Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2024 23:47
Static task: static1
Behavioral task: behavioral1
  Sample: bd1dfe454660f2d6c0b276c6ea85a905.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bd1dfe454660f2d6c0b276c6ea85a905.exe
  Resource: win10v2004-20240226-en
General
Target: bd1dfe454660f2d6c0b276c6ea85a905.exe
Size: 512KB
MD5: bd1dfe454660f2d6c0b276c6ea85a905
SHA1: 8e0e3c6518cf76d0771b62d24fc69102a414c90d
SHA256: d5443762381648fdc483d3dbc594deee17d74a1b987c05e9002fd5603ab51be8
SHA512: 02e979d868229c157c11316d0bcfde04b551d43b3cf61e656f6b2dd70b98227f4646cdc9280154761a42d6e36a17b93111133aad000ec37062e8292345e60bc7
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mkrbnpiigq.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mkrbnpiigq.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mkrbnpiigq.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mkrbnpiigq.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | bd1dfe454660f2d6c0b276c6ea85a905.exe
Executes dropped EXE (5 IoCs)
pid | Process
2476 | mkrbnpiigq.exe
1384 | lvyxssrugizcprb.exe
1668 | dberrhva.exe
1552 | icqxbnfipppwv.exe
4404 | dberrhva.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mkrbnpiigq.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ywkhjavp = "mkrbnpiigq.exe" | lvyxssrugizcprb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kccqbgno = "lvyxssrugizcprb.exe" | lvyxssrugizcprb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "icqxbnfipppwv.exe" | lvyxssrugizcprb.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\i: | dberrhva.exe
File opened (read-only) | \??\s: | dberrhva.exe
File opened (read-only) | \??\z: | mkrbnpiigq.exe
File opened (read-only) | \??\p: | dberrhva.exe
File opened (read-only) | \??\l: | dberrhva.exe
File opened (read-only) | \??\r: | dberrhva.exe
File opened (read-only) | \??\x: | dberrhva.exe
File opened (read-only) | \??\n: | dberrhva.exe
File opened (read-only) | \??\w: | mkrbnpiigq.exe
File opened (read-only) | \??\i: | dberrhva.exe
File opened (read-only) | \??\s: | dberrhva.exe
File opened (read-only) | \??\k: | dberrhva.exe
File opened (read-only) | \??\o: | mkrbnpiigq.exe
File opened (read-only) | \??\p: | mkrbnpiigq.exe
File opened (read-only) | \??\h: | dberrhva.exe
File opened (read-only) | \??\w: | dberrhva.exe
File opened (read-only) | \??\j: | mkrbnpiigq.exe
File opened (read-only) | \??\b: | dberrhva.exe
File opened (read-only) | \??\e: | dberrhva.exe
File opened (read-only) | \??\k: | dberrhva.exe
File opened (read-only) | \??\m: | dberrhva.exe
File opened (read-only) | \??\r: | dberrhva.exe
File opened (read-only) | \??\a: | dberrhva.exe
File opened (read-only) | \??\a: | mkrbnpiigq.exe
File opened (read-only) | \??\z: | dberrhva.exe
File opened (read-only) | \??\b: | dberrhva.exe
File opened (read-only) | \??\v: | dberrhva.exe
File opened (read-only) | \??\t: | dberrhva.exe
File opened (read-only) | \??\y: | mkrbnpiigq.exe
File opened (read-only) | \??\j: | dberrhva.exe
File opened (read-only) | \??\j: | dberrhva.exe
File opened (read-only) | \??\r: | mkrbnpiigq.exe
File opened (read-only) | \??\l: | mkrbnpiigq.exe
File opened (read-only) | \??\a: | dberrhva.exe
File opened (read-only) | \??\y: | dberrhva.exe
File opened (read-only) | \??\b: | mkrbnpiigq.exe
File opened (read-only) | \??\h: | dberrhva.exe
File opened (read-only) | \??\u: | dberrhva.exe
File opened (read-only) | \??\t: | dberrhva.exe
File opened (read-only) | \??\u: | dberrhva.exe
File opened (read-only) | \??\g: | mkrbnpiigq.exe
File opened (read-only) | \??\t: | mkrbnpiigq.exe
File opened (read-only) | \??\g: | dberrhva.exe
File opened (read-only) | \??\w: | dberrhva.exe
File opened (read-only) | \??\y: | dberrhva.exe
File opened (read-only) | \??\g: | dberrhva.exe
File opened (read-only) | \??\m: | dberrhva.exe
File opened (read-only) | \??\k: | mkrbnpiigq.exe
File opened (read-only) | \??\q: | mkrbnpiigq.exe
File opened (read-only) | \??\u: | mkrbnpiigq.exe
File opened (read-only) | \??\x: | mkrbnpiigq.exe
File opened (read-only) | \??\l: | dberrhva.exe
File opened (read-only) | \??\n: | dberrhva.exe
File opened (read-only) | \??\q: | dberrhva.exe
File opened (read-only) | \??\h: | mkrbnpiigq.exe
File opened (read-only) | \??\x: | dberrhva.exe
File opened (read-only) | \??\s: | mkrbnpiigq.exe
File opened (read-only) | \??\m: | mkrbnpiigq.exe
File opened (read-only) | \??\n: | mkrbnpiigq.exe
File opened (read-only) | \??\v: | mkrbnpiigq.exe
File opened (read-only) | \??\o: | dberrhva.exe
File opened (read-only) | \??\e: | dberrhva.exe
File opened (read-only) | \??\o: | dberrhva.exe
File opened (read-only) | \??\z: | dberrhva.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mkrbnpiigq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mkrbnpiigq.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3568-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000800000002320e-5.dat | autoit_exe
behavioral2/files/0x000a000000023207-18.dat | autoit_exe
behavioral2/files/0x0007000000023213-32.dat | autoit_exe
behavioral2/files/0x0007000000023212-28.dat | autoit_exe
behavioral2/files/0x0009000000022b64-84.dat | autoit_exe
behavioral2/files/0x000500000002303f-90.dat | autoit_exe
behavioral2/files/0x00090000000230e7-96.dat | autoit_exe
behavioral2/files/0x0007000000023236-115.dat | autoit_exe
behavioral2/files/0x0007000000023236-120.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\dberrhva.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File opened for modification | C:\Windows\SysWOW64\dberrhva.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File opened for modification | C:\Windows\SysWOW64\icqxbnfipppwv.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | dberrhva.exe
File created | C:\Windows\SysWOW64\mkrbnpiigq.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File opened for modification | C:\Windows\SysWOW64\mkrbnpiigq.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File created | C:\Windows\SysWOW64\lvyxssrugizcprb.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File opened for modification | C:\Windows\SysWOW64\lvyxssrugizcprb.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File created | C:\Windows\SysWOW64\icqxbnfipppwv.exe | bd1dfe454660f2d6c0b276c6ea85a905.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mkrbnpiigq.exe
Drops file in Program Files directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | dberrhva.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dberrhva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dberrhva.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | dberrhva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | dberrhva.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dberrhva.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dberrhva.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | dberrhva.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | bd1dfe454660f2d6c0b276c6ea85a905.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | dberrhva.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dberrhva.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | dberrhva.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B1284792389952CCBAA13393D7BC" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FFFF4F5882199141D7297D93BDE4E632584766476242D6E9" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60B15E1DBC5B8BD7CE3ED9034C6" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mkrbnpiigq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mkrbnpiigq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mkrbnpiigq.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9F9C9FE64F29184083A4281993E94B08802FD4262033AE2CE459B08A8" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mkrbnpiigq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mkrbnpiigq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mkrbnpiigq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mkrbnpiigq.exe
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mkrbnpiigq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mkrbnpiigq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mkrbnpiigq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0A9D5283226A3277D0702F2CD77DF265D8" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168B2FE6F21D0D27AD0D68B7F906A" | bd1dfe454660f2d6c0b276c6ea85a905.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mkrbnpiigq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mkrbnpiigq.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | entries
1080 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries (consecutive repeats collapsed, original order kept)
3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 16
2476 | mkrbnpiigq.exe | 10
1384 | lvyxssrugizcprb.exe | 8
1668 | dberrhva.exe | 8
1552 | icqxbnfipppwv.exe | 12
1384 | lvyxssrugizcprb.exe | 2
4404 | dberrhva.exe | 8
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | entries (consecutive repeats collapsed, original order kept)
3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 3
2476 | mkrbnpiigq.exe | 3
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
4404 | dberrhva.exe | 3
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | entries (consecutive repeats collapsed, original order kept)
3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 3
2476 | mkrbnpiigq.exe | 3
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
1384 | lvyxssrugizcprb.exe | 1
1668 | dberrhva.exe | 1
1552 | icqxbnfipppwv.exe | 1
4404 | dberrhva.exe | 3
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | entries
1080 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | entries
PID 3568 wrote to memory of 2476 | 3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 87 | 3
PID 3568 wrote to memory of 1384 | 3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 88 | 3
PID 3568 wrote to memory of 1668 | 3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 89 | 3
PID 3568 wrote to memory of 1552 | 3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 90 | 3
PID 3568 wrote to memory of 1080 | 3568 | bd1dfe454660f2d6c0b276c6ea85a905.exe | 92 | 2
PID 2476 wrote to memory of 4404 | 2476 | mkrbnpiigq.exe | 94 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\bd1dfe454660f2d6c0b276c6ea85a905.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\bd1dfe454660f2d6c0b276c6ea85a905.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3568
  C:\Windows\SysWOW64\mkrbnpiigq.exe (level 2)
  Command line: mkrbnpiigq.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2476
    C:\Windows\SysWOW64\dberrhva.exe (level 3)
    Command line: C:\Windows\system32\dberrhva.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4404
  C:\Windows\SysWOW64\lvyxssrugizcprb.exe (level 2)
  Command line: lvyxssrugizcprb.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1384
  C:\Windows\SysWOW64\dberrhva.exe (level 2)
  Command line: dberrhva.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1668
  C:\Windows\SysWOW64\icqxbnfipppwv.exe (level 2)
  Command line: icqxbnfipppwv.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1552
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1080
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads