Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
03-02-2024 20:48
Static task
static1
Behavioral task
behavioral1
Sample
8d4fbe1a25eadf50288ba93dc252a158.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral2
Sample
8d4fbe1a25eadf50288ba93dc252a158.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
General
-
Target
8d4fbe1a25eadf50288ba93dc252a158.exe
-
Size
512KB
-
MD5
8d4fbe1a25eadf50288ba93dc252a158
-
SHA1
42b78dfbb389e1c5f4eea7b0882eb52de0ad3d98
-
SHA256
1a6797bccedb621919fb625812d82c95c972371c03abbff3c5d8a9ebbfa231fa
-
SHA512
ee8db62bdd41715f81175ad208eac4c02f05ae6721e97a9321d740660f75ef68cc2b3f5dd7c93e6c19ce5fe74d0b6ea0dd14c694a6eaade1b8eda9eca1f47624
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5B
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" gizayibjro.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" gizayibjro.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" gizayibjro.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gizayibjro.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 8d4fbe1a25eadf50288ba93dc252a158.exe -
Executes dropped EXE 5 IoCs
pid Process 388 gizayibjro.exe 1520 lopalrjeyflarfk.exe 3632 rgplbcsv.exe 3704 qgrnlohrhiitp.exe 3320 rgplbcsv.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" gizayibjro.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xiizvjhr = "gizayibjro.exe" lopalrjeyflarfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ubswrjft = "lopalrjeyflarfk.exe" lopalrjeyflarfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qgrnlohrhiitp.exe" lopalrjeyflarfk.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\a: rgplbcsv.exe File opened (read-only) \??\p: rgplbcsv.exe File opened (read-only) \??\i: gizayibjro.exe File opened (read-only) \??\w: rgplbcsv.exe File opened (read-only) \??\r: gizayibjro.exe File opened (read-only) \??\t: gizayibjro.exe File opened (read-only) \??\w: gizayibjro.exe File opened (read-only) \??\j: rgplbcsv.exe File opened (read-only) \??\t: rgplbcsv.exe File opened (read-only) \??\s: rgplbcsv.exe File opened (read-only) \??\l: gizayibjro.exe File opened (read-only) \??\q: gizayibjro.exe File opened (read-only) \??\y: gizayibjro.exe File opened (read-only) \??\z: gizayibjro.exe File opened (read-only) \??\h: rgplbcsv.exe File opened (read-only) \??\i: rgplbcsv.exe File opened (read-only) \??\k: rgplbcsv.exe File opened (read-only) \??\z: rgplbcsv.exe File opened (read-only) \??\m: gizayibjro.exe File opened (read-only) \??\o: gizayibjro.exe File opened (read-only) \??\p: rgplbcsv.exe File opened (read-only) \??\j: rgplbcsv.exe File opened (read-only) \??\u: rgplbcsv.exe File opened (read-only) \??\b: gizayibjro.exe File opened (read-only) \??\h: gizayibjro.exe File opened (read-only) \??\k: gizayibjro.exe File opened (read-only) \??\j: gizayibjro.exe File opened (read-only) \??\l: rgplbcsv.exe File opened (read-only) \??\k: rgplbcsv.exe File opened (read-only) \??\m: rgplbcsv.exe File opened (read-only) \??\n: rgplbcsv.exe File opened (read-only) \??\a: rgplbcsv.exe File opened (read-only) \??\b: rgplbcsv.exe File opened (read-only) \??\s: rgplbcsv.exe File opened (read-only) \??\u: rgplbcsv.exe File opened (read-only) \??\y: rgplbcsv.exe File opened (read-only) \??\u: gizayibjro.exe File opened (read-only) \??\g: rgplbcsv.exe File opened (read-only) \??\h: rgplbcsv.exe File opened (read-only) \??\n: rgplbcsv.exe File opened (read-only) \??\o: rgplbcsv.exe File opened (read-only) \??\e: rgplbcsv.exe File opened (read-only) \??\m: rgplbcsv.exe File opened (read-only) \??\e: rgplbcsv.exe File opened (read-only) \??\q: rgplbcsv.exe File opened (read-only) \??\g: gizayibjro.exe File opened (read-only) \??\q: rgplbcsv.exe File opened (read-only) \??\x: rgplbcsv.exe File opened (read-only) \??\x: gizayibjro.exe File opened (read-only) \??\r: rgplbcsv.exe File opened (read-only) \??\y: rgplbcsv.exe File opened (read-only) \??\r: rgplbcsv.exe File opened (read-only) \??\w: rgplbcsv.exe File opened (read-only) \??\a: gizayibjro.exe File opened (read-only) \??\n: gizayibjro.exe File opened (read-only) \??\p: gizayibjro.exe File opened (read-only) \??\g: rgplbcsv.exe File opened (read-only) \??\l: rgplbcsv.exe File opened (read-only) \??\v: gizayibjro.exe File opened (read-only) \??\o: rgplbcsv.exe File opened (read-only) \??\v: rgplbcsv.exe File opened (read-only) \??\i: rgplbcsv.exe File opened (read-only) \??\t: rgplbcsv.exe File opened (read-only) \??\v: rgplbcsv.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" gizayibjro.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" gizayibjro.exe -
AutoIT Executable 13 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/216-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0006000000023117-5.dat autoit_exe behavioral2/files/0x0007000000023113-18.dat autoit_exe behavioral2/files/0x0006000000023117-23.dat autoit_exe behavioral2/files/0x0006000000023118-26.dat autoit_exe behavioral2/files/0x0006000000023119-30.dat autoit_exe behavioral2/files/0x0006000000023118-29.dat autoit_exe behavioral2/files/0x0002000000022790-62.dat autoit_exe behavioral2/files/0x0007000000022c9b-65.dat autoit_exe behavioral2/files/0x000c00000001e704-98.dat autoit_exe behavioral2/files/0x000200000001e705-105.dat autoit_exe behavioral2/files/0x0003000000000715-116.dat autoit_exe behavioral2/files/0x0003000000000715-139.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\lopalrjeyflarfk.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification C:\Windows\SysWOW64\qgrnlohrhiitp.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll gizayibjro.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rgplbcsv.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rgplbcsv.exe File created C:\Windows\SysWOW64\gizayibjro.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification C:\Windows\SysWOW64\gizayibjro.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification C:\Windows\SysWOW64\rgplbcsv.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File created C:\Windows\SysWOW64\qgrnlohrhiitp.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rgplbcsv.exe File opened for modification C:\Windows\SysWOW64\lopalrjeyflarfk.exe 8d4fbe1a25eadf50288ba93dc252a158.exe File created C:\Windows\SysWOW64\rgplbcsv.exe 8d4fbe1a25eadf50288ba93dc252a158.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rgplbcsv.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rgplbcsv.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rgplbcsv.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rgplbcsv.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 8d4fbe1a25eadf50288ba93dc252a158.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C089D2383276D3576A070242CAD7CF564D6" 8d4fbe1a25eadf50288ba93dc252a158.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0866BC3FE6D22A9D109D0A48A0E9013" 8d4fbe1a25eadf50288ba93dc252a158.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" gizayibjro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" gizayibjro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FFFB4F5D851F9134D7287D9DBCEFE1435937674E6243D6EB" 8d4fbe1a25eadf50288ba93dc252a158.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C60814E1DBC7B9BD7C97EDE337CD" 8d4fbe1a25eadf50288ba93dc252a158.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" gizayibjro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" gizayibjro.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" gizayibjro.exe Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings 8d4fbe1a25eadf50288ba93dc252a158.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 8d4fbe1a25eadf50288ba93dc252a158.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FABBFE14F198837C3A4386EA3994B3FD028B43640338E2CC42E608A1" 8d4fbe1a25eadf50288ba93dc252a158.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B12D44EE39EE53CCBAD133EFD4B9" 8d4fbe1a25eadf50288ba93dc252a158.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs gizayibjro.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" gizayibjro.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3752 WINWORD.EXE 3752 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3320 rgplbcsv.exe 3320 rgplbcsv.exe 3320 rgplbcsv.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 216 8d4fbe1a25eadf50288ba93dc252a158.exe 388 gizayibjro.exe 388 gizayibjro.exe 388 gizayibjro.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 3632 rgplbcsv.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 1520 lopalrjeyflarfk.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3704 qgrnlohrhiitp.exe 3320 rgplbcsv.exe 3320 rgplbcsv.exe 3320 rgplbcsv.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3752 WINWORD.EXE 3752 WINWORD.EXE 3752 WINWORD.EXE 3752 WINWORD.EXE 3752 WINWORD.EXE 3752 WINWORD.EXE 3752 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 216 wrote to memory of 388 216 8d4fbe1a25eadf50288ba93dc252a158.exe 86 PID 216 wrote to memory of 388 216 8d4fbe1a25eadf50288ba93dc252a158.exe 86 PID 216 wrote to memory of 388 216 8d4fbe1a25eadf50288ba93dc252a158.exe 86 PID 216 wrote to memory of 1520 216 8d4fbe1a25eadf50288ba93dc252a158.exe 87 PID 216 wrote to memory of 1520 216 8d4fbe1a25eadf50288ba93dc252a158.exe 87 PID 216 wrote to memory of 1520 216 8d4fbe1a25eadf50288ba93dc252a158.exe 87 PID 216 wrote to memory of 3632 216 8d4fbe1a25eadf50288ba93dc252a158.exe 88 PID 216 wrote to memory of 3632 216 8d4fbe1a25eadf50288ba93dc252a158.exe 88 PID 216 wrote to memory of 3632 216 8d4fbe1a25eadf50288ba93dc252a158.exe 88 PID 216 wrote to memory of 3704 216 8d4fbe1a25eadf50288ba93dc252a158.exe 89 PID 216 wrote to memory of 3704 216 8d4fbe1a25eadf50288ba93dc252a158.exe 89 PID 216 wrote to memory of 3704 216 8d4fbe1a25eadf50288ba93dc252a158.exe 89 PID 388 wrote to memory of 3320 388 gizayibjro.exe 90 PID 388 wrote to memory of 3320 388 gizayibjro.exe 90 PID 388 wrote to memory of 3320 388 gizayibjro.exe 90 PID 216 wrote to memory of 3752 216 8d4fbe1a25eadf50288ba93dc252a158.exe 91 PID 216 wrote to memory of 3752 216 8d4fbe1a25eadf50288ba93dc252a158.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d4fbe1a25eadf50288ba93dc252a158.exe"C:\Users\Admin\AppData\Local\Temp\8d4fbe1a25eadf50288ba93dc252a158.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\gizayibjro.exegizayibjro.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\rgplbcsv.exeC:\Windows\system32\rgplbcsv.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3320
-
-
-
C:\Windows\SysWOW64\lopalrjeyflarfk.exelopalrjeyflarfk.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1520
-
-
C:\Windows\SysWOW64\rgplbcsv.exergplbcsv.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3632
-
-
C:\Windows\SysWOW64\qgrnlohrhiitp.exeqgrnlohrhiitp.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3704
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3752
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD531cdf00c497357946de841bc968cbd70
SHA19b6b4e3cf138a13b42243ddd6f384f489077060b
SHA2564dd65df5281f5ec557b0a5abce30f004a79eb69f83960c9edb35e4a3b06398bf
SHA5128a14d2c9528782930c07ec28ed905d911fdd9795905291d079e8d609f3b0b81ab045f1f1f07e55fab864f31c93337f605e74b924b2784bfefad727c01fb25c67
-
Filesize
512KB
MD5558a665cb45507cba74c1b29710c566d
SHA184b089124283cbf4897cb39254f506de1cdd3bea
SHA256375c96558cfbb49402093364286293ea9b18085cefeca209866fc17904230c91
SHA512e8859bf8b6b74e229edcfc1ba66c85a41b60b737b7817ec9f73c07dc79b1b2b03bc0a2875fc343079b5cc378b95c1fdf53ae312e701002eed72bb45f640d58ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD549dfb7e5233d9655bad600e7878590f7
SHA18bf1a02cf77e0cebc29e91f0ab7669a3b866c2e7
SHA256f7f864a00122f7f25117c863b8b42dc39f4a7ea16763ba2813d55fe3ad51c8f2
SHA512a2d172f5a4a279d08de9bbba00997f621b8c47deb66495d14a30c9de6e36d201da7e146121061b4c91f92422ddf4bc829034a3aa196a2f3375285ee80a395fc6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5ecbe2c54c296d76adcec38f5570273e3
SHA193cbc9883af703fa5921844449d784931531f807
SHA256283395c2d31e55fe46b10eb01d1ee5c9755f4506f3bdeb5be5b7e457eacdb140
SHA5127f48597d37736a65eae29e3895070cc81cdfad8411584b58fd2e6aa32ce877bae24ac8de7749fd7eee124fbeb861b73b05865e6b7ad60eb4608c413375d22543
-
Filesize
512KB
MD53ac640227447ed99c158d24c91d4ee9e
SHA1bee346d46d5e80887fcab59d193f4296f69168c6
SHA2568ca4710ead9df3f01b253567e19d82e0efe1b615d9fd5be1420f2363f8d2a3a9
SHA51218040a6056e2b588879f60eb52eb2c9dc30c00bac0ce265c2588c6f84604bb45c70bc5d47b088c81c15fd9d68c0c6156ffb53704ae56be45fb2285d3029f6a1b
-
Filesize
512KB
MD5a31d05f2447b79e3462bae6e8de6006c
SHA198672dd1d18ff3b2c9eb376403f313a465e7d069
SHA256751d9115c71694d84bb6356d4f060dc43d9ea17ad884b33c142e65fcdf5b3a3d
SHA512e0f2948da8b6fd439df94e234acf6d95abc1442ddbb6e21e05e078418bf0238c32feadd56d2e5817442b55c480fb07234ddd103a9e8238b98aa1bdfe69060b8b
-
Filesize
512KB
MD506d9f56d7cc8bf4abf2aec4153e6a39b
SHA1160bdc296441573d5075ee1bcc79268365a50e38
SHA256af63b6890487747eeab517ff18c976bd5fc681e97c497269ca02c7ab6c0513a0
SHA512c325e81a5dfcd11d00d8bab092e4e9db25646df3dddca167f09b09cb9f6d58c7b3c566b83eb6d24c4820c96cfa201df58da1d9ffd5cca6382e363aea29759cd6
-
Filesize
512KB
MD55421cb1cbba708b4ea0c07a64e19ffed
SHA19667419b526c83905b2456a5cc3b17cb320ba48c
SHA256d3ff18b4c4808393aaed293e30733cb03eab694e34439d82e77b5cc9e9c16cad
SHA512f89a18405de14bb7d0da267798935e952f29d6161e007c7f298976e9099ab72217eeca283032818d8cf764efe4bc1c9e86c722b1c192e5050fff5e1f8e1d075d
-
Filesize
512KB
MD58bc1179a6b08ad16b7dfda74de1438eb
SHA1ba9c7dac33bf04c999f1d09a5cd0ab30d0bc881d
SHA2565f9a0318dc560f3faa16ef43199c060eeafce494cbe364d89a28a1d54161ecb1
SHA512827e3ba86463dfdcc4940e356ea1608a297e319d0da6701e3f65df797a74dc6c8e8aa25d3fe0bf04a00225af231123d3405481bd2a602c739fbcddb75f8fc20c
-
Filesize
512KB
MD5d9fb2cb0106e9ece13fe0333e0f1f851
SHA18bfb8f0df8edbb89279a2dac8909feae75efed04
SHA2561180d4c0dd41133b917c2f0a74f06524fe3dc581831a52b6ddff9b60791e4023
SHA5125e24bd8e85a5550c17c4feebf28e54755ef0a70b5112693d225e53957128e51227a14534c1a5a315f5390b8f854703c976dfe9a03b7477ef39c654f43abcd9fd
-
Filesize
448KB
MD59728739f509ce0f3b3b073c945c208bf
SHA131bf207a650a7f1bbb8e90552891f1a6f4e4783b
SHA256f252517c755af447fe73347dd23cd133e28c7a203d01382306a195c8ddda3dba
SHA51276e963f4d1b88528ebbdbc375372889efffba4768f6a99bccce4c1faa730e9515f93fa74bd10bb61c0034f2ceb9ef85ee8234f9d13df183ffc7e163ae3dd38e7
-
Filesize
512KB
MD5586c26624750ab86ab4a2e892da333d3
SHA161de3ed95b2bcc1d78029e2c3266ec8243353003
SHA2566ba55897f2d4104cdb91b8c65236ecba5e5bf38ddeb78a5248b99486e8b4668a
SHA51243439bfbcd8e3311946e66cf6eefd87941cf5b74841981dd3e90192c9db94a2630a094bf2052b5a166d873ee6c6a488c70d67733a643162837a378cc505e5f8f
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD56288bbac3c0179596e8e88e4c0b8e64c
SHA1fec92929cd61eb8ee355c27d1d5adc9acedcad2a
SHA2561aeec12a89b2359e221fd3b11be239fb22edfad444bceca613d52e15e3277fd6
SHA5123b0e19919a8c687f775fbcb458428d11c22070e0894cfb7d31c10f59b9b845b29722b63ca567db33e2c94f39bb86b165e9494e1a98a9d77ef8081b18e455e6fc
-
Filesize
512KB
MD5ecae45bb5255001ae98fb0e41d51509c
SHA115b88fe6f73ba83d53b48a9f95a6a4cdca1815f9
SHA2562c16b858ff456ccbc1109c2bcd78be6eb81d3ebc21ae9c3e41a39bd613e38f04
SHA51267bff8d617dec94e6b9f974b84f7cd24f0c9f99f6948306fdc965f2e743017768615f51e14c0cb7b70dff82e9edd7b83e1b329edebb8b345066878afc97c546d