Analysis
max time kernel: 12s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/02/2024, 04:08

Static task: static1
Behavioral task: behavioral1
  Sample: 98705b5a907f1a691359259b19b16d3d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 98705b5a907f1a691359259b19b16d3d.exe
  Resource: win10v2004-20231222-en
General
Target: 98705b5a907f1a691359259b19b16d3d.exe
Size: 512KB
MD5: 98705b5a907f1a691359259b19b16d3d
SHA1: baef9e414aa721ec9c310a32c78b1160ab99f48b
SHA256: 69347a80b962904a59cc1114412832f2449c79f5601468d5e424dda355aa2296
SHA512: 44d4b37bd5d1d2da6065e062f7b549c966d177e960358ed46caee459d1df7ad954b4ae04fa8affdba0a5713e926d5a21847ace76af08a0683c334e6b20949598
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bouiajcukk.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bouiajcukk.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bouiajcukk.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bouiajcukk.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | 98705b5a907f1a691359259b19b16d3d.exe
Executes dropped EXE (5 IoCs)
pid | Process
2000 | bouiajcukk.exe
2472 | xozupjreolixhwn.exe
4580 | uiqnmbiq.exe
404 | cwodpaymwhzzn.exe
3568 | uiqnmbiq.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bouiajcukk.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kkxlvawl = "bouiajcukk.exe" | xozupjreolixhwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gwchercr = "xozupjreolixhwn.exe" | xozupjreolixhwn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cwodpaymwhzzn.exe" | xozupjreolixhwn.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bouiajcukk.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bouiajcukk.exe
AutoIT Executable (16 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xozupjreolixhwn.exe | 98705b5a907f1a691359259b19b16d3d.exe
File created | C:\Windows\SysWOW64\uiqnmbiq.exe | 98705b5a907f1a691359259b19b16d3d.exe
File opened for modification | C:\Windows\SysWOW64\uiqnmbiq.exe | 98705b5a907f1a691359259b19b16d3d.exe
File created | C:\Windows\SysWOW64\bouiajcukk.exe | 98705b5a907f1a691359259b19b16d3d.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bouiajcukk.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uiqnmbiq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uiqnmbiq.exe
File opened for modification | C:\Windows\SysWOW64\bouiajcukk.exe | 98705b5a907f1a691359259b19b16d3d.exe
File created | C:\Windows\SysWOW64\xozupjreolixhwn.exe | 98705b5a907f1a691359259b19b16d3d.exe
File created | C:\Windows\SysWOW64\cwodpaymwhzzn.exe | 98705b5a907f1a691359259b19b16d3d.exe
File opened for modification | C:\Windows\SysWOW64\cwodpaymwhzzn.exe | 98705b5a907f1a691359259b19b16d3d.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uiqnmbiq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | uiqnmbiq.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uiqnmbiq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uiqnmbiq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | uiqnmbiq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | uiqnmbiq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uiqnmbiq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uiqnmbiq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | uiqnmbiq.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 98705b5a907f1a691359259b19b16d3d.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4624 | WINWORD.EXE
4624 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Suspicious use of SendNotifyMessage (18 IoCs)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
4624 | WINWORD.EXE
4624 | WINWORD.EXE
4624 | WINWORD.EXE
4624 | WINWORD.EXE
4624 | WINWORD.EXE
4624 | WINWORD.EXE
4624 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe (PID 680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\bouiajcukk.exe (PID 2000)
    Command line: bouiajcukk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\uiqnmbiq.exe (PID 3568)
      Command line: C:\Windows\system32\uiqnmbiq.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\cwodpaymwhzzn.exe (PID 404)
    Command line: cwodpaymwhzzn.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\uiqnmbiq.exe (PID 4580)
    Command line: uiqnmbiq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Windows\SysWOW64\xozupjreolixhwn.exe (PID 2472)
    Command line: xozupjreolixhwn.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Level 2: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4624)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads