Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/02/2024, 09:08
Static task: static1
Behavioral task: behavioral1 (Sample: 96ca33f41cf09ab3d2e5b52919aa99e3.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: 96ca33f41cf09ab3d2e5b52919aa99e3.exe, Resource: win10v2004-20231215-en)
The signatures, process tree and dropped files below come from behavioral2, the Windows 10 x64 run (the yara hits are tagged behavioral2/...).
General
Target: 96ca33f41cf09ab3d2e5b52919aa99e3.exe
Size: 512KB
MD5: 96ca33f41cf09ab3d2e5b52919aa99e3
SHA1: e3c4838b1e749449a17f201ecd08420215d0db3e
SHA256: 3340480e26165e6e76e34e95d6c690861bbd725ca0148ff0d38b411ca17accea
SHA512: af455ad2afcdd33070282c5b9f1e4c0f9cda6a25bb257daecdc75463864ef28ec149bf6fb7c96adbe375ce0cd493b4d93a90f6c1134001bbd61c4406bc4f9620
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" by wekuhzngkq.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by wekuhzngkq.exe
Both values are forced to Explorer's defaults. HideFileExt = 1 hides known extensions, so the X.doc.exe files this sample writes next to documents (see the Program Files and Windows directory drops below) display as X.doc; ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of directory listings. The tell is that a user's "show extensions" choice is silently reverted, not the values themselves.
Windows security bypass 5 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" by wekuhzngkq.exe
These are XP-era Security Center flags, and all five writes landed under WOW6432Node: the 32-bit process opened HKLM\SOFTWARE\Microsoft\Security Center and WOW64 registry redirection sent it to the 32-bit view. The 64-bit Security Center service reads the native key, so on this x64 image the change is recorded but does not reach the component it targets. On a 32-bit host the write would hit the real key.
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by wekuhzngkq.exe
This is the per-user "Prevent access to registry editing tools" policy value: regedit.exe refuses to start for this user until it is removed. reg.exe and the PowerShell registry provider are not affected, so cleanup from a script still works.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation 96ca33f41cf09ab3d2e5b52919aa99e3.exe -
Executes dropped EXE 5 IoCs
- PID 1756 wekuhzngkq.exe
- PID 4848 avzviiifhtzbqbu.exe
- PID 3868 vbafgoqd.exe
- PID 800 nenfjnpdxcboa.exe
- PID 1336 vbafgoqd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. The report attaches no IoC to this signature, so treat it as unconfirmed for this sample.
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" by wekuhzngkq.exe
The same Security Center value set as the first Security Center block, plus FirstRunDisabled; all six sit in the WOW6432Node (32-bit) view and are counted twice by two overlapping signatures.
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cdlfwbja = "wekuhzngkq.exe" by avzviiifhtzbqbu.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uvquyqrn = "avzviiifhtzbqbu.exe" by avzviiifhtzbqbu.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (default value) = "nenfjnpdxcboa.exe" by avzviiifhtzbqbu.exe
Unlike the Security Center values, the Run key under WOW6432Node is processed at logon, so these are live persistence entries and the ones to remove first. Note the data is a bare file name with no path, and that the third entry uses the key's default value rather than a named value, which some autostart viewers do not display. On this x64 image the files were written to C:\Windows\SysWOW64 (see the System32 drops), so whether the bare names resolve at logon depends on the 64-bit shell's search path; on a 32-bit host they would land in System32 and resolve directly.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- wekuhzngkq.exe: File opened (read-only) \??\a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (23 opens, one per letter)
- vbafgoqd.exe: File opened (read-only) on the same 23 drive letters, 41 opens in total across its two instances (PIDs 3868 and 1336); every letter except c:, d: and f:
A blind a:–z: sweep like this is what a worm does to find removable or mapped drives to copy to. The report records no file writes outside C:.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" by wekuhzngkq.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" by wekuhzngkq.exe
4294967197 is 0xFFFFFF9D, the Windows 2000/XP-era value used to switch off Windows File Protection; with SFCScan = 0 it is an attempt to stop the OS from restoring the system files the sample overwrites. Windows 10 uses Windows Resource Protection and ignores both values, and the write went to the WOW6432Node view in any case, so this is a fingerprint of the malware's age rather than an effective change on this host.
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource / yara_rule:
- behavioral2/memory/4612-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
- behavioral2/files/0x00090000000231ed-5.dat autoit_exe
- behavioral2/files/0x000b000000023151-18.dat autoit_exe
- behavioral2/files/0x00070000000231f3-27.dat autoit_exe
- behavioral2/files/0x00070000000231f4-31.dat autoit_exe
- behavioral2/files/0x000600000001d8b5-74.dat autoit_exe
- behavioral2/files/0x000500000001d9fa-78.dat autoit_exe
- behavioral2/files/0x000e00000001da95-88.dat autoit_exe
- behavioral2/files/0x000300000001e4d8-107.dat autoit_exe
- behavioral2/files/0x000300000001e4d8-112.dat autoit_exe
The in-memory image of the parent (PID 4612, mapped at 0x400000) and every dropped file match autoit_exe, so the whole chain is compiled AutoIt and the original script is normally recoverable from any of the drops with an AutoIt decompiler rather than by disassembly.
Drops file in System32 directory 13 IoCs
- 96ca33f41cf09ab3d2e5b52919aa99e3.exe: File created and File opened for modification for each of C:\Windows\SysWOW64\wekuhzngkq.exe, C:\Windows\SysWOW64\avzviiifhtzbqbu.exe, C:\Windows\SysWOW64\vbafgoqd.exe and C:\Windows\SysWOW64\nenfjnpdxcboa.exe (8 IoCs)
- vbafgoqd.exe: File created (x2) and File opened for modification (x2) \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (4 IoCs)
- wekuhzngkq.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (1 IoC)
The sample is 32-bit (the process tree launches vbafgoqd.exe as C:\Windows\system32\vbafgoqd.exe), so its System32 writes were redirected to SysWOW64 by WOW64 file-system redirection; on a 32-bit host the same files land in C:\Windows\System32. msvbvm60.dll is the Visual Basic 6 runtime; opening an existing system DLL for modification is worth a hash check after any cleanup.
Drops file in Program Files directory 18 IoCs
All by vbafgoqd.exe:
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe: File created (x1), File opened for modification (x4)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal: File opened for modification (x2)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe: File created (x1), File opened for modification (x4)
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal: File opened for modification (x2)
- C:\Program Files\CloseAssert.doc.exe: File created (x1), File opened for modification (x2)
- C:\Program Files\CloseAssert.nal: File opened for modification (x1)
(Paths are recorded in both C:\... and \??\c:\... forms in the raw report; they refer to the same files.) The pattern is one executable named <name>.doc.exe beside a <name>.nal in the same directory for each document it finds.
Drops file in Windows directory 19 IoCs
- vbafgoqd.exe: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- vbafgoqd.exe: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- vbafgoqd.exe: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- vbafgoqd.exe: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2)
- 96ca33f41cf09ab3d2e5b52919aa99e3.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
The WinSxS component names are truncated ("r..t-office-protectors") in the report itself. The four MsoIrmProtector.doc.exe drops show that vbafgoqd.exe is walking the file system for .doc files rather than targeting a fixed list. C:\Windows\mydoc.rtf is written by the parent and then opened in Word (see the process tree): a decoy document for the user while the rest of the chain runs. ~$mydoc.rtf is Word's own owner file, not a malware artifact.
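A hunt for the decoy pattern in the two drop tables above, as an added example (editor's code, not part of the sandbox report or any vendor tooling): find every <name>.doc.exe and pair it with a <name>.nal sibling, then produce a dry-run restore plan. The directory tree is constructed in a temp directory from the paths the report lists and holds dummy bytes; reading <name>.nal as the displaced original document is the editor's interpretation of the PROTTPLN/PROTTPLV/CloseAssert pairs, so verify the .nal contents before renaming on a real host.

```python
"""Hunt for the document-decoy pattern this report records: an executable
named <name>.doc.exe (case-insensitive) written next to <name>.nal.

Added example (editor's code, not part of the report). The directory layout
built by build_sample_tree() mirrors paths from the report's drop tables but
holds dummy bytes; the assumption that <name>.nal is the displaced original
document is the editor's reading of the PROTTPLN/PROTTPLV/CloseAssert pairs.
"""
import tempfile
from pathlib import Path

DECOY_INNER_EXT = ".doc"   # the masked extension seen in the report; extend if needed


def find_decoys(root: Path) -> list:
    """Return (decoy_exe, sibling_nal_or_None) pairs under root, sorted by path."""
    hits = []
    for exe in root.rglob("*.exe"):
        inner = Path(exe.name[:-4])          # "PROTTPLN.DOC.exe" -> "PROTTPLN.DOC"
        if inner.suffix.lower() != DECOY_INNER_EXT:
            continue                         # plain droppers like wekuhzngkq.exe
        nal = exe.with_name(inner.stem + ".nal")
        hits.append((exe, nal if nal.exists() else None))
    return sorted(hits, key=lambda h: str(h[0]))


def plan_restore(hits: list) -> list:
    """Dry-run remediation: (action, src, dst) steps; nothing on disk is touched."""
    plan = []
    for decoy, nal in hits:
        plan.append(("delete", decoy, None))
        if nal is not None:
            # give the displaced original its name back, with the extension the decoy masked
            plan.append(("rename", nal, decoy.with_name(decoy.name[:-4])))
    return plan


def build_sample_tree(root: Path) -> None:
    """Constructed layout: paths from the report's drop tables, dummy contents."""
    files = [
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.DOC.exe",
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLN.nal",
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLV.DOC.exe",
        "Program Files/Microsoft Office/root/Office16/1033/PROTTPLV.nal",
        "Program Files/CloseAssert.doc.exe",
        "Program Files/CloseAssert.nal",
        "Windows/SysWOW64/MSDRM/MsoIrmProtector.doc.exe",   # decoy with no .nal sibling
        "Windows/SysWOW64/wekuhzngkq.exe",                  # ordinary dropped PE, not a decoy
        "Windows/mydoc.rtf",
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ" if rel.endswith(".exe") else b"\xd0\xcf\x11\xe0")


def demo():
    """Run the hunt over the constructed tree; returns file names only, for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = find_decoys(root)
        plan = plan_restore(hits)
        return ([(d.name, n.name if n else None) for d, n in hits],
                [(a, s.name, t.name if t else None) for a, s, t in plan])


if __name__ == "__main__":
    for step in demo()[1]:
        print(step)
```

Point find_decoys() at a mounted image or a live C:\ to sweep a host; the MsoIrmProtector.doc.exe case shows why the .nal sibling is optional, since the report records that decoy with no renamed original beside it.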
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily by WINWORD.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by WINWORD.EXE
All six reads are by WINWORD.EXE, not by the sample or its drops. Word reads these keys on every start, so this is not evidence of sandbox detection by the malware.
Modifies registry class 20 IoCs
By 96ca33f41cf09ab3d2e5b52919aa99e3.exe (8 IoCs):
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C7D9C2282236A3477A170512CD97D8565D8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4F9C9FE67F2E483793B3186EB3997B0FE03F04262033BE2CF429B09D6"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B12847EF399D53C9BADD33EDD7BB"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF82482E85689132D7297E95BD90E643594467456331D7EC"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BB1FE6821DED10ED0D38A08916B"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1945C70C14E3DBBEB9CD7FE5ECE734C7"
- Key created \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings
By wekuhzngkq.exe (12 IoCs):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .reg, .vbs, .wsc, .wsf, .wsh
- Set value (str) default value of \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, .reg, .vbs, .WSF, .WSH, .wsc = "txtfile"
HKLM\SOFTWARE\Classes is shared between the 32-bit and 64-bit registry views, so unlike the Security Center writes these take effect. Pointing .bat, .reg, .vbs, .wsf, .wsh and .wsc at the txtfile ProgID means double-clicking any of those files opens them in the text editor instead of running them; the practical effect is that a user or helpdesk cannot apply a .reg fix or run a cleanup script by double-click (reg.exe, cscript.exe and cmd.exe /c still work). The CLV.Classes key holds six opaque hex strings written only by the parent, which reads as the sample's own configuration or marker storage; the report does not decode them.
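The registry signatures above (Explorer visibility, Security Center, RegEdit, Run keys, Winlogon and the .bat/.vbs/.reg re-association) all arrive as "Set value" records in the same format. The following is an added example (editor's code, not part of the sandbox report or any vendor tool) that parses those records, converts the kernel \REGISTRY\... paths to HKLM/HKU form, flags which writes landed in the WOW6432Node view, and assigns a triage category. SAMPLE_IOCS copies lines from the tables above; the RULES table, the severities and the WOW6432Node interpretation are the editor's own assumptions.

```python
"""Triage the 'Set value' registry IoCs from this report.

Added example (editor's code, not part of the sandbox report or any vendor
tool). SAMPLE_IOCS copies lines from the report's signature tables; the
RULES table, the severities and the WOW6432Node interpretation are the
editor's own triage assumptions.
"""
import re
from dataclasses import dataclass

# Constructed input: IoC records exactly as the report prints them, one per line.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" wekuhzngkq.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" wekuhzngkq.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wekuhzngkq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" wekuhzngkq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cdlfwbja = "wekuhzngkq.exe" avzviiifhtzbqbu.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" wekuhzngkq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" wekuhzngkq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C7D9C2282236A3477A170512CD97D8565D8" 96ca33f41cf09ab3d2e5b52919aa99e3.exe
"""

IOC_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')

# (regex over the registry path, category, severity): editor's assumptions,
# ordered so the first match wins.
RULES = [
    (r"\\CurrentVersion\\Run\\[^\\]*$", "persistence: Run-key autostart", "high"),
    (r"\\Policies\\System\\DisableRegistryTools$", "impair defenses: regedit blocked for this user", "high"),
    (r"\\Classes\\\.[A-Za-z]+\\$", "impair defenses: script file type re-associated", "high"),
    (r"\\Explorer\\Advanced\\HideFileExt$", "defense evasion: known extensions hidden (X.doc.exe shows as X.doc)", "medium"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", "defense evasion: hidden/system files hidden", "medium"),
    (r"\\Security Center\\", "impair defenses: Security Center override/notify flags", "medium"),
    (r"\\Winlogon\\SFC(Disable|Scan)$", "impair defenses: legacy Windows File Protection switches", "low"),
]


@dataclass
class Finding:
    key: str          # HKLM\... or HKU\<SID>\... form of the key
    value_name: str   # "(Default)" when the record sets the key's default value
    data: str
    process: str
    wow64_view: bool  # True when the write landed in the 32-bit view (WOW6432Node)
    category: str
    severity: str


def _friendly(path: str) -> str:
    """Rewrite the kernel object path the sandbox prints into the usual hive names."""
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + path[len("\\REGISTRY\\MACHINE"):]
    if path.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + path[len("\\REGISTRY\\USER"):]
    return path


def parse_ioc(line: str):
    """Parse one 'Set value' record; returns a Finding, or None for other lines."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    _kind, path, data, process = m.groups()
    category, severity = "uncategorised: review manually", "info"
    for pattern, cat, sev in RULES:
        if re.search(pattern, path):
            category, severity = cat, sev
            break
    key, _, name = path.rpartition("\\")      # trailing backslash => default value
    return Finding(key=_friendly(key), value_name=name or "(Default)", data=data,
                   process=process, wow64_view="\\WOW6432Node\\" in path,
                   category=category, severity=severity)


def triage(report_text: str) -> list:
    return [f for f in map(parse_ioc, report_text.splitlines()) if f is not None]


def summarise(findings: list):
    """Severity histogram plus the autostart entries to remove first."""
    by_severity: dict = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    autostarts = [(f.value_name, f.data) for f in findings if f.category.startswith("persistence")]
    return by_severity, autostarts


if __name__ == "__main__":
    found = triage(SAMPLE_IOCS)
    for f in found:
        view = "32-bit view" if f.wow64_view else "native view"
        print(f"[{f.severity:<6}] {f.category}")
        print(f"         {f.key}\\{f.value_name} = {f.data!r} by {f.process} ({view})")
    print(summarise(found))
```

Feed it the full IoC tables instead of SAMPLE_IOCS to get a per-host checklist; the wow64_view flag is what separates the writes that need remediation on an x64 host (Run key, Classes, per-user Explorer and policy values) from the ones that only matter on 32-bit Windows.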
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 1952 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe (x16)
- PID 1756 wekuhzngkq.exe (x10)
- PID 4848 avzviiifhtzbqbu.exe (x12)
- PID 3868 vbafgoqd.exe (x8)
- PID 800 nenfjnpdxcboa.exe (x12)
- PID 1336 vbafgoqd.exe (x6)
Suspicious use of FindShellTrayWindow 18 IoCs
- PIDs 4612 (96ca33f41cf09ab3d2e5b52919aa99e3.exe), 1756 (wekuhzngkq.exe), 4848 (avzviiifhtzbqbu.exe), 800 (nenfjnpdxcboa.exe), 3868 (vbafgoqd.exe), 1336 (vbafgoqd.exe), x3 each
Suspicious use of SendNotifyMessage 18 IoCs
- the same six PIDs, x3 each
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 1952 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe wrote to memory of PID 1756 wekuhzngkq.exe (x3, procid_target 85)
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe wrote to memory of PID 4848 avzviiifhtzbqbu.exe (x3, procid_target 86)
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe wrote to memory of PID 3868 vbafgoqd.exe (x3, procid_target 87)
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe wrote to memory of PID 800 nenfjnpdxcboa.exe (x3, procid_target 88)
- PID 4612 96ca33f41cf09ab3d2e5b52919aa99e3.exe wrote to memory of PID 1952 WINWORD.EXE (x2, procid_target 89)
- PID 1756 wekuhzngkq.exe wrote to memory of PID 1336 vbafgoqd.exe (x3, procid_target 91)
Every WriteProcessMemory target is a direct child in the process tree, which is what ordinary process creation looks like from the sandbox's hook; nothing is written into a pre-existing, unrelated process, so this is not evidence of injection. FindShellTrayWindow and SendNotifyMessage are routine for AutoIt-compiled binaries, and SetWindowsHookEx / AddClipboardFormatListener come from Word itself; none of these carries weight on its own.
Processes
1. C:\Users\Admin\AppData\Local\Temp\96ca33f41cf09ab3d2e5b52919aa99e3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\96ca33f41cf09ab3d2e5b52919aa99e3.exe"
   PID: 4612
   - Checks computer location settings
   - Drops file in System32 directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\wekuhzngkq.exe
      Command line: wekuhzngkq.exe
      PID: 1756
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\vbafgoqd.exe
         Command line: C:\Windows\system32\vbafgoqd.exe
         PID: 1336
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in System32 directory
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
   2. C:\Windows\SysWOW64\avzviiifhtzbqbu.exe
      Command line: avzviiifhtzbqbu.exe
      PID: 4848
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2. C:\Windows\SysWOW64\vbafgoqd.exe
      Command line: vbafgoqd.exe
      PID: 3868
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2. C:\Windows\SysWOW64\nenfjnpdxcboa.exe
      Command line: nenfjnpdxcboa.exe
      PID: 800
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID: 1952
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
(Depth numbers are the report's own: 1 is the submitted sample, 2 its direct children, 3 a grandchild. The image path for vbafgoqd.exe is C:\Windows\SysWOW64 even though the command line names C:\Windows\system32, which is WOW64 file-system redirection at work.)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: 7e9b652d2ac03676efa108e05bbb5771
  SHA1: 99c671864d4106d6038d63ad90cc7076bfd8f7a9
  SHA256: 4853751d128a016fe78b30c24ec7232dc95860337bddff864a39ff0d5bdd62df
  SHA512: 0b6687d418ac3c42ebac5674d4cd56255dc3cbb2a95b1b9406fee39461bed04479c7cee9be97e1f2923292f3831118d8023cd5e7bd184f321d972aa9915f4dce
- Filesize: 512KB
  MD5: dcbefc250964ca496f097b5583debb74
  SHA1: 369c44188a5b61447750469a180649f2ab0bb643
  SHA256: cad83262136bd6ed0bff6aa886e46d58dde4849a2ab0f5e3f46804675e9df566
  SHA512: db8d0157372bc099a89b45b5b4291b893dde90a17cbc747ee7c3d376c43c666d439a67e519d990d80581b48690fe529824031ca9ce3c29ae469206decc01041e
- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 1874b92cdc40f2f57bf2e490521bdb26
  SHA1: 796de77a9641e2ea6db788a65700b6ddf8cf0e56
  SHA256: fec639fed90856f1fee7d5b23352641c00f6e80120534b359f3ee2ad6a62734b
  SHA512: dda79f3c85bbb8db02478ddc4f234fb6070fde66fd989f187a474b46df2bb8166d4f58d1881b17a45e6dbc850a43bab14a83798c7d8b6fc68f931fceb3cd395b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 58d604e6c464b99540265ca1552b850e
  SHA1: 569cf219fd7bb040b6349d7f480a59d2b0e69a25
  SHA256: 3407d9eac827925dfd7d44a322e0a96949ec59fdce256a474730c605877478f8
  SHA512: f0a3208a9317cc87ff95263ae8d3b847dc77320fd81b99312b3cae1a95f117cfd940cfae12760e65d57e63658779b64757cafc3fd7b87859863f2c8001df398d
- Filesize: 512KB
  MD5: a469389f9b5f5563e2f2294412fe5b37
  SHA1: de52d11dddac4bbe1b64e6b6873ca9ab51275d25
  SHA256: b019277a128f84b5b05078bd718df99dc964a209e878abdbfa57631e9a56dd8d
  SHA512: 25d173ed14a2218cf395c2121b6b237f0e66efe71103b7710d4ecdf757d36d6a61aa870732784818e547385c6e7f9c7c560a502a0811ff36d607f91337c35a86
- Filesize: 512KB
  MD5: adb5d5aa8fd6f0e28acbd490a4b690f4
  SHA1: cbaec5cd090cdb3f9cd6c2e99ebea7e767fdd8f4
  SHA256: d5bb752709c3ea7866a0f75484581a9047c49476bf8b877575a4c5ed562184f2
  SHA512: 4b2eeb42deae55b93fdd63582e6d55d910688029e6a7b8dfbdc40476954f98c5d6ac6631ae1c276e5d3ce8b5377b08c650dff3ebcbd7bd92ee1f456f058de622
- Filesize: 512KB
  MD5: 731a8ff3852a410987c4ba240d23c1f9
  SHA1: 10d6151823e77a92b427d812f9810af2b0322ec4
  SHA256: cbf45f5cd738fe0a9c7cd425ccb896f18f15e38c4044d1861f415a2cef22dd78
  SHA512: 99896cccc1e9874dc757233027bd2e7deb94db0cfcd86c83f0223e6a22740b8cdccc10a4fcdab27a8fbdd3cd33ceea2b0f13c740d9658a477509438f3f995a61
- Filesize: 512KB
  MD5: d67747ed485f134c943d7d9559294524
  SHA1: e94f9d00a5d167ff006b9dd82670f3662ca37055
  SHA256: 7bc90291ca95e8351cd6b056126a30d7819221cd0328934fac3e2a2e9967e60a
  SHA512: 49f7d48f988c0b9d84a87c2aafdf560adf64d1a4e2df3f1748713ecfbe2e1133dc05a48d81da8d8fd767e0b0c1f99af3633d2b89669613b7982c5d76e652a9c8
- Filesize: 512KB
  MD5: b31f3600d2b23794b24237c3561ec029
  SHA1: eb6dbefcbb1a02531937d5bf797f9064036c69bf
  SHA256: 034a155e4c83fadd80da9c71b40b20dda8f0887056dc3fcac25ec9ae64316035
  SHA512: 315bed3e25783eba3d4dbed536fa4c772407008c630b94a343f2dbd549bfce746d53baf0f5c1efb60b518edfb958f9810a79cacfa713a56cd86f42ba277ae4b9
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: dbefd04285b1215ceed09db8a9210002
  SHA1: 3515cdc50819e92cceac49443a387124681d314c
  SHA256: 2efa0cfce0a59a9a55c74ceb696c4c953c90339db7b83ca2ac0a401b0999edd4
  SHA512: 87296cc575179790754a120f8e5fd4f3a220b8ddaadac5f16e70b1854c5ab234d78db25d90fc80e0c7449a66fd9e148e9939b081d90a7210adc99bd15b7e6636
- Filesize: 512KB
  MD5: a3b53a7be7fd07414daf366c4720b4ca
  SHA1: 628b1652be805b1180be5d5021431134cbba2302
  SHA256: b3aee623cb276ca97f45676e4d4bf784a5ddefe44b84de0eec01c78f3420aa45
  SHA512: 367398b95f45fabeba89562ed004789e396814d58ff750f00f650714027c280e6999d5e01e5d123810284415c459376ed102e67ed240af9c58f041cb65e99d60
Nine of the thirteen files are 512KB, the same size as the parent, yet every one has a different hash: the dropped executables are not byte-identical copies, so blocking the parent's hash will not catch them. The two customDestinations-ms files are Word jump-list entries created when the decoy document was opened, not malware artifacts; the report does not name the paths of the remaining entries.