Analysis
max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted
13/02/2024, 10:44
Static task
static1
Behavioral task
behavioral1
Sample
99384b91caeb3db7b013c5f13f292424.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
99384b91caeb3db7b013c5f13f292424.exe
Resource
win10v2004-20231215-en
General
Target
99384b91caeb3db7b013c5f13f292424.exe
Size
512KB
MD5
99384b91caeb3db7b013c5f13f292424
SHA1
466c3070c871854cf8283bccdef2bc93bd7fa6e4
SHA256
21f1a55e503601078df14945d4acd57d816d8abc55d7c17d10f48d06c410e53c
SHA512
1702a41d75a54bcde75b45b8790ad44fa51e2e924a046898fc8d545b5add792c2f1db1e5002c07a37f683b95211b123d7bad29ce407f50d5483a4044796f816c
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6k:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5L
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" qjwalckmcd.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" qjwalckmcd.exe

Windows security bypass 5 IoCs
Sets the Security Center override and notification-suppression values. These are legacy (XP-era) Security Center settings that Windows 10 largely ignores, but a freshly dropped SysWOW64 binary writing them is still a strong indicator.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qjwalckmcd.exe

Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" qjwalckmcd.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation 99384b91caeb3db7b013c5f13f292424.exe

Executes dropped EXE 5 IoCs
pid Process
2916 qjwalckmcd.exe
4140 zhgeueqoyuudvmp.exe
1776 tzjdxyny.exe
1472 jvbusbcudxwfq.exe
4740 tzjdxyny.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. (No IoC rows were recorded for this signature.)

Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" qjwalckmcd.exe

Adds Run key to start application 2 TTPs 3 IoCs
All three entries are written under the 32-bit (WOW6432Node) Run key as bare file names rather than full paths, and the first one is the key's (Default) value, which is easy to overlook in a casual autoruns review.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jvbusbcudxwfq.exe" zhgeueqoyuudvmp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rsypgwww = "qjwalckmcd.exe" zhgeueqoyuudvmp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dxgiorua = "zhgeueqoyuudvmp.exe" zhgeueqoyuudvmp.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
All 64 rows are "File opened (read-only) \??\<letter>:" events from two processes that walk the drive letters in turn:
qjwalckmcd.exe (22 opens): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, t, u, v, w, x, y, z
tzjdxyny.exe (42 opens across its two instances, most letters twice): a, b, e, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z
The letters c:, d: and f: do not appear in the list.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" qjwalckmcd.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" qjwalckmcd.exe
4294967197 is 0xFFFFFF9D, the value that disabled Windows File Protection on Windows 2000/XP. Windows Resource Protection on Vista and later does not honor it, and the write lands in the WOW6432Node view of Winlogon anyway, so this is a lineage tell rather than an effective bypass on the Windows 10 image used here.
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/1936-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000600000002323b-5.dat autoit_exe
behavioral2/files/0x0007000000023237-18.dat autoit_exe
behavioral2/files/0x000600000002323c-24.dat autoit_exe
behavioral2/files/0x000600000002323d-32.dat autoit_exe
behavioral2/files/0x000400000001da79-84.dat autoit_exe
behavioral2/files/0x000200000001e72b-106.dat autoit_exe
behavioral2/files/0x000700000002047e-115.dat autoit_exe
behavioral2/files/0x000700000002047e-123.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process
File created C:\Windows\SysWOW64\zhgeueqoyuudvmp.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification C:\Windows\SysWOW64\tzjdxyny.exe 99384b91caeb3db7b013c5f13f292424.exe
File created C:\Windows\SysWOW64\jvbusbcudxwfq.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe tzjdxyny.exe
File created C:\Windows\SysWOW64\qjwalckmcd.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification C:\Windows\SysWOW64\qjwalckmcd.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification C:\Windows\SysWOW64\zhgeueqoyuudvmp.exe 99384b91caeb3db7b013c5f13f292424.exe
File created C:\Windows\SysWOW64\tzjdxyny.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification C:\Windows\SysWOW64\jvbusbcudxwfq.exe 99384b91caeb3db7b013c5f13f292424.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll qjwalckmcd.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe tzjdxyny.exe

Drops file in Program Files directory 14 IoCs
The targets are the Office IRM protector templates PROTTPLN.DOC and PROTTPLV.DOC. For each, tzjdxyny.exe creates a same-named .DOC.exe and writes a .nal companion; together with the HideFileExt = "1" change above, which hides the trailing .exe in Explorer, this is consistent with a companion-style infection of document files.
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe tzjdxyny.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe tzjdxyny.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe tzjdxyny.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe tzjdxyny.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe tzjdxyny.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe tzjdxyny.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal tzjdxyny.exe

Drops file in Windows directory 11 IoCs
The same .doc.exe pattern is applied to MsoIrmProtector.doc in both WinSxS component directories. The two mydoc.rtf rows show the original sample writing C:\Windows\mydoc.rtf before WINWORD.EXE is launched to open it.
description ioc Process
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe tzjdxyny.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe tzjdxyny.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe tzjdxyny.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe tzjdxyny.exe
File opened for modification C:\Windows\mydoc.rtf 99384b91caeb3db7b013c5f13f292424.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. All three reads here are attributed to WINWORD.EXE, not to the sample or its dropped binaries, so they should not be read as sandbox evasion by the malware.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
As above, all three events belong to WINWORD.EXE.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE

Modifies registry class 20 IoCs
Two distinct things happen here. The original sample creates HKLM\Software\Classes\CLV.Classes and stores opaque hex strings in it (StartCom1/2, Com1-4), presumably configuration or an infection marker. qjwalckmcd.exe then re-points the .bat, .vbs, .reg, .wsf, .wsh and .wsc extensions at the "txtfile" ProgID, so double-clicking any of those files opens it in Notepad instead of executing it; this neuters the usual cleanup route of importing a .reg file or running a batch script to undo the registry changes.
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B6FF6D22D8D20ED1A98B7E9014" 99384b91caeb3db7b013c5f13f292424.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" qjwalckmcd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf qjwalckmcd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs qjwalckmcd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32422C0D9D5583276A3076D370562CAC7DF664DD" 99384b91caeb3db7b013c5f13f292424.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABCF96AF1E584753B44819A39E5B3FD03F14214033DE2C842ED09D1" 99384b91caeb3db7b013c5f13f292424.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B02047E4399F52BDB9A2329BD4CF" 99384b91caeb3db7b013c5f13f292424.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFCF8485D826D9042D75A7D96BC93E136583066406341D6EC" 99384b91caeb3db7b013c5f13f292424.exe
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings 99384b91caeb3db7b013c5f13f292424.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 99384b91caeb3db7b013c5f13f292424.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" qjwalckmcd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C77915E5DAB2B8CB7FE6ECE234C8" 99384b91caeb3db7b013c5f13f292424.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat qjwalckmcd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh qjwalckmcd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc qjwalckmcd.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process (event count)
2276 WINWORD.EXE (2)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (event count)
1936 99384b91caeb3db7b013c5f13f292424.exe (16)
2916 qjwalckmcd.exe (10)
1776 tzjdxyny.exe (8)
4140 zhgeueqoyuudvmp.exe (14)
1472 jvbusbcudxwfq.exe (16)

Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (event count)
1936 99384b91caeb3db7b013c5f13f292424.exe (3)
2916 qjwalckmcd.exe (3)
1776 tzjdxyny.exe (3)
4140 zhgeueqoyuudvmp.exe (3)
1472 jvbusbcudxwfq.exe (3)
4740 tzjdxyny.exe (3)

Suspicious use of SendNotifyMessage 18 IoCs
pid Process (event count)
1936 99384b91caeb3db7b013c5f13f292424.exe (3)
2916 qjwalckmcd.exe (3)
1776 tzjdxyny.exe (3)
4140 zhgeueqoyuudvmp.exe (3)
1472 jvbusbcudxwfq.exe (3)
4740 tzjdxyny.exe (3)

Suspicious use of SetWindowsHookEx 7 IoCs
pid Process (event count)
2276 WINWORD.EXE (7)

Suspicious use of WriteProcessMemory 17 IoCs
Every target PID below is a child that the writing process itself launches (see the process tree), and the three writes per child match ordinary process creation, where CreateProcess populates the new child's address space, rather than injection into a pre-existing process.
description pid Process procid_target (event count)
PID 1936 wrote to memory of 2916 1936 99384b91caeb3db7b013c5f13f292424.exe 83 (3)
PID 1936 wrote to memory of 4140 1936 99384b91caeb3db7b013c5f13f292424.exe 84 (3)
PID 1936 wrote to memory of 1776 1936 99384b91caeb3db7b013c5f13f292424.exe 85 (3)
PID 1936 wrote to memory of 1472 1936 99384b91caeb3db7b013c5f13f292424.exe 86 (3)
PID 2916 wrote to memory of 4740 2916 qjwalckmcd.exe 87 (3)
PID 1936 wrote to memory of 2276 1936 99384b91caeb3db7b013c5f13f292424.exe 88 (2)
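The signature tables above translate directly into host-side detection logic. The script below is an added example written for this page, not Triage's code and not anything from the sample: it encodes the registry values, the script-extension hijack and the dropped-file patterns from this report as rules and runs them over a handful of constructed Sysmon-style events (EventID 13 for registry value sets, EventID 11 for file creates; the dict layout is simplified and my own). Six of the events are lifted from the tables above and two are benign controls. The key normalization folds \REGISTRY\MACHINE into HKLM, the user SID into HKU and strips WOW6432Node, so a rule written once matches whether the writer was 32- or 64-bit. The "bare file name in a Run value" and "new EXE directly in SysWOW64 from a non-Windows process" rules are heuristics of mine, flagged as such in the comments, and will need tuning on real telemetry.

```python
"""Offline detector built from the registry and file IoCs in the report above.
Added example, not Triage's or the sample's code.  Events are constructed here
in a simplified Sysmon-like shape (ID 13 = registry value set, ID 11 = file
create); the rule names and the two heuristics marked below are my own."""
import re

# (normalized key suffix, value name) -> data the sample wrote, taken from the
# Explorer, Security Center, DisableRegistryTools and Winlogon signatures.
REG_VALUE_IOCS = {
    (r"\Explorer\Advanced", "HideFileExt"): "1",
    (r"\Explorer\Advanced", "ShowSuperHidden"): "0",
    (r"\Policies\System", "DisableRegistryTools"): "1",
    (r"\Security Center", "AntiVirusOverride"): "1",
    (r"\Security Center", "FirewallOverride"): "1",
    (r"\Security Center", "AntiVirusDisableNotify"): "1",
    (r"\Security Center", "FirewallDisableNotify"): "1",
    (r"\Security Center", "UpdatesDisableNotify"): "1",
    (r"\Security Center", "FirstRunDisabled"): "1",
    (r"\Winlogon", "SFCScan"): "0",
    (r"\Winlogon", "SFCDisable"): "4294967197",  # 0xFFFFFF9D
}
SCRIPT_EXTS = {".bat", ".vbs", ".reg", ".wsf", ".wsh", ".wsc"}  # re-pointed at "txtfile"
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.exe$", re.I)  # heuristic: <name>.<ext>.exe


def normalize_key(key: str) -> str:
    """Map native \\REGISTRY\\... paths to hive form and drop WOW6432Node so a
    32-bit writer (this sample runs from SysWOW64) matches the same rule."""
    k = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", key, flags=re.I)
    k = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+(_Classes)?", "HKU", k, flags=re.I)
    return re.sub(r"\\WOW6432Node", "", k, flags=re.I)


def check_registry(target: str, data: str) -> list:
    """Rules matched by one registry value write.  `target` is the full value
    path as Sysmon reports it; a trailing backslash means the (Default) value."""
    raw_key, _, name = target.rpartition("\\")
    key = normalize_key(raw_key)
    hits = []
    for (suffix, vname), bad in REG_VALUE_IOCS.items():
        if key.lower().endswith(suffix.lower()) and name.lower() == vname.lower() and data == bad:
            hits.append(f"reg:{vname}={bad}")
    # Heuristic (assumption): Run entry that is a bare file name, not a full path.
    if key.lower().endswith(r"\currentversion\run") and "\\" not in data:
        hits.append("reg:run_key_bare_filename")
    m = re.search(r"\\classes\\(\.[a-z]+)$", key, re.I)
    if m and name == "" and m.group(1).lower() in SCRIPT_EXTS and data.lower() == "txtfile":
        hits.append("reg:script_assoc_hijack" + m.group(1).lower())
    return hits


def check_file(path: str, image: str) -> list:
    """Rules matched by one file-create event."""
    p = path.replace("\\??\\", "")  # strip the NT object-manager prefix
    hits = []
    if DOUBLE_EXT.search(p):
        hits.append("file:double_extension_exe")
    # Heuristic (assumption): new EXE directly in SysWOW64 from a non-Windows image.
    if (re.match(r"^c:\\windows\\syswow64\\[^\\]+\.exe$", p, re.I)
            and not image.lower().startswith("c:\\windows\\")):
        hits.append("file:exe_dropped_in_syswow64")
    return hits


def scan(events: list) -> list:
    """Run both checkers over event dicts; return (image, rule) pairs."""
    out = []
    for ev in events:
        if ev["id"] == 13:
            hits = check_registry(ev["target"], ev["data"])
        elif ev["id"] == 11:
            hits = check_file(ev["path"], ev["image"])
        else:
            hits = []
        out.extend((ev["image"], h) for h in hits)
    return out


# Constructed sample: six events lifted from the report plus two benign
# controls (a user un-hiding extensions, an MSI installer's Run entry).
SID = r"\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000"
DROPPER = r"C:\Windows\SysWOW64\qjwalckmcd.exe"
SAMPLE_EVENTS = [
    {"id": 13, "image": DROPPER, "data": "1",
     "target": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"id": 13, "image": DROPPER, "data": "1",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride"},
    {"id": 13, "image": DROPPER, "data": "txtfile",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Classes\.bat" + "\\"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\zhgeueqoyuudvmp.exe", "data": "jvbusbcudxwfq.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\"},
    {"id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\99384b91caeb3db7b013c5f13f292424.exe",
     "path": r"C:\Windows\SysWOW64\zhgeueqoyuudvmp.exe"},
    {"id": 11, "image": r"C:\Windows\SysWOW64\tzjdxyny.exe",
     "path": r"\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe", "data": "0",
     "target": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt"},
    {"id": 13, "image": r"C:\Windows\System32\msiexec.exe", "data": r"C:\Program Files\Acme\agent.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AcmeAgent"},
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

Running it prints six (image, rule) pairs, one per malicious event, and nothing for the two controls. To use it on real data, feed it the TargetObject/Details fields of Sysmon EventID 13 and the TargetFilename/Image fields of EventID 11 in the same dict shape; the exact-match rules in REG_VALUE_IOCS are safe to alert on as-is, while the two heuristics are better suited to hunting than to paging.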
Processes
C:\Users\Admin\AppData\Local\Temp\99384b91caeb3db7b013c5f13f292424.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\99384b91caeb3db7b013c5f13f292424.exe"
  PID:1936
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\qjwalckmcd.exe
      command line: qjwalckmcd.exe
      PID:2916
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Enumerates connected drives
      - Modifies WinLogon
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tzjdxyny.exe
          command line: C:\Windows\system32\tzjdxyny.exe (the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64 file-system redirection)
          PID:4740
          - Executes dropped EXE
          - Enumerates connected drives
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\zhgeueqoyuudvmp.exe
      command line: zhgeueqoyuudvmp.exe
      PID:4140
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\tzjdxyny.exe
      command line: tzjdxyny.exe
      PID:1776
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\jvbusbcudxwfq.exe
      command line: jvbusbcudxwfq.exe
      PID:1472
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
      PID:2276
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

Reading the tree together with the tables: the submitted sample (PID 1936) writes four copies into C:\Windows\SysWOW64 and launches each of them, then opens C:\Windows\mydoc.rtf in Word, a file it had itself written moments earlier. The defense-evasion registry work is concentrated in qjwalckmcd.exe, persistence in zhgeueqoyuudvmp.exe, and the document-directory file drops in the two tzjdxyny.exe instances. Everything attributed to WINWORD.EXE is Word's own start-up activity.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547) 2
    Registry Run Keys / Startup Folder (T1547.001) 1
    Winlogon Helper DLL (T1547.004) 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547) 2
    Registry Run Keys / Startup Folder (T1547.001) 1
    Winlogon Helper DLL (T1547.004) 1
Defense Evasion
  Hide Artifacts (T1564) 2
    Hidden Files and Directories (T1564.001) 2
  Impair Defenses (T1562) 2
    Disable or Modify Tools (T1562.001) 2
  Modify Registry (T1112) 6
The Winlogon Helper DLL mapping is driven by the SFCScan/SFCDisable writes under the Winlogon key, not by a change to Userinit, Shell or Notify; no helper DLL is registered in this run.
Downloads
Most of the dropped files are 512KB, the same size as the submitted sample, yet none of their hashes match it, so the SysWOW64 copies are not byte-identical to the parent and a hash block on the submitted file alone will not cover them. The two customDestinations-ms entries are jump-list artifacts from WINWORD.EXE opening mydoc.rtf. File names that the extracted report does not give are left blank.

Filesize 512KB
MD5 dd59bf58083f1057b451c0b63c64e4b3
SHA1 987b390b42f476aaa866c0aa9c24653a123ec4ed
SHA256 18e55639c63a74903cdef6eca1533a8a988a78a03a40cac391aa5f0d1b796eed
SHA512 030bbee8926a1c853ebfe9a32b641c508bf6d3286939ca3d629a2b9ea339bca27dece03f87d3053652872db5a54c7943f80d47bfc6395202237aeeec5cec904b

Filesize 239B
MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 ceaf3d2cafc024dcb23df4cbbfd96148
SHA1 43e79bf3f623bf329cd7713db00d7f4b7f7d71ab
SHA256 bc759d04049543a46706fc107953e52aa2da21d0180bb09f4949e46205ee1e86
SHA512 385729f308e4769681f90be3401ce85aeca0a6ba23088d08f70a62c3aea3e0fce920d690de749d4ff4359bf3804ea9d589943342f5fe3437affb78656f542310

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize 3KB
MD5 82b20ba35713730ffad5d31418b11139
SHA1 5b45760bf816e8270e1ff64187c95868119445ea
SHA256 d84e13d7c63101c8e68038bd7d45a04a0f549141c5224b3ef6bdef6cd88821bc
SHA512 7afb3ea057a9db529e8f4fb442bb8b20099964068dc8cfca75c1734f97df0fba930bbeb4014518d7be227336e2d44e3b5c322ca6d3dd5fdd7aa9f7ae7cb1dc91

Filesize 512KB
MD5 0f04a993912358352323cf94a3bbcc7e
SHA1 42ed909fad64abeee66401453ccfade439996af5
SHA256 b225dadeb85e5940b94081b36d0337b093b7c1fd2e7c6f12b1a0a1b4bfd58c76
SHA512 ecbb6e6b4f59b0fad3bb848512d32a331bcbfb351e1cb9cb099c39f3bdec8722b2feede7ba9f5de40f357068fba3f9b63fe30ac06f212359f4f2f55abff65419

Filesize 512KB
MD5 8d7e598aa9ddfe9b9fe05e55d5e18357
SHA1 b66d1b27fd8779941ed0d0bcc724dcd9e4e29f22
SHA256 5ed8c15a29c206ac894454b6317698f8e0c2c17a9a3b686736659759b3ec30e7
SHA512 26183ccea5bd898aade8fa87bd6b3d49a623e9343e8c336cf3a9b66bcfcc90f44f2bdedceeef632876af333441dab645ecac69e499b9d42973c685c5d22b2dab

Filesize 512KB
MD5 74a7988956cccbcf2669ac39d6c284f1
SHA1 1e5b4be87859f76ba80909351fc3f5ce2cf47afd
SHA256 12d5d6a91cd48c5b25218e98192194955d89e8c4062a0a7fc9383fea09866e21
SHA512 559847b69fb3e41ad6667b4ae1664f9dc1a4581364f7e2ef1fb97faad07676b0947becc4f86ab0e468d621437d03bea4040d76c5d409ac8c7209f430e9ef7c4b

Filesize 512KB
MD5 5fc4c50e163d612158bd571693547182
SHA1 ba06cdbb7b13151c6dc0540d0914eb558298e8ad
SHA256 4590920f0e48d8b51c7614382c6b9920ce93945a82562ed3cc81a931f0dde150
SHA512 0cd43df3457712b91dd33b0021344b8a77bd58128d479a9d03631cf03e00874af42cfd57bbad751c5aa2b4d1a2616d1cbaa41cacff3ab969efaa1b8c102acf0e

Filesize 512KB
MD5 b697e423d77e784a86ca865e4619b7fd
SHA1 f925b507aa253b7fab04beb088bac428aadd26f2
SHA256 bafbeb629e21c735371d5f28f83f833823e000434e6687fa59e17a1e62f855c0
SHA512 cb75eeefa0335edd2901700d811f0efeae54ccda763e07f7fe5ce0088426612c4193df70e1dba5088ba2a4ee544a4bb5a45242aa1166e020414c8daea1f4fe1e

Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize 512KB
MD5 9db885e8dd2d3c5d73c48b9470c20ccb
SHA1 97c09249cd53cb3ae76ac676b1e9e356cde036fe
SHA256 1c439917fd164af31c5e0a69a1414d0f815b77d2904f3c908dbf63ce3c20471b
SHA512 e441f10f9ac984fd1660c4c43d92aa2b7c7c571f69a9aece8418a72dc50cc22619800a02213044748b3c3c3d46e762393c16886a0b7ff55b8ba2c60941379fc0

Filesize 512KB
MD5 feaf8526a86d1690f97c50bf7ca33a4a
SHA1 0023291ab45947cdccb93761141fe5f65350952e
SHA256 1f8ee1672b6062234f0298f1319e3003eada5bbe50d5e940fa7d465751883d8e
SHA512 ec281fb90af3b6bc561b6a38a6c39c29741681e598797c3da6e7ddd6dee114a5e4cc88e524d8b18283ffcd1e3c5496642f02f488104dc6c8baf015cbbae73cf2