Analysis

max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/03/2024, 06:58
Behavioral task: behavioral1
Sample: bacf073e0149abfe33067464d8518405.exe
Resource: win7-20240221-en
General

Target: bacf073e0149abfe33067464d8518405.exe
Size: 255KB
MD5: bacf073e0149abfe33067464d8518405
SHA1: 4f0b943ad5123bb76dd96c0eea7ce3f33236b2e6
SHA256: 2e262b8d6f291f262fedfb9087eab6708028f0533f3ac4a6418233af64b58054
SHA512: 68474d5c353e9c58f92c109c07933ae0a9c82bd15c37c2dbe8d582502bd05c7d073002cc327009a88ff9e55088c1a47a9ad51ca005f3e0bb5ed7292420e3d605
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJW:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI1
Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ygvcadeeyl.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ygvcadeeyl.exe

Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ygvcadeeyl.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ygvcadeeyl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | bacf073e0149abfe33067464d8518405.exe
Executes dropped EXE 5 IoCs
pid | Process
2816 | ygvcadeeyl.exe
1936 | iivtwyfdwkvpmzh.exe
3120 | ieukrilz.exe
1108 | xwarmlfbortoj.exe
3148 | ieukrilz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

UPX packed file 64 IoCs
resource | yara_rule
behavioral2/memory/5052-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000800000002321d-5.dat | upx
behavioral2/files/0x000200000001f656-18.dat | upx
behavioral2/files/0x0008000000023220-27.dat | upx
behavioral2/memory/1936-29-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x0007000000023224-31.dat | upx
behavioral2/memory/1108-32-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-22-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-35-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/5052-36-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x00020000000227d3-68.dat | upx
behavioral2/files/0x00020000000227e7-74.dat | upx
behavioral2/memory/2816-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-89-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-92-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-99-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-100-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-110-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-112-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-111-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-113-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-114-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-115-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-116-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-120-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-121-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-122-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-123-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-124-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/files/0x000800000002324f-127.dat | upx
behavioral2/files/0x000800000002324f-135.dat | upx
behavioral2/memory/2816-137-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-139-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-138-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-140-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-141-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-142-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-148-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-149-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-151-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-154-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-157-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-158-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-159-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-160-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-161-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-162-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-163-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-164-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-165-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-166-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-167-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1936-168-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3120-169-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/1108-170-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/3148-171-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral2/memory/2816-185-0x0000000000400000-0x00000000004A0000-memory.dmp | upx

Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ygvcadeeyl.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tifzllzp = "ygvcadeeyl.exe" | iivtwyfdwkvpmzh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hbvbzakd = "iivtwyfdwkvpmzh.exe" | iivtwyfdwkvpmzh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xwarmlfbortoj.exe" | iivtwyfdwkvpmzh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | ieukrilz.exe
File opened (read-only) | \??\x: | ieukrilz.exe
File opened (read-only) | \??\a: | ygvcadeeyl.exe
File opened (read-only) | \??\k: | ieukrilz.exe
File opened (read-only) | \??\w: | ygvcadeeyl.exe
File opened (read-only) | \??\h: | ieukrilz.exe
File opened (read-only) | \??\o: | ieukrilz.exe
File opened (read-only) | \??\a: | ieukrilz.exe
File opened (read-only) | \??\y: | ieukrilz.exe
File opened (read-only) | \??\z: | ieukrilz.exe
File opened (read-only) | \??\i: | ygvcadeeyl.exe
File opened (read-only) | \??\s: | ieukrilz.exe
File opened (read-only) | \??\w: | ieukrilz.exe
File opened (read-only) | \??\v: | ygvcadeeyl.exe
File opened (read-only) | \??\m: | ieukrilz.exe
File opened (read-only) | \??\t: | ieukrilz.exe
File opened (read-only) | \??\t: | ieukrilz.exe
File opened (read-only) | \??\j: | ygvcadeeyl.exe
File opened (read-only) | \??\m: | ygvcadeeyl.exe
File opened (read-only) | \??\z: | ygvcadeeyl.exe
File opened (read-only) | \??\r: | ygvcadeeyl.exe
File opened (read-only) | \??\e: | ieukrilz.exe
File opened (read-only) | \??\p: | ygvcadeeyl.exe
File opened (read-only) | \??\y: | ygvcadeeyl.exe
File opened (read-only) | \??\j: | ieukrilz.exe
File opened (read-only) | \??\i: | ieukrilz.exe
File opened (read-only) | \??\q: | ygvcadeeyl.exe
File opened (read-only) | \??\e: | ieukrilz.exe
File opened (read-only) | \??\s: | ieukrilz.exe
File opened (read-only) | \??\g: | ieukrilz.exe
File opened (read-only) | \??\n: | ieukrilz.exe
File opened (read-only) | \??\x: | ieukrilz.exe
File opened (read-only) | \??\b: | ieukrilz.exe
File opened (read-only) | \??\j: | ieukrilz.exe
File opened (read-only) | \??\l: | ygvcadeeyl.exe
File opened (read-only) | \??\u: | ygvcadeeyl.exe
File opened (read-only) | \??\h: | ieukrilz.exe
File opened (read-only) | \??\u: | ieukrilz.exe
File opened (read-only) | \??\g: | ieukrilz.exe
File opened (read-only) | \??\i: | ieukrilz.exe
File opened (read-only) | \??\l: | ieukrilz.exe
File opened (read-only) | \??\w: | ieukrilz.exe
File opened (read-only) | \??\g: | ygvcadeeyl.exe
File opened (read-only) | \??\n: | ygvcadeeyl.exe
File opened (read-only) | \??\t: | ygvcadeeyl.exe
File opened (read-only) | \??\z: | ieukrilz.exe
File opened (read-only) | \??\a: | ieukrilz.exe
File opened (read-only) | \??\k: | ieukrilz.exe
File opened (read-only) | \??\r: | ieukrilz.exe
File opened (read-only) | \??\s: | ygvcadeeyl.exe
File opened (read-only) | \??\x: | ygvcadeeyl.exe
File opened (read-only) | \??\q: | ieukrilz.exe
File opened (read-only) | \??\y: | ieukrilz.exe
File opened (read-only) | \??\p: | ieukrilz.exe
File opened (read-only) | \??\q: | ieukrilz.exe
File opened (read-only) | \??\e: | ygvcadeeyl.exe
File opened (read-only) | \??\h: | ygvcadeeyl.exe
File opened (read-only) | \??\v: | ieukrilz.exe
File opened (read-only) | \??\m: | ieukrilz.exe
File opened (read-only) | \??\u: | ieukrilz.exe
File opened (read-only) | \??\b: | ieukrilz.exe
File opened (read-only) | \??\r: | ieukrilz.exe
File opened (read-only) | \??\b: | ygvcadeeyl.exe
File opened (read-only) | \??\o: | ygvcadeeyl.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | ygvcadeeyl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | ygvcadeeyl.exe
AutoIT Executable 57 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1936-29-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-22-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-35-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/5052-36-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-89-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-92-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-99-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-100-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-110-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-112-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-111-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-113-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-114-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-115-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-116-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-120-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-121-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-122-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-123-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-124-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-137-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-139-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-138-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-140-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-141-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-142-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-148-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-149-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-151-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-154-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-157-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-158-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-159-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-160-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-161-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-162-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-163-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-164-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-165-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-166-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-167-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-168-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-169-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-170-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3148-171-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/2816-185-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1936-186-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/3120-187-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral2/memory/1108-188-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\iivtwyfdwkvpmzh.exe | bacf073e0149abfe33067464d8518405.exe
File opened for modification | C:\Windows\SysWOW64\ieukrilz.exe | bacf073e0149abfe33067464d8518405.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ieukrilz.exe
File created | C:\Windows\SysWOW64\ygvcadeeyl.exe | bacf073e0149abfe33067464d8518405.exe
File created | C:\Windows\SysWOW64\iivtwyfdwkvpmzh.exe | bacf073e0149abfe33067464d8518405.exe
File opened for modification | C:\Windows\SysWOW64\xwarmlfbortoj.exe | bacf073e0149abfe33067464d8518405.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | C:\Windows\SysWOW64\ygvcadeeyl.exe | bacf073e0149abfe33067464d8518405.exe
File created | C:\Windows\SysWOW64\xwarmlfbortoj.exe | bacf073e0149abfe33067464d8518405.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | ygvcadeeyl.exe
File created | C:\Windows\SysWOW64\ieukrilz.exe | bacf073e0149abfe33067464d8518405.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ieukrilz.exe
File opened for modification | \??\c:\Program Files\LockSend.doc.exe | ieukrilz.exe
File opened for modification | C:\Program Files\LockSend.nal | ieukrilz.exe
File opened for modification | \??\c:\Program Files\LockSend.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ieukrilz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ieukrilz.exe
File created | \??\c:\Program Files\LockSend.doc.exe | ieukrilz.exe
File opened for modification | C:\Program Files\LockSend.doc.exe | ieukrilz.exe
File opened for modification | C:\Program Files\LockSend.doc.exe | ieukrilz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ieukrilz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ieukrilz.exe
File opened for modification | C:\Program Files\LockSend.nal | ieukrilz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ieukrilz.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ieukrilz.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ieukrilz.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | C:\Windows\mydoc.rtf | bacf073e0149abfe33067464d8518405.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ieukrilz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ieukrilz.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ieukrilz.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ieukrilz.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ieukrilz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7F9D5683256A4676D470232CDB7C8764AC" | bacf073e0149abfe33067464d8518405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFABDFE6BF2E2840C3A31869D3995B38802FF42150239E1BA45EA08A2" | bacf073e0149abfe33067464d8518405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B12F449239E952CCBAA23299D4CC" | bacf073e0149abfe33067464d8518405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C60814E4DAC0B9CE7CE5ED9534CD" | bacf073e0149abfe33067464d8518405.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | ygvcadeeyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FCFB485882139135D72B7D93BDEFE13D584566436331D79E" | bacf073e0149abfe33067464d8518405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BC3FE1D22A9D27CD0A28B08906A" | bacf073e0149abfe33067464d8518405.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | ygvcadeeyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | ygvcadeeyl.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | bacf073e0149abfe33067464d8518405.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | ygvcadeeyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | ygvcadeeyl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | ygvcadeeyl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | ygvcadeeyl.exe
Key created | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings | bacf073e0149abfe33067464d8518405.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1452 | WINWORD.EXE
1452 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
1936 | iivtwyfdwkvpmzh.exe
3120 | ieukrilz.exe
1936 | iivtwyfdwkvpmzh.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
3148 | ieukrilz.exe
3148 | ieukrilz.exe
3148 | ieukrilz.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
5052 | bacf073e0149abfe33067464d8518405.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
2816 | ygvcadeeyl.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
1936 | iivtwyfdwkvpmzh.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
3120 | ieukrilz.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
1108 | xwarmlfbortoj.exe
3148 | ieukrilz.exe
3148 | ieukrilz.exe
3148 | ieukrilz.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1452 | WINWORD.EXE
1452 | WINWORD.EXE
1452 | WINWORD.EXE
1452 | WINWORD.EXE
1452 | WINWORD.EXE
1452 | WINWORD.EXE
1452 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 5052 wrote to memory of 2816 | 5052 | bacf073e0149abfe33067464d8518405.exe | 88
PID 5052 wrote to memory of 2816 | 5052 | bacf073e0149abfe33067464d8518405.exe | 88
PID 5052 wrote to memory of 2816 | 5052 | bacf073e0149abfe33067464d8518405.exe | 88
PID 5052 wrote to memory of 1936 | 5052 | bacf073e0149abfe33067464d8518405.exe | 89
PID 5052 wrote to memory of 1936 | 5052 | bacf073e0149abfe33067464d8518405.exe | 89
PID 5052 wrote to memory of 1936 | 5052 | bacf073e0149abfe33067464d8518405.exe | 89
PID 5052 wrote to memory of 3120 | 5052 | bacf073e0149abfe33067464d8518405.exe | 90
PID 5052 wrote to memory of 3120 | 5052 | bacf073e0149abfe33067464d8518405.exe | 90
PID 5052 wrote to memory of 3120 | 5052 | bacf073e0149abfe33067464d8518405.exe | 90
PID 5052 wrote to memory of 1108 | 5052 | bacf073e0149abfe33067464d8518405.exe | 91
PID 5052 wrote to memory of 1108 | 5052 | bacf073e0149abfe33067464d8518405.exe | 91
PID 5052 wrote to memory of 1108 | 5052 | bacf073e0149abfe33067464d8518405.exe | 91
PID 5052 wrote to memory of 1452 | 5052 | bacf073e0149abfe33067464d8518405.exe | 93
PID 5052 wrote to memory of 1452 | 5052 | bacf073e0149abfe33067464d8518405.exe | 93
PID 2816 wrote to memory of 3148 | 2816 | ygvcadeeyl.exe | 95
PID 2816 wrote to memory of 3148 | 2816 | ygvcadeeyl.exe | 95
PID 2816 wrote to memory of 3148 | 2816 | ygvcadeeyl.exe | 95
Processes
- PID 5052: C:\Users\Admin\AppData\Local\Temp\bacf073e0149abfe33067464d8518405.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bacf073e0149abfe33067464d8518405.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - PID 2816: C:\Windows\SysWOW64\ygvcadeeyl.exe (depth 2)
    Command line: ygvcadeeyl.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - PID 3148: C:\Windows\SysWOW64\ieukrilz.exe (depth 3)
      Command line: C:\Windows\system32\ieukrilz.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - PID 1936: C:\Windows\SysWOW64\iivtwyfdwkvpmzh.exe (depth 2)
    Command line: iivtwyfdwkvpmzh.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - PID 3120: C:\Windows\SysWOW64\ieukrilz.exe (depth 2)
    Command line: ieukrilz.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - PID 1108: C:\Windows\SysWOW64\xwarmlfbortoj.exe (depth 2)
    Command line: xwarmlfbortoj.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - PID 1452: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
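Every WriteProcessMemory row in the table above has a writer that is the parent of the target in the process tree (5052 writes into 2816, 1936, 3120, 1108 and 1452; 2816 writes into 3148), and the rows repeat because the sandbox logs each call. The following Python is an added example, not part of the tria.ge report, that reconstructs that relationship from the two blocks as they appear on this page: it parses the flattened rows, collapses repeated calls into edges, and separates writes into a process's own child from writes into any other process. The split rests on an analyst heuristic, stated here as an assumption: a parent writing into a child it has just created is what process creation itself looks like from this vantage point, while writes into an unrelated process are a candidate for injection. The caveat is that the table cannot distinguish a parent that also injects into its own child, so the "own child" bucket is low-signal, not clean.

```python
import re
from collections import Counter

# The flattened "Suspicious use of WriteProcessMemory" rows from this report,
# one row per API call, copied here so the block runs offline.
WPM_ROWS = """
PID 5052 wrote to memory of 2816 5052 bacf073e0149abfe33067464d8518405.exe 88
PID 5052 wrote to memory of 2816 5052 bacf073e0149abfe33067464d8518405.exe 88
PID 5052 wrote to memory of 2816 5052 bacf073e0149abfe33067464d8518405.exe 88
PID 5052 wrote to memory of 1936 5052 bacf073e0149abfe33067464d8518405.exe 89
PID 5052 wrote to memory of 1936 5052 bacf073e0149abfe33067464d8518405.exe 89
PID 5052 wrote to memory of 1936 5052 bacf073e0149abfe33067464d8518405.exe 89
PID 5052 wrote to memory of 3120 5052 bacf073e0149abfe33067464d8518405.exe 90
PID 5052 wrote to memory of 3120 5052 bacf073e0149abfe33067464d8518405.exe 90
PID 5052 wrote to memory of 3120 5052 bacf073e0149abfe33067464d8518405.exe 90
PID 5052 wrote to memory of 1108 5052 bacf073e0149abfe33067464d8518405.exe 91
PID 5052 wrote to memory of 1108 5052 bacf073e0149abfe33067464d8518405.exe 91
PID 5052 wrote to memory of 1108 5052 bacf073e0149abfe33067464d8518405.exe 91
PID 5052 wrote to memory of 1452 5052 bacf073e0149abfe33067464d8518405.exe 93
PID 5052 wrote to memory of 1452 5052 bacf073e0149abfe33067464d8518405.exe 93
PID 2816 wrote to memory of 3148 2816 ygvcadeeyl.exe 95
PID 2816 wrote to memory of 3148 2816 ygvcadeeyl.exe 95
PID 2816 wrote to memory of 3148 2816 ygvcadeeyl.exe 95
"""

# Process tree as the report shows it: pid -> (image name, parent pid).
PROCESS_TREE = {
    5052: ("bacf073e0149abfe33067464d8518405.exe", None),
    2816: ("ygvcadeeyl.exe", 5052),
    1936: ("iivtwyfdwkvpmzh.exe", 5052),
    3120: ("ieukrilz.exe", 5052),
    1108: ("xwarmlfbortoj.exe", 5052),
    1452: ("WINWORD.EXE", 5052),
    3148: ("ieukrilz.exe", 2816),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_image, procid_target) tuple per row."""
    events = []
    for m in ROW_RE.finditer(text):
        writer, target, pid, image, procid = m.groups()
        if writer != pid:  # the description and the pid column must agree
            raise ValueError(f"inconsistent row: {m.group(0)}")
        events.append((int(writer), int(target), image, int(procid)))
    return events


def collapse(events):
    """Collapse repeated calls into unique (writer, target) -> (image, call count)."""
    counts = Counter((w, t, img) for w, t, img, _ in events)
    return {(w, t): (img, n) for (w, t, img), n in counts.items()}


def classify(events, tree):
    """Split edges into writes into the writer's own child (assumed to be the
    process-creation path, where the parent populates the new process before
    it runs) and writes into any other process (candidate injection).
    Returns (own_child, foreign), each a list of (writer, target, image, count)."""
    own_child, foreign = [], []
    for (w, t), (img, n) in sorted(collapse(events).items()):
        parent = tree.get(t, (None, None))[1]
        (own_child if parent == w else foreign).append((w, t, img, n))
    return own_child, foreign


def render_tree(tree, root=None, depth=0):
    """Indented text rendering of the parent/child relationships."""
    lines = []
    for pid, (img, parent) in tree.items():
        if parent == root:
            lines.append(f"{'  ' * depth}{img} (PID {pid})")
            lines.extend(render_tree(tree, pid, depth + 1))
    return lines


if __name__ == "__main__":
    ev = parse_wpm(WPM_ROWS)
    own, foreign = classify(ev, PROCESS_TREE)
    print("\n".join(render_tree(PROCESS_TREE)))
    print(f"{len(ev)} calls, {len(own)} parent->child edges, {len(foreign)} foreign-process writes")
    for w, t, img, n in own:
        print(f"  {img} ({w}) -> {PROCESS_TREE[t][0]} ({t}): {n} calls")
```

On this report the foreign bucket is empty and all six edges are parent-to-child, which is why the signature is tagged "Suspicious use" rather than injection. The same parser applied to a report where a writer is not the target's parent is where the table starts to carry weight.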
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
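The Defense Evasion and Persistence techniques listed above all land in the registry, so the host-side check is a registry diff against a known-good baseline. The Python below is an added example, not tria.ge code and not taken from the report: it audits a snapshot of "HIVE\key\value" -> data pairs and maps each hit to the ATT&CK technique it corresponds to. The HideFileExt/ShowSuperHidden flags, the Security Center notification and override values and the DisableRegistryTools policy are the standard values behind the "hidden files", "security bypass" and "disables RegEdit" signatures; the Winlogon Shell data and the Run entry in the infected snapshot are constructed illustrations of what "Modifies WinLogon" and "Adds Run key" can look like, not values read from this report. One practical point the example handles: the dropped executables here run from SysWOW64, and a 32-bit writer's HKLM\SOFTWARE changes land under WOW6432Node, so the audit folds that view onto the native path before matching.

```python
from collections import Counter

CU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion"
LM = r"HKLM\SOFTWARE\Microsoft"
LM32 = r"HKLM\SOFTWARE\WOW6432Node\Microsoft"   # what a 32-bit process sees as HKLM\SOFTWARE\Microsoft

# Known-good baseline, constructed for this example. On a live host both
# dictionaries would be filled from `reg query` output or the winreg module.
CLEAN = {
    CU + r"\Explorer\Advanced\HideFileExt": 0,
    CU + r"\Explorer\Advanced\ShowSuperHidden": 1,
    LM + r"\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    LM + r"\Windows NT\CurrentVersion\Winlogon\Userinit": r"C:\Windows\system32\userinit.exe,",
    CU + r"\Run\OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

# Constructed post-infection snapshot. The Explorer, Security Center and
# Policies values are the ones the report's signatures inspect; the Winlogon
# Shell data and the ygvcadeeyl Run entry are illustrative, not from the report.
INFECTED = {
    CU + r"\Explorer\Advanced\HideFileExt": 1,
    CU + r"\Explorer\Advanced\ShowSuperHidden": 0,
    CU + r"\Policies\System\DisableRegistryTools": 1,
    LM32 + r"\Security Center\AntiVirusDisableNotify": 1,
    LM32 + r"\Security Center\FirewallDisableNotify": 1,
    LM32 + r"\Security Center\UpdatesDisableNotify": 1,
    LM32 + r"\Security Center\AntiVirusOverride": 1,
    LM32 + r"\Security Center\FirewallOverride": 1,
    LM + r"\Windows NT\CurrentVersion\Winlogon\Shell": r"explorer.exe C:\Windows\SysWOW64\ygvcadeeyl.exe",
    CU + r"\Run\ygvcadeeyl": r"C:\Windows\SysWOW64\iivtwyfdwkvpmzh.exe",
    CU + r"\Run\OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def audit(snapshot, baseline):
    """Compare a registry snapshot with a known-good baseline and return one
    (technique_id, technique, key, data) finding per suspicious value."""
    findings = []
    for key, data in snapshot.items():
        norm = key.replace(r"\WOW6432Node", "")   # fold the 32-bit view onto the native path
        name = norm.rsplit("\\", 1)[1]
        base = baseline.get(norm)
        if norm.endswith(r"\Explorer\Advanced\HideFileExt") and data == 1:
            findings.append(("T1564.001", "Hidden Files and Directories", key, data))
        elif norm.endswith(r"\Explorer\Advanced\ShowSuperHidden") and data == 0:
            findings.append(("T1564.001", "Hidden Files and Directories", key, data))
        elif "\\Security Center\\" in norm and name.endswith(("DisableNotify", "Override")) and data == 1:
            findings.append(("T1562.001", "Disable or Modify Tools", key, data))
        elif name == "DisableRegistryTools" and data != 0:
            findings.append(("T1562.001", "Disable or Modify Tools", key, data))
        elif "\\Winlogon\\" in norm and data != base:          # Shell/Userinit changed from baseline
            findings.append(("T1547.004", "Winlogon Helper DLL", key, data))
        elif "\\CurrentVersion\\Run\\" in norm and data != base:  # Run entry absent from or changed vs baseline
            findings.append(("T1547.001", "Registry Run Keys / Startup Folder", key, data))
    return findings


def by_technique(findings):
    """Count findings per ATT&CK technique id."""
    return Counter(tid for tid, *_ in findings)


if __name__ == "__main__":
    for tid, name, key, data in audit(INFECTED, CLEAN):
        print(f"{tid} {name:36} {key} = {data!r}")
    print(dict(by_technique(audit(INFECTED, CLEAN))))
```

The Run-key rule is deliberately baseline-driven rather than path-driven: the persistence binary here sits in C:\Windows\SysWOW64, which a "trusted directory" allowlist would wave through.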
Downloads
- Filesize: 255KB
  MD5: f4c7db31d9b6137c80a577f6d8768ca2
  SHA1: 9ce05dc1925759aff85c19f936a51f43c7a23876
  SHA256: c3cb8fa74720726c2f6f68daec6e9701db409fd629145c9c0d9a0b0829c5ef5a
  SHA512: aad6208961e20ab5a0ded98d459aec2f8fcd1e972f96fabb21b7112d685bf5a2522f08454407f55c05f7e82d26e496048822b4f76ec4704e3843ad2ec492bf7a
- Filesize: 255KB
  MD5: a735fd77ba5b290343b200318b81acf8
  SHA1: f2bf7cd0f5a4138c7110ccb6d6d6f97a48d31f5c
  SHA256: 450e532532b981fc71c5926c6953f1831f307bcacde1ccd672e025211e9854ad
  SHA512: dcdee2474c3cbacd7e50ce5df5ca2667fcb4b4e147dc7fa0bd99c5e3028a11ba5078c4f6ae3624a00415314b059f3dc080b0911b3631c75fdeb2d6af301fd40d
- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: a71e760d84bc23079da31043dbaab7b8
  SHA1: 155b6a31dc8fa2408e09a433de4211c67da10d2f
  SHA256: 635647c8abfaa74742718aa57decc0448e758d6c94a19833a264534c97a780e2
  SHA512: 57a6a7c872014169f50b6e2aa069b072747b73dd939b5a52fd95a5cb47cc03799892e012fba9014b7dbd5747665719b187cabe13a4b51a6f2bd4c8177039662f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 14d52bbb4ca01dfc910cdc70dd214b2d
  SHA1: 8ba330dda928493792760853e438c018585d4a85
  SHA256: 7ac52d2a8e182093d0f27b79076be45dc79a7f9cf17bd7540a8aed07abe1a774
  SHA512: ee61ee1783bf5665714785daa4c69eeb577d695303a6ffdb73fc4f5fe47dd3f8330bcedbc8aa28760a79abcf158d8a7ce4677bf80a95f1ec724bbeef17b34bd3
- Filesize: 255KB
  MD5: 0fb94a3d3f3d8070722b254d097e0123
  SHA1: e23021a79c84aad7d5b8146772c9a67b4fcc372b
  SHA256: cc4d40de2f18bd0e077f48521f60c9b6effdc066f7de563c7154bb5fb16b74b6
  SHA512: 8fed66f750206a314cc2c3368e5bcbf950781faf463d4c848dacc26cfe313f20065dbd28b9379d1e489b0ce84e8cc212cd494d5d2167f0e3949cdfd57ce09400
- Filesize: 255KB
  MD5: e762c9501b89d584dd0352f5c1434752
  SHA1: 134841f601a1fac341a45f93442590c91640e37e
  SHA256: 892092295d237d7def93a19f6fd17f03397c108795b2e8fc889c67dbd6829c1a
  SHA512: 7e2e7abc335c725aa901505bbc3237a0f44159cb6d4afec9fac4243013aa23df7a805434394a3807ed7d92d402f1a6b95ceff72ba239d522be6416ba3f0a9456
- Filesize: 255KB
  MD5: 166ae8116e0e87f82f977ca1dce573b8
  SHA1: c2cd1996ebfa7ddbac1d6984f56173257c16ce64
  SHA256: bfeeae9bbaa2dc516818e6a0a529c7d8bd7ceff9a8e94dd62203a29079d605c7
  SHA512: f4e09a684037499d9eed00ef9644157d4f29baa0208f41924628c1effb4439549e6e500f32d431d68a4b1122443e8f022acfe239802c22729dc8d422def44778
- Filesize: 255KB
  MD5: c7186913c581ae4341dac72815742275
  SHA1: 1aeada359919d177746d699df5684eae15cced19
  SHA256: 6a83faba8e326ac8818861bcdc702d24329f174b8bfb6e8b0ea22b1ee7a534ad
  SHA512: c9b7742e9da6a6c933d24080f83b7e7a79509cc32b0880301bd368415d4e672a706484e3d56a000d89533702820522f2b765eccfcfd16c4160e70e170187b7c2
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 255KB
  MD5: 26afcaec18de51eb2035c52b9c858cce
  SHA1: 81155f1d97fcf8b4455b09c9d3b6106f2b97020c
  SHA256: 132e3f1bcce3cdf3d652a0a3ad4138dbf1551083c1c6d6c453df9e26703935ab
  SHA512: 3f68f09e5c616909ce225d5cb548b2f23b2035c066ad0534564196b45bbb7eed9d46ac5abab29b1e6d7647ec9be644a99ce811f9e3b9ec5790e73979282305b6
- Filesize: 255KB
  MD5: d6353c59909eb38c6f5810b752357163
  SHA1: 9f01da1c19e2096733595a20b23b035055d32714
  SHA256: cfdef5766873fb82107f1e7412deaa87440f36ee97931ee5adf3461b1d15735c
  SHA512: 708e18cff04e38fa04e8259dd0164c8ad897bf17bb096f1f1eff8e0eea724f973ea4e90215c2be77c05300a1b7eca1046f0224fb12d8a3ecc9f72ecd5488059a
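Two things in the dropped-file list are worth pulling out before any of these hashes go into a blocklist: the customDestinations-ms jump-list file appears twice with different digests, so it was rewritten during the run and a single hash of it is not a stable indicator, and eight of the twelve entries are exactly 255KB, the same size as the submitted sample, which is consistent with the dropped executables being copies of the original. The Python below is an added example, not tria.ge code, that parses an excerpt of this block in the flattened form it arrives in (algorithm names fused onto the hex, "Filesize" sometimes fused onto its value), validates digest lengths, finds rewritten paths, clusters by size and emits only fully validated SHA256 values. The final record in the embedded data is constructed and deliberately truncated to exercise the validation path; it is not on the page.

```python
import re
from collections import Counter, defaultdict

# Excerpt of the report's "Downloads" block, flattened as on the page. The last
# record is constructed (truncated SHA256, no other digests) and not from the report.
DOWNLOADS = r"""
-
Filesize
255KB
MD5f4c7db31d9b6137c80a577f6d8768ca2
SHA19ce05dc1925759aff85c19f936a51f43c7a23876
SHA256c3cb8fa74720726c2f6f68daec6e9701db409fd629145c9c0d9a0b0829c5ef5a
SHA512aad6208961e20ab5a0ded98d459aec2f8fcd1e972f96fabb21b7112d685bf5a2522f08454407f55c05f7e82d26e496048822b4f76ec4704e3843ad2ec492bf7a
-
Filesize
239B
MD512b138a5a40ffb88d1850866bf2959cd
SHA157001ba2de61329118440de3e9f8a81074cb28a2
SHA2569def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA5129f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD5a71e760d84bc23079da31043dbaab7b8
SHA1155b6a31dc8fa2408e09a433de4211c67da10d2f
SHA256635647c8abfaa74742718aa57decc0448e758d6c94a19833a264534c97a780e2
SHA51257a6a7c872014169f50b6e2aa069b072747b73dd939b5a52fd95a5cb47cc03799892e012fba9014b7dbd5747665719b187cabe13a4b51a6f2bd4c8177039662f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD514d52bbb4ca01dfc910cdc70dd214b2d
SHA18ba330dda928493792760853e438c018585d4a85
SHA2567ac52d2a8e182093d0f27b79076be45dc79a7f9cf17bd7540a8aed07abe1a774
SHA512ee61ee1783bf5665714785daa4c69eeb577d695303a6ffdb73fc4f5fe47dd3f8330bcedbc8aa28760a79abcf158d8a7ce4677bf80a95f1ec724bbeef17b34bd3
-
Filesize
255KB
MD50fb94a3d3f3d8070722b254d097e0123
SHA1e23021a79c84aad7d5b8146772c9a67b4fcc372b
SHA256cc4d40de2f18bd0e077f48521f60c9b6effdc066f7de563c7154bb5fb16b74b6
SHA5128fed66f750206a314cc2c3368e5bcbf950781faf463d4c848dacc26cfe313f20065dbd28b9379d1e489b0ce84e8cc212cd494d5d2167f0e3949cdfd57ce09400
-
Filesize
255KB
SHA256c3cb8fa74720726c2f6f68daec6e9701db409fd629145c9c0d9a0b0829c5
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest names first, otherwise "SHA512..." would match as SHA1 followed by hex.
DIGEST_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Split the flattened block into dicts: {path, size, hashes{algo: hex}}."""
    entries, cur, expect_size = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                        # each record starts with a bare dash
            cur = {"path": None, "size": None, "hashes": {}}
            entries.append(cur)
            expect_size = False
        elif cur is None or not line:
            continue
        elif expect_size:                      # value on the line after "Filesize"
            cur["size"], expect_size = line, False
        elif line == "Filesize":
            expect_size = True
        elif line.startswith("Filesize"):      # fused form, e.g. "Filesize3KB"
            cur["size"] = line[len("Filesize"):]
        elif re.match(r"^[A-Za-z]:\\", line):
            cur["path"] = line
        elif (m := DIGEST_RE.match(line)):
            cur["hashes"][m.group(1)] = m.group(2).lower()
    return entries


def validate(entry):
    """Return the list of problems with an entry's digests (empty if usable)."""
    problems = []
    for algo, length in HASH_LEN.items():
        digest = entry["hashes"].get(algo)
        if digest is None:
            problems.append(f"missing {algo}")
        elif len(digest) != length:
            problems.append(f"{algo} has {len(digest)} hex digits, expected {length}")
    return problems


def rewritten_paths(entries):
    """Paths listed with more than one SHA256: the file changed during the run."""
    seen = defaultdict(set)
    for e in entries:
        if e["path"] and "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def size_histogram(entries):
    """Entries per reported size; a cluster at one size hints at copies of one binary."""
    return Counter(e["size"] for e in entries)


def sha256_blocklist(entries):
    """SHA256 values from fully validated entries only, ready for a hash blocklist."""
    return sorted({e["hashes"]["SHA256"] for e in entries if not validate(e)})
```

Paths that the report does not show stay as None rather than being guessed; the rewritten-path check therefore only sees entries that carry a path, which on this page is the jump-list file alone.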