Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
submitted: 27/01/2024, 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: 7b08b4850997162cb775641f8e651d38.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7b08b4850997162cb775641f8e651d38.exe
  Resource: win10v2004-20231222-en
General
Target: 7b08b4850997162cb775641f8e651d38.exe
Size: 512KB
MD5: 7b08b4850997162cb775641f8e651d38
SHA1: 1e6b1cda9e5485d687e0c8cbcee9e860c133ea86
SHA256: 567f54e9750445ceee03431cf67310b5b258d25ba9ac4c686989b56b61b1118a
SHA512: 5c2959ce5df916279ca4d3b4e35e9e89b65b0928f925c68fb5c1e1fe39a1d0e68bdf49b797e506872a0297991f8285b19ff8a675bd3612d0b4d22a82edbc6cda
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rpkxxhxqiw.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rpkxxhxqiw.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rpkxxhxqiw.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rpkxxhxqiw.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 7b08b4850997162cb775641f8e651d38.exe
Executes dropped EXE 5 IoCs
pid | Process
1472 | rpkxxhxqiw.exe
512 | wgdjxzcqxyjxpte.exe
3108 | qkhcqhrd.exe
2720 | ggjdccdazibes.exe
4644 | qkhcqhrd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rpkxxhxqiw.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hdseycvh = "rpkxxhxqiw.exe" | wgdjxzcqxyjxpte.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzqnczrs = "wgdjxzcqxyjxpte.exe" | wgdjxzcqxyjxpte.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ggjdccdazibes.exe" | wgdjxzcqxyjxpte.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\n: | qkhcqhrd.exe
File opened (read-only) | \??\z: | qkhcqhrd.exe
File opened (read-only) | \??\h: | rpkxxhxqiw.exe
File opened (read-only) | \??\i: | rpkxxhxqiw.exe
File opened (read-only) | \??\p: | rpkxxhxqiw.exe
File opened (read-only) | \??\g: | qkhcqhrd.exe
File opened (read-only) | \??\h: | qkhcqhrd.exe
File opened (read-only) | \??\k: | qkhcqhrd.exe
File opened (read-only) | \??\j: | qkhcqhrd.exe
File opened (read-only) | \??\m: | rpkxxhxqiw.exe
File opened (read-only) | \??\r: | qkhcqhrd.exe
File opened (read-only) | \??\r: | rpkxxhxqiw.exe
File opened (read-only) | \??\t: | rpkxxhxqiw.exe
File opened (read-only) | \??\b: | qkhcqhrd.exe
File opened (read-only) | \??\a: | qkhcqhrd.exe
File opened (read-only) | \??\g: | qkhcqhrd.exe
File opened (read-only) | \??\s: | rpkxxhxqiw.exe
File opened (read-only) | \??\p: | qkhcqhrd.exe
File opened (read-only) | \??\q: | qkhcqhrd.exe
File opened (read-only) | \??\i: | qkhcqhrd.exe
File opened (read-only) | \??\g: | rpkxxhxqiw.exe
File opened (read-only) | \??\i: | qkhcqhrd.exe
File opened (read-only) | \??\y: | qkhcqhrd.exe
File opened (read-only) | \??\q: | rpkxxhxqiw.exe
File opened (read-only) | \??\z: | rpkxxhxqiw.exe
File opened (read-only) | \??\a: | qkhcqhrd.exe
File opened (read-only) | \??\r: | qkhcqhrd.exe
File opened (read-only) | \??\t: | qkhcqhrd.exe
File opened (read-only) | \??\t: | qkhcqhrd.exe
File opened (read-only) | \??\a: | rpkxxhxqiw.exe
File opened (read-only) | \??\s: | qkhcqhrd.exe
File opened (read-only) | \??\z: | qkhcqhrd.exe
File opened (read-only) | \??\u: | rpkxxhxqiw.exe
File opened (read-only) | \??\o: | qkhcqhrd.exe
File opened (read-only) | \??\q: | qkhcqhrd.exe
File opened (read-only) | \??\s: | qkhcqhrd.exe
File opened (read-only) | \??\p: | qkhcqhrd.exe
File opened (read-only) | \??\y: | qkhcqhrd.exe
File opened (read-only) | \??\j: | qkhcqhrd.exe
File opened (read-only) | \??\v: | qkhcqhrd.exe
File opened (read-only) | \??\k: | rpkxxhxqiw.exe
File opened (read-only) | \??\v: | rpkxxhxqiw.exe
File opened (read-only) | \??\x: | qkhcqhrd.exe
File opened (read-only) | \??\w: | qkhcqhrd.exe
File opened (read-only) | \??\m: | qkhcqhrd.exe
File opened (read-only) | \??\k: | qkhcqhrd.exe
File opened (read-only) | \??\n: | qkhcqhrd.exe
File opened (read-only) | \??\b: | rpkxxhxqiw.exe
File opened (read-only) | \??\y: | rpkxxhxqiw.exe
File opened (read-only) | \??\l: | qkhcqhrd.exe
File opened (read-only) | \??\v: | qkhcqhrd.exe
File opened (read-only) | \??\x: | qkhcqhrd.exe
File opened (read-only) | \??\n: | rpkxxhxqiw.exe
File opened (read-only) | \??\u: | qkhcqhrd.exe
File opened (read-only) | \??\b: | qkhcqhrd.exe
File opened (read-only) | \??\h: | qkhcqhrd.exe
File opened (read-only) | \??\x: | rpkxxhxqiw.exe
File opened (read-only) | \??\e: | qkhcqhrd.exe
File opened (read-only) | \??\l: | qkhcqhrd.exe
File opened (read-only) | \??\o: | qkhcqhrd.exe
File opened (read-only) | \??\w: | qkhcqhrd.exe
File opened (read-only) | \??\u: | qkhcqhrd.exe
File opened (read-only) | \??\l: | rpkxxhxqiw.exe
File opened (read-only) | \??\e: | rpkxxhxqiw.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rpkxxhxqiw.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rpkxxhxqiw.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1820-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023237-18.dat | autoit_exe
behavioral2/files/0x000600000002323c-26.dat | autoit_exe
behavioral2/files/0x000600000002323d-31.dat | autoit_exe
behavioral2/files/0x000600000002323d-32.dat | autoit_exe
behavioral2/files/0x000600000002323c-27.dat | autoit_exe
behavioral2/files/0x000600000002323b-24.dat | autoit_exe
behavioral2/files/0x000600000002323b-23.dat | autoit_exe
behavioral2/files/0x0007000000023237-19.dat | autoit_exe
behavioral2/files/0x000600000002323b-5.dat | autoit_exe
behavioral2/files/0x000600000002323c-35.dat | autoit_exe
behavioral2/files/0x000c00000001e0bc-82.dat | autoit_exe
behavioral2/files/0x000800000001e570-85.dat | autoit_exe
behavioral2/files/0x000800000001e570-102.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | C:\Windows\SysWOW64\rpkxxhxqiw.exe | 7b08b4850997162cb775641f8e651d38.exe
File created | C:\Windows\SysWOW64\qkhcqhrd.exe | 7b08b4850997162cb775641f8e651d38.exe
File opened for modification | C:\Windows\SysWOW64\ggjdccdazibes.exe | 7b08b4850997162cb775641f8e651d38.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rpkxxhxqiw.exe
File created | C:\Windows\SysWOW64\ggjdccdazibes.exe | 7b08b4850997162cb775641f8e651d38.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | C:\Windows\SysWOW64\rpkxxhxqiw.exe | 7b08b4850997162cb775641f8e651d38.exe
File created | C:\Windows\SysWOW64\wgdjxzcqxyjxpte.exe | 7b08b4850997162cb775641f8e651d38.exe
File opened for modification | C:\Windows\SysWOW64\wgdjxzcqxyjxpte.exe | 7b08b4850997162cb775641f8e651d38.exe
File opened for modification | C:\Windows\SysWOW64\qkhcqhrd.exe | 7b08b4850997162cb775641f8e651d38.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qkhcqhrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qkhcqhrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qkhcqhrd.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qkhcqhrd.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qkhcqhrd.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qkhcqhrd.exe
File opened for modification | C:\Windows\mydoc.rtf | 7b08b4850997162cb775641f8e651d38.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rpkxxhxqiw.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | 7b08b4850997162cb775641f8e651d38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D789C2282576D3476A7772E2DDF7D8765DE" | 7b08b4850997162cb775641f8e651d38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rpkxxhxqiw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rpkxxhxqiw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB1FF6721DDD179D0D48B7F9162" | 7b08b4850997162cb775641f8e651d38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rpkxxhxqiw.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7b08b4850997162cb775641f8e651d38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12147E6399A52CFBAA133E8D7BB" | 7b08b4850997162cb775641f8e651d38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFFFB482A856E9142D75D7D91BD97E641593767456344D6EE" | 7b08b4850997162cb775641f8e651d38.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC77B14E3DAB5B8BE7F97ECE737CA" | 7b08b4850997162cb775641f8e651d38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FACAF910F19384783A4B86983E90B3FE03FD43620248E2CE459D08D6" | 7b08b4850997162cb775641f8e651d38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rpkxxhxqiw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rpkxxhxqiw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rpkxxhxqiw.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3164 | WINWORD.EXE
3164 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive repeated entries collapsed with a count)
1820 | 7b08b4850997162cb775641f8e651d38.exe (16 entries)
512 | wgdjxzcqxyjxpte.exe (10 entries)
1472 | rpkxxhxqiw.exe (10 entries)
3108 | qkhcqhrd.exe (8 entries)
2720 | ggjdccdazibes.exe (12 entries)
512 | wgdjxzcqxyjxpte.exe (2 entries)
4644 | qkhcqhrd.exe (6 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1820 | 7b08b4850997162cb775641f8e651d38.exe
1820 | 7b08b4850997162cb775641f8e651d38.exe
1820 | 7b08b4850997162cb775641f8e651d38.exe
512 | wgdjxzcqxyjxpte.exe
512 | wgdjxzcqxyjxpte.exe
512 | wgdjxzcqxyjxpte.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
2720 | ggjdccdazibes.exe
2720 | ggjdccdazibes.exe
2720 | ggjdccdazibes.exe
4644 | qkhcqhrd.exe
4644 | qkhcqhrd.exe
4644 | qkhcqhrd.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1820 | 7b08b4850997162cb775641f8e651d38.exe
1820 | 7b08b4850997162cb775641f8e651d38.exe
1820 | 7b08b4850997162cb775641f8e651d38.exe
512 | wgdjxzcqxyjxpte.exe
512 | wgdjxzcqxyjxpte.exe
512 | wgdjxzcqxyjxpte.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
1472 | rpkxxhxqiw.exe
3108 | qkhcqhrd.exe
2720 | ggjdccdazibes.exe
2720 | ggjdccdazibes.exe
2720 | ggjdccdazibes.exe
4644 | qkhcqhrd.exe
4644 | qkhcqhrd.exe
4644 | qkhcqhrd.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
3164 | WINWORD.EXE
3164 | WINWORD.EXE
3164 | WINWORD.EXE
3164 | WINWORD.EXE
3164 | WINWORD.EXE
3164 | WINWORD.EXE
3164 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1820 wrote to memory of 1472 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 92
PID 1820 wrote to memory of 1472 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 92
PID 1820 wrote to memory of 1472 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 92
PID 1820 wrote to memory of 512 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 91
PID 1820 wrote to memory of 512 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 91
PID 1820 wrote to memory of 512 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 91
PID 1820 wrote to memory of 3108 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 89
PID 1820 wrote to memory of 3108 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 89
PID 1820 wrote to memory of 3108 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 89
PID 1820 wrote to memory of 2720 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 90
PID 1820 wrote to memory of 2720 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 90
PID 1820 wrote to memory of 2720 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 90
PID 1820 wrote to memory of 3164 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 93
PID 1820 wrote to memory of 3164 | 1820 | 7b08b4850997162cb775641f8e651d38.exe | 93
PID 1472 wrote to memory of 4644 | 1472 | rpkxxhxqiw.exe | 95
PID 1472 wrote to memory of 4644 | 1472 | rpkxxhxqiw.exe | 95
PID 1472 wrote to memory of 4644 | 1472 | rpkxxhxqiw.exe | 95
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\7b08b4850997162cb775641f8e651d38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b08b4850997162cb775641f8e651d38.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1820
  C:\Windows\SysWOW64\qkhcqhrd.exe
    Command line: qkhcqhrd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3108
  C:\Windows\SysWOW64\ggjdccdazibes.exe
    Command line: ggjdccdazibes.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2720
  C:\Windows\SysWOW64\wgdjxzcqxyjxpte.exe
    Command line: wgdjxzcqxyjxpte.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 512
  C:\Windows\SysWOW64\rpkxxhxqiw.exe
    Command line: rpkxxhxqiw.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1472
    C:\Windows\SysWOW64\qkhcqhrd.exe
      Command line: C:\Windows\system32\qkhcqhrd.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4644
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3164
Network
MITRE ATT&CK Enterprise v15 (number in parentheses is the count of matched signatures)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 241KB
MD5: 2f1beaa723a50338d3e6e3766fe66da0
SHA1: 36192b22b85ab03b5b4f696aa0140e6375782d96
SHA256: 83b1eb960adde2a7e9a5d3de3ce9950f0d64ef7d42241d2854f3526fe08dfe5f
SHA512: 622c0ef15fdb97794ae53faa78d312bef6ff4fe9741aa8f12fda6fa6ace3a3bc49f08109b4bb027d77b38618c6c0a109037e1ddf72cbda1592eb9923a8c5fadd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 8eb15fa77124e5b3a06e949b66c3f47c
SHA1: b7870f4c744c3753614eea9a1b12d5f0d144f680
SHA256: 9fed5ead0040bcd2bdc3b7ff5ed4a1e096bfb545c2ab0953393a31f7fc8bd3d7
SHA512: e32445ad95e32e4498e418be0c8f9f9bff163df00e326ac6b86d2c9d4298353b4dcfa03323d815fd7d9ac74727776b7aab6b8744ed73999035d9b2176982efca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 1c1949bfcb2b73e2ee8f1a8724021771
SHA1: 472bf121349b58633b73b5d77a570c86a9a4f043
SHA256: d3e79e896275d0b3a018121316abbc58b673a5ea4d995bf9e43eb06f37dc0969
SHA512: 3f20d50335fe367d68ca82851f145939282ba4973c6feceeff382b124b2eed70e263e50378a17ec8fa4099734d0836b170701e03ffeec79efc265ad8d31484b3

