Analysis
max time kernel: 157s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 08/03/2024, 02:51 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: b8454f9bd7d91e7b04eda20436dcebb5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b8454f9bd7d91e7b04eda20436dcebb5.exe
  Resource: win10v2004-20240226-en
General
Target: b8454f9bd7d91e7b04eda20436dcebb5.exe
Size: 512KB
MD5: b8454f9bd7d91e7b04eda20436dcebb5
SHA1: 119374f36cd329d9ed74c44b36216056119ac9fd
SHA256: 312d5d5661561fe40af4281524c7a872f8b3f0ff26710a52efbec4a04825cfb6
SHA512: 07c680adfb17d7ec4da89c1560d488727a01baf107110a88cec9ec0c886fc94be0df3b589d73e723d6c286ea48fa1a99fe35eb329cc9c9e379e0516db6fe4187
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | szdhqtoxxu.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | szdhqtoxxu.exe
Windows security bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | szdhqtoxxu.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | szdhqtoxxu.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | b8454f9bd7d91e7b04eda20436dcebb5.exe
Executes dropped EXE (5 IoCs)
pid | process
3076 | szdhqtoxxu.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
3372 | nssfifmetvqzm.exe
2980 | ltqtvzde.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | szdhqtoxxu.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\edbmmlvc = "szdhqtoxxu.exe" | yxlvxpmghwrtuws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hgxtfxrg = "yxlvxpmghwrtuws.exe" | yxlvxpmghwrtuws.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nssfifmetvqzm.exe" | yxlvxpmghwrtuws.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\n: | szdhqtoxxu.exe
File opened (read-only) | \??\q: | szdhqtoxxu.exe
File opened (read-only) | \??\y: | szdhqtoxxu.exe
File opened (read-only) | \??\w: | ltqtvzde.exe
File opened (read-only) | \??\j: | ltqtvzde.exe
File opened (read-only) | \??\s: | ltqtvzde.exe
File opened (read-only) | \??\b: | szdhqtoxxu.exe
File opened (read-only) | \??\k: | ltqtvzde.exe
File opened (read-only) | \??\l: | ltqtvzde.exe
File opened (read-only) | \??\l: | szdhqtoxxu.exe
File opened (read-only) | \??\a: | ltqtvzde.exe
File opened (read-only) | \??\e: | ltqtvzde.exe
File opened (read-only) | \??\i: | ltqtvzde.exe
File opened (read-only) | \??\i: | szdhqtoxxu.exe
File opened (read-only) | \??\j: | szdhqtoxxu.exe
File opened (read-only) | \??\m: | szdhqtoxxu.exe
File opened (read-only) | \??\u: | szdhqtoxxu.exe
File opened (read-only) | \??\q: | ltqtvzde.exe
File opened (read-only) | \??\h: | ltqtvzde.exe
File opened (read-only) | \??\o: | ltqtvzde.exe
File opened (read-only) | \??\r: | ltqtvzde.exe
File opened (read-only) | \??\u: | ltqtvzde.exe
File opened (read-only) | \??\p: | ltqtvzde.exe
File opened (read-only) | \??\i: | ltqtvzde.exe
File opened (read-only) | \??\v: | ltqtvzde.exe
File opened (read-only) | \??\t: | ltqtvzde.exe
File opened (read-only) | \??\t: | ltqtvzde.exe
File opened (read-only) | \??\g: | ltqtvzde.exe
File opened (read-only) | \??\y: | ltqtvzde.exe
File opened (read-only) | \??\z: | ltqtvzde.exe
File opened (read-only) | \??\z: | szdhqtoxxu.exe
File opened (read-only) | \??\k: | ltqtvzde.exe
File opened (read-only) | \??\p: | ltqtvzde.exe
File opened (read-only) | \??\h: | ltqtvzde.exe
File opened (read-only) | \??\l: | ltqtvzde.exe
File opened (read-only) | \??\x: | ltqtvzde.exe
File opened (read-only) | \??\g: | szdhqtoxxu.exe
File opened (read-only) | \??\k: | szdhqtoxxu.exe
File opened (read-only) | \??\b: | ltqtvzde.exe
File opened (read-only) | \??\j: | ltqtvzde.exe
File opened (read-only) | \??\m: | ltqtvzde.exe
File opened (read-only) | \??\n: | ltqtvzde.exe
File opened (read-only) | \??\z: | ltqtvzde.exe
File opened (read-only) | \??\o: | ltqtvzde.exe
File opened (read-only) | \??\b: | ltqtvzde.exe
File opened (read-only) | \??\m: | ltqtvzde.exe
File opened (read-only) | \??\a: | szdhqtoxxu.exe
File opened (read-only) | \??\w: | ltqtvzde.exe
File opened (read-only) | \??\t: | szdhqtoxxu.exe
File opened (read-only) | \??\g: | ltqtvzde.exe
File opened (read-only) | \??\q: | ltqtvzde.exe
File opened (read-only) | \??\p: | szdhqtoxxu.exe
File opened (read-only) | \??\n: | ltqtvzde.exe
File opened (read-only) | \??\r: | ltqtvzde.exe
File opened (read-only) | \??\y: | ltqtvzde.exe
File opened (read-only) | \??\h: | szdhqtoxxu.exe
File opened (read-only) | \??\o: | szdhqtoxxu.exe
File opened (read-only) | \??\x: | szdhqtoxxu.exe
File opened (read-only) | \??\a: | ltqtvzde.exe
File opened (read-only) | \??\x: | ltqtvzde.exe
File opened (read-only) | \??\e: | szdhqtoxxu.exe
File opened (read-only) | \??\r: | szdhqtoxxu.exe
File opened (read-only) | \??\v: | szdhqtoxxu.exe
File opened (read-only) | \??\w: | szdhqtoxxu.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | szdhqtoxxu.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | szdhqtoxxu.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3164-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0007000000023315-5.dat | autoit_exe
behavioral2/files/0x0008000000023313-19.dat | autoit_exe
behavioral2/files/0x0007000000023316-26.dat | autoit_exe
behavioral2/files/0x0007000000023317-31.dat | autoit_exe
behavioral2/files/0x0007000000023322-72.dat | autoit_exe
behavioral2/files/0x0007000000023323-75.dat | autoit_exe
behavioral2/files/0x000900000002333b-102.dat | autoit_exe
behavioral2/files/0x000a000000023349-113.dat | autoit_exe
behavioral2/files/0x000a000000023349-118.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\szdhqtoxxu.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File created | C:\Windows\SysWOW64\yxlvxpmghwrtuws.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification | C:\Windows\SysWOW64\yxlvxpmghwrtuws.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File created | C:\Windows\SysWOW64\nssfifmetvqzm.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ltqtvzde.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ltqtvzde.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ltqtvzde.exe
File created | C:\Windows\SysWOW64\szdhqtoxxu.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File created | C:\Windows\SysWOW64\ltqtvzde.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification | C:\Windows\SysWOW64\ltqtvzde.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification | C:\Windows\SysWOW64\nssfifmetvqzm.exe | b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | szdhqtoxxu.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltqtvzde.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltqtvzde.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ltqtvzde.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ltqtvzde.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltqtvzde.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ltqtvzde.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ltqtvzde.exe
Drops file in Windows directory (3 IoCs)
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | b8454f9bd7d91e7b04eda20436dcebb5.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB1FE6621ACD27DD0A28B7F9110" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | szdhqtoxxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | szdhqtoxxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9BCF961F2E484783A4186963996B0FE03884211023DE2CB45E709A9" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02E44EF389F52C8B9A732EAD7B8" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C60F1493DBBFB8B97F95ECE734CE" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | szdhqtoxxu.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | b8454f9bd7d91e7b04eda20436dcebb5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402D0D9C2D83576D4677D470522DD67C8665DC" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFCFF4F5A85689131D7217DE7BD93E636584166466234D799" | b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | szdhqtoxxu.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | szdhqtoxxu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | szdhqtoxxu.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
3540 | WINWORD.EXE
3540 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | process
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
2980 | ltqtvzde.exe
2980 | ltqtvzde.exe
2980 | ltqtvzde.exe
Suspicious use of SendNotifyMessage (18 IoCs)
pid | process
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
3076 | szdhqtoxxu.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
1720 | yxlvxpmghwrtuws.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
4020 | ltqtvzde.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
3372 | nssfifmetvqzm.exe
2980 | ltqtvzde.exe
2980 | ltqtvzde.exe
2980 | ltqtvzde.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process
3540 | WINWORD.EXE
3540 | WINWORD.EXE
3540 | WINWORD.EXE
3540 | WINWORD.EXE
3540 | WINWORD.EXE
3540 | WINWORD.EXE
3540 | WINWORD.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | process | procid_target
PID 3164 wrote to memory of 3076 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 95
PID 3164 wrote to memory of 3076 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 95
PID 3164 wrote to memory of 3076 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 95
PID 3164 wrote to memory of 1720 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 96
PID 3164 wrote to memory of 1720 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 96
PID 3164 wrote to memory of 1720 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 96
PID 3164 wrote to memory of 4020 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 97
PID 3164 wrote to memory of 4020 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 97
PID 3164 wrote to memory of 4020 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 97
PID 3164 wrote to memory of 3372 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 98
PID 3164 wrote to memory of 3372 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 98
PID 3164 wrote to memory of 3372 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 98
PID 3164 wrote to memory of 3540 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 99
PID 3164 wrote to memory of 3540 | 3164 | b8454f9bd7d91e7b04eda20436dcebb5.exe | 99
PID 3076 wrote to memory of 2980 | 3076 | szdhqtoxxu.exe | 102
PID 3076 wrote to memory of 2980 | 3076 | szdhqtoxxu.exe | 102
PID 3076 wrote to memory of 2980 | 3076 | szdhqtoxxu.exe | 102
Processes
C:\Users\Admin\AppData\Local\Temp\b8454f9bd7d91e7b04eda20436dcebb5.exe (depth 1, PID: 3164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8454f9bd7d91e7b04eda20436dcebb5.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\szdhqtoxxu.exe (depth 2, PID: 3076)
    Command line: szdhqtoxxu.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ltqtvzde.exe (depth 3, PID: 2980)
      Command line: C:\Windows\system32\ltqtvzde.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\yxlvxpmghwrtuws.exe (depth 2, PID: 1720)
    Command line: yxlvxpmghwrtuws.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ltqtvzde.exe (depth 2, PID: 4020)
    Command line: ltqtvzde.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nssfifmetvqzm.exe (depth 2, PID: 3372)
    Command line: nssfifmetvqzm.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID: 3540)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID: 3976)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads