Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 22:06
Static task: static1
Behavioral task: behavioral1, sample 8d7790b62884b7833d558c4fa2dfb11b.exe, resource win7-20231129-en
Behavioral task: behavioral2, sample 8d7790b62884b7833d558c4fa2dfb11b.exe, resource win10v2004-20231215-en (the run whose results are reported below)
General
Target: 8d7790b62884b7833d558c4fa2dfb11b.exe
Size: 512KB
MD5: 8d7790b62884b7833d558c4fa2dfb11b
SHA1: 38799b1de2f350d45a83fe153fffa33f3f322733
SHA256: ed389d561ce8e29e7416fa3005e3bb1b27b9984389564563bb77fcaca8fcbb04
SHA512: e8bf0c6bd48aac54830c7909af01951fb2fd8e5ab8047a4d018d3e119723241de42f028b8936e8551db5ad1093850b5ad971f3115637b9920e1824998537c027
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6x:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Set value (int)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  ohwcwkamzh.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Set value (int)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  ohwcwkamzh.exe
With HideFileExt = 1 Explorer hides the final extension, so the PROTTPLN.DOC.exe and MsoIrmProtector.doc.exe files dropped later in this report display as PROTTPLN.DOC and MsoIrmProtector.doc; ShowSuperHidden = 0 additionally keeps files flagged hidden+system out of view. Both values sit in the user hive of the SID shown, so they affect that user's sessions only.
Windows security bypass (5 IoCs)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  ohwcwkamzh.exe
These values suppress Security Center's "antivirus / firewall / updates are off" notifications. Note the WOW6432Node path: ohwcwkamzh.exe is a 32-bit process (it runs from SysWOW64), so registry redirection placed its writes in the 32-bit view of HKLM\SOFTWARE. When hunting, query both the WOW6432Node and the native Microsoft\Security Center keys.
Disables RegEdit via registry modification (1 IoC)
Set value (int)  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  ohwcwkamzh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Key value queried  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation  8d7790b62884b7833d558c4fa2dfb11b.exe
Executes dropped EXE (5 IoCs)
pid   process
420   ohwcwkamzh.exe
2208  esfmhfozsgpsphe.exe
3980  topounzf.exe
1032  ttnkkelpcmnrf.exe
5080  topounzf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No individual IoCs are listed for this signature.
Windows security modification (6 IoCs)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  ohwcwkamzh.exe
This signature overlaps the "Windows security bypass" rows above; the one additional value is FirstRunDisabled = 1.
Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gcgtxqtw = "ohwcwkamzh.exe"  esfmhfozsgpsphe.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pabtrclh = "esfmhfozsgpsphe.exe"  esfmhfozsgpsphe.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ttnkkelpcmnrf.exe"  esfmhfozsgpsphe.exe
All three entries are written by esfmhfozsgpsphe.exe rather than by the component each one starts, and the data is a bare file name, not a full path. The third entry lives in the Run key's default (unnamed) value, which is easy to overlook in a manual review. The WOW6432Node Run key is processed at logon alongside the native one, so these entries are effective persistence on a 64-bit host.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only) \??\<letter>:" probes, grouped here by process:
ohwcwkamzh.exe (21 opens): a: b: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: z:
topounzf.exe (43 opens; the table does not distinguish PIDs 3980 and 5080, and most letters appear twice): a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
The table stops at exactly 64 entries, which is the report's per-signature display limit, so letters absent above (c:, d:, f:) were not necessarily skipped. The behaviour is a letter-by-letter sweep of every drive, consistent with the file drops in the Program Files and Windows directories below.
Modifies WinLogon (2 TTPs, 2 IoCs)
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  ohwcwkamzh.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  ohwcwkamzh.exe
4294967197 is the decimal form of DWORD 0xFFFFFF9D, the well-known value used to switch off Windows File Protection on Windows 2000/XP; SFCScan = 0 disables its boot-time scan. Windows Vista and later replaced WFP with Windows Resource Protection and ignore these keys, so on the Windows 10 host used here they have no protective effect, but they remain a distinctive registry fingerprint for this sample.
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource  yara_rule
behavioral2/memory/4388-0-0x0000000000400000-0x0000000000496000-memory.dmp  autoit_exe
behavioral2/files/0x0006000000023216-5.dat  autoit_exe
behavioral2/files/0x0006000000023215-19.dat  autoit_exe
behavioral2/files/0x0006000000023217-26.dat  autoit_exe
behavioral2/files/0x0006000000023218-32.dat  autoit_exe
behavioral2/files/0x000400000001da0c-79.dat  autoit_exe
behavioral2/files/0x000500000001d9bc-76.dat  autoit_exe
behavioral2/files/0x000c00000001e7dc-99.dat  autoit_exe
behavioral2/files/0x000c00000001e7dc-104.dat  autoit_exe
The rule fires on the submitted sample's own memory image (PID 4388) and on eight dropped files, so the dropped components are compiled AutoIT as well.
Drops file in System32 directory (12 IoCs)
File created  C:\Windows\SysWOW64\esfmhfozsgpsphe.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File created  C:\Windows\SysWOW64\topounzf.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  C:\Windows\SysWOW64\topounzf.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe  topounzf.exe
File created  C:\Windows\SysWOW64\ohwcwkamzh.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  C:\Windows\SysWOW64\ohwcwkamzh.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  C:\Windows\SysWOW64\esfmhfozsgpsphe.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File created  C:\Windows\SysWOW64\ttnkkelpcmnrf.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  C:\Windows\SysWOW64\ttnkkelpcmnrf.exe  8d7790b62884b7833d558c4fa2dfb11b.exe
File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll  ohwcwkamzh.exe
The submitted sample writes its four components into the 32-bit system directory; ohwcwkamzh.exe also opens the VB6 runtime msvbvm60.dll for modification, so that DLL's hash is worth checking against a known-good copy on any affected host.
Drops file in Program Files directory (15 IoCs)
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal  topounzf.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  topounzf.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal  topounzf.exe
File created  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File opened for modification  \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  topounzf.exe
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe  topounzf.exe
The \??\c:\ rows are NT object-manager paths and the C:\ rows are Win32 paths for the same files, which is why several entries appear twice. For each of the two Office documents touched, an executable with the double extension <name>.DOC.exe is created next to a <name>.nal file; together with HideFileExt = 1 above, the executable shows in Explorer as PROTTPLN.DOC or PROTTPLV.DOC. The report shows only opens and creates, not a rename, so whether .nal is the set-aside original has to be confirmed on the host.
Drops file in Windows directory (19 IoCs)
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  C:\Windows\mydoc.rtf  8d7790b62884b7833d558c4fa2dfb11b.exe
File created  C:\Windows\~$mydoc.rtf  WINWORD.EXE
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  C:\Windows\mydoc.rtf  WINWORD.EXE
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe  topounzf.exe
File created  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe  topounzf.exe
File opened for modification  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe  topounzf.exe
Two things are mixed in this table. The submitted sample writes C:\Windows\mydoc.rtf and then launches WINWORD.EXE on it (the ~$mydoc.rtf owner file is Word's own lock artifact). Separately, topounzf.exe creates and modifies MsoIrmProtector.doc.exe in four WinSxS component-store directories (amd64 and wow64 flavours of builds 10.0.19041.1 and 10.0.19041.746). That file is a legitimately named Windows rights-management Office protector, so the double extension here is not by itself malicious; the concern is that the dropper is rewriting the component-store copies, which the report shows as opens and creates without recording the bytes written. Compare these files against a known-good build before drawing conclusions.
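The three file-drop signatures above share one pattern: executables named <name>.DOC.exe written beside <name>.nal files under Program Files, plus MsoIrmProtector.doc.exe rewritten in SysWOW64\MSDRM and in WinSxS. Because Windows ships a legitimately named MsoIrmProtector.doc.exe, a hunt on the file name alone will false-positive on clean hosts. The Python below is an added example written for this page, not part of the Triage report and not the sample's code: it walks a directory tree for *.doc.exe files, confirms each really carries a PE header, records its SHA-256 so it can be compared against a known-good copy, shows what Explorer would display with HideFileExt = 1, and reports any .nal sibling. The directory layout it scans is constructed in a temp dir with placeholder bytes (an assumption standing in for the real dropped files).

```python
"""Hunt for the <name>.DOC.exe / <name>.nal drop pattern seen in this report.

Added example, not Triage output or the sample's code. The tree scanned is
built in a temp dir from placeholder bytes; the real files are not included.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def looks_like_pe(path: Path) -> bool:
    """PE files start with the 'MZ' DOS header; a Word document does not."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def hunt(root: Path) -> list:
    """Every *.doc.exe under root: the name Explorer shows once HideFileExt=1,
    whether it is really a PE, its SHA-256, and any <stem>.nal sibling."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}       # case-insensitive lookup
        for lower, name in by_lower.items():
            if not lower.endswith(".doc.exe"):
                continue
            path = Path(dirpath, name)
            stem = lower[: -len(".doc.exe")]
            findings.append({
                "path": str(path),
                "shown_as": name[: -len(".exe")],         # e.g. PROTTPLN.DOC
                "is_pe": looks_like_pe(path),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "nal_sibling": by_lower.get(stem + ".nal"),
            })
    return sorted(findings, key=lambda d: d["path"])


def build_fixture() -> Path:
    """Constructed layout mirroring the report's paths (placeholder content)."""
    root = Path(tempfile.mkdtemp(prefix="doc-exe-hunt-"))
    office = root / "Program Files" / "Microsoft Office" / "root" / "Office16" / "1033"
    office.mkdir(parents=True)
    stub = b"MZ" + b"\0" * 62                          # fake DOS header only
    (office / "PROTTPLN.DOC.exe").write_bytes(stub)
    (office / "PROTTPLN.nal").write_bytes(b"{\\rtf1 set-aside original}")
    (office / "PROTTPLV.DOC.exe").write_bytes(stub)    # no .nal beside this one
    (office / "README.txt").write_text("benign")
    drm = root / "Windows" / "SysWOW64" / "MSDRM"
    drm.mkdir(parents=True)
    (drm / "MsoIrmProtector.doc.exe").write_bytes(b"MZ" + b"\x90" * 62)
    return root


if __name__ == "__main__":
    for hit in hunt(build_fixture()):
        print(hit)
```

Run it against a mounted image or a live root instead of build_fixture() and feed the sha256 values to your signature or known-good comparison; a PE with a .doc.exe name and a .nal sibling in an Office template directory is the combination to triage first, while the WinSxS and MSDRM hits need a hash comparison before they count as findings.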
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No individual IoCs are listed for this signature.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  WINWORD.EXE
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WINWORD.EXE
Every IoC in these two signatures is attributed to WINWORD.EXE, which the sample launched to display C:\Windows\mydoc.rtf, and none to the dropper or its components. Office reads CPU and BIOS identifiers during normal startup, so on their own these hits are weak evidence of sandbox detection by the malware.
Modifies registry class (20 IoCs)
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg  ohwcwkamzh.exe
Key created  \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFF9CEF96BF19483783B4786ED3EE2B38C02884268023AE2CE42E808D6"  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC83482E851A9133D75B7DE0BC94E131594A67326245D7E9"  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB6FE1A22DCD178D1D68B7D9014"  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"  ohwcwkamzh.exe
Key created  \REGISTRY\MACHINE\Software\Classes\CLV.Classes  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33372C0B9D5583256D4476A270272CAC7C8464A8"  8d7790b62884b7833d558c4fa2dfb11b.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC60915E0DBBFB9BD7CE7ED9234BA"  8d7790b62884b7833d558c4fa2dfb11b.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc  ohwcwkamzh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"  ohwcwkamzh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf  ohwcwkamzh.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"  ohwcwkamzh.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B15A44EE39ED52CBBADC339FD7B9"  8d7790b62884b7833d558c4fa2dfb11b.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat  ohwcwkamzh.exe
Two distinct activities are recorded here. ohwcwkamzh.exe repoints the default ProgID of six extensions (.bat, .vbs, .reg, .wsf, .wsc, .wsh) to txtfile, so a batch file, VBScript, WSH script or .reg import opened from Explorer lands in Notepad instead of executing or importing, which hampers manual cleanup with scripts or registry fixes. The submitted sample itself stores hex-encoded strings under HKLM\SOFTWARE\Classes\CLV.Classes (Com1 to Com4, StartCom1 and StartCom2); the report does not decode them, but the key name and value names are usable host indicators.
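The registry signatures above (Explorer hiding, Security Center notification suppression, RegEdit lockout, the legacy SFC keys, Run-key persistence and the script-extension hijack) all arrive in the same flattened row form, and an analyst usually wants them bucketed by effect rather than by Triage signature name. The Python below is an added example written for this page, not Triage output and not the sample's code: it parses rows copied from the tables above, classifies each, decodes the SFCDisable DWORD, and lists the two registry views to query on a 64-bit host. The category names, the reference ProgIDs in EXPECTED_PROGID and the both_views() helper are my own assumptions, not anything Triage emits.

```python
"""Parse the flattened registry rows from the Triage signature tables and bucket
them by what they do to the host. Added example for this page, not Triage output
or the sample's code; category names, EXPECTED_PROGID and both_views() are mine."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Row shape taken from the tables above: <op> <\REGISTRY\ path> [= "<value>"] <process>
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?:int|str)\)|Key created|Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\[^=]+?)"          # NT-style key path, may contain spaces
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'       # present only on Set value rows
    r"\s+(?P<process>\S+)$"
)

# Default handler ProgIDs for the script types the dropper repoints to txtfile.
# Reference values supplied by me for the comparison (assumption), not from the report.
EXPECTED_PROGID = {".bat": "batfile", ".vbs": "vbsfile", ".reg": "regfile",
                   ".wsf": "wsffile", ".wsc": "scriptletfile", ".wsh": "wshfile"}


@dataclass
class RegEvent:
    op: str
    key: str
    value: str | None
    process: str


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return RegEvent(m["op"], m["key"].rstrip(), m["value"], m["process"])


def classify(ev: RegEvent) -> str:
    k = ev.key.lower()
    if "\\security center\\" in k:
        return "disable-security-center-notifications"
    if k.endswith(("\\explorer\\advanced\\hidefileext", "\\explorer\\advanced\\showsuperhidden")):
        return "hide-file-extensions-and-system-files"
    if k.endswith("\\policies\\system\\disableregistrytools"):
        return "disable-regedit"
    if "\\winlogon\\sfc" in k:
        return "legacy-wfp-sfcdisable"
    if "\\currentversion\\run\\" in k and ev.op.startswith("Set value"):
        return "run-key-persistence"
    ext = re.search(r"\\classes\\(\.[a-z0-9]+)\\$", k)   # trailing '\' = default value
    if ext and ev.value is not None:
        expected = EXPECTED_PROGID.get(ext.group(1))
        if expected and ev.value.lower() != expected:
            return "script-extension-handler-hijack"
    return "other"


def decode_dword(text: str) -> tuple[str, int]:
    """A REG_DWORD logged in decimal, rendered as hex and as a signed 32-bit int."""
    n = int(text)
    signed = n - (1 << 32) if n >= (1 << 31) else n
    return f"0x{n:08x}", signed


def both_views(key: str) -> set[str]:
    """Native and WOW6432Node forms of an HKLM\\SOFTWARE path: a 32-bit dropper writes
    the redirected view while 64-bit services read the native one, so hunt both."""
    native = key.replace("\\WOW6432Node", "")
    if "\\REGISTRY\\MACHINE\\SOFTWARE\\" not in native.upper():
        return {native}                      # only HKLM\SOFTWARE is split in this report
    return {native, native.replace("\\SOFTWARE\\", "\\SOFTWARE\\WOW6432Node\\", 1)}


def summarize(rows) -> dict[str, list[tuple[str, str, str | None]]]:
    """category -> [(process, value name, value)]; '(Default)' marks the unnamed value."""
    out: dict[str, list[tuple[str, str, str | None]]] = {}
    for row in rows:
        ev = parse_row(row)
        name = ev.key.rsplit("\\", 1)[-1] or "(Default)"
        out.setdefault(classify(ev), []).append((ev.process, name, ev.value))
    return out


SAMPLE_ROWS = [  # copied verbatim from the signature tables above
    'Set value (int) \\REGISTRY\\USER\\S-1-5-21-3336304223-2978740688-3645194410-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt = "1" ohwcwkamzh.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\AntiVirusDisableNotify = "1" ohwcwkamzh.exe',
    'Set value (int) \\REGISTRY\\USER\\S-1-5-21-3336304223-2978740688-3645194410-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools = "1" ohwcwkamzh.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SFCDisable = "4294967197" ohwcwkamzh.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\ = "ttnkkelpcmnrf.exe" esfmhfozsgpsphe.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.bat\\ = "txtfile" ohwcwkamzh.exe',
    'Key created \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.bat ohwcwkamzh.exe',
]

if __name__ == "__main__":
    for cat, hits in summarize(SAMPLE_ROWS).items():
        print(cat)
        for proc, name, value in hits:
            print(f"  {proc:22} {name} = {value!r}")
    print("SFCDisable:", decode_dword("4294967197"))
```

The "(Default)" marker is what surfaces the unnamed Run value and the ProgID rewrites, which otherwise hide behind a path ending in a backslash; both_views() is there because the Security Center and Run rows in this report were written through the WOW6432Node view, and a hunt that queries only the native path will miss them.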
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid   process
3376  WINWORD.EXE
3376  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process                               hits
4388  8d7790b62884b7833d558c4fa2dfb11b.exe  16
2208  esfmhfozsgpsphe.exe                   14
420   ohwcwkamzh.exe                        10
3980  topounzf.exe                          8
1032  ttnkkelpcmnrf.exe                     16
The table is capped at 64 entries, so these per-process counts are lower bounds.
Suspicious use of FindShellTrayWindow (18 IoCs)
pid   process                               hits
4388  8d7790b62884b7833d558c4fa2dfb11b.exe  3
2208  esfmhfozsgpsphe.exe                   3
420   ohwcwkamzh.exe                        3
3980  topounzf.exe                          3
1032  ttnkkelpcmnrf.exe                     3
5080  topounzf.exe                          3
Suspicious use of SendNotifyMessage (18 IoCs)
The same six processes, three hits each: 4388, 2208, 420, 3980, 1032, 5080.
Suspicious use of SetWindowsHookEx (7 IoCs)
pid   process      hits
3376  WINWORD.EXE  7
Suspicious use of WriteProcessMemory (17 IoCs)
writer pid  writer process                        target pid  target index  writes
4388        8d7790b62884b7833d558c4fa2dfb11b.exe  420         84            3
4388        8d7790b62884b7833d558c4fa2dfb11b.exe  2208        85            3
4388        8d7790b62884b7833d558c4fa2dfb11b.exe  3980        86            3
4388        8d7790b62884b7833d558c4fa2dfb11b.exe  1032        87            3
4388        8d7790b62884b7833d558c4fa2dfb11b.exe  3376        88            2
420         ohwcwkamzh.exe                        5080        90            3
The targets are exactly the writer's own children in the process tree below, so these are a parent writing into processes it had just created rather than injection into an unrelated process. The last row shows that the second topounzf.exe instance (PID 5080) is launched by ohwcwkamzh.exe, not by the submitted sample.
Processes
C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe  (PID 4388)
  command line: "C:\Users\Admin\AppData\Local\Temp\8d7790b62884b7833d558c4fa2dfb11b.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ohwcwkamzh.exe  (PID 420)
    command line: ohwcwkamzh.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\topounzf.exe  (PID 5080)
      command line: C:\Windows\system32\topounzf.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\esfmhfozsgpsphe.exe  (PID 2208)
    command line: esfmhfozsgpsphe.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\topounzf.exe  (PID 3980)
    command line: topounzf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ttnkkelpcmnrf.exe  (PID 1032)
    command line: ttnkkelpcmnrf.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3376)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Notes on the tree: the four dropped components run from C:\Windows\SysWOW64 and are started with bare file names. PID 5080 was launched with the path C:\Windows\system32\topounzf.exe yet its image is in SysWOW64, because WOW64 file-system redirection maps System32 to SysWOW64 for a 32-bit caller such as ohwcwkamzh.exe; hunts that key on the command-line path should account for that. WINWORD.EXE is started by the sample to open the RTF it wrote to C:\Windows\mydoc.rtf, presumably as a decoy for the user, and the signatures attributed to it are Word's own behaviour.
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize 47KB
  MD5    91c66c803004e3d079a353fd932ef6e4
  SHA1   7b67437de285766302b7f441a0ced597d833798d
  SHA256 6890b99afda6ca444d56184380d4f69e38e5c821a23be7b56a90b34dc7be2e54
  SHA512 bb7f3b8d832c8c054af62f6ea30424d7c5ef947983229429698087bf11c0cfc972d8031a13b741980710327019437c6183ca6f946922b2cd417fe2dbf6117967
Filesize 65KB
  MD5    e06da98b99eea99e5b9ff387bda58251
  SHA1   d0ebb81193dd6961f5e37029a43a4f00a96926d9
  SHA256 780d3f8989472906c48444f1c055c45ceee217ced4ce4cc91abb3759be683b7a
  SHA512 5af727a2e9181f9a614d21ea5f2396678e3acfdddfd45240f54b414e3adb80b79b05c62a28c218305e00d98f566e7a98741506a7e863b371d967ed79b04d8281
Filesize 239B
  MD5    12b138a5a40ffb88d1850866bf2959cd
  SHA1   57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
  MD5    12c12dea3fafdb2d9cd2317289193769
  SHA1   b581f65536f444a30fb108c3ad254978a9904be3
  SHA256 932acfb2903749c6b8d153f12440b4b6aa793f942b1f118e471b88e4e1d9c9c4
  SHA512 1468035dc6e4a72298542665f01599cf694b2036afce07f2d2935ca69d5ef65cefe514a62433c22e05f80b4573c7c6d66ae6a3264559198f5eabe6b5d24f2910
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
  MD5    08ad70f711ff572711e938c7a39b5b3f
  SHA1   c0e84dc2b3a901f21b0f0336ec431196f3f439f3
  SHA256 7e3a6f12dae128e824e6438ee2578f1482d8cdba479c731d1dd8c03b284fb921
  SHA512 2ab0f93755fe4b55067b546a2561d01b5b654bbf170df5b215f5807b741eaa5b49587b789bedc44acf837cf0fed50c907555ff7232e59602034ee889ee10fabb
Filesize 512KB
  MD5    91d965d767eb9dc4059bf2419d7b4b1d
  SHA1   d06b31b327c9711ba694972fb635003ae848f254
  SHA256 3279d9f639412de7491474bf61897fb997757cd9f076f3db36b37153dc24f7e5
  SHA512 90483fbacda68b9dacfe57d31657fe13aafe782b65c30b92d461c9a82045ba13fcd912249b737307670ff57e09f1e7796bc8c1490f1ec3216db0f55c1facda38
Filesize 512KB
  MD5    d9899eb75ed029ae83ffd71fbce28bc6
  SHA1   9581aedd270e1b96dacb867f46d58279db442589
  SHA256 b92972f9281c89d2715ec81796cb0a1b9d4b5652d1cc5d2e80e1f6665b46b3a2
  SHA512 ab9395097c624d28997312326b06e4e9123791cc833640d678e122637d362289148b2a72a9dda9e865eb3881144c30335a8da9be088aabddd21d67d2a99c45ce
Filesize 512KB
  MD5    6a75e9d8bca53d9e13d3a8e021a9d810
  SHA1   cf8d826786776616a6e875e6d6a9728e0c1d0510
  SHA256 cd2862c9fa9241ad7a173d6e424bd6826da58eb3b95da88b0dfd059ec6eb4047
  SHA512 2ef055668751b0dbcfe7ecae0fc36a9a790100a42986d54480cbe0ff3e6af456d66755426c5dbb677c2ed2307955b7960f5a4ca6e45aeb5c565dd7e0895250ed
Filesize 512KB
  MD5    22174aac8be5552f0f26071358ccff74
  SHA1   f826082ca15e361a25b2fc1f8db6fda8f9d65d41
  SHA256 d18fb511c17c8adc6c09b1c098180cd92ba3bfea0fd049f1c8b017a8eb70722d
  SHA512 1e0024399521d94de37cf66fa62c536f4821bbe44a2d40ac8f3f28c1940f113062de7433edf820ed7d1c7e6dea61c88f29f2879bf9f299573d6a823976089985
Filesize 223B
  MD5    06604e5941c126e2e7be02c5cd9f62ec
  SHA1   4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
Filesize 512KB
  MD5    b7b7020ea90bee1c2a882a6b0781139e
  SHA1   243fc5411c3e79e34e2a7cd67d492eb2d8d63093
  SHA256 f77f4410653dd2c7e70406e6973130d9b99da116e1ed76ec1cfc86569f7dcaf1
  SHA512 5057e500852360661253f3a8a2f8a461ac8abd446264dcb35027a5ee4d18bece163b717717b6bc5a2ad803aa4281cb38433a7a5d41745da4c88278ee898d9047
Filesize 512KB
  MD5    c020ab5b7cc052d13a515ca6d928b928
  SHA1   1d305111d078f6a6c42852098cd7df1efc17f4da
  SHA256 8040dbfc337106ff8082b642c6e4e139da6d72094ed2c038efda2ba2ea4f3656
  SHA512 ff2ec05065512c81605a33122aebc85d664de1cb7a08c87a3c65c0ca128e4a1f214a1a3ef9526f7c2bc5cf30ce0a75f960bdebd345dfafc529e1e485293753d7
Only the two CustomDestinations-ms entries carry a path in the report; they are Word's jump-list files from opening mydoc.rtf, not something the sample dropped. Six entries are 512KB, the size of the submitted sample, each with a distinct hash, but the report does not record which dropped path each belongs to.