Filesize: 322KB
MD5: abb2a86945c4e328e20397d795be4234
SHA1: e91614f7953e294ceaceeacf43ef6fba4b446f00
SHA256: d420524d462492e3b2948f0eb5a20b6b0070f3d8aee38d3f8b92ce69cacdf37c
SHA512: 4f27da8bc5f8c5721f526f0afd7b672f4451c4f6a334f268293bed80e742a63534ea9ebd0e19aaf8cf2efec393331625d458da7d290e25d18ba0a9827ddc212f

Filesize: 278KB
MD5: 6c4c3f1eaeaf8afbf0ef92d134cec511
SHA1: 6062699b9c9d28a3cb484c2ba3b345e189682a5b
SHA256: 0a0085a8311ab8fa356f7968169957ab77dcde77903b57abe791182f117ce7a8
SHA512: 4cb1c1957053540a9f35e883df33a13e66744585d82a4c60eb5ffddbf840b0916ebbf3e2db6ced31ed5453e84cfae8104703a9319f31607dab9e780d45c1f5a7

Filesize: 200KB
MD5: ea7c1c9c0a31dbf813d7c0cb9a7b7810
SHA1: f2fdd69417d3fd8229f0fa21adb030b024e19529
SHA256: 156a7cf9624262c2c7c6d71d33964f7fb8b66ae3bed11d093921827f4e5287c9
SHA512: 19a080ab415c032a91556f202a16af5d585a90f896ccd2f8daf34aa9fe98c0b492f56bf5c4c69748f3ad8f3f7d0605ce112f1e56e13e5180b5f4cb2bb840bd56

Filesize: 368KB
MD5: f227be5b27260d6085bf895b370b5614
SHA1: 2f9206f71bd602d0481e61171ad904a833e75dbd
SHA256: 653b23fb25464cfa9686321280aa3939435461c88d3b6236419d3e9fb00c1a60
SHA512: be3f53b2199d940280f26e32b8aea648c48581dc9eda6092e5fb4f2a1de48edcb87e177307e023e5e3a55c57791335fe2901375ef9c2685d6b1c55f540e53624

Filesize: 143KB
MD5: 06b699aee2ee91242a10e9f3193143ae
SHA1: 8ad02369beb34c9c7784594dfd569e0378c3237c
SHA256: 944c134743a9db4f4ff39ede6a80bce4e3cba19c2a10ec065949433d16dfdca8
SHA512: f5211ca3d56c80d3a9979f3e5df93088ad7b07ecd758ac162cbecfe3af2edc8b253bfc26f6a12ac70595d2c15a48f362a2521ea7a3b51cf705ac00591862e30a

Filesize: 356KB
MD5: 2a8ba7440eecdf09ea2f6d9acf5c0e91
SHA1: 4074cc55e3da679e04819d0b631c9b518b7f68c6
SHA256: 3526a4de60eed5680d62ddc690738160a596855fbb5615b64eb367b076523d96
SHA512: 56f5fd6acb8cb6458f2ccf334f9fee93eb5e04a94945bb07e8ee2d64679e0945541fab2054c7699d6115ab6c4913768bda92fbb1b7495392abe86a701c3febbc

Filesize: 338KB
MD5: 2cd38696b8e60f666d63ddd71249f428
SHA1: 108d3b4f0e5aff73ccb6f49d799da1404bc4d4b1
SHA256: 1ec2c9614a521404cd65767f0eab79c8d0639b79f57ef171c3afac0e9c22cfed
SHA512: fc345d253c2827668becd1ffbd0eade1c977221c1038f24f2f6991b4bb873231d99a6aa28e5e5c3bb9f72468d245f8b51b26bd9b9c9c26abe07716116f1341c5

Filesize: 276KB
MD5: e6844422b6061da0fa919ce9353f209c
SHA1: 21b22283ff2636b510b4151a96d75c2f10fd91a6
SHA256: daed3082354eb4816ef1c087d6b371e80c78006d25f18312578c29d70163f878
SHA512: eb5a57d9ed6fdb3b5a1f13f29bbf76ae720344daf30f2c74f4df5e338145dbe2934e982bc372febd96f232173bad2b2cb9091a8b6af2b958966578e9c32b042a

Filesize: 246KB
MD5: 0da7fdadeb7400bf0c51193959312626
SHA1: c25f0044010bf54c67dc63a8ceb7767402d3ff7d
SHA256: 0409aa648f9ec9b27c589cb5d09d453e077eba8bd4b3c246494d37a4eee6896a
SHA512: 7bb29ba783e929e6d43cfe88c57b9b276de76ebd9a7ce0c00d5970ef7c720044edd8731809db5263c1a89da7ce1f83546b73308c7c150ddb9f0c46762dba7957

Filesize: 431KB
MD5: 426bf5fb1f9c4d49ec7fcd4a2f0a0593
SHA1: 572ec933859679ac5031ccb11218756fc05ecb83
SHA256: d35d84c5c3a6f7f59d016e3a9e3666835769df62c08625ff75756f0ce6a926ab
SHA512: 339a7cdb38ae33b2e91c0eafcf33a38b4e24c9ac7b5243e8f768cb6ba8595add056f0cb5e0e19a93a1a4905ab352f28eea8d09e9e3d910f74554ef64b9bede7e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 70a3978b8722589e124aaa13f4bfd15f
SHA1: 65206d909b91e418e59bb443b9d3f5574bec39a1
SHA256: c231ddab24f2e6a0c74e8c9ae92b7e6d582f7c8f1b4009c20caf4cb65c504c85
SHA512: fdeeb1e2c598062666e93f099b2ea8316570a42a6d51f381c04cc1718f8fa864ed79e449a1f49f149911ffffac5b0c58114c951eede7a940609ce5b6538f0039

Filesize: 512KB
MD5: 09a22217537e8dc6e5112371dd2e7b3f
SHA1: b51be7d82923c3beec820e827cd269e50fec73e8
SHA256: 58cdfe94f6d3caae147799e6318fdb8160e71b16d2fe58a2719f096ec5ac6999
SHA512: 770582f21084f3785e4ebf9baf77164acd0fa1ff2db58ab1cd9cda956d69d285643c70849b6fcb5a458fc345e8df1b15fa58cf1cd20ea15f8aa0d6229c8df908