Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 02:37

Static task: static1
Behavioral task: behavioral1
  Sample: a0ba7fb2c757b42e1ed67f090a947730.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a0ba7fb2c757b42e1ed67f090a947730.exe
  Resource: win10v2004-20240221-en
General
Target: a0ba7fb2c757b42e1ed67f090a947730.exe
Size: 512KB
MD5: a0ba7fb2c757b42e1ed67f090a947730
SHA1: cb000b47e8d1c0e2b385df33f036bfc78e9e16e7
SHA256: 6f1ad7182dc9d655d7a549335e53bcefe214ccf50249fc7791eda57a7cc4f692
SHA512: 7e196160dfc719ee89cea0b04506db1bfb906ea9a72238780646284956335ac8b1891f5a786ec5e522fa91a08f11824175d287fae66081dc182268f23957f694
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Y
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | htbxvknmfk.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | htbxvknmfk.exe
Windows security bypass 5 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | htbxvknmfk.exe
Disables RegEdit via registry modification 1 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | htbxvknmfk.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | a0ba7fb2c757b42e1ed67f090a947730.exe
Executes dropped EXE 5 IoCs
  pid | Process
  3460 | htbxvknmfk.exe
  476 | wqdwbinqvocvrpm.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3328 | janpfdol.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | htbxvknmfk.exe
Adds Run key to start application 2 TTPs 3 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rvzjszkf = "wqdwbinqvocvrpm.exe" | wqdwbinqvocvrpm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ncaakxawsjdew.exe" | wqdwbinqvocvrpm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kelhxrmw = "htbxvknmfk.exe" | wqdwbinqvocvrpm.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\a: | janpfdol.exe
  File opened (read-only) | \??\t: | htbxvknmfk.exe
  File opened (read-only) | \??\r: | janpfdol.exe
  File opened (read-only) | \??\m: | janpfdol.exe
  File opened (read-only) | \??\g: | htbxvknmfk.exe
  File opened (read-only) | \??\n: | htbxvknmfk.exe
  File opened (read-only) | \??\x: | janpfdol.exe
  File opened (read-only) | \??\h: | janpfdol.exe
  File opened (read-only) | \??\i: | htbxvknmfk.exe
  File opened (read-only) | \??\g: | janpfdol.exe
  File opened (read-only) | \??\z: | janpfdol.exe
  File opened (read-only) | \??\z: | janpfdol.exe
  File opened (read-only) | \??\v: | htbxvknmfk.exe
  File opened (read-only) | \??\b: | janpfdol.exe
  File opened (read-only) | \??\t: | janpfdol.exe
  File opened (read-only) | \??\h: | janpfdol.exe
  File opened (read-only) | \??\n: | janpfdol.exe
  File opened (read-only) | \??\q: | janpfdol.exe
  File opened (read-only) | \??\r: | janpfdol.exe
  File opened (read-only) | \??\y: | janpfdol.exe
  File opened (read-only) | \??\p: | htbxvknmfk.exe
  File opened (read-only) | \??\t: | janpfdol.exe
  File opened (read-only) | \??\i: | janpfdol.exe
  File opened (read-only) | \??\o: | janpfdol.exe
  File opened (read-only) | \??\q: | htbxvknmfk.exe
  File opened (read-only) | \??\j: | janpfdol.exe
  File opened (read-only) | \??\q: | janpfdol.exe
  File opened (read-only) | \??\j: | janpfdol.exe
  File opened (read-only) | \??\k: | janpfdol.exe
  File opened (read-only) | \??\u: | janpfdol.exe
  File opened (read-only) | \??\w: | janpfdol.exe
  File opened (read-only) | \??\s: | janpfdol.exe
  File opened (read-only) | \??\a: | htbxvknmfk.exe
  File opened (read-only) | \??\k: | htbxvknmfk.exe
  File opened (read-only) | \??\k: | janpfdol.exe
  File opened (read-only) | \??\u: | janpfdol.exe
  File opened (read-only) | \??\w: | janpfdol.exe
  File opened (read-only) | \??\y: | janpfdol.exe
  File opened (read-only) | \??\e: | janpfdol.exe
  File opened (read-only) | \??\v: | janpfdol.exe
  File opened (read-only) | \??\g: | janpfdol.exe
  File opened (read-only) | \??\n: | janpfdol.exe
  File opened (read-only) | \??\p: | janpfdol.exe
  File opened (read-only) | \??\i: | janpfdol.exe
  File opened (read-only) | \??\m: | janpfdol.exe
  File opened (read-only) | \??\x: | janpfdol.exe
  File opened (read-only) | \??\b: | htbxvknmfk.exe
  File opened (read-only) | \??\j: | htbxvknmfk.exe
  File opened (read-only) | \??\b: | janpfdol.exe
  File opened (read-only) | \??\v: | janpfdol.exe
  File opened (read-only) | \??\e: | htbxvknmfk.exe
  File opened (read-only) | \??\h: | htbxvknmfk.exe
  File opened (read-only) | \??\y: | htbxvknmfk.exe
  File opened (read-only) | \??\l: | janpfdol.exe
  File opened (read-only) | \??\s: | janpfdol.exe
  File opened (read-only) | \??\l: | janpfdol.exe
  File opened (read-only) | \??\o: | htbxvknmfk.exe
  File opened (read-only) | \??\r: | htbxvknmfk.exe
  File opened (read-only) | \??\s: | htbxvknmfk.exe
  File opened (read-only) | \??\w: | htbxvknmfk.exe
  File opened (read-only) | \??\x: | htbxvknmfk.exe
  File opened (read-only) | \??\l: | htbxvknmfk.exe
  File opened (read-only) | \??\z: | htbxvknmfk.exe
  File opened (read-only) | \??\a: | janpfdol.exe
Modifies WinLogon 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | htbxvknmfk.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | htbxvknmfk.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/memory/5112-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
  behavioral2/files/0x0007000000023230-5.dat | autoit_exe
  behavioral2/files/0x000700000002322d-18.dat | autoit_exe
  behavioral2/files/0x0006000000023234-32.dat | autoit_exe
  behavioral2/files/0x0007000000023233-29.dat | autoit_exe
  behavioral2/files/0x0007000000023249-77.dat | autoit_exe
  behavioral2/files/0x000800000002324a-82.dat | autoit_exe
  behavioral2/files/0x00090000000231c9-88.dat | autoit_exe
  behavioral2/files/0x000700000002325a-107.dat | autoit_exe
  behavioral2/files/0x000700000002325a-113.dat | autoit_exe
Drops file in System32 directory 13 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | htbxvknmfk.exe
  File opened for modification | C:\Windows\SysWOW64\janpfdol.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File created | C:\Windows\SysWOW64\ncaakxawsjdew.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | C:\Windows\SysWOW64\htbxvknmfk.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File created | C:\Windows\SysWOW64\janpfdol.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | C:\Windows\SysWOW64\htbxvknmfk.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File opened for modification | C:\Windows\SysWOW64\ncaakxawsjdew.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | C:\Windows\SysWOW64\wqdwbinqvocvrpm.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
  File opened for modification | C:\Windows\SysWOW64\wqdwbinqvocvrpm.exe | a0ba7fb2c757b42e1ed67f090a947730.exe
Drops file in Program Files directory 14 IoCs
  description | ioc | Process
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | janpfdol.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | janpfdol.exe
  File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | janpfdol.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | janpfdol.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | janpfdol.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | janpfdol.exe
  File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | janpfdol.exe
Drops file in Windows directory 19 IoCs
  description | ioc | Process
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | janpfdol.exe
  File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
  File opened for modification | C:\Windows\mydoc.rtf | a0ba7fb2c757b42e1ed67f090a947730.exe
  File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
  File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | janpfdol.exe
  File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | janpfdol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12B47E038E253C8BAD6329AD7CA" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFFFF485885699133D62F7D94BC95E631593667436344D6EA" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | htbxvknmfk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | htbxvknmfk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C70C1491DAB1B9BE7F97ED9534CF" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | htbxvknmfk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CCF910F2E7830B3B3186EE3E90B38902FB4312023FE2CC459908A7" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Key created | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | htbxvknmfk.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7C9C5282576D4376A270512CAC7DF164AD" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB0FE6821D0D178D1D38A749014" | a0ba7fb2c757b42e1ed67f090a947730.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | htbxvknmfk.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | htbxvknmfk.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | htbxvknmfk.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
  pid | Process
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  3168 | janpfdol.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  4944 | ncaakxawsjdew.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
Suspicious use of FindShellTrayWindow 18 IoCs
  pid | Process
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3328 | janpfdol.exe
  3328 | janpfdol.exe
  3328 | janpfdol.exe
Suspicious use of SendNotifyMessage 18 IoCs
  pid | Process
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  5112 | a0ba7fb2c757b42e1ed67f090a947730.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  3460 | htbxvknmfk.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  476 | wqdwbinqvocvrpm.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3168 | janpfdol.exe
  4944 | ncaakxawsjdew.exe
  3328 | janpfdol.exe
  3328 | janpfdol.exe
  3328 | janpfdol.exe
Suspicious use of SetWindowsHookEx 7 IoCs
  pid | Process
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
  3068 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
  description | pid | Process | procid_target
  PID 5112 wrote to memory of 3460 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 86
  PID 5112 wrote to memory of 3460 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 86
  PID 5112 wrote to memory of 3460 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 86
  PID 5112 wrote to memory of 476 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 88
  PID 5112 wrote to memory of 476 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 88
  PID 5112 wrote to memory of 476 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 88
  PID 5112 wrote to memory of 3168 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 89
  PID 5112 wrote to memory of 3168 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 89
  PID 5112 wrote to memory of 3168 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 89
  PID 5112 wrote to memory of 4944 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 90
  PID 5112 wrote to memory of 4944 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 90
  PID 5112 wrote to memory of 4944 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 90
  PID 5112 wrote to memory of 3068 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 91
  PID 5112 wrote to memory of 3068 | 5112 | a0ba7fb2c757b42e1ed67f090a947730.exe | 91
  PID 3460 wrote to memory of 3328 | 3460 | htbxvknmfk.exe | 93
  PID 3460 wrote to memory of 3328 | 3460 | htbxvknmfk.exe | 93
  PID 3460 wrote to memory of 3328 | 3460 | htbxvknmfk.exe | 93
Processes
C:\Users\Admin\AppData\Local\Temp\a0ba7fb2c757b42e1ed67f090a947730.exe (PID 5112)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0ba7fb2c757b42e1ed67f090a947730.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\htbxvknmfk.exe (PID 3460)
    Command line: htbxvknmfk.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\janpfdol.exe (PID 3328)
      Command line: C:\Windows\system32\janpfdol.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\wqdwbinqvocvrpm.exe (PID 476)
    Command line: wqdwbinqvocvrpm.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\janpfdol.exe (PID 3168)
    Command line: janpfdol.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ncaakxawsjdew.exe (PID 4944)
    Command line: ncaakxawsjdew.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3068)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads