe
File opened (read-only) | \??\w: | ubrcryeo.exe
File opened (read-only) | \??\g: | dltgxlkdaq.exe
File opened (read-only) | \??\u: | dltgxlkdaq.exe
File opened (read-only) | \??\x: | ubrcryeo.exe
File opened (read-only) | \??\j: | ubrcryeo.exe
File opened (read-only) | \??\e: | dltgxlkdaq.exe
File opened (read-only) | \??\h: | ubrcryeo.exe
File opened (read-only) | \??\i: | ubrcryeo.exe
File opened (read-only) | \??\n: | ubrcryeo.exe
File opened (read-only) | \??\j: | ubrcryeo.exe
File opened (read-only) | \??\r: | ubrcryeo.exe
File opened (read-only) | \??\s: | ubrcryeo.exe
File opened (read-only) | \??\w: | dltgxlkdaq.exe
File opened (read-only) | \??\g: | ubrcryeo.exe
File opened (read-only) | \??\a: | ubrcryeo.exe
File opened (read-only) | \??\u: | ubrcryeo.exe
File opened (read-only) | \??\o: | dltgxlkdaq.exe
File opened (read-only) | \??\k: | ubrcryeo.exe
File opened (read-only) | \??\e: | ubrcryeo.exe
File opened (read-only) | \??\x: | ubrcryeo.exe
File opened (read-only) | \??\z: | ubrcryeo.exe
File opened (read-only) | \??\l: | dltgxlkdaq.exe
File opened (read-only) | \??\p: | ubrcryeo.exe
File opened (read-only) | \??\i: | dltgxlkdaq.exe
File opened (read-only) | \??\k: | dltgxlkdaq.exe
File opened (read-only) | \??\b: | ubrcryeo.exe
File opened (read-only) | \??\o: | ubrcryeo.exe
File opened (read-only) | \??\z: | ubrcryeo.exe
File opened (read-only) | \??\l: | ubrcryeo.exe
File opened (read-only) | \??\x: | dltgxlkdaq.exe
File opened (read-only) | \??\y: | dltgxlkdaq.exe
File opened (read-only) | \??\z: | dltgxlkdaq.exe
File opened (read-only) | \??\a: | ubrcryeo.exe
File opened (read-only) | \??\u: | ubrcryeo.exe
File opened (read-only) | \??\k: | ubrcryeo.exe
File opened (read-only) | \??\y: | ubrcryeo.exe
File opened (read-only) | \??\n: | dltgxlkdaq.exe
File opened (read-only) | \??\r: | dltgxlkdaq.exe
File opened (read-only) | \??\v: | dltgxlkdaq.exe
File opened (read-only) | \??\l: | ubrcryeo.exe
File opened (read-only) | \??\r: | ubrcryeo.exe
File opened (read-only) | \??\s: | ubrcryeo.exe
File opened (read-only) | \??\a: | dltgxlkdaq.exe
File opened (read-only) | \??\h: | dltgxlkdaq.exe
File opened (read-only) | \??\p: | dltgxlkdaq.exe
File opened (read-only) | \??\s: | dltgxlkdaq.exe
File opened (read-only) | \??\m: | ubrcryeo.exe
File opened (read-only) | \??\n: | ubrcryeo.exe
File opened (read-only) | \??\b: | ubrcryeo.exe
File opened (read-only) | \??\h: | ubrcryeo.exe
File opened (read-only) | \??\v: | ubrcryeo.exe
File opened (read-only) | \??\b: | dltgxlkdaq.exe
File opened (read-only) | \??\v: | ubrcryeo.exe
File opened (read-only) | \??\m: | dltgxlkdaq.exe
File opened (read-only) | \??\q: | dltgxlkdaq.exe
File opened (read-only) | \??\y: | ubrcryeo.exe
File opened (read-only) | \??\q: | ubrcryeo.exe
File opened (read-only) | \??\p: | ubrcryeo.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dltgxlkdaq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dltgxlkdaq.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1732-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000231fd-5.dat | autoit_exe
behavioral2/files/0x00070000000231fa-18.dat | autoit_exe
behavioral2/files/0x0006000000023201-27.dat | autoit_exe
behavioral2/files/0x0006000000023202-32.dat | autoit_exe
behavioral2/files/0x000700000001da31-68.dat | autoit_exe
