Analysis
- max time kernel: 149s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/02/2024, 19:42

Static task: static1

Behavioral task: behavioral1
- Sample: aa004dee0751926cb4ba5a24246781b2.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: aa004dee0751926cb4ba5a24246781b2.exe
- Resource: win10v2004-20240226-en

General
- Target: aa004dee0751926cb4ba5a24246781b2.exe
- Size: 512KB
- MD5: aa004dee0751926cb4ba5a24246781b2
- SHA1: ac48b443f46dd2af7722b772993ffd0207ab549c
- SHA256: ceb3b395283674b93d8ee33cca56b78d1b5cd2bc018ec78be506b193a340ac94
- SHA512: 7f7f7f2fbf1f0d9bab8be50ba6449187495f11fcb1e7348946c6737be60e1e9c0dbab96f62eeba6bf8d6214d56181dbfdc934267241ccb2f57fad08388c41378
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6M:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | emrowkzpyb.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | emrowkzpyb.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | emrowkzpyb.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | emrowkzpyb.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | aa004dee0751926cb4ba5a24246781b2.exe
Executes dropped EXE (5 IoCs)
pid | Process
4092 | emrowkzpyb.exe
4556 | ycbtsfttyxfroir.exe
4052 | wwcofryf.exe
2856 | nublwxcdmajkg.exe
2188 | wwcofryf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | emrowkzpyb.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nublwxcdmajkg.exe" | ycbtsfttyxfroir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ubowrwfq = "emrowkzpyb.exe" | ycbtsfttyxfroir.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlxzfmjh = "ycbtsfttyxfroir.exe" | ycbtsfttyxfroir.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | wwcofryf.exe
File opened (read-only) | \??\s: | wwcofryf.exe
File opened (read-only) | \??\w: | wwcofryf.exe
File opened (read-only) | \??\x: | wwcofryf.exe
File opened (read-only) | \??\v: | wwcofryf.exe
File opened (read-only) | \??\o: | wwcofryf.exe
File opened (read-only) | \??\i: | emrowkzpyb.exe
File opened (read-only) | \??\k: | emrowkzpyb.exe
File opened (read-only) | \??\l: | emrowkzpyb.exe
File opened (read-only) | \??\e: | wwcofryf.exe
File opened (read-only) | \??\j: | emrowkzpyb.exe
File opened (read-only) | \??\g: | wwcofryf.exe
File opened (read-only) | \??\p: | wwcofryf.exe
File opened (read-only) | \??\g: | wwcofryf.exe
File opened (read-only) | \??\b: | emrowkzpyb.exe
File opened (read-only) | \??\r: | emrowkzpyb.exe
File opened (read-only) | \??\j: | wwcofryf.exe
File opened (read-only) | \??\b: | wwcofryf.exe
File opened (read-only) | \??\n: | wwcofryf.exe
File opened (read-only) | \??\q: | wwcofryf.exe
File opened (read-only) | \??\y: | wwcofryf.exe
File opened (read-only) | \??\k: | wwcofryf.exe
File opened (read-only) | \??\j: | wwcofryf.exe
File opened (read-only) | \??\e: | emrowkzpyb.exe
File opened (read-only) | \??\g: | emrowkzpyb.exe
File opened (read-only) | \??\o: | emrowkzpyb.exe
File opened (read-only) | \??\h: | wwcofryf.exe
File opened (read-only) | \??\i: | wwcofryf.exe
File opened (read-only) | \??\u: | wwcofryf.exe
File opened (read-only) | \??\t: | wwcofryf.exe
File opened (read-only) | \??\q: | emrowkzpyb.exe
File opened (read-only) | \??\t: | emrowkzpyb.exe
File opened (read-only) | \??\a: | wwcofryf.exe
File opened (read-only) | \??\k: | wwcofryf.exe
File opened (read-only) | \??\w: | emrowkzpyb.exe
File opened (read-only) | \??\o: | wwcofryf.exe
File opened (read-only) | \??\v: | wwcofryf.exe
File opened (read-only) | \??\y: | emrowkzpyb.exe
File opened (read-only) | \??\e: | wwcofryf.exe
File opened (read-only) | \??\m: | wwcofryf.exe
File opened (read-only) | \??\p: | emrowkzpyb.exe
File opened (read-only) | \??\x: | wwcofryf.exe
File opened (read-only) | \??\a: | wwcofryf.exe
File opened (read-only) | \??\z: | wwcofryf.exe
File opened (read-only) | \??\u: | emrowkzpyb.exe
File opened (read-only) | \??\z: | emrowkzpyb.exe
File opened (read-only) | \??\y: | wwcofryf.exe
File opened (read-only) | \??\n: | emrowkzpyb.exe
File opened (read-only) | \??\v: | emrowkzpyb.exe
File opened (read-only) | \??\x: | emrowkzpyb.exe
File opened (read-only) | \??\n: | wwcofryf.exe
File opened (read-only) | \??\h: | wwcofryf.exe
File opened (read-only) | \??\m: | wwcofryf.exe
File opened (read-only) | \??\r: | wwcofryf.exe
File opened (read-only) | \??\h: | emrowkzpyb.exe
File opened (read-only) | \??\q: | wwcofryf.exe
File opened (read-only) | \??\r: | wwcofryf.exe
File opened (read-only) | \??\t: | wwcofryf.exe
File opened (read-only) | \??\s: | emrowkzpyb.exe
File opened (read-only) | \??\z: | wwcofryf.exe
File opened (read-only) | \??\p: | wwcofryf.exe
File opened (read-only) | \??\u: | wwcofryf.exe
File opened (read-only) | \??\a: | emrowkzpyb.exe
File opened (read-only) | \??\s: | wwcofryf.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | emrowkzpyb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | emrowkzpyb.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2320-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00090000000224f7-5.dat | autoit_exe
behavioral2/files/0x000300000001e9a0-19.dat | autoit_exe
behavioral2/files/0x000a000000023189-27.dat | autoit_exe
behavioral2/files/0x00090000000231e2-32.dat | autoit_exe
behavioral2/files/0x00080000000231ed-74.dat | autoit_exe
behavioral2/files/0x00070000000231ef-76.dat | autoit_exe
behavioral2/files/0x00100000000230ef-96.dat | autoit_exe
behavioral2/files/0x00100000000230ef-102.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\emrowkzpyb.exe | aa004dee0751926cb4ba5a24246781b2.exe
File opened for modification | C:\Windows\SysWOW64\ycbtsfttyxfroir.exe | aa004dee0751926cb4ba5a24246781b2.exe
File opened for modification | C:\Windows\SysWOW64\wwcofryf.exe | aa004dee0751926cb4ba5a24246781b2.exe
File opened for modification | C:\Windows\SysWOW64\nublwxcdmajkg.exe | aa004dee0751926cb4ba5a24246781b2.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | C:\Windows\SysWOW64\wwcofryf.exe | aa004dee0751926cb4ba5a24246781b2.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | emrowkzpyb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | C:\Windows\SysWOW64\emrowkzpyb.exe | aa004dee0751926cb4ba5a24246781b2.exe
File created | C:\Windows\SysWOW64\ycbtsfttyxfroir.exe | aa004dee0751926cb4ba5a24246781b2.exe
File created | C:\Windows\SysWOW64\nublwxcdmajkg.exe | aa004dee0751926cb4ba5a24246781b2.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwcofryf.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwcofryf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wwcofryf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wwcofryf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwcofryf.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwcofryf.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwcofryf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwcofryf.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | C:\Windows\mydoc.rtf | aa004dee0751926cb4ba5a24246781b2.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwcofryf.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwcofryf.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwcofryf.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462C0C9D5283506D4476A277552DDE7C8764DB" | aa004dee0751926cb4ba5a24246781b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02D479439ED53C8B9D0339CD7B9" | aa004dee0751926cb4ba5a24246781b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67D1493DBB1B8B97CE9ED9434BA" | aa004dee0751926cb4ba5a24246781b2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFC82485D851D9046D62F7D96BD90E144594667366335D7EA" | aa004dee0751926cb4ba5a24246781b2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | emrowkzpyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | emrowkzpyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | emrowkzpyb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | emrowkzpyb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | aa004dee0751926cb4ba5a24246781b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB7FE6B22DFD172D1A98A7F906B" | aa004dee0751926cb4ba5a24246781b2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | emrowkzpyb.exe
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | aa004dee0751926cb4ba5a24246781b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCFACEF916F2E284083B47819F3E95B3FD03FC4315023BE1B842E909A8" | aa004dee0751926cb4ba5a24246781b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | emrowkzpyb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | emrowkzpyb.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process (×N = number of identical rows)
1856 | WINWORD.EXE (×2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (×N = number of identical rows)
2320 | aa004dee0751926cb4ba5a24246781b2.exe (×16)
4092 | emrowkzpyb.exe (×10)
4052 | wwcofryf.exe (×8)
4556 | ycbtsfttyxfroir.exe (×10)
2856 | nublwxcdmajkg.exe (×12)
2188 | wwcofryf.exe (×8)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process (×N = number of identical rows)
2320 | aa004dee0751926cb4ba5a24246781b2.exe (×3)
4092 | emrowkzpyb.exe (×3)
4052 | wwcofryf.exe (×3)
4556 | ycbtsfttyxfroir.exe (×3)
2856 | nublwxcdmajkg.exe (×3)
2188 | wwcofryf.exe (×3)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process (×N = number of identical rows)
2320 | aa004dee0751926cb4ba5a24246781b2.exe (×3)
4092 | emrowkzpyb.exe (×3)
4052 | wwcofryf.exe (×3)
4556 | ycbtsfttyxfroir.exe (×3)
2856 | nublwxcdmajkg.exe (×3)
2188 | wwcofryf.exe (×3)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process (×N = number of identical rows)
1856 | WINWORD.EXE (×7)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target (×N = number of identical rows)
PID 2320 wrote to memory of 4092 | 2320 | aa004dee0751926cb4ba5a24246781b2.exe | 89 (×3)
PID 2320 wrote to memory of 4556 | 2320 | aa004dee0751926cb4ba5a24246781b2.exe | 91 (×3)
PID 2320 wrote to memory of 4052 | 2320 | aa004dee0751926cb4ba5a24246781b2.exe | 90 (×3)
PID 2320 wrote to memory of 2856 | 2320 | aa004dee0751926cb4ba5a24246781b2.exe | 92 (×3)
PID 4092 wrote to memory of 2188 | 4092 | emrowkzpyb.exe | 93 (×3)
PID 2320 wrote to memory of 1856 | 2320 | aa004dee0751926cb4ba5a24246781b2.exe | 94 (×2)
Processes

C:\Users\Admin\AppData\Local\Temp\aa004dee0751926cb4ba5a24246781b2.exe (depth 1, PID 2320)
command line: "C:\Users\Admin\AppData\Local\Temp\aa004dee0751926cb4ba5a24246781b2.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\emrowkzpyb.exe (depth 2, PID 4092)
  command line: emrowkzpyb.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wwcofryf.exe (depth 3, PID 2188)
    command line: C:\Windows\system32\wwcofryf.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wwcofryf.exe (depth 2, PID 4052)
  command line: wwcofryf.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ycbtsfttyxfroir.exe (depth 2, PID 4556)
  command line: ycbtsfttyxfroir.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nublwxcdmajkg.exe (depth 2, PID 2856)
  command line: nublwxcdmajkg.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 1856)
  command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1

Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 6
Downloads