Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/02/2024, 12:55

Static task: static1
Behavioral task behavioral1: sample 9979990796f726c6b774050e751de9cf.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 9979990796f726c6b774050e751de9cf.exe, resource win10v2004-20231215-en (the run shown on this page)
General
Target: 9979990796f726c6b774050e751de9cf.exe
Size: 512KB
MD5: 9979990796f726c6b774050e751de9cf
SHA1: e966489ecbf81a37ec929d03808cb4626ab30ca3
SHA256: 903f8b9955f71d8ddd20873a85fef3e7e9433c32ba6acea02e4035d33c6c2caf
SHA512: b0a0fc6c06fac4901eb130cbca91dc8b679b92f32a6368447710ec983f494613c2c9becb932c90500bdf1fbc4549d8502218e62680a005abdaf2c652562d9949
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj63:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zsotccjoet.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zsotccjoet.exe

Windows security bypass (5 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zsotccjoet.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zsotccjoet.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation | 9979990796f726c6b774050e751de9cf.exe
Executes dropped EXE (5 IoCs)
pid | process
2840 | zsotccjoet.exe
992 | alhzzkgkqpenvua.exe
2500 | jljlymjdwqdgt.exe
5108 | lxfkuxxl.exe
4156 | lxfkuxxl.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zsotccjoet.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hlxhscye = "zsotccjoet.exe" | alhzzkgkqpenvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jjefvgxa = "alhzzkgkqpenvua.exe" | alhzzkgkqpenvua.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jljlymjdwqdgt.exe" | alhzzkgkqpenvua.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)" on a drive root of the form \??\<letter>:, grouped here by process (the original listing is unordered):
zsotccjoet.exe (22 entries): a, b, e, g, h, i, j, k, l, m, n, o, p, q, s, t, u, v, w, x, y, z
lxfkuxxl.exe (42 entries, two instances run as PIDs 5108 and 4156): a x2, b x2, e x2, g x2, h x2, i x2, j x2, k x2, l x2, m x1, n x2, o x2, p x2, q x1, r x2, s x1, t x2, u x2, v x2, w x2, x x2, y x2, z x1
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zsotccjoet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zsotccjoet.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4256-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000600000002323a-6.dat | autoit_exe
behavioral2/files/0x0009000000023221-18.dat | autoit_exe
behavioral2/files/0x000600000002323b-29.dat | autoit_exe
behavioral2/files/0x000600000002323c-28.dat | autoit_exe
behavioral2/files/0x000400000001da0e-74.dat | autoit_exe
behavioral2/files/0x000400000001da1e-80.dat | autoit_exe
behavioral2/files/0x0009000000000753-90.dat | autoit_exe
behavioral2/files/0x000d00000001e587-111.dat | autoit_exe
behavioral2/files/0x000d00000001e587-115.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | process
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | C:\Windows\SysWOW64\zsotccjoet.exe | 9979990796f726c6b774050e751de9cf.exe
File created | C:\Windows\SysWOW64\alhzzkgkqpenvua.exe | 9979990796f726c6b774050e751de9cf.exe
File opened for modification | C:\Windows\SysWOW64\alhzzkgkqpenvua.exe | 9979990796f726c6b774050e751de9cf.exe
File created | C:\Windows\SysWOW64\lxfkuxxl.exe | 9979990796f726c6b774050e751de9cf.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zsotccjoet.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | C:\Windows\SysWOW64\zsotccjoet.exe | 9979990796f726c6b774050e751de9cf.exe
File opened for modification | C:\Windows\SysWOW64\lxfkuxxl.exe | 9979990796f726c6b774050e751de9cf.exe
File created | C:\Windows\SysWOW64\jljlymjdwqdgt.exe | 9979990796f726c6b774050e751de9cf.exe
File opened for modification | C:\Windows\SysWOW64\jljlymjdwqdgt.exe | 9979990796f726c6b774050e751de9cf.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | lxfkuxxl.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lxfkuxxl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxfkuxxl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxfkuxxl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | lxfkuxxl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | lxfkuxxl.exe
Drops file in Windows directory (19 IoCs)
description | ioc | process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | C:\Windows\mydoc.rtf | 9979990796f726c6b774050e751de9cf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | lxfkuxxl.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | lxfkuxxl.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FAB8F965F293847A3B4A869C39E1B38E038D4314034EE2C8459E08D2" | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B05B479339E952CBB9A1339DD7CA" | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFF8B482A851D9031D72A7DE6BD90E635584667436342D690" | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302D7B9C2682206A3F76D370552CAA7DF465DD" | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zsotccjoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zsotccjoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zsotccjoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zsotccjoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB9FF6C21D0D173D0D48B099116" | 9979990796f726c6b774050e751de9cf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC67B15E7DAC4B9B97CE3EC9634C8" | 9979990796f726c6b774050e751de9cf.exe
Key created | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings | 9979990796f726c6b774050e751de9cf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zsotccjoet.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zsotccjoet.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zsotccjoet.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
1540 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
4256 | 9979990796f726c6b774050e751de9cf.exe | 16
2840 | zsotccjoet.exe | 10
2500 | jljlymjdwqdgt.exe | 12
992 | alhzzkgkqpenvua.exe | 10
5108 | lxfkuxxl.exe | 8
4156 | lxfkuxxl.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process | occurrences
4256 | 9979990796f726c6b774050e751de9cf.exe | 3
2840 | zsotccjoet.exe | 3
992 | alhzzkgkqpenvua.exe | 3
2500 | jljlymjdwqdgt.exe | 3
5108 | lxfkuxxl.exe | 3
4156 | lxfkuxxl.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | process | occurrences
4256 | 9979990796f726c6b774050e751de9cf.exe | 3
2840 | zsotccjoet.exe | 3
992 | alhzzkgkqpenvua.exe | 3
2500 | jljlymjdwqdgt.exe | 3
5108 | lxfkuxxl.exe | 3
4156 | lxfkuxxl.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process
1540 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target | occurrences
PID 4256 wrote to memory of 2840 | 4256 | 9979990796f726c6b774050e751de9cf.exe | 87 | 3
PID 4256 wrote to memory of 992 | 4256 | 9979990796f726c6b774050e751de9cf.exe | 88 | 3
PID 4256 wrote to memory of 5108 | 4256 | 9979990796f726c6b774050e751de9cf.exe | 90 | 3
PID 4256 wrote to memory of 2500 | 4256 | 9979990796f726c6b774050e751de9cf.exe | 89 | 3
PID 4256 wrote to memory of 1540 | 4256 | 9979990796f726c6b774050e751de9cf.exe | 91 | 2
PID 2840 wrote to memory of 4156 | 2840 | zsotccjoet.exe | 93 | 3
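The registry and file indicators in the signatures above can be checked on a live host with the script below. It is an added example, not part of the sandbox report and not code from the sample. It assumes an elevated 64-bit PowerShell on a Windows 10 host, that the 32-bit sample wrote under WOW6432Node as the report shows, and that it is run as the affected user (the HKCU checks; the report's hive is S-1-5-21-1232405761-1209240240-3206092754-1000). Two caveats a responder should keep in mind: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so those two indicators only carry weight together with the key's last-write time, and SFCDisable = 4294967197 (0xFFFFFF9D) is the legacy Windows File Protection off-switch, which Windows 10 ignores, so it is a tamper marker rather than a working bypass.

```powershell
# Added host-triage check; not code from the sandbox report or from the sample.
# Looks for the registry values, Run entries, file-class hijacks and dropped files
# listed in the signatures. Run in an elevated 64-bit PowerShell on the suspect host.
# Assumptions: WOW6432Node paths (32-bit sample), HKCU = the affected user.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Severity, [string]$Text) { $findings.Add("[$Severity] $Text") }

function Get-DwordNormalised($Value) {
    # Get-ItemProperty returns REG_DWORD as a signed Int32, so 0xFFFFFF9D reads as -99;
    # widen to Int64 and mask so it compares equal to the report's 4294967197.
    if ($Value -is [int]) { return ([int64]$Value) -band 0xFFFFFFFF }
    return $Value
}

function Test-RegValue([string]$Key, [string]$Name, $Expected, [string]$Severity = 'HIT') {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }                      # key or value absent: nothing to report
    $actual = Get-DwordNormalised $item.$Name
    if ("$actual" -eq "$Expected") { Add-Finding $Severity "$Key\$Name = $actual" }
}

# 1. Explorer settings. Both values equal the Windows defaults, so alone they prove
#    nothing; report as INFO and correlate with the key's last-write time.
$adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Test-RegValue $adv 'HideFileExt'     1 'INFO'
Test-RegValue $adv 'ShowSuperHidden' 0 'INFO'

# 2. Values that are absent on a clean host and that zsotccjoet.exe sets.
Test-RegValue 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools' 1
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
foreach ($v in 'AntiVirusOverride','FirewallOverride','AntiVirusDisableNotify',
               'FirewallDisableNotify','UpdatesDisableNotify','FirstRunDisabled') {
    Test-RegValue $sc $v 1
}
# Legacy Windows File Protection switches (pre-Vista); Windows 10 ignores them, which
# makes them a tamper marker rather than a working defence bypass.
$wl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue $wl 'SFCScan'    0
Test-RegValue $wl 'SFCDisable' 4294967197

# 3. Run keys. The file names are per-sample, so also flag any entry whose data is a
#    bare file name: it resolves through the System32/SysWOW64 search path, as here.
$dropped = 'zsotccjoet.exe','alhzzkgkqpenvua.exe','jljlymjdwqdgt.exe','lxfkuxxl.exe'
$run = Get-Item -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {            # '' is the (Default) value, used by this sample too
        $data  = [string]$run.GetValue($name)
        $label = if ($name -eq '') { '(Default)' } else { $name }
        if ($dropped -contains $data) { Add-Finding 'HIT' "Run\$label = $data" }
        elseif ($data -ne '' -and $data -notmatch '[\\/]') { Add-Finding 'INFO' "Run\$label = $data (no path)" }
    }
}

# 4. Script file classes redirected to txtfile: .bat/.vbs/.reg/.wsf/.wsc/.wsh then open
#    in Notepad instead of executing, which neuters cleanup scripts and .reg fixes.
foreach ($ext in '.bat','.vbs','.reg','.wsf','.wsc','.wsh') {
    $cls = Get-Item -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue
    if ($cls -and $cls.GetValue('') -eq 'txtfile') { Add-Finding 'HIT' "Classes\$ext -> txtfile" }
}

# 5. Dropped copies, the lure document, and the *.DOC.exe / *.nal copies the report
#    shows under Office, MSDRM and WinSxS (WinSxS is large; the recursion takes a while).
foreach ($f in $dropped) {
    if (Test-Path "$env:SystemRoot\SysWOW64\$f") { Add-Finding 'HIT' "$env:SystemRoot\SysWOW64\$f exists" }
}
if (Test-Path "$env:SystemRoot\mydoc.rtf") { Add-Finding 'HIT' "$env:SystemRoot\mydoc.rtf exists" }
$roots = "$env:SystemRoot\WinSxS", "$env:SystemRoot\SysWOW64\MSDRM", "${env:ProgramFiles}\Microsoft Office"
Get-ChildItem -Path $roots -Recurse -File -Include '*.doc.exe','*.nal' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'HIT' "$($_.FullName) exists" }

$findings | ForEach-Object { Write-Output $_ }
if (@($findings | Where-Object { $_.StartsWith('[HIT]') }).Count -gt 0) { exit 1 }
exit 0
```

The script exits 1 on any HIT, so it can be pushed through a remote-execution tool and the exit code collected per host. The Run-key check flags entries whose data is a bare file name as INFO because that is how this sample's persistence resolves to its copies in SysWOW64; the random value names (hlxhscye, jjefvgxa) are per-sample and not worth matching on.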
Processes
C:\Users\Admin\AppData\Local\Temp\9979990796f726c6b774050e751de9cf.exe  (PID 4256)
  command line: "C:\Users\Admin\AppData\Local\Temp\9979990796f726c6b774050e751de9cf.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  +- C:\Windows\SysWOW64\zsotccjoet.exe  (PID 2840)
       command line: zsotccjoet.exe
       - Modifies visibility of file extensions in Explorer
       - Modifies visibility of hidden/system files in Explorer
       - Windows security bypass
       - Disables RegEdit via registry modification
       - Executes dropped EXE
       - Windows security modification
       - Enumerates connected drives
       - Modifies WinLogon
       - Drops file in System32 directory
       - Modifies registry class
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage
       - Suspicious use of WriteProcessMemory

       +- C:\Windows\SysWOW64\lxfkuxxl.exe  (PID 4156)
            command line: C:\Windows\system32\lxfkuxxl.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

  +- C:\Windows\SysWOW64\alhzzkgkqpenvua.exe  (PID 992)
       command line: alhzzkgkqpenvua.exe
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage

  +- C:\Windows\SysWOW64\jljlymjdwqdgt.exe  (PID 2500)
       command line: jljlymjdwqdgt.exe
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage

  +- C:\Windows\SysWOW64\lxfkuxxl.exe  (PID 5108)
       command line: lxfkuxxl.exe
       - Executes dropped EXE
       - Enumerates connected drives
       - Drops file in System32 directory
       - Drops file in Program Files directory
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of FindShellTrayWindow
       - Suspicious use of SendNotifyMessage

  +- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 1540)
       command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
       - Drops file in Windows directory
       - Checks processor information in registry
       - Enumerates system info in registry
       - Suspicious behavior: AddClipboardFormatListener
       - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
(the number after each tactic or technique is the count shown in the report)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads

Filesize: 512KB
MD5: 22d2035f8018fb496acd374fc541b265
SHA1: 40482801a2ca8ae320fcdae6a3b8de2e9b87f83f
SHA256: 45338a8656bf7daf4a4260a30da52e0250dc645ff931050b0a61b17d6c7931de
SHA512: b264ecb341e0b36806e5a775c924b8e24c46d5c1fa6e71223909a8babe46f3a26bdc5dd4830185d9d014a5a9acc65ef0ec8324db885aa88ec72447e3f7a2a5c5

Filesize: 512KB
MD5: 13473f23c7d86327132708ff4be48d3d
SHA1: c127612e822922d4c8d73e0672beabf0d0f14fd2
SHA256: 65e83aa11bee4ed2d286da2c953cab306e9ec8d1b588ace7103f267c38e5d578
SHA512: c52781bdcd4523bbe103fbdf9ff5ada3963c54eefa675228677b512a1c2c9d2770de8754ad697dffdd1bf010c322189c68e9574d64157b93c9f39ee9425d670c

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: f69d0d02a864263feeafdc656107607d
SHA1: 1a20b07f9a1e5959ecbb45501dca8ed0e0ee78d2
SHA256: ad5b5d92892d6cf4055cfdd6d97aebee0c87c6f7c7fed80aa2048e36e87b4ca2
SHA512: daef725dc0b9f06ebedbb59dcdcaf26b35d6eef6425dd0e67b59712a9da9952583f9e368571bf161951e2ef67262b7b2124d50d68495203ec49ea8aaaa41bff7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: c73630972e17acfd35f11acf96cc48e1
SHA1: 2b03e5adeb77ba01de6af23a3934d64436ff0625
SHA256: 60ebe97cf3649089e324c3ff70e43ea44470e938a54c2d0c560dc2be3428c6ef
SHA512: bf36c0f1307d2269be44d1668c3447f8edf0aa9ec0b3def45a8994ee05374b883a2e5d118393e00be728274c3cf5e94a49ff582cb4592f3f58725ac6cc523aa9

Filesize: 512KB
MD5: 4bccee9b7840bde168e626c18c5cc3a9
SHA1: dcf0f50ce2233b45dd246a2557038afe31543a85
SHA256: f46898337816b6e8befe8bb0d69afc0f0baee7bf35f6faccb5c36e435a300457
SHA512: d74b5330624f23cd1987391dc8a13ad7ea4309d01d7bf3cee0672ba72fb891a0f1a0f8fff9f876e49b47d3750687d31f27dcbcac5c0f2a727356ec6891615a3f

Filesize: 512KB
MD5: 4108cc67824d2df04c899dcf957b5d3e
SHA1: b4f802b4747f0b13e05dc82afa0b9d8375a6b9a0
SHA256: 5a57a08586eb8588cb4693450cc318b4efbe9384a257e33b47026b202720bfbd
SHA512: fb70052e22aaab982c522267ee6de4ab8c05667c1745007644b1dedbac173af7c6c729541c342eac1ada0ecf316902f6b0f1698af4437ca1ae82e1e8e3c27a39

Filesize: 512KB
MD5: e01326837eb20a41bad8ad88b6a1136c
SHA1: 25abf6696ce85038ebf70a135be5249a943edf20
SHA256: 96d274886bef6b74087b707a90dda44b46b6cadabeaa43f7ba28dea794f058c2
SHA512: 6d200eebe73d0d10f3529be898de8bccf632dc680d8fbd7bb0cd521ed238b8e3969beea6ff0e1765569b5c175d5a7034d2578099198043cf2e9c1b88c0e68baa

Filesize: 512KB
MD5: 5162e6a9633295a9481a043bb0100fa2
SHA1: a2cf181f9622566d06e3fea50b1a0a66650c2178
SHA256: 568030b147e1882531e5d79dd4add9faf8b163abd2a0a2bd87bf8e7261aa17cd
SHA512: 93d081db6ce3fa268edfb6ab014201deebdd90289e2a67af1a18daa64c5586bcd19c7bd5dcd65d15365ccee1fed3aee64d8ef5f8ffac39a501ee9a1843cca904

Filesize: 512KB
MD5: 4d6ab623cc7ac7b2f8999646729a99bd
SHA1: 49a604545e82dcacf7101577c270aed2bd17a487
SHA256: 396ac380ae79ab417fa7d7fb4c6b29f50fd4ca60c22026f98f60117b9087c20e
SHA512: ff6346c332856813dabe5df8a0b726d2b7b1947b5dd55a4d9e8ab973b8d67a73f56c50a60e668560ced2af3385a73834574709686e58abe5c85efe430d15243d

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: b19d21f65e9c7be987fbf24e06b32831
SHA1: 7947ac75a2c9df18024cce848f50836001d693a3
SHA256: 51b9ab33d1d69ba66d50a00d8b1ed8009933d5760f5662dd94d1b986501874b4
SHA512: 94c6fb6598a449820afcc943aca1ec672399bb51e67bf1c0fdd38da3a2dcf9e1fd30e20b5ee80835346d8566508638b65e1a0c189698ce9228ee708ed4e098c8

Filesize: 512KB
MD5: f0c4d8731984b0334d342293cafcd353
SHA1: 343ed3f6ac88936b1053c539c6508921e7dbf0c3
SHA256: 0ac3c19caaa5b26457a7ee45f15c2632d2de96a226f4fc0ade99a30356054824
SHA512: 67041d42083692afb0863eec0d4a67c57e8f80be018df31b1218dd3fd75aa2696fb6a850786e4202b7260fb9a6b384666336cae35992c3acbb2773abf8c7e586