behavioral2/files/0x000c00000001da42-79.dat | autoit_exe
behavioral2/files/0x000500000001e59b-87.dat | autoit_exe
behavioral2/files/0x000200000001e5f5-105.dat | autoit_exe
behavioral2/files/0x000200000001e5f5-107.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\xcbhhahfurlwk.exe | 7afabb44010283947b9c8b8f690e3344.exe
File opened for modification | C:\Windows\SysWOW64\xcbhhahfurlwk.exe | 7afabb44010283947b9c8b8f690e3344.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dltgxlkdaq.exe
File created | C:\Windows\SysWOW64\dltgxlkdaq.exe | 7afabb44010283947b9c8b8f690e3344.exe
File created | C:\Windows\SysWOW64\lslzqcfqrvakbak.exe | 7afabb44010283947b9c8b8f690e3344.exe
File created | C:\Windows\SysWOW64\ubrcryeo.exe | 7afabb44010283947b9c8b8f690e3344.exe
File opened for modification | C:\Windows\SysWOW64\ubrcryeo.exe | 7afabb44010283947b9c8b8f690e3344.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | C:\Windows\SysWOW64\dltgxlkdaq.exe | 7afabb44010283947b9c8b8f690e3344.exe
File opened for modification | C:\Windows\SysWOW64\lslzqcfqrvakbak.exe | 7afabb44010283947b9c8b8f690e3344.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ubrcryeo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ubrcryeo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ubrcryeo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ubrcryeo.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ubrcryeo.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ubrcryeo.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ubrcryeo.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ubrcryeo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ubrcryeo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ubrcryeo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | C:\Windows\mydoc.rtf | 7afabb44010283947b9c8b8f690e3344.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ubrcryeo.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ubrcryeo.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ubrcryeo.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ubrcryeo.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B1284497399A52CCB9A232E9D7C9" | 7afabb44010283947b9c8b8f690e3344.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70914E2DBC3B8CB7FE7EC9734C7" | 7afabb44010283947b9c8b8f690e3344.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | dltgxlkdaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dltgxlkdaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | dltgxlkdaq.exe
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings | 7afabb44010283947b9c8b8f690e3344.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7afabb44010283947b9c8b8f690e3344.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dltgxlkdaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | dltgxlkdaq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C0F9D2D83586D3476DC70562CDA7D8F65D8" | 7afabb44010283947b9c8b8f690e3344.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9F9CEF961F293840E3B42869D3E90B38D038B43690332E1CC429A08A1" | 7afabb44010283947b9c8b8f690e3344.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FFFF485D85199130D75F7D9DBD92E637584567346242D79F" | 7afabb44010283947b9c8b8f690e3344.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BC2FE6C22DBD172D0A28A0E9014" | 7afabb44010283947b9c8b8f690e3344.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dltgxlkdaq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | dltgxlkdaq.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2868 | WINWORD.EXE (2 identical entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1732 | 7afabb44010283947b9c8b8f690e3344.exe (16 identical entries)
1504 | dltgxlkdaq.exe (10 identical entries)
224 | ubrcryeo.exe (8 identical entries)
2228 | lslzqcfqrvakbak.exe (10 identical entries)
100 | xcbhhahfurlwk.exe (12 identical entries)
2340 | ubrcryeo.exe (8 identical entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1732 | 7afabb44010283947b9c8b8f690e3344.exe (3 identical entries)
224 | ubrcryeo.exe (3 identical entries)
1504 | dltgxlkdaq.exe (3 identical entries)
2228 | lslzqcfqrvakbak.exe (3 identical entries)
100 | xcbhhahfurlwk.exe (3 identical entries)
2340 | ubrcryeo.exe (3 identical entries)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1732 | 7afabb44010283947b9c8b8f690e3344.exe (3 identical entries)
224 | ubrcryeo.exe (3 identical entries)
1504 | dltgxlkdaq.exe (3 identical entries)
2228 | lslzqcfqrvakbak.exe (3 identical entries)
100 | xcbhhahfurlwk.exe (3 identical entries)
2340 | ubrcryeo.exe (3 identical entries)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
2868 | WINWORD.EXE (7 identical entries)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1732 wrote to memory of 1504 | 1732 | 7afabb44010283947b9c8b8f690e3344.exe | 87 (3 identical entries)
PID 1732 wrote to memory of 2228 | 1732 | 7afabb44010283947b9c8b8f690e3344.exe | 88 (3 identical entries)
PID 1732 wrote to memory of 224 | 1732 | 7afabb44010283947b9c8b8f690e3344.exe | 89 (3 identical entries)
PID 1732 wrote to memory of 100 | 1732 | 7afabb44010283947b9c8b8f690e3344.exe | 90 (3 identical entries)
PID 1732 wrote to memory of 2868 | 1732 | 7afabb44010283947b9c8b8f690e3344.exe | 91 (2 identical entries)
PID 1504 wrote to memory of 2340 | 1504 | dltgxlkdaq.exe | 93 (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\7afabb44010283947b9c8b8f690e3344.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7afabb44010283947b9c8b8f690e3344.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1732

  C:\Windows\SysWOW64\dltgxlkdaq.exe
    Command line: dltgxlkdaq.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1504

    C:\Windows\SysWOW64\ubrcryeo.exe
      Command line: C:\Windows\system32\ubrcryeo.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID:2340

  C:\Windows\SysWOW64\lslzqcfqrvakbak.exe
    Command line: lslzqcfqrvakbak.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2228

  C:\Windows\SysWOW64\ubrcryeo.exe
    Command line: ubrcryeo.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:224

  C:\Windows\SysWOW64\xcbhhahfurlwk.exe
    Command line: xcbhhahfurlwk.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:100

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Downloads
-
Filesize
512KB
MD5
d36f2c6d96d6265e3e742314c47e2617
SHA1
c75f625f2496389decddf0c1893ce7fcb5452c80
SHA256
1f80487e1232e84ee2e0ab3e22b9f557326bf801dc26cd5b17141a004cf234a6
SHA512
6bec56b97e2cf60d86d7826adf225be33552f5608f16108d8e1737457d7a8d108d3cad55cde478e1a599603aa4fd283c6f48f3d3ffe0a6a52a75e25e614ef240
-
Filesize
512KB
MD5
2f59d65b8cc62950e2eca12f97e7aea5
SHA1
70425546b3d2727662186375a6530e21d530fe98
SHA256
6e54136b68b1e75504c72dc2071d2abb45d736bcceafebdf85366a828c2773bb
SHA512
da752bc91e61706f9687cebc246de04145faab9864ed99f17a9210831527e85e2abf03796d669d41b61b84b8d1110952cdf459fb10a8329f693874bd23424bd8
-
Filesize
239B
MD5
12b138a5a40ffb88d1850866bf2959cd
SHA1
57001ba2de61329118440de3e9f8a81074cb28a2
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
b15ecd3d0ef1516eed2d17af50060903
SHA1
735806023f6c2329f8bbcd156ad28fde592cfd3b
SHA256
3f09008f007ab79fd07f6bfaa0e93e374a2f325924e61ba8102b4e80afdc7661
SHA512
bfbf102dc6214135de217b1651aab45aacbf400b5335b79e9a0d1835878b78d25b4e880295860b053023cf5782f843401f07f380fbf9e183a4435f636ba571e6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
c3e091582c2285b57c52bfe239239096
SHA1
4a02d633ec9eb568ca55282c4c1a1f1c6d50ecbf
SHA256
0978aa2305a0f3ffa05f08f5826b04759dd0ece17534d60f49b07e5b55be0364
SHA512
e19959413ebe5af1a8d2563834c8dc4d5bcc38d7d8914410d81618e4dbc3028bf9e8cc2132f41e6d1f8385d6d2c7880c68e33442c59378578e4fa7c98ac570d9
-
Filesize
512KB
MD5
475441fbacffce27251428ced91d0270
SHA1
a423e6dff9178cd8cef781bb8cb7b0702a3fcb7f
SHA256
e1b6c7c5dde2c580a0244f5c28bf908f6b399fea98f3b58689a0b8314c77dd39
SHA512
1a83cefba0aaa070410b5590565aced6fa7b363d5745b46ba99f4010d0cb34da6ab851eb8ea862e0ec39f2f4f934f85e82b28dfd3af7d78864254d56fe7fa30a
-
Filesize
512KB
MD5
5da24f952c0416af68c7e0aa204ac1e8
SHA1
3d1849e54a890683772280e75da0c0c77327fe24
SHA256
9b66394ddafd475e1da0b59f5fa06c6fe83ada2a352b942d74ea59144ce3b9b6
SHA512
6fed35949a3c84ecd9dcbcbede932c1b065b7a56c680a7921d007b58355ce91d1656ff88294c6fead2fbae8620381ca1bd2ed7b3d263db7fb71102399a8475df
-
Filesize
512KB
MD5
33cf227a9e4131a1214ac21a5ef7c2b8
SHA1
b21bf49f8e3e9e1bbbd72d70ff629ef1677f9108
SHA256
2dee1a6442d38a7a3d451834295c5ba3ae631e6e523286b48775bcabc7608511
SHA512
8de9c8158f827d36a51c13c0419c8b5cb3ba69ba15fa14698b7dccbbb0028dc5dd576c8e6aa343a81a699d748a60cd7e763c12e0fb86599820a6bb4b19c54b2f
-
Filesize
512KB
MD5
38990487607a6a73e0308f6f3ce3e745
SHA1
12478632b7b936c3a43ae188bc291cfc525be976
SHA256
32d942b4b6fe7af40ec5aa8adcdd03b2ce5bb40632ecc0e288ac286fdb407689
SHA512
88cff8922d126e6d11cd0f3ecd444b579ec9650a3739c9b9e01883b849cc6dbfc1a2e526ca8f3f551849b9d406e12da419b298eeba40fa96fcacb439a15f4ae1
-
Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5
9347e074f0e27913b088d2121388dc61
SHA1
db7e102b6b5a6f9b992085161eaf53d25acf10cc
SHA256
380fd17beb0ab20f3f0447ed3404188cd48a0aea7e9296be42357fbc62f2b54e
SHA512
1ff534efa2b744f87019306f191a022e42493bc204dc8695518aaaf043e29e3e01f69d5f51f03c87871bfa3446fd1ee5cb7b29304b2e17e98706479618d3f394
-
Filesize
512KB
MD5
4cf6beb7406b7aa2c1f722ec24f0c611
SHA1
d00c80d17c979164a0b45e38b18819cb13e2d85d
SHA256
f8705d8859979a8b6bdfc6d78741641afe2e9b171aba545b2e8bd88cffd30568
SHA512
91d2c8a80bad8d500d439da44b660629d728da1c3bea24880d89839f71ab3d5b1ee21eddff4d30d28c9b5506574d5b939e0f10d84615ad48b77ca0afe66d8dc2
-
Filesize
512KB
MD5
4f0aca6a1ec6f96ed742f1522ccf5dca
SHA1
f0cc34300ea1d481cf7b21e0b4714805581fb686
SHA256
8db7ce159a4d341b9ddbbe5957888923b601f2e2087b5f3b028a6993128f06e0
SHA512
32fbbae5fff12fbf61e0437ab5eb1d37fffaec592f7298b648d9da41fd3e5e1df4837aee0227763191899275ee1a2d5664548d9a254390382e243e81e0b89f0d