Analysis
max time kernel: 150s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/01/2024, 12:10
Static task: static1
Behavioral task behavioral1: sample 7d172f1d232d758347932641bbbf7dcf.exe, resource win7-20231129-en
Behavioral task behavioral2: sample 7d172f1d232d758347932641bbbf7dcf.exe, resource win10v2004-20231215-en
Only the behavioral2 (Windows 10 2004, x64) run is reported on this page: the platform line above, the behavioral2/ prefixes on the YARA matches and the 10.0.19041 WinSxS paths all come from that run.
General
Target: 7d172f1d232d758347932641bbbf7dcf.exe
Size: 512KB
MD5: 7d172f1d232d758347932641bbbf7dcf
SHA1: 2256a32fd4209fc94e66b7a94c120eea6a054a3a
SHA256: 3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05
SHA512: c963c99b8914efa0020791e0ea32f4ffa714b05a92449269070a017c5d9b6b91205fca6dc051a6323c01e7c4a1780ff8523006d884888bd15c46a53e14095e40
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
HideFileExt = 1 is also the Windows default, so on its own it proves nothing. It matters here because the sample later writes executables named <document>.DOC.exe (see "Drops file in Program Files directory"), which Explorer then displays as <document>.DOC.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vbslyndipj.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
ShowSuperHidden = 0 keeps protected operating-system files hidden; this, too, is the default value.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vbslyndipj.exe

Windows security bypass (5 IoCs)
(The heading is missing from the page; the name is taken from the process tree below, which lists it for vbslyndipj.exe in this position.) These are the legacy, XP/Vista-era Security Center notification and override switches. Current Windows versions largely ignore them, so treat them as tamper indicators rather than as an effective bypass.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vbslyndipj.exe

Disables RegEdit via registry modification (1 IoC)
DisableRegistryTools = 1 under the user's Policies\System key blocks regedit.exe for that user. reg.exe and the PowerShell registry provider are not affected, so clear the value with one of those before any manual cleanup.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vbslyndipj.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 7d172f1d232d758347932641bbbf7dcf.exe

Executes dropped EXE (5 IoCs)
pid | Process
724 | vbslyndipj.exe
516 | vkweuuoomcihzfo.exe
4352 | nstsbjpg.exe
3864 | haxnpqxruswoq.exe
5092 | nstsbjpg.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
(No IoCs are listed for this signature.)

Windows security modification (6 IoCs)
(The heading is missing from the page; the name is taken from the process tree below.) The same Security Center switches as above, plus FirstRunDisabled.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vbslyndipj.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
The third entry is written to the Run key's unnamed (default) value, and all three values are bare file names without a path. Note that the writer is vkweuuoomcihzfo.exe, not the original sample.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\umjuehmh = "vbslyndipj.exe" | vkweuuoomcihzfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sekjasvt = "vkweuuoomcihzfo.exe" | vkweuuoomcihzfo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "haxnpqxruswoq.exe" | vkweuuoomcihzfo.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a:, b:, e:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (44 events, most letters opened once per nstsbjpg.exe instance) | nstsbjpg.exe
File opened (read-only) | \??\a:, b:, g:, h:, i:, j:, l:, m:, n:, o:, p:, q:, r:, t:, u:, v:, w:, x:, y:, z: (20 events) | vbslyndipj.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
4294967197 is 0xFFFFFF9D, the legacy value that disabled Windows File Protection on Windows 2000/XP. Windows 10 does not honour SFCDisable or SFCScan, so these writes are a tamper indicator, not an effective defence bypass on this platform.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vbslyndipj.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vbslyndipj.exe

AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3616-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023200-5.dat | autoit_exe
behavioral2/files/0x00070000000231fc-18.dat | autoit_exe
behavioral2/files/0x0006000000023200-23.dat | autoit_exe
behavioral2/files/0x00070000000231fc-19.dat | autoit_exe
behavioral2/files/0x0006000000023201-28.dat | autoit_exe
behavioral2/files/0x0006000000023201-27.dat | autoit_exe
behavioral2/files/0x0006000000023200-26.dat | autoit_exe
behavioral2/files/0x0006000000023202-31.dat | autoit_exe
behavioral2/files/0x0006000000023202-32.dat | autoit_exe
behavioral2/files/0x0006000000023201-35.dat | autoit_exe
behavioral2/files/0x000500000001d9f3-76.dat | autoit_exe
behavioral2/files/0x000a00000001daa3-83.dat | autoit_exe
behavioral2/files/0x001100000001e389-101.dat | autoit_exe
behavioral2/files/0x001100000001e389-106.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
The original sample writes its four random-named copies to SysWOW64 (the 32-bit system directory); the later MSDRM\MsoIrmProtector.doc.exe and msvbvm60.dll entries come from the dropped processes.
description | ioc | Process
File created | C:\Windows\SysWOW64\haxnpqxruswoq.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | C:\Windows\SysWOW64\haxnpqxruswoq.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vbslyndipj.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | nstsbjpg.exe
File created | C:\Windows\SysWOW64\vbslyndipj.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | C:\Windows\SysWOW64\vbslyndipj.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File created | C:\Windows\SysWOW64\vkweuuoomcihzfo.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | C:\Windows\SysWOW64\vkweuuoomcihzfo.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File created | C:\Windows\SysWOW64\nstsbjpg.exe | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | C:\Windows\SysWOW64\nstsbjpg.exe | 7d172f1d232d758347932641bbbf7dcf.exe

Drops file in Program Files directory (15 IoCs)
PROTTPLN.DOC and PROTTPLV.DOC are documents Office ships under Office16\1033. The pattern recorded here, a newly created <name>.DOC.exe next to a modified <name>.nal, is consistent with a companion infector that sets the original document aside and puts an executable in its place; with HideFileExt = 1 (set above) the executable is displayed as <name>.DOC.
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (×2) | nstsbjpg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (×2) | nstsbjpg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (×2) | nstsbjpg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (×2) | nstsbjpg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | nstsbjpg.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (×2) | nstsbjpg.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (×2) | nstsbjpg.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (×2) | nstsbjpg.exe

Drops file in Windows directory (19 IoCs)
The WinSxS entries are the same MsoIrmProtector.doc.exe companion written into all four component-store copies of the Office protectors (amd64 and wow64, versions 10.0.19041.1 and 10.0.19041.746). mydoc.rtf is the decoy document the sample writes and then hands to WINWORD.EXE; ~$mydoc.rtf is Word's own owner file for it.
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (×2) | nstsbjpg.exe
File opened for modification | C:\Windows\mydoc.rtf | 7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
(No IoCs are listed for this signature.)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
All three reads below come from WINWORD.EXE, not from the sample or its droppers, so they should not be read as sandbox detection by the malware.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
Same caveat: the reading process is WINWORD.EXE.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
Two different things are mixed into this signature. vbslyndipj.exe repoints the .vbs, .bat, .reg, .wsf, .wsh and .wsc extensions at the txtfile ProgID, so double-clicking any such file opens it in Notepad instead of executing it, which defeats the usual .reg or .bat cleanup scripts (the stock ProgIDs are VBSFile, batfile, regfile, WSFFile, WSHFile and scriptletfile). The original sample, separately, stores a set of opaque hex strings under a ProgID of its own, CLV.Classes; that key is a useful host indicator.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vbslyndipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vbslyndipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vbslyndipj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vbslyndipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vbslyndipj.exe
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FFF94F28851F9047D65F7E9DBCEFE637584466406331D6EC" | 7d172f1d232d758347932641bbbf7dcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vbslyndipj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vbslyndipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABFFE6AF1E584753A4486ED39E5B0F9028C43610348E2C442E608A5" | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB8FE6E22DDD20CD0A68A749162" | 7d172f1d232d758347932641bbbf7dcf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vbslyndipj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vbslyndipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vbslyndipj.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C7A9D5183536D3576A570222CD77C8E64AA" | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC5B0294495389A53CCBAA733EED7BE" | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC6741596DAB1B8BC7FE7ECE337CD" | 7d172f1d232d758347932641bbbf7dcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vbslyndipj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vbslyndipj.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4988 | WINWORD.EXE (×2)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3616 | 7d172f1d232d758347932641bbbf7dcf.exe (×16)
724 | vbslyndipj.exe (×10)
4352 | nstsbjpg.exe (×8)
516 | vkweuuoomcihzfo.exe (×10)
3864 | haxnpqxruswoq.exe (×12)
5092 | nstsbjpg.exe (×8)

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
3616 | 7d172f1d232d758347932641bbbf7dcf.exe (×3)
724 | vbslyndipj.exe (×3)
4352 | nstsbjpg.exe (×3)
516 | vkweuuoomcihzfo.exe (×3)
3864 | haxnpqxruswoq.exe (×3)
5092 | nstsbjpg.exe (×3)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
3616 | 7d172f1d232d758347932641bbbf7dcf.exe (×3)
724 | vbslyndipj.exe (×3)
4352 | nstsbjpg.exe (×3)
516 | vkweuuoomcihzfo.exe (×3)
3864 | haxnpqxruswoq.exe (×3)
5092 | nstsbjpg.exe (×3)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4988 | WINWORD.EXE (×7)

Suspicious use of WriteProcessMemory (17 IoCs)
Every write goes from a parent to a child it has just created, matching the process tree below; this is the pattern the sandbox records for ordinary process creation, not injection into unrelated processes.
description | pid | Process | procid_target
PID 3616 wrote to memory of 724 (×3) | 3616 | 7d172f1d232d758347932641bbbf7dcf.exe | 88
PID 3616 wrote to memory of 516 (×3) | 3616 | 7d172f1d232d758347932641bbbf7dcf.exe | 90
PID 3616 wrote to memory of 4352 (×3) | 3616 | 7d172f1d232d758347932641bbbf7dcf.exe | 89
PID 3616 wrote to memory of 3864 (×3) | 3616 | 7d172f1d232d758347932641bbbf7dcf.exe | 91
PID 3616 wrote to memory of 4988 (×2) | 3616 | 7d172f1d232d758347932641bbbf7dcf.exe | 92
PID 724 wrote to memory of 5092 (×3) | 724 | vbslyndipj.exe | 94
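The registry writes above are, taken together, what a responder has to find and undo on an infected host. The script below is an added example, not part of the Triage report and not the sample's code: it checks a host for every value the signatures list (key paths, value names and the written values are copied from the report), flags Run entries that point at the dropped file names and script extensions repointed at txtfile, and with -Fix removes or resets the values. The replacement values, the -Fix switch and the function name Get-TamperFindings are this script's own choices.

```powershell
# Added example, not part of the Triage report or of the sample: audit a host for the
# registry tampering the Signatures section attributes to vbslyndipj.exe and
# vkweuuoomcihzfo.exe, and optionally undo it. Key paths, value names and the values
# the sample writes are copied from the report; the replacement values, the -Fix
# switch and the function name are this script's own choices. Run from an elevated
# 64-bit PowerShell as the affected user (the report shows writes to that user's
# S-1-5-21-...-1000 hive; for another profile, load its hive and replace HKCU: with
# Registry::HKEY_USERS\<SID>). Without -Fix nothing is changed.
param([switch]$Fix)

# The dropper is 32-bit, so its HKLM writes were redirected to WOW6432Node; check the
# native view too so cleanup covers both.
$hklmViews = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'
$droppedNames = 'vbslyndipj.exe', 'vkweuuoomcihzfo.exe', 'nstsbjpg.exe', 'haxnpqxruswoq.exe'

# Value indicators: Bad is what the sample writes, Fix is what -Fix writes back
# ($null = delete the value). HideFileExt=1 and ShowSuperHidden=0 are also the
# Windows defaults, so they only corroborate the other findings.
$indicators = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Bad = 1; Fix = 0;     Note = 'also the Windows default' }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Bad = 0; Fix = 1;     Note = 'also the Windows default' }
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1; Fix = $null; Note = 'blocks regedit.exe for this user' }
)
foreach ($view in $hklmViews) {
  foreach ($n in 'AntiVirusOverride', 'FirewallOverride', 'AntiVirusDisableNotify',
                 'FirewallDisableNotify', 'UpdatesDisableNotify', 'FirstRunDisabled') {
    $indicators += @{ Key = "$view\Microsoft\Security Center"; Name = $n; Bad = 1; Fix = $null; Note = 'legacy Security Center switch' }
  }
  $wl = "$view\Microsoft\Windows NT\CurrentVersion\Winlogon"
  $indicators += @{ Key = $wl; Name = 'SFCScan';    Bad = 0;          Fix = $null; Note = 'legacy WFP value, 0 is its default' }
  # 4294967197 is 0xFFFFFF9D, the legacy "disable Windows File Protection" value;
  # Windows 10 ignores it, but finding it written is a reliable tamper sign.
  $indicators += @{ Key = $wl; Name = 'SFCDisable'; Bad = 4294967197; Fix = $null; Note = 'legacy WFP value (0xFFFFFF9D)' }
}

function Get-TamperFindings {
  $findings = @()
  foreach ($i in $indicators) {
    if (-not (Test-Path -LiteralPath $i.Key)) { continue }
    $cur = (Get-ItemProperty -LiteralPath $i.Key -ErrorAction SilentlyContinue).($i.Name)
    if ($null -eq $cur) { continue }
    # REG_DWORD is returned as a signed Int32, so 0xFFFFFF9D reads as -99; normalise.
    if ($cur -is [int]) { $cur = [int64]$cur -band 0xFFFFFFFF }
    if ($cur -eq $i.Bad) {
      $findings += [pscustomobject]@{ Kind = 'value'; Key = $i.Key; Name = $i.Name; Value = $cur; Fix = $i.Fix; Note = $i.Note }
    }
  }
  # Run entries pointing at the dropped names. The report shows one of them on the
  # key's unnamed (default) value, which GetValueNames() returns as ''.
  foreach ($view in $hklmViews) {
    $run = "$view\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $run)) { continue }
    $key = Get-Item -LiteralPath $run
    foreach ($name in $key.GetValueNames()) {
      $val = [string]$key.GetValue($name)
      if ($droppedNames | Where-Object { $val -like "*$_*" }) {
        $label = if ($name -eq '') { '(default)' } else { $name }
        $findings += [pscustomobject]@{ Kind = 'run'; Key = $run; Name = $label; Value = $val; Fix = $null; Note = 'autostart of dropped file' }
      }
    }
  }
  # Script and registry file types repointed at txtfile: double-clicking a .reg, .bat
  # or .vbs then opens Notepad instead of running it, which defeats simple cleanup
  # scripts. Stock ProgIDs are listed for the operator; they are not restored here.
  $stock = @{ '.vbs' = 'VBSFile'; '.bat' = 'batfile'; '.reg' = 'regfile'; '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'; '.wsc' = 'scriptletfile' }
  foreach ($ext in $stock.Keys) {
    $k = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path -LiteralPath $k)) { continue }
    if ((Get-Item -LiteralPath $k).GetValue('') -eq 'txtfile') {
      $findings += [pscustomobject]@{ Kind = 'assoc'; Key = $k; Name = '(default)'; Value = 'txtfile'; Fix = $null; Note = "stock ProgID is $($stock[$ext]); restore manually" }
    }
  }
  return $findings
}

$found = Get-TamperFindings
$found | Format-Table Kind, Key, Name, Value, Note -AutoSize -Wrap
if ($Fix) {
  foreach ($f in ($found | Where-Object { $_.Kind -ne 'assoc' })) {
    if ($null -eq $f.Fix) { Remove-ItemProperty -LiteralPath $f.Key -Name $f.Name }
    else { Set-ItemProperty -LiteralPath $f.Key -Name $f.Name -Value $f.Fix -Type DWord }
  }
}
```

Run it once without -Fix and read the Note column before cleaning: the two Explorer values and SFCScan match the stock Windows settings, so they only count as evidence alongside the Security Center, DisableRegistryTools, Run and file-association hits. The association entries are reported but left alone on purpose, since writing the wrong ProgID back does more damage than the malware did; restore them from a known-good host of the same Windows build.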
Processes
C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe  (PID 3616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\vbslyndipj.exe  (PID 724, child of 3616)
    Command line: vbslyndipj.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\nstsbjpg.exe  (PID 5092, child of 724)
      Command line: C:\Windows\system32\nstsbjpg.exe
      (The command line names System32 but the image runs from SysWOW64: the 32-bit parent's reference to System32 is redirected by WOW64 file-system redirection, which is also why the file was dropped there.)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nstsbjpg.exe  (PID 4352, child of 3616)
    Command line: nstsbjpg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vkweuuoomcihzfo.exe  (PID 516, child of 3616)
    Command line: vkweuuoomcihzfo.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\haxnpqxruswoq.exe  (PID 3864, child of 3616)
    Command line: haxnpqxruswoq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 4988, child of 3616)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    (Word is launched by the sample to display the decoy document it wrote to C:\Windows\mydoc.rtf; the registry reads attributed to WINWORD.EXE above are Word's own start-up behaviour.)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Entries without a path are listed on the page by hash only. Of the 18 files, nine are 512KB, the size of the submitted sample, and two are 448KB; the two .customDestinations-ms entries are jump-list files, most likely written by the shell when WINWORD.EXE opened mydoc.rtf.

Filesize: 512KB
MD5: 669f1206ccb61ec03b1e157b4475a0a6
SHA1: 9127d1d32e349fffa2830677df0444dedf783d58
SHA256: af7778e0ce6672a676a8e9fa000a186b308f7632506571798f436c0ca08f5b9e
SHA512: d1eb101fe1911ca1408620d1a0046ebf55e9fbf4c9f2d0793f0271a8d920b91115928eb719f9c1f91f57a7e87a26d5ef6146158d9ca95fcd6db25063028ea2ce

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 92ebe2a901b6991414ecca3754376545
SHA1: 9d2ff2b2bd7b57bd5e64dc152476143e7586580a
SHA256: de2e22e4462f9e4077d3a0fa357e21ba98463c326688c9e095858b6483744a61
SHA512: 6d72f8158cc47462145a72780e5fba5fb42de0bc808bd515601d57309c3c159bcda15bbfab4410566815bb7bda8411ec97d427c5df8fb245c44db1a83b4eced9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: bbc27d8100a0fb847abfa983789a653b
SHA1: c0310fb4fc6a1b2de1a795ff93932d43b37d483c
SHA256: 96c6e294065fc2be44352f7606a6cd946cd2a8ef5b4757eec75c983aa631a348
SHA512: 54d27104b0b08fd588c1df4f2a458fca339d1af3a2dbd312d478984fc0944d34e5e4b42952b66df0116bd9fbe396bb356497fdc4c9668475a985e5e8f2a08468

Filesize: 512KB
MD5: 949cdefa3d58486bb8f71105eba01f21
SHA1: b6a689e36fdede0f72a4b511a3739b9d59f641f2
SHA256: 156fa1fda77c2617cbdddefcf112b1e96aaf5dd8a58c6f3b752603f33d0e9133
SHA512: 4cd40758857aa154f33b227abc4ab99d9b41ffd80b98b93167481d28ad4b006127702f85ae4c484507e1362911255e5c49f1bd0f217c40fe141e07904a0d1eed

Filesize: 33KB
MD5: 0ba4af2bd70d9b2fa2e8d257296bfa96
SHA1: 3b521ddfda77a4a8c16dcef492944250ce3325a5
SHA256: 083a51e27572e824f72deb0a21eed98ed8f5e64bc70b727a0656249fb3f65a4c
SHA512: 26d748e53ad4100d11b336aabd040854f9f37608644f22dbc20e9a19b027004d26436e77811d9861514d01809c8b4fe74c003d0e9a15c0f9063f859357a04c9b

Filesize: 74KB
MD5: c039b5309c455f463d4fd7e78ffbaec0
SHA1: 666b5456365443c4dc07fd0d31111403f6321e80
SHA256: 80af5aed689bdbaff54fbf406d1eb6ce015731515d7341ff326524d0eeaf992c
SHA512: eca135f5ef6dc11b2b0ab9ae66ee5c729f148b5b234b03941a4bbd975056780f92aaa27d1ce39e8402fadb3a03684eb76ce5ffe61f987b2c622102be91a3740c

Filesize: 70KB
MD5: 9e4f0c94c9fae9bf2364952b547b2505
SHA1: 33159deb648e9494d10aba96ce61536a35da78e1
SHA256: 534aa9e2e5f5097ce60ed2b83fbfae8d7fe86487cb48a7a4931fa190f7029f9e
SHA512: 0b1b3d20f9f9dd59301fe7c0337d8d68191877e049a0596fcbddfb137f659eabde56d6987a8c21af2a7f0f9dce4ab2115b425b3b75a1049feaa16eea5dbf74fb

Filesize: 65KB
MD5: 6b2d87c29e03c1669c86b13f0e329f27
SHA1: fc01a8091ad1488013e09ecabcbb34ebb2729a38
SHA256: 6cb9102f5b672aa60bab941d44dfac6baa33354a6dbff3a6cf1b7e16f4e1c61c
SHA512: 62a6d356d9d1393f780e7ebef155962a8261e76e5c6df375d5d35484702607996e9334a0a3788cde9ee44d7d6cbfbd284c2163ff4e9837884a0ae5712b1e0272

Filesize: 512KB
MD5: 5d8ff8268feba5bd14d7ed7f5d38811b
SHA1: 174011699090c02911e758312fdd68e77d9ae02b
SHA256: 729eaec19821361f7e6f87d1d5140292515f0c6f81fd3a7dd5e2d4ecd412d5d2
SHA512: 41740518661fc4ed0ecc0f38458f928bb9d0a73a73d6ca11348c8a9ff6c7ea0fff3ff0ab526eeb0c34cb27f52b8ffc89e0f0d957ea6d271d72ae6501eea8b773

Filesize: 512KB
MD5: 5289f314969c98fef4989747501cc467
SHA1: 6d8932e6fdc50e21a106f92b212da137cbc8c308
SHA256: bcd8472a992b704218189deeea3f9631bfd2ca0a434031e3b734d91050640471
SHA512: 343817e5ee6ee993d3b5e55fead7eba875e719992d0ffb80bc73e6bc4c1c11ec4783ca7a84432f6ceae6d93f1db3f49b67cec30890e665521e2a3e600a6e9746

Filesize: 448KB
MD5: ea3453e14e3dc290437a8a81d7186966
SHA1: 6966041e94344c696e91811eff994de0a2cd9be6
SHA256: 0717eb7fe95703addd2899bd92cda76a9bd9c4970e9f2af81e760a207e745b90
SHA512: f698bc87d1346a484ef4d194e0c697ba46fb5c1c79d5f00b345cb51ccfcb36928286b8dd5aec53daf173a4a1445e7dd2cfbc6c136e45ad1e23192f75818ed201

Filesize: 448KB
MD5: 9728739f509ce0f3b3b073c945c208bf
SHA1: 31bf207a650a7f1bbb8e90552891f1a6f4e4783b
SHA256: f252517c755af447fe73347dd23cd133e28c7a203d01382306a195c8ddda3dba
SHA512: 76e963f4d1b88528ebbdbc375372889efffba4768f6a99bccce4c1faa730e9515f93fa74bd10bb61c0034f2ceb9ef85ee8234f9d13df183ffc7e163ae3dd38e7

Filesize: 119KB
MD5: 6fcfdb89b52fe7a3eebfaa8dcd40c842
SHA1: 8d25d76b60b0d013cc2ea073c1dcdd32176a97bf
SHA256: 6810d8a00109fa0754d3679fa3536e7826693f6f14861be411352ce8f60304d4
SHA512: 3da91dffeadd1d12f838e2a02c555af61b79be2483583a4556a891aad38299c30a365aea140539aab757c33b8198f74aed3672fef73b5513dec1a58e01cfd8d4

Filesize: 512KB
MD5: e9e540bbbfb26bafb3929bf543380b3f
SHA1: b246a8f0896258ea45b49d6f18fc3bbbde612197
SHA256: 7a8fcef877e9c0e8c58b0b9e40c588ab0788cdac9ffc7ae096fc338a1ae7fb93
SHA512: 3a9ed7ba2995dcd33846a1353f117c4201d265790e3c3589786ac3513bb3ec95c7f2c5fef8329513b874f8fc59ffb9810dd86e92087d622471d54ccfd3dd7307

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: ee7ca57bb804b17e99ca221ca1811608
SHA1: cf42bb09fca0428c19e478f7e12a6ff52464c2ec
SHA256: 0da59a3f4f4c63a0fec733de768eb8e69a99ae579c60cd719257469ff9bf50ac
SHA512: c433ac237bbf6f8ef3107829adb5d2756088b70f0108a46a8fc3cf3d947e212ec9658b99402ee9a46bd4916143c7f859f56b2b1640dee7ef21cf242a3fc18bf4

Filesize: 512KB
MD5: 52b74e32d0b7c1f4cb28057f6a445c59
SHA1: c5343166a4ffa36d8d29309b4132f3eda94fb29a
SHA256: 9dfd3cb9ba8d7f72520a8b04f5e9532dd966ea907d7d2731ad9c403309629588
SHA512: fb78106cc142c5919408a69614fbf22974c22cb0cec1fe2039acfd8df0de22c045398271f845ff29f3a6c7fa5aad40800fe110126b60377aab461346d25bae58
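The "Drops file in ..." signatures, the process tree and the hash list above describe the on-disk footprint of this sample. The script below is an added example, not part of the Triage report and not the sample's code: it hunts a host for the four random-named executables in the system directories, the decoy document and the MSDRM companion, and the <document>.DOC.exe companions under Program Files and WinSxS, hashing each hit against the SHA256s listed on this page. File names, paths and hashes are copied from the report. Two assumptions are this script's own: that the 512KB and 448KB download entries (which carry no path on the page) are dropped copies or variants of the sample, and that a <name>.DOC.exe beside a <name>.nal is a replaced document. The parameter -Roots and the function names are likewise this script's choices.

```powershell
# Added example, not part of the Triage report or of the sample: locate the file
# artifacts recorded under "Drops file in ..." and in the process tree. Names, paths
# and SHA256s are copied from the report; the known-bad set (the 512KB/448KB
# downloads, assumed to be dropped copies or variants) and the .DOC.exe/.nal
# interpretation are this script's own assumptions. Read-only: it reports, never deletes.
param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\WinSxS"))

# SHA256s from the report: the submitted sample plus the 512KB and 448KB downloads.
$knownBad = @(
  '3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05',  # submitted sample
  'af7778e0ce6672a676a8e9fa000a186b308f7632506571798f436c0ca08f5b9e',
  '156fa1fda77c2617cbdddefcf112b1e96aaf5dd8a58c6f3b752603f33d0e9133',
  '729eaec19821361f7e6f87d1d5140292515f0c6f81fd3a7dd5e2d4ecd412d5d2',
  'bcd8472a992b704218189deeea3f9631bfd2ca0a434031e3b734d91050640471',
  '0717eb7fe95703addd2899bd92cda76a9bd9c4970e9f2af81e760a207e745b90',
  'f252517c755af447fe73347dd23cd133e28c7a203d01382306a195c8ddda3dba',
  '7a8fcef877e9c0e8c58b0b9e40c588ab0788cdac9ffc7ae096fc338a1ae7fb93',
  '0da59a3f4f4c63a0fec733de768eb8e69a99ae579c60cd719257469ff9bf50ac',
  '9dfd3cb9ba8d7f72520a8b04f5e9532dd966ea907d7d2731ad9c403309629588'
)
$droppedNames = 'vbslyndipj.exe', 'vkweuuoomcihzfo.exe', 'nstsbjpg.exe', 'haxnpqxruswoq.exe'

function Get-Sha256Hex([string]$Path) {
  (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}
function New-Finding($Kind, $Path, $Note) {
  [pscustomobject]@{ Kind = $Kind; Path = $Path; Note = $Note }
}
function Describe-Hash([string]$Hash) {
  if ($knownBad -contains $Hash) { 'SHA256 listed in report' } else { "SHA256 $Hash not in report" }
}

function Get-DropFindings {
  $out = @()
  # 1. The random-named copies the dropper wrote to SysWOW64 (it is a 32-bit process,
  #    so a System32 reference from it is redirected there); check System32 as well.
  foreach ($n in $droppedNames) {
    foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
      $p = Join-Path $dir $n
      if (Test-Path -LiteralPath $p) { $out += New-Finding 'dropped exe' $p (Describe-Hash (Get-Sha256Hex $p)) }
    }
  }
  # 2. Fixed-name artifacts: the decoy handed to WINWORD.EXE and the MSDRM companion.
  foreach ($p in "$env:SystemRoot\mydoc.rtf", "$env:SystemRoot\SysWOW64\MSDRM\MsoIrmProtector.doc.exe") {
    if (Test-Path -LiteralPath $p) { $out += New-Finding 'dropped file' $p '' }
  }
  # 3. Companion-infected documents: <name>.DOC.exe created, <name>.nal modified
  #    (report: PROTTPLN/PROTTPLV under Office16\1033, MsoIrmProtector under WinSxS).
  foreach ($root in $Roots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    $hits = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*.doc.exe' }
    foreach ($f in $hits) {
      $note = Describe-Hash (Get-Sha256Hex $f.FullName)
      $base = $f.FullName.Substring(0, $f.FullName.Length - '.doc.exe'.Length)
      if (Test-Path -LiteralPath "$base.nal") { $note += "; original likely set aside as $base.nal" }
      $out += New-Finding 'doc.exe companion' $f.FullName $note
    }
  }
  return $out
}

Get-DropFindings | Format-Table -AutoSize -Wrap
```

Recursing WinSxS and both Program Files trees takes minutes on a real host, and the hash comparison is only a convenience: a copy that hashes differently (the page already lists nine 512KB files with nine different hashes) is still a hit on name and location, which is why every finding is reported whether or not its hash is in the list.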