Analysis
max time kernel: 149s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-01-2024 05:36
Static task: static1
Behavioral task: behavioral1 (sample 7c4790d5aa23778c5a38f50a3391ff96.exe, resource win7-20231215-en)
Behavioral task: behavioral2 (sample 7c4790d5aa23778c5a38f50a3391ff96.exe, resource win10v2004-20231215-en)
The signatures, process tree and yara matches below come from behavioral2 (Windows 10 2004 x64); the yara resource names are prefixed behavioral2/ accordingly.
General
Target: 7c4790d5aa23778c5a38f50a3391ff96.exe
Size: 512KB
MD5: 7c4790d5aa23778c5a38f50a3391ff96
SHA1: 09ef9f6ba68b4d1ac7f4e92005950aedd3ecb81c
SHA256: 6c775c41555e80e44d50c4cfb80dfafa477db785346b227ab5810f6fd2069fcf
SHA512: f02136508ec8c8bfcc47fc64b6d4ea7078958fc749ddc357bdf1cce186e1aafc2dcc8e8029958fa59acd2a8c6da5aacee12751192c28a40527e9130bd7e6fc92
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5C
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
With HideFileExt = 1, Explorer displays a name such as PROTTPLN.DOC.exe (one of the files written further down) as PROTTPLN.DOC, so a dropped executable passes for the document it is named after.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lvmnfthyut.exe
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
ShowSuperHidden = 0 makes Explorer hide files that carry both the hidden and system attributes, even when "show hidden files" is switched on.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lvmnfthyut.exe
-
Windows security bypass (5 IoCs)
The Security Center *DisableNotify values silence the notifications Windows raises when antivirus, firewall or updates are off, and the *Override values mark those states as acknowledged by the user; none of them turns a product off, so the aim is to keep the user from noticing rather than to disable protection. They date from the Windows XP SP2 Security Center, and whether Windows 10's Security Center still honours them is not something this report tests. The WOW6432Node prefix shows that the writer is a 32-bit process whose HKLM\SOFTWARE writes are redirected; the report shows only the redirected key.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | lvmnfthyut.exe
-
Disables RegEdit via registry modification (1 IoC)
DisableRegistryTools = 1 under the user's Policies\System key makes regedit.exe refuse to start for that account, which blocks the obvious manual clean-up of the values in this section.
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lvmnfthyut.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely as a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 7c4790d5aa23778c5a38f50a3391ff96.exe
-
Executes dropped EXE (5 IoCs)
All five are the files the sample wrote to C:\Windows\SysWOW64 (see Drops file in System32 directory). euybirwp.exe runs twice: once started by the sample (PID 3152) and once by lvmnfthyut.exe (PID 1632).
pid | process
924 | lvmnfthyut.exe
2176 | czfvqwyggbnwhwf.exe
2028 | sliytesiesumy.exe
3152 | euybirwp.exe
1632 | euybirwp.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No IoC rows are recorded for this signature on this page.
-
Windows security modification (6 IoCs)
The same Security Center values listed earlier, plus FirstRunDisabled; this broader rule re-counts the writes.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | lvmnfthyut.exe
-
Adds Run key to start application (2 TTPs, 3 IoCs)
All three values are written by czfvqwyggbnwhwf.exe under the machine-wide Run key (redirected to WOW6432Node) and hold bare file names with no directory. The second row has an empty value name, i.e. it is stored in the key's (Default) value, which some registry viewers do not list alongside the named entries.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qevkiflo = "czfvqwyggbnwhwf.exe" | czfvqwyggbnwhwf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sliytesiesumy.exe" | czfvqwyggbnwhwf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spfspinl = "lvmnfthyut.exe" | czfvqwyggbnwhwf.exe
-
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The 64 rows are all read-only opens of drive roots of the form \??\<letter>: and fold to two processes. Walking every drive letter is how worms find removable and network drives to copy onto; the report records only the root opens, not writes to any drive other than C:.
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\z: (21 rows) | lvmnfthyut.exe
File opened (read-only) | every letter a: through z: except c:, d: and f: (43 rows across the two instances, most letters twice) | euybirwp.exe
-
Modifies WinLogon (2 TTPs, 2 IoCs)
SFCDisable = 4294967197 is 0xFFFFFF9D, the value that (with a patched sfc.dll) switched off Windows File Protection on Windows 2000 and early XP; SFCScan = 0 is its companion setting. Windows 10 protects system files through Windows Resource Protection, which does not consult these values, so read the write as a fingerprint of older file-infector code rather than as an effective bypass.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | lvmnfthyut.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | lvmnfthyut.exe
-
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables. The rule fires on the sample's own image in memory and on eight dropped files, consistent with the dropped executables being compiled AutoIt scripts as well.
resource | yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023216-5.dat | autoit_exe
behavioral2/files/0x0008000000023211-18.dat | autoit_exe
behavioral2/files/0x0006000000023217-29.dat | autoit_exe
behavioral2/files/0x0006000000023218-28.dat | autoit_exe
behavioral2/files/0x000600000002321b-55.dat | autoit_exe
behavioral2/files/0x000600000002321c-61.dat | autoit_exe
behavioral2/files/0x000600000001db3c-99.dat | autoit_exe
behavioral2/files/0x000600000001db3c-101.dat | autoit_exe
-
Drops file in System32 directory (12 IoCs)
The sample writes its four components to C:\Windows\SysWOW64; lvmnfthyut.exe then opens the VB6 runtime msvbvm60.dll there for modification, and euybirwp.exe writes a MsoIrmProtector.doc.exe companion into the MSDRM folder.
description | ioc | process
File created | C:\Windows\SysWOW64\lvmnfthyut.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\SysWOW64\lvmnfthyut.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File created | C:\Windows\SysWOW64\czfvqwyggbnwhwf.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\SysWOW64\czfvqwyggbnwhwf.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File created | C:\Windows\SysWOW64\euybirwp.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\SysWOW64\euybirwp.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File created | C:\Windows\SysWOW64\sliytesiesumy.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\SysWOW64\sliytesiesumy.exe | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | lvmnfthyut.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euybirwp.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
-
Drops file in Program Files directory (15 IoCs)
All rows are from euybirwp.exe and target the Office 16 English template folder: it creates PROTTPLN.DOC.exe and PROTTPLV.DOC.exe, names that look like an Office document with .exe appended, and opens same-stem PROTTPLN.nal and PROTTPLV.nal files for modification. A document name with .exe appended, shown with extensions hidden (HideFileExt above), is the companion-infector pattern.
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euybirwp.exe (2 rows)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euybirwp.exe (2 rows)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | euybirwp.exe (2 rows)
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | euybirwp.exe (2 rows)
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euybirwp.exe (2 rows)
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euybirwp.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euybirwp.exe (2 rows)
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euybirwp.exe (2 rows)
-
Drops file in Windows directory (19 IoCs)
euybirwp.exe writes MsoIrmProtector.doc.exe companions into all four WinSxS folders of the r..t-office-protectors component (amd64 and wow64 flavours, versions 10.0.19041.1 and 10.0.19041.746; the component name is truncated on the page), four rows per folder. The remaining three rows are C:\Windows\mydoc.rtf, written by the sample and then opened by the WINWORD.EXE it launches, and Word's own lock file ~$mydoc.rtf. The report records the open/create calls, not their outcome; WinSxS and Program Files are protected paths, so confirm on disk whether the writes succeeded before drawing conclusions about system-file integrity.
description | ioc | process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euybirwp.exe (2 rows)
File opened for modification | C:\Windows\mydoc.rtf | 7c4790d5aa23778c5a38f50a3391ff96.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
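The Program Files and WinSxS rows above show euybirwp.exe creating executables whose names are a document-looking name with ".exe" appended (PROTTPLN.DOC.exe, MsoIrmProtector.doc.exe) next to same-stem files. The following Python is an added example, not code from the report or from the sample, of the filesystem sweep an incident responder could run over a copied directory tree to surface that pattern: PE files (checked by the MZ header) whose name has a document-like inner extension and an .exe outer extension, reported together with same-stem siblings. It generalises beyond the page's .DOC case to a small set of document extensions. The directory layout in build_sample_tree is constructed for the demonstration with placeholder contents, and the function names are this example's own.

```python
import os
import tempfile
from pathlib import Path

# Inner extensions that make a trailing ".exe" suspicious (constructed list; extend to taste).
DOC_LIKE = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}


def is_pe(path) -> bool:
    """True if the file starts with the 'MZ' DOS header every PE image carries."""
    try:
        with Path(path).open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def double_extension(path):
    """('PROTTPLN', '.doc') for PROTTPLN.DOC.exe; None when there is no doc-like inner extension."""
    path = Path(path)
    suffixes = path.suffixes
    if len(suffixes) >= 2 and suffixes[-1].lower() == ".exe" and suffixes[-2].lower() in DOC_LIKE:
        stem = path.name[: -len("".join(suffixes[-2:]))]
        return stem, suffixes[-2].lower()
    return None


def sweep(root):
    """Companion-file findings under root: PE files named <stem>.<doc>.exe plus same-stem siblings."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        directory = Path(dirpath)
        for fname in files:
            path = directory / fname
            hit = double_extension(path)
            if hit is None or not is_pe(path):
                continue                      # plain .exe, or a double extension that is not a PE
            stem, inner = hit
            prefix = stem.lower() + "."
            siblings = sorted(n for n in files if n != fname and n.lower().startswith(prefix))
            findings.append({"path": str(path.relative_to(root)), "stem": stem,
                             "inner_ext": inner, "siblings": siblings})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base):
    """Constructed stand-in for the paths this report lists; every file body is a placeholder."""
    base = Path(base)
    office = base / "Program Files" / "Microsoft Office" / "root" / "Office16" / "1033"
    msdrm = base / "Windows" / "SysWOW64" / "MSDRM"
    office.mkdir(parents=True, exist_ok=True)
    msdrm.mkdir(parents=True, exist_ok=True)
    fake_pe = b"MZ" + b"\0" * 62                                 # just enough to pass the MZ check
    (office / "PROTTPLN.DOC.exe").write_bytes(fake_pe)           # companion executable (as in the report)
    (office / "PROTTPLN.nal").write_bytes(b"placeholder")        # same-stem .nal (as in the report)
    (office / "PROTTPLV.DOC.exe").write_bytes(fake_pe)
    (office / "PROTTPLV.nal").write_bytes(b"placeholder")
    (msdrm / "MsoIrmProtector.doc.exe").write_bytes(fake_pe)
    (msdrm / "MsoIrmProtector.doc").write_bytes(b"placeholder")  # original name; content assumed
    (office / "README.doc.exe").write_bytes(b"not a PE image")   # double extension but no MZ: ignored
    (office / "notes.txt").write_bytes(b"benign")
    return base


def demo_sweep():
    """Build the constructed tree in a fresh temp directory and sweep it."""
    root = Path(tempfile.mkdtemp(prefix="sweep-demo-"))
    return sweep(build_sample_tree(root))


if __name__ == "__main__":
    for f in demo_sweep():
        print(f"{f['path']}: {f['stem']}{f['inner_ext']} + .exe, siblings={f['siblings']}")
```

The sweep only reports; it does not delete. A same-stem sibling such as PROTTPLN.nal may be the displaced original and is evidence worth preserving, and the MZ check is deliberately loose: it filters out text files with a double extension but will also miss a companion that is not a PE image.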
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). No IoC rows are recorded for this signature on this page.
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all three reads are attributed to WINWORD.EXE, the Word instance the sample launched on C:\Windows\mydoc.rtf, not to the sample or its drops, so attribute them to Word's start-up rather than to evasion by the malware.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Same attribution as above: the BIOS reads are WINWORD.EXE's, not the sample's.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class (20 IoCs)
Two different things are recorded under this heading. lvmnfthyut.exe creates the HKLM\SOFTWARE\Classes keys for .bat, .vbs, .reg, .wsh, .wsf and .wsc and sets each key's (Default) ProgID to "txtfile", so double-clicking a batch file, a VBScript or a .reg file opens it in Notepad instead of running or importing it; that breaks script- and .reg-based clean-up without touching the script engines themselves. The sample itself creates HKLM\Software\Classes\CLV.Classes and stores six opaque hex strings there (Com1 to Com4, StartCom1 and StartCom2); the report does not decode them, and they are the obvious place to look for the sample's configuration or state.
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | lvmnfthyut.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | lvmnfthyut.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | lvmnfthyut.exe
Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02F44E7399953BEB9D03392D4BF" | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334F2D7E9C2483516A4377D4702E2DD77CF465DD" | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9BEF96BF2E4840E3A4681EB3996B088028F4366023EE1BD45E708D3" | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFF8B48298218903CD75B7E96BDE4E137584466426333D69D" | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67414E4DAB0B8CD7CE2ED9234C6" | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | lvmnfthyut.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7c4790d5aa23778c5a38f50a3391ff96.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | lvmnfthyut.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | lvmnfthyut.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | lvmnfthyut.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B5FE1D22DBD10BD0A78A0C9166" | 7c4790d5aa23778c5a38f50a3391ff96.exe
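The registry writes under the Explorer, Security Center, RegEdit, Winlogon, Run-key and registry-class signatures above share one shape: a 32-bit process setting a handful of well-known values. The following Python is an added example, not part of the sandbox report and not the sample's code, that parses IoC rows in the report's own "Set value (type) <key> = "<value>" <process>" / "Key created <key> <process>" layout, normalises the hive prefix and the WOW6432Node hop, and scores the rows against a small rule table covering the defense-impairment and persistence values seen on this page. The sample rows are copied from this report; the rule names and the functions (parse_ioc, normalize_key, match_rules, triage_registry_iocs) are this example's own naming.

```python
import re
from collections import defaultdict

# IoC rows in the report's own layout (constructed list; each row is copied from this report).
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lvmnfthyut.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lvmnfthyut.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" lvmnfthyut.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" lvmnfthyut.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lvmnfthyut.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" lvmnfthyut.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qevkiflo = "czfvqwyggbnwhwf.exe" czfvqwyggbnwhwf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sliytesiesumy.exe" czfvqwyggbnwhwf.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" lvmnfthyut.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs lvmnfthyut.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02F44E7399953BEB9D03392D4BF" 7c4790d5aa23778c5a38f50a3391ff96.exe',
]

SET_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>.+) (?P<proc>\S+)$')

# (rule name, regex on the normalised key path, regex on the value name, required data or None).
# Rule names are this example's own; the keys and data are the ones this report lists.
RULES = [
    ("explorer_hide_extensions",   r"Explorer\\Advanced$",         r"HideFileExt",                               "1"),
    ("explorer_hide_super_hidden", r"Explorer\\Advanced$",         r"ShowSuperHidden",                           "0"),
    ("security_center_notify_off", r"Microsoft\\Security Center$", r"(AntiVirus|Firewall|Updates)DisableNotify", "1"),
    ("security_center_override",   r"Microsoft\\Security Center$", r"(AntiVirus|Firewall)Override",              "1"),
    ("security_center_first_run",  r"Microsoft\\Security Center$", r"FirstRunDisabled",                          "1"),
    ("regedit_disabled",           r"Policies\\System$",           r"DisableRegistryTools",                      "1"),
    # 4294967197 == 0xFFFFFF9D, the Windows 2000/XP-era value that disabled Windows File Protection.
    ("winlogon_sfc_tamper",        r"Winlogon$",                   r"SFC(Disable|Scan)",                         None),
    ("run_key_persistence",        r"CurrentVersion\\Run$",        r".*",                                        None),
    # (Default) ProgID of a script extension pointed at txtfile: double-click opens Notepad, not the script.
    ("script_ext_remapped_to_txtfile", r"Classes\\\.(bat|vbs|reg|wsh|wsf|wsc)$", r"",                        "txtfile"),
]


def normalize_key(key):
    r"""Rewrite \REGISTRY\MACHINE to HKLM and \REGISTRY\USER\<SID> to HKU\<SID>, dropping the WOW6432Node hop."""
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    else:
        m = re.match(r"\\REGISTRY\\USER\\S-1-5-[\d-]+(_Classes)?\\(.*)", key, re.I)
        if m:
            key = "HKU\\<SID>" + (m.group(1) or "") + "\\" + m.group(2)
    return re.sub(r"\\WOW6432Node\\", lambda _: "\\", key, flags=re.I)


def parse_ioc(line):
    """Parse one report row into a dict, or return None for rows in another layout."""
    m = SET_RE.match(line.strip())
    if m:
        key, name = m["key"].rsplit("\\", 1)   # a trailing "\" means the key's (Default) value
        return {"op": "set", "type": m["type"], "key": key, "name": name, "value": m["value"], "proc": m["proc"]}
    m = KEY_RE.match(line.strip())
    if m:
        return {"op": "create", "type": None, "key": m["key"], "name": None, "value": None, "proc": m["proc"]}
    return None


def match_rules(ioc):
    """Names of the rules whose key, value-name and data constraints all hold for a 'set' row."""
    if ioc["op"] != "set":
        return []                               # a bare key creation is parsed but not scored
    key = normalize_key(ioc["key"])
    hits = []
    for rule, key_re, name_re, required in RULES:
        if (re.search(key_re, key, re.I) and re.fullmatch(name_re, ioc["name"], re.I)
                and (required is None or ioc["value"] == required)):
            hits.append(rule)
    return hits


def triage_registry_iocs(lines):
    """{process: {rule: [value names]}} for every row that matches at least one rule."""
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None:
            continue
        for rule in match_rules(ioc):
            report[ioc["proc"]][rule].append(ioc["name"] or "(Default)")
    return {proc: dict(rules) for proc, rules in report.items()}


if __name__ == "__main__":
    for proc, rules in triage_registry_iocs(SAMPLE_IOCS).items():
        print(proc)
        for rule, names in rules.items():
            print(f"  {rule}: {', '.join(names)}")
```

Matching on the normalised path means a 32-bit writer (WOW6432Node) and a 64-bit writer hit the same rule, and the (Default) handling is what catches the Run\ and .bat\ rows that a value-name grep would skip. The CLV.Classes rows deliberately match nothing: opaque blobs under a custom ProgID are worth a look, but they are not a known-bad value.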
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process | rows
5104 | WINWORD.EXE | 2
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
One row per recorded call; the 64 rows fold to the six malware processes below. WINWORD.EXE does not appear.
pid | process | rows
4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 16
2176 | czfvqwyggbnwhwf.exe | 12
2028 | sliytesiesumy.exe | 12
924 | lvmnfthyut.exe | 10
3152 | euybirwp.exe | 8
1632 | euybirwp.exe | 6
-
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process | rows
4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 3
2176 | czfvqwyggbnwhwf.exe | 3
2028 | sliytesiesumy.exe | 3
3152 | euybirwp.exe | 3
924 | lvmnfthyut.exe | 3
1632 | euybirwp.exe | 3
-
Suspicious use of SendNotifyMessage (18 IoCs)
pid | process | rows
4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 3
2176 | czfvqwyggbnwhwf.exe | 3
2028 | sliytesiesumy.exe | 3
3152 | euybirwp.exe | 3
924 | lvmnfthyut.exe | 3
1632 | euybirwp.exe | 3
-
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process | rows
5104 | WINWORD.EXE | 7
-
Suspicious use of WriteProcessMemory (17 IoCs)
Every target PID is a process the writer itself started (compare the Processes section) and the per-child counts are uniform, which is consistent with ordinary process creation in this view; a write into a PID the writer did not spawn would be the injection signal to look for. procid_target is the sandbox's own process index.
description | pid | process | procid_target | rows
PID 4820 wrote to memory of 924 | 4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 88 | 3
PID 4820 wrote to memory of 2176 | 4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 89 | 3
PID 4820 wrote to memory of 3152 | 4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 90 | 3
PID 4820 wrote to memory of 2028 | 4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 91 | 3
PID 4820 wrote to memory of 5104 | 4820 | 7c4790d5aa23778c5a38f50a3391ff96.exe | 92 | 2
PID 924 wrote to memory of 1632 | 924 | lvmnfthyut.exe | 94 | 3
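The WriteProcessMemory table above is, in effect, the edge list of the tree shown under Processes: each row names a writer PID and a target PID, and the trailing number is the sandbox's own process index. The following Python is an added example, not the report's code, that parses rows in that layout (whether on separate lines or run together on one line, as they are on this page), folds the repeated rows into one edge per writer/target pair, renders the tree with the same depth numbering as the Processes section, and lists any target PID that no known process accounts for. The rows and the PID-to-image map are copied from this report's WriteProcessMemory, Executes dropped EXE and Processes sections; the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Rows copied from this report's WriteProcessMemory table (one row per recorded write).
WPM_ROWS = """
PID 4820 wrote to memory of 924 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 88
PID 4820 wrote to memory of 924 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 88
PID 4820 wrote to memory of 924 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 88
PID 4820 wrote to memory of 2176 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 89
PID 4820 wrote to memory of 2176 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 89
PID 4820 wrote to memory of 2176 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 89
PID 4820 wrote to memory of 3152 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 90
PID 4820 wrote to memory of 3152 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 90
PID 4820 wrote to memory of 3152 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 90
PID 4820 wrote to memory of 2028 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 91
PID 4820 wrote to memory of 2028 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 91
PID 4820 wrote to memory of 2028 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 91
PID 4820 wrote to memory of 5104 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 92
PID 4820 wrote to memory of 5104 4820 7c4790d5aa23778c5a38f50a3391ff96.exe 92
PID 924 wrote to memory of 1632 924 lvmnfthyut.exe 94
PID 924 wrote to memory of 1632 924 lvmnfthyut.exe 94
PID 924 wrote to memory of 1632 924 lvmnfthyut.exe 94
"""

# PID -> image, copied from the report's "Executes dropped EXE" and "Processes" sections.
KNOWN_IMAGES = {
    4820: "7c4790d5aa23778c5a38f50a3391ff96.exe", 924: "lvmnfthyut.exe",
    2176: "czfvqwyggbnwhwf.exe", 3152: "euybirwp.exe", 2028: "sliytesiesumy.exe",
    1632: "euybirwp.exe", 5104: "WINWORD.EXE",
}

# The writer PID is repeated after the target; (?P=src) enforces that, so a malformed row is skipped.
ROW_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<index>\d+)")


def parse_edges(text):
    """({(writer, target): write count}, {writer pid: image}) from WriteProcessMemory rows."""
    edges, images = Counter(), {}
    for m in ROW_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["image"]
    return edges, images


def process_tree(text, known_images):
    """Depth-first list of (depth, pid, image, writes_from_parent); roots first, children by pid."""
    edges, images = parse_edges(text)
    images = {**known_images, **images}
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    roots = sorted({s for s, _ in edges} - {d for _, d in edges})
    out = []

    def walk(pid, depth, writes):
        out.append((depth, pid, images.get(pid, "<unknown>"), writes))
        for child in sorted(children[pid]):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 1, 0)
    return out


def untracked_targets(text, known_images):
    """Target PIDs that no listed process accounts for: where injection into a live process would show up."""
    edges, _ = parse_edges(text)
    return sorted({d for _, d in edges} - set(known_images))


if __name__ == "__main__":
    for depth, pid, image, writes in process_tree(WPM_ROWS, KNOWN_IMAGES):
        suffix = f"  ({writes} writes from parent)" if writes else ""
        print(f"{'  ' * (depth - 1)}{depth} PID {pid} {image}{suffix}")
    print("untracked targets:", untracked_targets(WPM_ROWS, KNOWN_IMAGES))
```

For this report untracked_targets returns nothing: every written-to PID is one the writer spawned, which is why the table reads as process creation rather than injection. Run the same check on a report where a target PID is missing from the Processes section and that PID is the one to pull a memory dump for.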
Processes
Each entry gives depth, image path, command line and PID; the signatures that process triggered follow it. The depth-3 euybirwp.exe is started by the 32-bit lvmnfthyut.exe with the command line C:\Windows\system32\euybirwp.exe, which WOW64 file-system redirection resolves to the SysWOW64 copy.
-
1 C:\Users\Admin\AppData\Local\Temp\7c4790d5aa23778c5a38f50a3391ff96.exe | "C:\Users\Admin\AppData\Local\Temp\7c4790d5aa23778c5a38f50a3391ff96.exe" | PID 4820
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\lvmnfthyut.exe | lvmnfthyut.exe | PID 924
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\euybirwp.exe | C:\Windows\system32\euybirwp.exe | PID 1632
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  2 C:\Windows\SysWOW64\czfvqwyggbnwhwf.exe | czfvqwyggbnwhwf.exe | PID 2176
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  2 C:\Windows\SysWOW64\euybirwp.exe | euybirwp.exe | PID 3152
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  2 C:\Windows\SysWOW64\sliytesiesumy.exe | sliytesiesumy.exe | PID 2028
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  2 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o "" | PID 5104
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Counts in parentheses are the number of signatures mapped to each technique. The Winlogon Helper DLL mapping is triggered by the writes under the Winlogon key (SFCScan and SFCDisable), not by a Notify, Userinit or Shell helper entry, so treat it as a key-location match rather than evidence of a logon helper.
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Paths are not recorded on this page for most entries; only the two Word jump-list files carry one. Six of the files are 512KB, the same size as the sample, but each has a different hash, so a hash block on the parent alone will not match the dropped files.

Filesize: 259KB
MD5: f10dc6f4ece29f057646de18064cd41e
SHA1: 8c6affffdce52d7c3d54dca9b49629c4887c0738
SHA256: 3845c007ae673dbc86a372a5363e459049a7856c86f17be3f9442b174235dc7b
SHA512: 6b0e227b07d82f9322fa73a66dbbc89ff94ea29b173deb4e2a72e9564ef3fa2fe00ec7e67e756883ed996d4a17ac16e6075a238ef690ecd6411030020c87a25f

Filesize: 394KB
MD5: db206cedb519c75b780449ca319d1439
SHA1: 7bb2aa353c0007cbf59428d5c6784f3f8c860f57
SHA256: e9e48bb94df8cd58895fcbf08f4f7e1691d99a534410934ee1d6c60fa7324ca5
SHA512: 66272572d5ccc6ea47f9227907b565912e9021f641f9ca959aa5c2b9b6ed6bce650babe06926dab0bb8aa9526bc533e57cf6911400132f80c23e59c508c50c61

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: f7f01241208393e368ad05092c441805
SHA1: c4ddaa56b833fbebada0456a3f625a07e1ac04eb
SHA256: a3520db9c8ee3d00ea1a34a7e1b5da5b62999090778eecb3544021e4e69aed56
SHA512: 06c2c1659c06077bc0eed40d5698b0d95dcae616854791ffde7e8551f8b903c216e790c90a01368872e23c3ca7d3b673a6e4b8faff652cacad5fadea78249732

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 45f756acd366e8a4f0e6f1382cdb27c6
SHA1: d788a6193f2c65fa927f473e1275a8523e776bd7
SHA256: af6b9bfbb54204eb5da03e2492b53cbb8743897402f97c2700c9801c1e71c1ab
SHA512: cf4c881be6d120ccbff4ea6d4b851ce3c4873fff7166adf96aa92ead56b1de6032c045a75624a5f966d94a9cfc964a022aedf11e31c92b20e7583a1334f0d62d

Filesize: 512KB
MD5: 51360519dbbe0cbf1414610581163f74
SHA1: a8300ae91f9988d6e1eec36b222d39a85e2b9d47
SHA256: 1d9f556978a3ca7d912195bbc2682c3f6ab7f64870a935002f1dac4061b72d66
SHA512: 6b24b291533c4daeae2e9d62665b384cc0d747e863c1b665e226a8124ad8a0200d0ba0aad960e60ffb6412da9ac79d3b576e0ba239de140b9f545f22a95e3436

Filesize: 512KB
MD5: d50c9a632577f5281b110f860eaf5b78
SHA1: 30bc2bac42362355b85a51315437341d0e709018
SHA256: c3e878e0ca1587ef56b0b5c95efbbdcee817a14c8a504eff2aa98392d4ae230d
SHA512: 5e230f269f04540ee042091bc6e9fdd0f4c7a62c3ffcc6ab5243c4a50cccf644e956b8cb8d3a7e7463e4ae53b9a1580c17f6e25be452213bf0f40f2dcea82da9

Filesize: 512KB
MD5: 3cbc437299ee379b49b0f31979c540af
SHA1: 920db98e899b3136b2d14f7ae82393e98d73bc8b
SHA256: 886465d7dcff34788bc7b57b83f4db8525fe033049331741618713ae4b44e16c
SHA512: c317e13fe71d8180e1c1a7b5bdf2a9f3b44348d6002ad6595d4b705298200978dc8d3fbfd9a60fb71cc5da1ebfacc5ef98a0a56401e0242428de0ee3ce7e7705

Filesize: 512KB
MD5: 53f6cf774fd273aba16e7e7f454a4d0c
SHA1: 21dab09a902ccdcfc7ad18e8e2099e65a56f4163
SHA256: 6939e425b7af08db89f852838e319468544d0e7fc9b849b0a383a576af5ffc73
SHA512: d3e0618257cd6d059ecdccbe5cb66cb64b5a3260d8d657341fc4dab384b071270917e83fd140904f6dcbce77ff38a30ca9008e30bbfb619f00c5c174c86ab05e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 5bed35f532634aee55036440f42b6979
SHA1: c1b35b35c47e57b476f70d0ece0cf94494c29fd3
SHA256: 08383ac982b62be9bf89bb1e9b894b1c708c0d10a1ab8752d835ea574026f5d0
SHA512: 4dff496e5121a85956e05cddf7bea6940f19eda1b8aa8d62584af6df5053dc60ef2f1af43e3894ae34217abc0f91dbe6cdb4376cd7fe72916b29e5de905e45d1

Filesize: 512KB
MD5: ecfbd2564c9ad304bad4572278e32edd
SHA1: b6c110020b524cb00661f3241c5a6a6206ae0ba1
SHA256: 0c1ff94861355f8a38a60cb960f0f8e66466f84ef8ad6f9d409dd1342e2290c2
SHA512: 8440c502bdf02e3ef4a450f6436823e2d55caddf345156d66f27c92fd8bb13937928d36fea25c34c388cda46ff940f276724de45b1e2fca84401cdd1c90a75bb