Analysis
max time kernel: 154s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/03/2024, 17:32
Behavioral task: behavioral1
Sample: 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Resource: win7-20240221-en
General
Target: 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Size: 255KB
MD5: bae00936118355f5ef9020b9d3e3b142
SHA1: 01a69e2a9379691fcfb57c1ebda86e00cd56f1d8
SHA256: 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d
SHA512: 1c742f7736e15e0d82f8d9f532bba0f4642f2c42e80a89d35810977607892d63d240a78b9f737a2ac9eba965422f18412361e1fd3a117edf57aff82348196bab
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJI:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIl
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wcthgghaal.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wcthgghaal.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcthgghaal.exe
UPX dump on OEP (original entry point), 64 IoCs
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcthgghaal.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Executes dropped EXE (5 IoCs)
pid | Process
3640 | wcthgghaal.exe
4824 | jsfnmymbrevouxi.exe
2700 | aawililx.exe
3348 | ncuxxjdnxgyyp.exe
232 | aawililx.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcthgghaal.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qmexsuqr = "wcthgghaal.exe" | jsfnmymbrevouxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xmzypsxg = "jsfnmymbrevouxi.exe" | jsfnmymbrevouxi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ncuxxjdnxgyyp.exe" | jsfnmymbrevouxi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\r: | aawililx.exe
File opened (read-only) | \??\y: | wcthgghaal.exe
File opened (read-only) | \??\i: | aawililx.exe
File opened (read-only) | \??\u: | wcthgghaal.exe
File opened (read-only) | \??\z: | aawililx.exe
File opened (read-only) | \??\i: | wcthgghaal.exe
File opened (read-only) | \??\o: | wcthgghaal.exe
File opened (read-only) | \??\t: | aawililx.exe
File opened (read-only) | \??\e: | wcthgghaal.exe
File opened (read-only) | \??\l: | aawililx.exe
File opened (read-only) | \??\o: | aawililx.exe
File opened (read-only) | \??\w: | aawililx.exe
File opened (read-only) | \??\x: | aawililx.exe
File opened (read-only) | \??\y: | aawililx.exe
File opened (read-only) | \??\a: | wcthgghaal.exe
File opened (read-only) | \??\n: | wcthgghaal.exe
File opened (read-only) | \??\b: | aawililx.exe
File opened (read-only) | \??\j: | aawililx.exe
File opened (read-only) | \??\p: | aawililx.exe
File opened (read-only) | \??\r: | wcthgghaal.exe
File opened (read-only) | \??\x: | wcthgghaal.exe
File opened (read-only) | \??\a: | aawililx.exe
File opened (read-only) | \??\x: | aawililx.exe
File opened (read-only) | \??\p: | aawililx.exe
File opened (read-only) | \??\g: | wcthgghaal.exe
File opened (read-only) | \??\k: | aawililx.exe
File opened (read-only) | \??\n: | aawililx.exe
File opened (read-only) | \??\u: | aawililx.exe
File opened (read-only) | \??\q: | aawililx.exe
File opened (read-only) | \??\l: | wcthgghaal.exe
File opened (read-only) | \??\o: | aawililx.exe
File opened (read-only) | \??\j: | aawililx.exe
File opened (read-only) | \??\v: | aawililx.exe
File opened (read-only) | \??\m: | aawililx.exe
File opened (read-only) | \??\z: | wcthgghaal.exe
File opened (read-only) | \??\v: | wcthgghaal.exe
File opened (read-only) | \??\v: | aawililx.exe
File opened (read-only) | \??\q: | wcthgghaal.exe
File opened (read-only) | \??\e: | aawililx.exe
File opened (read-only) | \??\g: | aawililx.exe
File opened (read-only) | \??\k: | wcthgghaal.exe
File opened (read-only) | \??\g: | aawililx.exe
File opened (read-only) | \??\w: | aawililx.exe
File opened (read-only) | \??\a: | aawililx.exe
File opened (read-only) | \??\b: | wcthgghaal.exe
File opened (read-only) | \??\r: | aawililx.exe
File opened (read-only) | \??\m: | aawililx.exe
File opened (read-only) | \??\n: | aawililx.exe
File opened (read-only) | \??\u: | aawililx.exe
File opened (read-only) | \??\h: | aawililx.exe
File opened (read-only) | \??\l: | aawililx.exe
File opened (read-only) | \??\z: | aawililx.exe
File opened (read-only) | \??\e: | aawililx.exe
File opened (read-only) | \??\s: | aawililx.exe
File opened (read-only) | \??\s: | aawililx.exe
File opened (read-only) | \??\t: | aawililx.exe
File opened (read-only) | \??\p: | wcthgghaal.exe
File opened (read-only) | \??\q: | aawililx.exe
File opened (read-only) | \??\h: | wcthgghaal.exe
File opened (read-only) | \??\m: | wcthgghaal.exe
File opened (read-only) | \??\y: | aawililx.exe
File opened (read-only) | \??\i: | aawililx.exe
File opened (read-only) | \??\k: | aawililx.exe
File opened (read-only) | \??\t: | wcthgghaal.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wcthgghaal.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wcthgghaal.exe
AutoIT Executable (58 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wcthgghaal.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | aawililx.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | aawililx.exe
File created | C:\Windows\SysWOW64\aawililx.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | C:\Windows\SysWOW64\aawililx.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | C:\Windows\SysWOW64\ncuxxjdnxgyyp.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | C:\Windows\SysWOW64\jsfnmymbrevouxi.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File created | C:\Windows\SysWOW64\ncuxxjdnxgyyp.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | aawililx.exe
