Analysis
-
max time kernel
151s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
10/03/2024, 13:11
Static task
static1
Behavioral task
behavioral1
Sample
beb0ce0ae439be0520015a4d5360f26b.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
beb0ce0ae439be0520015a4d5360f26b.exe
Resource
win10v2004-20240226-en
General
-
Target
beb0ce0ae439be0520015a4d5360f26b.exe
-
Size
512KB
-
MD5
beb0ce0ae439be0520015a4d5360f26b
-
SHA1
22c23fac685196f5ce36f742542729eebd309445
-
SHA256
b0da068cbcccf587b4f6f6f7fa90e23ef7a7c559b17ca0368463fec8244ef4fe
-
SHA512
16487cca3afe3f5773c76d5c6a81f01d96c32b6fa8522644a928a0b8c5126ab9440594e37dfa723e56bade83b753eb6e9e87e16086e87d65a5df3d0f790b5ef7
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6o:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ujpgtmebeq.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ujpgtmebeq.exe -
Windows security bypass 5 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ujpgtmebeq.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ujpgtmebeq.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation beb0ce0ae439be0520015a4d5360f26b.exe -
Executes dropped EXE 5 IoCs
pid Process 1648 ujpgtmebeq.exe 4868 tdbkovmfazwknoy.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1212 oqorprjq.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ujpgtmebeq.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsakjhzh = "ujpgtmebeq.exe" tdbkovmfazwknoy.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opvttrbu = "tdbkovmfazwknoy.exe" tdbkovmfazwknoy.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aodskcqcoxcwt.exe" tdbkovmfazwknoy.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\b: oqorprjq.exe File opened (read-only) \??\t: oqorprjq.exe File opened (read-only) \??\v: oqorprjq.exe File opened (read-only) \??\r: ujpgtmebeq.exe File opened (read-only) \??\g: oqorprjq.exe File opened (read-only) \??\n: oqorprjq.exe File opened (read-only) \??\u: oqorprjq.exe File opened (read-only) \??\s: oqorprjq.exe File opened (read-only) \??\b: ujpgtmebeq.exe File opened (read-only) \??\i: ujpgtmebeq.exe File opened (read-only) \??\o: ujpgtmebeq.exe File opened (read-only) \??\z: oqorprjq.exe File opened (read-only) \??\a: oqorprjq.exe File opened (read-only) \??\p: ujpgtmebeq.exe File opened (read-only) \??\x: ujpgtmebeq.exe File opened (read-only) \??\g: ujpgtmebeq.exe File opened (read-only) \??\a: oqorprjq.exe File opened (read-only) \??\a: ujpgtmebeq.exe File opened (read-only) \??\m: ujpgtmebeq.exe File opened (read-only) \??\p: oqorprjq.exe File opened (read-only) \??\u: oqorprjq.exe File opened (read-only) \??\g: oqorprjq.exe File opened (read-only) \??\j: oqorprjq.exe File opened (read-only) \??\u: ujpgtmebeq.exe File opened (read-only) \??\w: ujpgtmebeq.exe File opened (read-only) \??\s: oqorprjq.exe File opened (read-only) \??\b: oqorprjq.exe File opened (read-only) \??\i: oqorprjq.exe File opened (read-only) \??\n: ujpgtmebeq.exe File opened (read-only) \??\i: oqorprjq.exe File opened (read-only) \??\r: oqorprjq.exe File opened (read-only) \??\w: oqorprjq.exe File opened (read-only) \??\s: ujpgtmebeq.exe File opened (read-only) \??\z: ujpgtmebeq.exe File opened (read-only) \??\e: oqorprjq.exe File opened (read-only) \??\k: oqorprjq.exe File opened (read-only) \??\o: oqorprjq.exe File opened (read-only) \??\j: oqorprjq.exe File opened (read-only) \??\q: oqorprjq.exe File opened (read-only) \??\e: oqorprjq.exe File opened (read-only) \??\q: oqorprjq.exe File opened (read-only) \??\l: oqorprjq.exe File opened (read-only) \??\h: ujpgtmebeq.exe File opened (read-only) \??\t: ujpgtmebeq.exe File opened (read-only) \??\v: ujpgtmebeq.exe File opened (read-only) \??\m: oqorprjq.exe File opened (read-only) \??\t: oqorprjq.exe File opened (read-only) \??\m: oqorprjq.exe File opened (read-only) \??\n: oqorprjq.exe File opened (read-only) \??\p: oqorprjq.exe File opened (read-only) \??\k: ujpgtmebeq.exe File opened (read-only) \??\l: ujpgtmebeq.exe File opened (read-only) \??\q: ujpgtmebeq.exe File opened (read-only) \??\l: oqorprjq.exe File opened (read-only) \??\v: oqorprjq.exe File opened (read-only) \??\x: oqorprjq.exe File opened (read-only) \??\e: ujpgtmebeq.exe File opened (read-only) \??\y: ujpgtmebeq.exe File opened (read-only) \??\h: oqorprjq.exe File opened (read-only) \??\w: oqorprjq.exe File opened (read-only) \??\r: oqorprjq.exe File opened (read-only) \??\x: oqorprjq.exe File opened (read-only) \??\y: oqorprjq.exe File opened (read-only) \??\o: oqorprjq.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ujpgtmebeq.exe -
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/3368-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0008000000023201-7.dat autoit_exe behavioral2/files/0x00090000000231fe-18.dat autoit_exe behavioral2/files/0x0007000000023205-29.dat autoit_exe behavioral2/files/0x0007000000023206-31.dat autoit_exe behavioral2/files/0x0007000000023218-70.dat autoit_exe behavioral2/files/0x0007000000023219-73.dat autoit_exe behavioral2/files/0x000b00000002321d-99.dat autoit_exe behavioral2/files/0x000700000002323e-102.dat autoit_exe behavioral2/files/0x000700000002323e-109.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\oqorprjq.exe beb0ce0ae439be0520015a4d5360f26b.exe File created C:\Windows\SysWOW64\ujpgtmebeq.exe beb0ce0ae439be0520015a4d5360f26b.exe File created C:\Windows\SysWOW64\tdbkovmfazwknoy.exe beb0ce0ae439be0520015a4d5360f26b.exe File opened for modification C:\Windows\SysWOW64\tdbkovmfazwknoy.exe beb0ce0ae439be0520015a4d5360f26b.exe File opened for modification C:\Windows\SysWOW64\aodskcqcoxcwt.exe beb0ce0ae439be0520015a4d5360f26b.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ujpgtmebeq.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe oqorprjq.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe oqorprjq.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe oqorprjq.exe File opened for modification C:\Windows\SysWOW64\ujpgtmebeq.exe beb0ce0ae439be0520015a4d5360f26b.exe File opened for modification C:\Windows\SysWOW64\oqorprjq.exe beb0ce0ae439be0520015a4d5360f26b.exe File created C:\Windows\SysWOW64\aodskcqcoxcwt.exe beb0ce0ae439be0520015a4d5360f26b.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe oqorprjq.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe oqorprjq.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal oqorprjq.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe oqorprjq.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe oqorprjq.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe oqorprjq.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf beb0ce0ae439be0520015a4d5360f26b.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ujpgtmebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ujpgtmebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ujpgtmebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ujpgtmebeq.exe Key created \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32462C0D9D5083586D4176DD70232CDC7DF465D8" beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668B6FE1C21AAD27AD0A68B089162" beb0ce0ae439be0520015a4d5360f26b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ujpgtmebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ujpgtmebeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ujpgtmebeq.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B02B47E1389952CEB9D0329FD4BC" beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF88485F82129133D75D7E94BDEEE13D583067446242D690" beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC70E14E4DBBFB9C07FE6EDE737CC" beb0ce0ae439be0520015a4d5360f26b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FAB0F916F192837F3A4786963997B08E03FE42160332E1BF42EF09A3" beb0ce0ae439be0520015a4d5360f26b.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2308 WINWORD.EXE 2308 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 4668 aodskcqcoxcwt.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 1684 oqorprjq.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 3368 beb0ce0ae439be0520015a4d5360f26b.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 1648 ujpgtmebeq.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 4868 tdbkovmfazwknoy.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1684 oqorprjq.exe 4668 aodskcqcoxcwt.exe 1212 oqorprjq.exe 1212 oqorprjq.exe 1212 oqorprjq.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2308 WINWORD.EXE 2308 WINWORD.EXE 2308 WINWORD.EXE 2308 WINWORD.EXE 2308 WINWORD.EXE 2308 WINWORD.EXE 2308 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3368 wrote to memory of 1648 3368 beb0ce0ae439be0520015a4d5360f26b.exe 89 PID 3368 wrote to memory of 1648 3368 beb0ce0ae439be0520015a4d5360f26b.exe 89 PID 3368 wrote to memory of 1648 3368 beb0ce0ae439be0520015a4d5360f26b.exe 89 PID 3368 wrote to memory of 4868 3368 beb0ce0ae439be0520015a4d5360f26b.exe 90 PID 3368 wrote to memory of 4868 3368 beb0ce0ae439be0520015a4d5360f26b.exe 90 PID 3368 wrote to memory of 4868 3368 beb0ce0ae439be0520015a4d5360f26b.exe 90 PID 3368 wrote to memory of 1684 3368 beb0ce0ae439be0520015a4d5360f26b.exe 91 PID 3368 wrote to memory of 1684 3368 beb0ce0ae439be0520015a4d5360f26b.exe 91 PID 3368 wrote to memory of 1684 3368 beb0ce0ae439be0520015a4d5360f26b.exe 91 PID 3368 wrote to memory of 4668 3368 beb0ce0ae439be0520015a4d5360f26b.exe 92 PID 3368 wrote to memory of 4668 3368 beb0ce0ae439be0520015a4d5360f26b.exe 92 PID 3368 wrote to memory of 4668 3368 beb0ce0ae439be0520015a4d5360f26b.exe 92 PID 1648 wrote to memory of 1212 1648 ujpgtmebeq.exe 93 PID 1648 wrote to memory of 1212 1648 ujpgtmebeq.exe 93 PID 1648 wrote to memory of 1212 1648 ujpgtmebeq.exe 93 PID 3368 wrote to memory of 2308 3368 beb0ce0ae439be0520015a4d5360f26b.exe 94 PID 3368 wrote to memory of 2308 3368 beb0ce0ae439be0520015a4d5360f26b.exe 94
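The registry writes listed in the signatures above are the part of this report a responder most often has to re-check on a suspect host. The Python below is an added example, not output or tooling from the sandbox: it parses the report's own "Set value" entries (the sample input is constructed from a subset of the lines above, including lines that carry two entries and a "Key created" entry that must be skipped), converts the kernel object paths to reg.exe notation, labels each write with the report's signature name and an ATT&CK technique ID, and emits reg query commands. The rule table and its category labels are this example's assumptions, not part of the report.

```python
"""Parse the registry "Set value" IoC entries of a sandbox report into structured
records, label them, and emit reg.exe commands to confirm the writes on a host."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One entry as rendered in the report:
#   Set value (int|str) \REGISTRY\...\Key\ValueName = "value" process.exe
# The path is matched non-greedily up to the first ' = "' so that several
# entries run together on one line (as they are in the report) split cleanly.
IOC_RE = re.compile(
    r'Set value \((?P<vtype>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" '
    r'(?P<process>\S+\.exe)'
)

# Constructed sample: a subset of the IoC text from this report, pasted verbatim.
SAMPLE = r'''
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ujpgtmebeq.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ujpgtmebeq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ujpgtmebeq.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ujpgtmebeq.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ujpgtmebeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wsakjhzh = "ujpgtmebeq.exe" tdbkovmfazwknoy.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aodskcqcoxcwt.exe" tdbkovmfazwknoy.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ujpgtmebeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ujpgtmebeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ujpgtmebeq.exe
'''


@dataclass(frozen=True)
class RegistryIoc:
    key: str      # reg.exe-style path, e.g. HKLM\SOFTWARE\...\Run
    name: str     # value name; "" means the key's (Default) value
    vtype: str    # "int" (REG_DWORD) or "str" (REG_SZ) as the report labels it
    value: str
    process: str  # process that performed the write


# (key fragment, value name or None for any name, label, ATT&CK technique).
# Labels reuse the report's signature names; the table itself is an assumption
# of this example. "currentversion\run" also matches RunOnce, which is intended.
RULES = (
    ("explorer\\advanced", "hidefileext", "Modifies visibility of file extensions in Explorer", "T1564.001"),
    ("explorer\\advanced", "showsuperhidden", "Modifies visibility of hidden/system files in Explorer", "T1564.001"),
    ("security center", None, "Windows security modification (Security Center)", "T1562.001"),
    ("policies\\system", "disableregistrytools", "Disables RegEdit via registry modification", "T1112"),
    # 4294967197 == 0xFFFFFF9D, the value that disabled Windows File Protection
    # on Windows 2000/XP; inert on Windows 10 but a strong tamper indicator.
    ("\\winlogon", "sfcdisable", "Modifies WinLogon (SFCDisable)", "T1112"),
    ("\\winlogon", "sfcscan", "Modifies WinLogon (SFCScan)", "T1112"),
    ("currentversion\\run", None, "Adds Run key to start application", "T1547.001"),
    # Default value of HKLM\SOFTWARE\Classes\.<ext> set to "txtfile": scripts and
    # .reg files then open in Notepad instead of executing.
    ("\\classes\\.", "", "Modifies registry class (script extension -> txtfile)", "T1112"),
)


def native_path(path: str) -> str:
    """Translate the kernel object path the report prints into reg.exe notation."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse(text: str) -> List[RegistryIoc]:
    iocs = []
    for m in IOC_RE.finditer(text):
        key, _, name = native_path(m["path"]).rpartition("\\")
        iocs.append(RegistryIoc(key, name, m["vtype"], m["value"], m["process"]))
    return iocs


def classify(ioc: RegistryIoc) -> Tuple[str, Optional[str]]:
    k, n = ioc.key.lower(), ioc.name.lower()
    for frag, want, label, tid in RULES:
        if frag in k and (want is None or want == n):
            return label, tid
    return "uncategorized", None


def reg_query(ioc: RegistryIoc) -> str:
    """Command a responder can run on the host to confirm the value is present."""
    sel = "/ve" if ioc.name == "" else f'/v "{ioc.name}"'
    return f'reg query "{ioc.key}" {sel}'


def host_checks(iocs: List[RegistryIoc]) -> List[str]:
    """One reg query per IoC. The droppers run from SysWOW64, so their writes
    landed in the WOW6432Node view; the native 64-bit view is queried as well,
    since a 64-bit build of the same tool would write there instead."""
    cmds = []
    for ioc in iocs:
        cmds.append(reg_query(ioc))
        if "WOW6432NODE\\" in ioc.key.upper():
            native_key = re.sub(r"(?i)WOW6432Node\\", "", ioc.key)
            cmds.append(reg_query(RegistryIoc(native_key, ioc.name, ioc.vtype, ioc.value, ioc.process)))
    return list(dict.fromkeys(cmds))  # de-duplicate, keep order


if __name__ == "__main__":
    found = parse(SAMPLE)
    for ioc in found:
        label, tid = classify(ioc)
        print(f"{tid or '-':10} {label:60} {ioc.process:20} {ioc.key}\\{ioc.name} = {ioc.value!r}")
    print("\n".join(host_checks(found)))
```

Running the block prints one labelled line per write and then the reg query list. Two caveats when using the output: a hit in the WOW6432Node view on a 64-bit host is consistent with this 32-bit sample, while a hit only in the native view points at a different build; and the legacy Security Center values are mostly ignored by Windows 10, so their presence is an indicator of tampering rather than proof that protection was actually switched off.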
Processes
-
Process (level 1)
C:\Users\Admin\AppData\Local\Temp\beb0ce0ae439be0520015a4d5360f26b.exe
Command line
"C:\Users\Admin\AppData\Local\Temp\beb0ce0ae439be0520015a4d5360f26b.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3368 -
Process (level 2)
C:\Windows\SysWOW64\ujpgtmebeq.exe
Command line
ujpgtmebeq.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1648 -
Process (level 3)
C:\Windows\SysWOW64\oqorprjq.exe
Command line
C:\Windows\system32\oqorprjq.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1212
Process (level 2)
C:\Windows\SysWOW64\tdbkovmfazwknoy.exe
Command line
tdbkovmfazwknoy.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4868
Process (level 2)
C:\Windows\SysWOW64\oqorprjq.exe
Command line
oqorprjq.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684
Process (level 2)
C:\Windows\SysWOW64\aodskcqcoxcwt.exe
Command line
aodskcqcoxcwt.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668
Process (level 2)
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2308
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (T1547) 2
Registry Run Keys / Startup Folder (T1547.001) 1
Winlogon Helper DLL (T1547.004) 1
Privilege Escalation
Boot or Logon Autostart Execution (T1547) 2
Registry Run Keys / Startup Folder (T1547.001) 1
Winlogon Helper DLL (T1547.004) 1
Defense Evasion
Hide Artifacts (T1564) 2
Hidden Files and Directories (T1564.001) 2
Impair Defenses (T1562) 2
Disable or Modify Tools (T1562.001) 2
Modify Registry (T1112) 6
Downloads
-
Filesize
512KB
MD5
98071a33196b196d3a35b4d2633988e8
SHA1
e8a9a47f2cc7a7e300c2fe77a94d5574b0799ec7
SHA256
3cc23cdc7ea4f89f155fe7a1ee820a708009fd196da082b7d320be32658ed92d
SHA512
45a5da1d76b6458ea74d9e0436ab7fcfc998a62e8b05e55038a56256fa8af106b0c461e75c655e3f219a211690ea719c0a859c8c97665c15d0c0db0db6ea0d6c
-
Filesize
512KB
MD5
5abe2d497b6ea2607b7749b739571762
SHA1
5ed80e9e57f74c95378918304bc147e755d66f25
SHA256
18f28e9f5253e8e061310a68298fe1cee0845e6a81748d8444bbf0264f86bd9d
SHA512
5c4c71eacbf40d0e5270e7433470c46db51bdf572fdab491047cf614ffd1bc22584d54d84130669754deecbb73d3874e02a42ef6b744d1f676792a826b4b2f90
-
Filesize
239B
MD5
12b138a5a40ffb88d1850866bf2959cd
SHA1
57001ba2de61329118440de3e9f8a81074cb28a2
SHA256
9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512
9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
69193eff06eb5adabff293d9db42d29f
SHA1
df6153211f6dd3e55616b0ee2ba187ce64e65b5b
SHA256
692cf8d9c810987e617c58f2a9c55e325e78fdda889a5047fd16dc219793cc16
SHA512
119ab7605f500abc9cdb85ecd59faba14a1105b8d537f990d54f8eda78e46b1e2fc46d554a5223ff4448c61938ec59c16a3d4b49f809847268f2bce083c3f48d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB
MD5
234b35c45a8315f29f92e6db304fd0ea
SHA1
277a25366b5e66cea33fcf910e4f5f103fc5d2dd
SHA256
3bfd89a5c30b14e671cd4fe44b783d13d8e617276c5315b5da6392d4062fc296
SHA512
cfb194c304fee77742ac023ad3492a4e8e0a565d508dfca6c1358be5d345cb8e502c98845e1ae9b9221b52882477bec582c9d437dc5422f8caf5978d2266d899
-
Filesize
512KB
MD5
1e8c1028324325234723a2df4836c35f
SHA1
7261decf53ec43912fef3255153b471f3f71a062
SHA256
6eba194b4f2f3660bcc27e1feb27e220830da551e157bf3b43b7fb9a1de76b7f
SHA512
20879870f330348a5dccaec5f93cc0b6448f2ba3febe99b78d1648e176b9142271785450b92c27786335e69a5dde831bee0e2977b1f443a959770647e2f39e83
-
Filesize
512KB
MD5
b292579415d4c54421297d04707b3e50
SHA1
29d04bfa5d9670dc89d91499bb3d7543cd7e2c37
SHA256
6390e67f164858e0c2a803246c67618575e60fe3b4b053eea2aa235aba03a773
SHA512
37cbbf6668e8ca8c5ebed0c2fe4701995c688f627711561d87f0320bfdc77b41cef4ba00f5bda7b013ac6f299d48b389fc5fa0ec781c6bf146ebf32b0f4906f7
-
Filesize
512KB
MD5
330fc9ecb4bc62287b64caa7b81dccfe
SHA1
5a6f4d0ba6f9645b32c1a379d0210fc81e86105f
SHA256
9fd3cd085daccde17f7829c09a2e9e42f39336df9bb40db2e2415a6004bb8c36
SHA512
c58fbd1e65e2b3182e7c0504c94a69384a33ea7af43c351aed1af2d760c31a93f4c939c15e0b3d6143e4876157166f52f1f8cb4660521741b8f5bae6b24565ab
-
Filesize
512KB
MD5
7433ea05fe908a8608317b4cfd2f1a2e
SHA1
bdf4db4b7d1e389f8dfd873e36f55dbe8a4f9cd5
SHA256
7623232b02d8a9b1d7485efbbb52f707ee16a020e421d76832e2da6888102159
SHA512
38db6b6035a9b4ae56ad37e170fb934431128a2f6667e29d57368d893cda4c5d131bcfc270bf277a92372b564599118ad38eeb5e7b05a34c6d85556f0a89f60b
-
Filesize
512KB
MD5
41a092ae4979a9317aa0f9d9951c23d9
SHA1
5993aca7bbd72c8dcb73e3dad68ab5273efab95a
SHA256
0fb8039633839ae5de4ee60deea831047f1709d00722aa4bbd4fa127edc8aea0
SHA512
f3b85ca7abe805ce80dad13c781ae1288c7839b4cd984bff2ab72a21b8dac6a53f75f70edde879d1fb8dbb33366c56d5a1e0b650af07af0dcf79f5880474f746
-
Filesize
223B
MD5
06604e5941c126e2e7be02c5cd9f62ec
SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD5
e398d9a9f48d5f5422e7bae41871e41b
SHA1
5ff40bc9965d22f54b1afb1a546992ee399ec281
SHA256
62033730b2b4f9130946967569db029e25e44979fddd03aff86f2b5fb8d6513a
SHA512
4cb75e4f8a04bedfe0b9cb2a76a53e023768412fbb4c1d7b6a4d609923ae8ddbf13d85e0689d275b08f6f64b5e40e8f1de830fe1a207090958dcd433f91308fd
-
Filesize
512KB
MD5
293d40a7084021dc4883863139aebd2e
SHA1
3c2653eed2f070dce932b304db504341297feccf
SHA256
4784a4b46d7612523777db23a0263be3654c20b77c61ca7516d9625899d84e05
SHA512
be8f32e522d0b4149300ba3a6238e35aecdf02ce6cbfe1e5ab20e27cdc805ff81ea1a97a52b60e517c87b63f7d3897dae8e5a3b2797b44c85501a88a4a512099