Analysis
max time kernel: 149s
max time network: 131s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2024, 05:29
Static task: static1
Behavioral task: behavioral1
  Sample: ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  Resource: win10v2004-20240226-en
General
Target: ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Size: 485KB
MD5: ab1d873d92302df9cdbe1bbb67f4c9f1
SHA1: 7985c9cbb9c1b84b910f47b2096fd5f02ca97829
SHA256: 9ad94c700902f2b8987a61d65cf57169a6720eac234a2bee2a252192ee798bff
SHA512: 7140d51c26430d0f1b37110575944d62c8e52a6aea0169ca728bfe430d5a61dae542e3b8a28cae0fd82b2fbba985fd636b9cffd78e5af61bc36c6f9e76b0290d
SSDEEP: 12288:nbaOt4cDU+iTDwZGdXbL3JTdofqNLHagw8Dw0/kU1j31:bDDsm+rL5TRNL6iwiku
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  VkNulndOvnOg.exe
Disables Task Manager via registry modification
Executes dropped EXE 1 IoCs
  PID 2208  VkNulndOvnOg.exe
Loads dropped DLL 2 IoCs
  PID 2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  PID 2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Adds Run key to start application 2 TTPs 1 IoCs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VkNulndOvnOg.exe = "C:\\ProgramData\\VkNulndOvnOg.exe"  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Drops desktop.ini file(s) 2 IoCs
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI  attrib.exe
  File opened for modification  C:\Windows\Fonts\desktop.ini  attrib.exe
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    VkNulndOvnOg.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  VkNulndOvnOg.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 2 IoCs
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\7f6b3266-31c5-43a8-9547-e7911ad6fb33  VkNulndOvnOg.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\nsreg = "1709098183"  VkNulndOvnOg.exe
Modifies Internet Explorer settings
  Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 2208  VkNulndOvnOg.exe
Suspicious behavior: RenamesItself 1 IoCs
  PID 2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Suspicious use of FindShellTrayWindow 1 IoCs
  PID 2208  VkNulndOvnOg.exe
Suspicious use of SendNotifyMessage 1 IoCs
  PID 2208  VkNulndOvnOg.exe
Suspicious use of WriteProcessMemory 16 IoCs
  PID   Process                                wrote to PID  procid_target
  2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe   2208          28
  2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe   2208          28
  2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe   2208          28
  2868  ab1d873d92302df9cdbe1bbb67f4c9f1.exe   2208          28
  2208  VkNulndOvnOg.exe                       1428          32
  2208  VkNulndOvnOg.exe                       1428          32
  2208  VkNulndOvnOg.exe                       1428          32
  2208  VkNulndOvnOg.exe                       1428          32
  2208  VkNulndOvnOg.exe                       3000          34
  2208  VkNulndOvnOg.exe                       3000          34
  2208  VkNulndOvnOg.exe                       3000          34
  2208  VkNulndOvnOg.exe                       3000          34
  2208  VkNulndOvnOg.exe                       1332          36
  2208  VkNulndOvnOg.exe                       1332          36
  2208  VkNulndOvnOg.exe                       1332          36
  2208  VkNulndOvnOg.exe                       1332          36
System policy modification 1 TTPs 2 IoCs
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"  ab1d873d92302df9cdbe1bbb67f4c9f1.exe
Views/modifies file attributes 1 TTPs 3 IoCs
  PID 1428  attrib.exe
  PID 3000  attrib.exe
  PID 1332  attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ab1d873d92302df9cdbe1bbb67f4c9f1.exe  (PID 2868)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab1d873d92302df9cdbe1bbb67f4c9f1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\ProgramData\VkNulndOvnOg.exe  (PID 2208)
    command line: C:\ProgramData\VkNulndOvnOg.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Modifies Control Panel
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe  (PID 1428)
      command line: attrib +h "C:\Users\Admin\*.* " /s /d
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe  (PID 3000)
      command line: attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\*.* " /s /d
      - Views/modifies file attributes
    C:\Windows\SysWOW64\attrib.exe  (PID 1332)
      command line: attrib +h "C:\*.*" /s /d
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Hide Artifacts: 2
    Hidden Files and Directories: 2
  Modify Registry: 4
Downloads