File created | C:\Windows\SysWOW64\wcthgghaal.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | C:\Windows\SysWOW64\wcthgghaal.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File created | C:\Windows\SysWOW64\jsfnmymbrevouxi.exe | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | aawililx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | aawililx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | aawililx.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | aawililx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | aawililx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | aawililx.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | aawililx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | aawililx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | aawililx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | aawililx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | aawililx.exe
File opened for modification | C:\Windows\mydoc.rtf | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | aawililx.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | aawililx.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | aawililx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFFFF4F5C82199030D72D7D91BDE3E6435940664E6237D6EB" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C7B9D2D83576A4476D7702E2CDF7D8F64AC" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | wcthgghaal.exe
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C67C1491DBB2B9BB7FE7EC9634CE" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | wcthgghaal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CEF96BF197837D3A3186963993B38D02F142150349E2CB45E808A3" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB12B449039EB53B9BAA23299D4CE" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB8FE1822D0D173D1D28B789013" | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | wcthgghaal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wcthgghaal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | wcthgghaal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wcthgghaal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | wcthgghaal.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1636 | WINWORD.EXE
1636 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
2116 | 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
4824 | jsfnmymbrevouxi.exe
3640 | wcthgghaal.exe
4824 | jsfnmymbrevouxi.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
3640 | wcthgghaal.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
2700 | aawililx.exe
2700 | aawililx.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
3348 | ncuxxjdnxgyyp.exe
2700 | aawililx.exe
2700 | aawililx.exe
2700 | aawililx.exe
2700 | aawililx.exe
2700 | aawililx.exe
2700 | aawililx.exe
4824 | jsfnmymbrevouxi.exe
4824 | jsfnmymbrevouxi.exe
232 | aawililx.exe
232 | aawililx.exe
232 | aawililx.exe
232 | aawililx.exe
232 | aawililx.exe
232 | aawililx.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
- 2116 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
- 3640 wcthgghaal.exe
- 4824 jsfnmymbrevouxi.exe
- 3348 ncuxxjdnxgyyp.exe
- 2700 aawililx.exe
- 232 aawililx.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
- 2116 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe
- 3640 wcthgghaal.exe
- 4824 jsfnmymbrevouxi.exe
- 3348 ncuxxjdnxgyyp.exe
- 2700 aawililx.exe
- 232 aawililx.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
- 1636 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
- PID 2116 wrote to memory of 3640 (pid 2116, 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe, procid_target 87)
- PID 2116 wrote to memory of 4824 (pid 2116, 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe, procid_target 88)
- PID 2116 wrote to memory of 2700 (pid 2116, 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe, procid_target 89)
- PID 2116 wrote to memory of 3348 (pid 2116, 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe, procid_target 90)
- PID 2116 wrote to memory of 1636 (pid 2116, 026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe, procid_target 91)
- PID 3640 wrote to memory of 232 (pid 3640, wcthgghaal.exe, procid_target 93)
Processes
- C:\Users\Admin\AppData\Local\Temp\026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe (level 1, PID 2116)
  Command line: "C:\Users\Admin\AppData\Local\Temp\026776da8d8f38b8ba2e3277afde6ca6517e6374f28c9bda3b6cbc97f1db023d.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\wcthgghaal.exe (level 2, PID 3640)
    Command line: wcthgghaal.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\aawililx.exe (level 3, PID 232)
      Command line: C:\Windows\system32\aawililx.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jsfnmymbrevouxi.exe (level 2, PID 4824)
    Command line: jsfnmymbrevouxi.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\aawililx.exe (level 2, PID 2700)
    Command line: aawililx.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\ncuxxjdnxgyyp.exe (level 2, PID 3348)
    Command line: ncuxxjdnxgyyp.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 1636)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads