Analysis
max time kernel: 100s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/02/2024, 17:05

Static task: static1

Behavioral task: behavioral1
Sample: a453346112f8761afe8a9154335e17e3.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a453346112f8761afe8a9154335e17e3.exe
Resource: win10v2004-20240221-en
General
Target: a453346112f8761afe8a9154335e17e3.exe
Size: 512KB
MD5: a453346112f8761afe8a9154335e17e3
SHA1: a480fd0777e4ac8bb991cb32d1c53ffb682eb25e
SHA256: 60b95a28ffe5cafe8531fdc9bda5a47dc1cc6aeeede3aa96f492896e1d61eb6b
SHA512: 394dd6281bf4f9d2fcddc0211cb1c56420a329cf1512c92467d0036c338ad3b50b5945089043d29c1c8e674222c855b549843c0008ca9f6ca918236bab2d1169
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj62:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Malware Config
Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | voanqsupwx.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | voanqsupwx.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | voanqsupwx.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | voanqsupwx.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | a453346112f8761afe8a9154335e17e3.exe

Executes dropped EXE 5 IoCs
pid | Process
1704 | voanqsupwx.exe
3112 | suromtvhldzsooo.exe
3944 | izyhqwac.exe
1868 | rfzntzbhtzihu.exe
832 | izyhqwac.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | voanqsupwx.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pnzngjkk = "voanqsupwx.exe" | suromtvhldzsooo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vlmdetvm = "suromtvhldzsooo.exe" | suromtvhldzsooo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rfzntzbhtzihu.exe" | suromtvhldzsooo.exe

Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\r: | izyhqwac.exe
File opened (read-only) | \??\v: | voanqsupwx.exe
File opened (read-only) | \??\a: | izyhqwac.exe
File opened (read-only) | \??\o: | izyhqwac.exe
File opened (read-only) | \??\b: | voanqsupwx.exe
File opened (read-only) | \??\e: | voanqsupwx.exe
File opened (read-only) | \??\h: | voanqsupwx.exe
File opened (read-only) | \??\r: | voanqsupwx.exe
File opened (read-only) | \??\x: | izyhqwac.exe
File opened (read-only) | \??\k: | izyhqwac.exe
File opened (read-only) | \??\v: | izyhqwac.exe
File opened (read-only) | \??\w: | izyhqwac.exe
File opened (read-only) | \??\e: | izyhqwac.exe
File opened (read-only) | \??\l: | izyhqwac.exe
File opened (read-only) | \??\o: | voanqsupwx.exe
File opened (read-only) | \??\p: | izyhqwac.exe
File opened (read-only) | \??\w: | izyhqwac.exe
File opened (read-only) | \??\n: | voanqsupwx.exe
File opened (read-only) | \??\t: | voanqsupwx.exe
File opened (read-only) | \??\h: | izyhqwac.exe
File opened (read-only) | \??\u: | izyhqwac.exe
File opened (read-only) | \??\q: | voanqsupwx.exe
File opened (read-only) | \??\l: | izyhqwac.exe
File opened (read-only) | \??\a: | voanqsupwx.exe
File opened (read-only) | \??\u: | voanqsupwx.exe
File opened (read-only) | \??\z: | voanqsupwx.exe
File opened (read-only) | \??\j: | izyhqwac.exe
File opened (read-only) | \??\s: | izyhqwac.exe
File opened (read-only) | \??\b: | izyhqwac.exe
File opened (read-only) | \??\g: | izyhqwac.exe
File opened (read-only) | \??\u: | izyhqwac.exe
File opened (read-only) | \??\y: | izyhqwac.exe
File opened (read-only) | \??\z: | izyhqwac.exe
File opened (read-only) | \??\g: | izyhqwac.exe
File opened (read-only) | \??\q: | izyhqwac.exe
File opened (read-only) | \??\p: | izyhqwac.exe
File opened (read-only) | \??\x: | izyhqwac.exe
File opened (read-only) | \??\j: | voanqsupwx.exe
File opened (read-only) | \??\r: | izyhqwac.exe
File opened (read-only) | \??\l: | voanqsupwx.exe
File opened (read-only) | \??\y: | voanqsupwx.exe
File opened (read-only) | \??\a: | izyhqwac.exe
File opened (read-only) | \??\i: | izyhqwac.exe
File opened (read-only) | \??\k: | voanqsupwx.exe
File opened (read-only) | \??\x: | voanqsupwx.exe
File opened (read-only) | \??\e: | izyhqwac.exe
File opened (read-only) | \??\k: | izyhqwac.exe
File opened (read-only) | \??\j: | izyhqwac.exe
File opened (read-only) | \??\y: | izyhqwac.exe
File opened (read-only) | \??\i: | voanqsupwx.exe
File opened (read-only) | \??\b: | izyhqwac.exe
File opened (read-only) | \??\n: | izyhqwac.exe
File opened (read-only) | \??\m: | izyhqwac.exe
File opened (read-only) | \??\q: | izyhqwac.exe
File opened (read-only) | \??\g: | voanqsupwx.exe
File opened (read-only) | \??\p: | voanqsupwx.exe
File opened (read-only) | \??\n: | izyhqwac.exe
File opened (read-only) | \??\t: | izyhqwac.exe
File opened (read-only) | \??\m: | izyhqwac.exe
File opened (read-only) | \??\t: | izyhqwac.exe
File opened (read-only) | \??\i: | izyhqwac.exe
File opened (read-only) | \??\o: | izyhqwac.exe
File opened (read-only) | \??\m: | voanqsupwx.exe
File opened (read-only) | \??\w: | voanqsupwx.exe

Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | voanqsupwx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | voanqsupwx.exe

AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4296-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002321f-9.dat | autoit_exe
behavioral2/files/0x0008000000023219-19.dat | autoit_exe
behavioral2/files/0x000700000002321c-22.dat | autoit_exe
behavioral2/files/0x0006000000023220-30.dat | autoit_exe
behavioral2/files/0x0006000000023233-70.dat | autoit_exe
behavioral2/files/0x0006000000023234-76.dat | autoit_exe
behavioral2/files/0x0009000000023211-97.dat | autoit_exe
behavioral2/files/0x0009000000023211-106.dat | autoit_exe

Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\voanqsupwx.exe | a453346112f8761afe8a9154335e17e3.exe
File created | C:\Windows\SysWOW64\suromtvhldzsooo.exe | a453346112f8761afe8a9154335e17e3.exe
File created | C:\Windows\SysWOW64\voanqsupwx.exe | a453346112f8761afe8a9154335e17e3.exe
File opened for modification | C:\Windows\SysWOW64\rfzntzbhtzihu.exe | a453346112f8761afe8a9154335e17e3.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | C:\Windows\SysWOW64\rfzntzbhtzihu.exe | a453346112f8761afe8a9154335e17e3.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | voanqsupwx.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | C:\Windows\SysWOW64\suromtvhldzsooo.exe | a453346112f8761afe8a9154335e17e3.exe
File created | C:\Windows\SysWOW64\izyhqwac.exe | a453346112f8761afe8a9154335e17e3.exe
File opened for modification | C:\Windows\SysWOW64\izyhqwac.exe | a453346112f8761afe8a9154335e17e3.exe

Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | izyhqwac.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | izyhqwac.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | izyhqwac.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | izyhqwac.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | izyhqwac.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | izyhqwac.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | izyhqwac.exe

Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | C:\Windows\mydoc.rtf | a453346112f8761afe8a9154335e17e3.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | izyhqwac.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | izyhqwac.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | izyhqwac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE

Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC67D1594DABFB8C17FE0ECE334BD" | a453346112f8761afe8a9154335e17e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | voanqsupwx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | voanqsupwx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | voanqsupwx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452C779C5783516D4677D377232DDE7CF265A8" | a453346112f8761afe8a9154335e17e3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | voanqsupwx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | voanqsupwx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FFF84F2A851F903CD62D7D97BDE5E6365836674E6336D691" | a453346112f8761afe8a9154335e17e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9B1FE16F196837D3A45819D3999B0FA02F04262023AE1B842EF08A5" | a453346112f8761afe8a9154335e17e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC2FF6E21ADD20ED0A48A0B9161" | a453346112f8761afe8a9154335e17e3.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | a453346112f8761afe8a9154335e17e3.exe
Key created | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\Local Settings | a453346112f8761afe8a9154335e17e3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | voanqsupwx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B02044E739EA52CFB9D532EDD7C5" | a453346112f8761afe8a9154335e17e3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | occurrences
2856 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences (consecutive, in report order)
4296 | a453346112f8761afe8a9154335e17e3.exe | 16
3944 | izyhqwac.exe | 8
3112 | suromtvhldzsooo.exe | 8
1704 | voanqsupwx.exe | 10
3112 | suromtvhldzsooo.exe | 2
1868 | rfzntzbhtzihu.exe | 12
3112 | suromtvhldzsooo.exe | 2
832 | izyhqwac.exe | 6

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | occurrences (consecutive, in report order)
4296 | a453346112f8761afe8a9154335e17e3.exe | 3
3944 | izyhqwac.exe | 1
3112 | suromtvhldzsooo.exe | 1
3944 | izyhqwac.exe | 1
1704 | voanqsupwx.exe | 1
3112 | suromtvhldzsooo.exe | 1
3944 | izyhqwac.exe | 1
1704 | voanqsupwx.exe | 1
3112 | suromtvhldzsooo.exe | 1
1704 | voanqsupwx.exe | 1
1868 | rfzntzbhtzihu.exe | 3
832 | izyhqwac.exe | 3

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | occurrences (consecutive, in report order)
4296 | a453346112f8761afe8a9154335e17e3.exe | 3
3944 | izyhqwac.exe | 1
3112 | suromtvhldzsooo.exe | 1
3944 | izyhqwac.exe | 1
1704 | voanqsupwx.exe | 1
3112 | suromtvhldzsooo.exe | 1
3944 | izyhqwac.exe | 1
1704 | voanqsupwx.exe | 1
3112 | suromtvhldzsooo.exe | 1
1704 | voanqsupwx.exe | 1
1868 | rfzntzbhtzihu.exe | 3
832 | izyhqwac.exe | 3

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | occurrences
2856 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | occurrences
PID 4296 wrote to memory of 1704 | 4296 | a453346112f8761afe8a9154335e17e3.exe | 87 | 3
PID 4296 wrote to memory of 3112 | 4296 | a453346112f8761afe8a9154335e17e3.exe | 90 | 3
PID 4296 wrote to memory of 3944 | 4296 | a453346112f8761afe8a9154335e17e3.exe | 89 | 3
PID 4296 wrote to memory of 1868 | 4296 | a453346112f8761afe8a9154335e17e3.exe | 88 | 3
PID 4296 wrote to memory of 2856 | 4296 | a453346112f8761afe8a9154335e17e3.exe | 91 | 2
PID 1704 wrote to memory of 832 | 1704 | voanqsupwx.exe | 93 | 3

Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a453346112f8761afe8a9154335e17e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a453346112f8761afe8a9154335e17e3.exe"
  PID: 4296
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\voanqsupwx.exe
    Command line: voanqsupwx.exe
    PID: 1704
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\izyhqwac.exe
      Command line: C:\Windows\system32\izyhqwac.exe
      PID: 832
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\rfzntzbhtzihu.exe
    Command line: rfzntzbhtzihu.exe
    PID: 1868
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\izyhqwac.exe
    Command line: izyhqwac.exe
    PID: 3944
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\suromtvhldzsooo.exe
    Command line: suromtvhldzsooo.exe
    PID: 3112
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 2856
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads

Filesize: 512KB
MD5: 96ce11139edd1e8c0694333da7cec04b
SHA1: 100abe6f4d68614fd73b21a1ce06feb4b59521d7
SHA256: 752c54417b74eba23acef9952e9c08c36939449b05d6812a2bca24de099fec64
SHA512: 9c2812c5f5ffe9b72781d3c6bccd224d3afa6a5a2462da7cd8a66e44fc87487be1b98a3fa485ccdfc00eaa0767413c18b8aefc8918dc14b0c30e07689c81250c

Filesize: 512KB
MD5: f70aa649586529c178cf93aa9b857d62
SHA1: cfde48c6070fc4ac4f86022ff9c4a5cf98a02dd8
SHA256: 72961097f0003d9f540c4fd9f64bac50ee9f177cdf9fe5066894a96c70010d2f
SHA512: aff9ef77f192ef2ee24a4362c8188bd8af89756d74572a6d09a22a46a4776a7281ddcfffdc8b76876680d72ec67b133f6ac2f15d0bece7337c5a8bcc85c99b23

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: a0fdfab67f240aa416061d2e57476cdf
SHA1: 02ec8f686f62decb4757e44a9cb11229862faf6c
SHA256: 59dd19d3b6df9bf9c6cd15de9eb52ca4726567764ffad8af62a83be2c7e582b4
SHA512: 0bf665a5388cf7ecbc84fc1a3a227cdc0f882083baa495b499790081fce6c4bfe76ba9e8ab1a0be681402f23c64c3f419ef0c4962ec61a53685245a4e241cdcd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 6f7b4c69962b32440ba291c29fadcdf8
SHA1: 59136ca20a55a00af6c896cb3cd95a1f1968d4be
SHA256: 0fdab1033c57ab53a38fd279ad18009d98a0514d4e3b0cbac714b437ebae8cd4
SHA512: b4a43e9589646d921829c2898a12b6b88ec357d18fccf9c34cd172d7b7643068e484db2c18525934d5f23a4fb3510e301b34843086c4a8867676193f2b96e319

Filesize: 512KB
MD5: 75446507987487896f18ab623510ab7f
SHA1: c1df89fa9ecdf499bb8edcd2e0c298a2e09dd4ee
SHA256: d7b87f1da6da84f5b1ebca42c0fc659f78fd69fa4dcf72c899e4d72666bd2f5f
SHA512: fc8a054c03697606ac25dc2c56961e00c5c4a88c24466cc7d897752306a672852001dc7413c8a2cd7c22078dd9d49a336051e37b5a9364fb9c86b286c8c3c1c7

Filesize: 512KB
MD5: 1dc6cf1038706ca1e2941c4399045b1a
SHA1: 77b88a9decaca47430ad4d6c1ac695c6cf84b441
SHA256: a671df8d3dca18cc9c4a08ae2fcd7fa0ff5c4fb46eb4e2d8b28408cc21b63ade
SHA512: 4e9caeaee3de5ec45ed3bae9d994760653a2728ac84b8adb6d3b07aed881c8df92382efb953f536a2d66d9223008323d6c7bf29c30f9ced2f5bb1873a9ead283

Filesize: 512KB
MD5: 2a2b5b707f6e14253a979a72211aee05
SHA1: 9a9c68316a1d1dc554133d6c0a7c605a254b4a5e
SHA256: 08db04cc297fde89b836541a8691689a3ca9ed452af45a132c5cc627addcc510
SHA512: c18148324cc3180813574e9c7e2989ce884f918bff759fc3bfd21cb57a0a742b82130373993c63c2944b230da35028e9d6ec8d86c3a48cfccc9ec2f042a82027

Filesize: 512KB
MD5: 91a9dc144ffaba3876e1ba5c0cd0b9ea
SHA1: eab18844843a7a07ffe4a90a42e0054bc1f42db9
SHA256: dc9defe94e5c892715a40736cd1cd577f0eae31dfd3a38152e77e84e46b4be05
SHA512: 033bcbdda981d0212852c249133a33dfb75636b99fb14b2fc246e994399c1b679cdedc09c3c6732079a46a9c652d4480ffa59d8852ce58a9fe7266a6e4f52f2c

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: d9707dc1bc4bbbb7aeb53c259ead0b14
SHA1: 21861e52bec3ba03427afe396d9259dab09d24f7
SHA256: fa909eed178ad2d5f32b55305fa57361376f59547b5914dcef57298c286d4a82
SHA512: 0eab9a287f825b237afe6b13a841707040a86fca64ff82803bf9a2e54e2619f65fb256c2e3fd4edf87270518ce8b4e207847d58061548a0d0f43d07dd39c8094

Filesize: 512KB
MD5: 8ca5ebbf7c0599bc7930e74dc51a4704
SHA1: a2d2c79273bb0aaa943e6a617ceafd08cef99ac2
SHA256: 804839663bb036dc8b159c9e84cf56ca2a1f17448f8531afd255253aa2e4d21f
SHA512: 4b18470323ade2a6d92f2b5fd7025990cb5358f65b19e752f9f309461f7e5bfc07fdcc3fb780cfd9c74dc503d3fef8cf39edc666a669fb1eac70c06fe0bf6731