Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 14/02/2024, 03:20

Static task: static1
Behavioral task: behavioral1
  Sample: 9a9fcdcbf6e207f17866e5c7af7716bc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9a9fcdcbf6e207f17866e5c7af7716bc.exe
  Resource: win10v2004-20231215-en

General
Target: 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Size: 512KB
MD5: 9a9fcdcbf6e207f17866e5c7af7716bc
SHA1: 363dce2161d7e08b2487fa2bf9227254d286fd6f
SHA256: 04e76c0ee7e3a943e40719b98e3202074540a4abada352d08f0b9399742884c4
SHA512: d8e970a8697cbbf950409841a7921755b16ddec5d607fae8f7dd59f40743c63b32d0b024793d120788fb856ffeaffc923a12494095de15588935aa94a29a59b8
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ckvthflesz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ckvthflesz.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ckvthflesz.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ckvthflesz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Executes dropped EXE 5 IoCs
pid | Process
2964 | ckvthflesz.exe
1516 | jlifbaguccjglbf.exe
3244 | cbxdjrcx.exe
2460 | ykexgzezwqtsu.exe
4936 | cbxdjrcx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ckvthflesz.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\muofwabq = "ckvthflesz.exe" | jlifbaguccjglbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jjnkihdz = "jlifbaguccjglbf.exe" | jlifbaguccjglbf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ykexgzezwqtsu.exe" | jlifbaguccjglbf.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\r: | ckvthflesz.exe
File opened (read-only) | \??\v: | ckvthflesz.exe
File opened (read-only) | \??\i: | cbxdjrcx.exe
File opened (read-only) | \??\q: | cbxdjrcx.exe
File opened (read-only) | \??\j: | cbxdjrcx.exe
File opened (read-only) | \??\z: | cbxdjrcx.exe
File opened (read-only) | \??\a: | ckvthflesz.exe
File opened (read-only) | \??\i: | cbxdjrcx.exe
File opened (read-only) | \??\u: | ckvthflesz.exe
File opened (read-only) | \??\g: | cbxdjrcx.exe
File opened (read-only) | \??\u: | cbxdjrcx.exe
File opened (read-only) | \??\y: | cbxdjrcx.exe
File opened (read-only) | \??\j: | cbxdjrcx.exe
File opened (read-only) | \??\u: | cbxdjrcx.exe
File opened (read-only) | \??\z: | cbxdjrcx.exe
File opened (read-only) | \??\e: | cbxdjrcx.exe
File opened (read-only) | \??\t: | cbxdjrcx.exe
File opened (read-only) | \??\s: | cbxdjrcx.exe
File opened (read-only) | \??\x: | ckvthflesz.exe
File opened (read-only) | \??\y: | ckvthflesz.exe
File opened (read-only) | \??\h: | cbxdjrcx.exe
File opened (read-only) | \??\e: | cbxdjrcx.exe
File opened (read-only) | \??\t: | cbxdjrcx.exe
File opened (read-only) | \??\b: | ckvthflesz.exe
File opened (read-only) | \??\j: | ckvthflesz.exe
File opened (read-only) | \??\a: | cbxdjrcx.exe
File opened (read-only) | \??\m: | cbxdjrcx.exe
File opened (read-only) | \??\y: | cbxdjrcx.exe
File opened (read-only) | \??\b: | cbxdjrcx.exe
File opened (read-only) | \??\l: | cbxdjrcx.exe
File opened (read-only) | \??\x: | cbxdjrcx.exe
File opened (read-only) | \??\h: | cbxdjrcx.exe
File opened (read-only) | \??\o: | cbxdjrcx.exe
File opened (read-only) | \??\w: | cbxdjrcx.exe
File opened (read-only) | \??\n: | ckvthflesz.exe
File opened (read-only) | \??\q: | ckvthflesz.exe
File opened (read-only) | \??\b: | cbxdjrcx.exe
File opened (read-only) | \??\l: | cbxdjrcx.exe
File opened (read-only) | \??\p: | cbxdjrcx.exe
File opened (read-only) | \??\r: | cbxdjrcx.exe
File opened (read-only) | \??\x: | cbxdjrcx.exe
File opened (read-only) | \??\n: | cbxdjrcx.exe
File opened (read-only) | \??\r: | cbxdjrcx.exe
File opened (read-only) | \??\p: | ckvthflesz.exe
File opened (read-only) | \??\h: | ckvthflesz.exe
File opened (read-only) | \??\i: | ckvthflesz.exe
File opened (read-only) | \??\s: | ckvthflesz.exe
File opened (read-only) | \??\k: | cbxdjrcx.exe
File opened (read-only) | \??\a: | cbxdjrcx.exe
File opened (read-only) | \??\g: | cbxdjrcx.exe
File opened (read-only) | \??\g: | ckvthflesz.exe
File opened (read-only) | \??\p: | cbxdjrcx.exe
File opened (read-only) | \??\m: | ckvthflesz.exe
File opened (read-only) | \??\v: | cbxdjrcx.exe
File opened (read-only) | \??\v: | cbxdjrcx.exe
File opened (read-only) | \??\l: | ckvthflesz.exe
File opened (read-only) | \??\o: | ckvthflesz.exe
File opened (read-only) | \??\t: | ckvthflesz.exe
File opened (read-only) | \??\w: | ckvthflesz.exe
File opened (read-only) | \??\k: | cbxdjrcx.exe
File opened (read-only) | \??\m: | cbxdjrcx.exe
File opened (read-only) | \??\o: | cbxdjrcx.exe
File opened (read-only) | \??\z: | ckvthflesz.exe
File opened (read-only) | \??\k: | ckvthflesz.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ckvthflesz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ckvthflesz.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1148-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0006000000023209-5.dat | autoit_exe
behavioral2/files/0x0007000000023205-18.dat | autoit_exe
behavioral2/files/0x000600000002320a-26.dat | autoit_exe
behavioral2/files/0x000600000002320b-31.dat | autoit_exe
behavioral2/files/0x0006000000023215-72.dat | autoit_exe
behavioral2/files/0x0006000000023214-66.dat | autoit_exe
behavioral2/files/0x000c00000001e7d8-114.dat | autoit_exe
behavioral2/files/0x000c00000001e7d8-122.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File created | C:\Windows\SysWOW64\ckvthflesz.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File opened for modification | C:\Windows\SysWOW64\cbxdjrcx.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File created | C:\Windows\SysWOW64\ykexgzezwqtsu.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ckvthflesz.exe
File opened for modification | C:\Windows\SysWOW64\jlifbaguccjglbf.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | C:\Windows\SysWOW64\ckvthflesz.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File created | C:\Windows\SysWOW64\jlifbaguccjglbf.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File created | C:\Windows\SysWOW64\cbxdjrcx.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File opened for modification | C:\Windows\SysWOW64\ykexgzezwqtsu.exe | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cbxdjrcx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cbxdjrcx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cbxdjrcx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cbxdjrcx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cbxdjrcx.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | C:\Windows\mydoc.rtf | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cbxdjrcx.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402C0A9D5682206A3476D670532CDB7CF665AA" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAB8F964F1E4830B3B40869C3E94B08C028C4362033EE1B9429B08D3" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FF8C485C82199146D62D7D90BCE7E635584666436246D691" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ckvthflesz.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ckvthflesz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC68B0FE6B21DED10ED0D68A7B906B" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ckvthflesz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B12844E6399F53C4B9D032EFD4CE" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184AC67B15ECDAB0B8CD7C95EDE537BC" | 9a9fcdcbf6e207f17866e5c7af7716bc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ckvthflesz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ckvthflesz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ckvthflesz.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
4520 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe (×16)
2964 | ckvthflesz.exe (×10)
3244 | cbxdjrcx.exe (×6)
1516 | jlifbaguccjglbf.exe (×2)
3244 | cbxdjrcx.exe (×2)
1516 | jlifbaguccjglbf.exe (×8)
2460 | ykexgzezwqtsu.exe (×12)
4936 | cbxdjrcx.exe (×8)
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe (×3)
2964 | ckvthflesz.exe (×3)
1516 | jlifbaguccjglbf.exe (×3)
3244 | cbxdjrcx.exe (×3)
2460 | ykexgzezwqtsu.exe (×3)
4936 | cbxdjrcx.exe (×3)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe (×3)
2964 | ckvthflesz.exe (×3)
1516 | jlifbaguccjglbf.exe (×3)
3244 | cbxdjrcx.exe (×3)
2460 | ykexgzezwqtsu.exe (×3)
4936 | cbxdjrcx.exe (×3)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4520 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1148 wrote to memory of 2964 | 1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe | 83 (×3)
PID 1148 wrote to memory of 1516 | 1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe | 85 (×3)
PID 1148 wrote to memory of 3244 | 1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe | 84 (×3)
PID 1148 wrote to memory of 2460 | 1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe | 86 (×3)
PID 2964 wrote to memory of 4936 | 2964 | ckvthflesz.exe | 87 (×3)
PID 1148 wrote to memory of 4520 | 1148 | 9a9fcdcbf6e207f17866e5c7af7716bc.exe | 88 (×2)
Processes
C:\Users\Admin\AppData\Local\Temp\9a9fcdcbf6e207f17866e5c7af7716bc.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9a9fcdcbf6e207f17866e5c7af7716bc.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148

  C:\Windows\SysWOW64\ckvthflesz.exe (depth 2)
  Command line: ckvthflesz.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2964

    C:\Windows\SysWOW64\cbxdjrcx.exe (depth 3)
    Command line: C:\Windows\system32\cbxdjrcx.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4936

  C:\Windows\SysWOW64\cbxdjrcx.exe (depth 2)
  Command line: cbxdjrcx.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3244

  C:\Windows\SysWOW64\jlifbaguccjglbf.exe (depth 2)
  Command line: jlifbaguccjglbf.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1516

  C:\Windows\SysWOW64\ykexgzezwqtsu.exe (depth 2)
  Command line: ykexgzezwqtsu.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2460

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4520
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize: 512KB
MD5: d8e52464fbc5d164d6960dec3aa09d15
SHA1: 5aa9f59328457bc6ba7f0b82db17117f0b1fe4b2
SHA256: 4efbd39cd48cf33daa45e4aae1e7ec13dd8dbec9467e1783935789ccfb2936cd
SHA512: 4e1b782eb1a062a432f2b7bd38e493b492a566dc4a75e50d3d1d47550f635ec2e24897b83dd863cb099583bdbbaa9dfe7b48f585d71212453429750069353303

Filesize: 512KB
MD5: dde8af8ba2ecff20efbb8d26b2a64e34
SHA1: 660216462c46e0f012d72bfb36e3afb083fa730b
SHA256: 9bca584b84d965e2760976d6c091ad51704405a8a0ab207a7d1d390a37374fc1
SHA512: d53160cadb91dfcbc803e28849cb1234e7a8e52ea1aabd68ee2f45b80f1894d76616e0dc9be23579f1d8d09a6ebc594d31905a3cf361fb59a519c368b99a9648

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 76a4c94fe5003ca87be714e53491f172
SHA1: 0f562eda13672756e02fdf7e9c6288d0decaef0c
SHA256: bb30830b2a037a5743affea8a6cbcfa161795c90c8221fe7354b64fa54896720
SHA512: 5dd8fa6dde6f1f3d12e10cc1c9fddf2c6c15f04b61dc7011fc0ddfa91ec250c917ed7536fe7c0d367fb1cf73b65a3e2f72cf3ced0196f94c96ed1df393aac200

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 48c1c408d4d1727462bc434c0f340057
SHA1: fca5c5cbd9f0cd864401107dbc5a4875b8a9797e
SHA256: e97825548a61dccc641da25f5b6969e17615edba7a52fb6cf2cfa82046a9da51
SHA512: 58926c4d2408b9af5878f681a37a27a1c98a11a5703ee8494717e2d69f228cfd913a7de2268423e170b34c6bb39a3fb22755fbe1b1897a17a8af49f6241bac0f

Filesize: 512KB
MD5: 11ea1c5845613172ad5243337852ef8c
SHA1: d952e724e3938e7254696a4b9ba6ab477390ddd4
SHA256: b023d3eff5c0f0172aa0ea275cceb304aba8666e089b8ae77085b37619372732
SHA512: ab67722586f4d88a8743fa79edc56fd350d062358a0e4070cb73a906d37ca8cad40bd1097debb4bdf56aa536a5fb2231f75974e819205fc55c906b3d0e51603b

Filesize: 512KB
MD5: 90aa413a27ab6bc41cf353f342b875a7
SHA1: 7cc3ebd2c648eebd85939f51b4310af813aea5b3
SHA256: c272c3e008889ec36e1928f5cd1f6a174d74676cab31a2e40b60bfac3d5f37ef
SHA512: 91181d3dc21700b1b22d8b8fb1e8e161128e2ac63daf27874b7b67213ad0f22acf9b9c952feef95f4d7701f24f4aa1c235ea19c34955786bcdc726ec72e714f3

Filesize: 512KB
MD5: 39a2c33b5e85415f6b8ee2cc7a84a2ed
SHA1: 24418d618e451b30d4253e7ad7c6f14f592f3574
SHA256: 5b6ef0f6c800d25638c1265959d64a5a6aa5e007a6581a78d87d38c5aa31d42c
SHA512: 03077b7da3520cf38512c2ccf1a9343f37d49b31d6daab440a937b9d674635f93b41c6bd950b562ff6af1a5d625900409720f0f1f989f02c8ac66e2d62d9b1e2

Filesize: 512KB
MD5: 374b281697bd729e1ef6664c2f20cfe5
SHA1: b8e360a5004cdef4d9d22f60dafdbb7692fa3861
SHA256: 9779f75d249679725baac2d919a86f0d26261d04c8a56140230e2dcbb0b94059
SHA512: 7dd85f1633f4731e06ff05f3fb94e839e95480cc4db70834074d7a2e4fffff4b2096c6c24305d54c699d0bf06a4a45423f1e9c18bf882076394ef18089b37dbd

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 129bef3ddcdda4f708bc99914a6a3b4d
SHA1: a79590075e9fb15f4377fb34db134604ec158c53
SHA256: a5192d201f357b7d52c2a72d7ebf1c96ea7f18f4b04ad17742e18445916189a8
SHA512: 4b76f392757ec2d6dba0bf99d9d810193b43ee2866692485b42dc183ed12f91f49bdfa8a8e5da854663db898189a69e5e2c693f4dd84af535e0f7cbea27dc74d

Filesize: 512KB
MD5: dc295d99196b2ec1909973572279a009
SHA1: a1391cb72afcf579ac44f65189cede1945b681d5
SHA256: 612c40120ec6e3fd05e4d9d8e074a1293a04c12fc7e89a2477ef354939f7c3a8
SHA512: b65db42538da4992979f115e793845e96de2cb63410f17451308578d6ee8e8dce9d6c7f518a97290ec7939392750650a01d009fc739f171f0c2d636bd55c1c3a