Analysis

Max time kernel: 149s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/03/2024, 11:43
Static task: static1

Behavioral task: behavioral1
  Sample: c082ff8af0528db66a7143e97522eeaa.exe
  Resource: win7-20240215-en

Behavioral task: behavioral2
  Sample: c082ff8af0528db66a7143e97522eeaa.exe
  Resource: win10v2004-20231215-en
General

Target: c082ff8af0528db66a7143e97522eeaa.exe
Size: 512KB
MD5: c082ff8af0528db66a7143e97522eeaa
SHA1: 4982f63e1a67518db09ccf4a936993375fd5b68a
SHA256: 9d62e0190265ab56bfb4d0d581c29053455826f2f477f172f5e4baec8fdc433c
SHA512: 2a9b6b12d92d8e86d67330631ea92ca236a14d445f9c293a5ba2062ffd16e6b69c2911bd2e236c8077016df24c3b846890c66482a94d6bf21aace8f7861a1377
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6r:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | soxaxcqgji.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | soxaxcqgji.exe |

Windows security bypass (5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | soxaxcqgji.exe |
Disables RegEdit via registry modification (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | soxaxcqgji.exe |
Checks computer location settings (2 TTPs, 1 IoC)

Looks up country code configured in the registry, likely geofence.

| description | ioc | Process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | c082ff8af0528db66a7143e97522eeaa.exe |
Executes dropped EXE (5 IoCs)

| pid | Process |
| --- | --- |
| 4060 | soxaxcqgji.exe |
| 64 | edodevjemhtdybu.exe |
| 368 | cnzofyyv.exe |
| 3536 | jzrnyydvgeksn.exe |
| 3228 | cnzofyyv.exe |
Reads user/profile data of web browsers (2 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | soxaxcqgji.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\arzwttia = "soxaxcqgji.exe" | edodevjemhtdybu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xqobjzup = "edodevjemhtdybu.exe" | edodevjemhtdybu.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jzrnyydvgeksn.exe" | edodevjemhtdybu.exe |
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | soxaxcqgji.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | soxaxcqgji.exe |
AutoIT Executable (9 IoCs)

AutoIT scripts compiled to PE executables.

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/2428-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe |
| behavioral2/files/0x00080000000231f7-5.dat | autoit_exe |
| behavioral2/files/0x000a0000000231e9-18.dat | autoit_exe |
| behavioral2/files/0x0006000000023204-32.dat | autoit_exe |
| behavioral2/files/0x0006000000023203-29.dat | autoit_exe |
| behavioral2/files/0x000500000001695b-70.dat | autoit_exe |
| behavioral2/files/0x001100000001e0b1-81.dat | autoit_exe |
| behavioral2/files/0x000300000001e5a7-99.dat | autoit_exe |
| behavioral2/files/0x000300000001e5a7-104.dat | autoit_exe |
Drops file in System32 directory (12 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File created | C:\Windows\SysWOW64\soxaxcqgji.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | C:\Windows\SysWOW64\edodevjemhtdybu.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File created | C:\Windows\SysWOW64\cnzofyyv.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | C:\Windows\SysWOW64\cnzofyyv.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | C:\Windows\SysWOW64\jzrnyydvgeksn.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | soxaxcqgji.exe |
| File opened for modification | C:\Windows\SysWOW64\soxaxcqgji.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File created | C:\Windows\SysWOW64\edodevjemhtdybu.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File created | C:\Windows\SysWOW64\jzrnyydvgeksn.exe | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | cnzofyyv.exe |
Drops file in Program Files directory (14 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | cnzofyyv.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnzofyyv.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnzofyyv.exe |
| File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnzofyyv.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | cnzofyyv.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnzofyyv.exe |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | cnzofyyv.exe |
| File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | cnzofyyv.exe |
Drops file in Windows directory (19 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE |
| File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | cnzofyyv.exe |
| File opened for modification | C:\Windows\mydoc.rtf | c082ff8af0528db66a7143e97522eeaa.exe |
| File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | cnzofyyv.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)

Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE |
Enumerates system info in registry (2 TTPs, 3 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE |
Modifies registry class (20 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C779D2183276D3476D377272CD97D8464AB" | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15D44E439ED53C8B9A2339CD4B9" | c082ff8af0528db66a7143e97522eeaa.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70915EDDAC0B8CE7F97ECE237C9" | c082ff8af0528db66a7143e97522eeaa.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | soxaxcqgji.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | soxaxcqgji.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | soxaxcqgji.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | soxaxcqgji.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | soxaxcqgji.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFAB0F962F1E283753A4786EA3994B0F902FC4213033DE2BE429B09D6" | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFC8D4F5D851F9031D62E7D91BC92E135594267356246D79A" | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068B7FF6E22DFD10FD1D18A09916B" | c082ff8af0528db66a7143e97522eeaa.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | soxaxcqgji.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | soxaxcqgji.exe |
Suspicious behavior: AddClipboardFormatListener (2 IoCs)

| pid | Process |
| --- | --- |
| 2704 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
| --- | --- |
| 2428 | c082ff8af0528db66a7143e97522eeaa.exe |
| 368 | cnzofyyv.exe |
| 4060 | soxaxcqgji.exe |
| 64 | edodevjemhtdybu.exe |
| 3536 | jzrnyydvgeksn.exe |
| 3228 | cnzofyyv.exe |
Suspicious use of FindShellTrayWindow (18 IoCs)

| pid | Process |
| --- | --- |
| 2428 | c082ff8af0528db66a7143e97522eeaa.exe |
| 368 | cnzofyyv.exe |
| 4060 | soxaxcqgji.exe |
| 64 | edodevjemhtdybu.exe |
| 3536 | jzrnyydvgeksn.exe |
| 3228 | cnzofyyv.exe |
Suspicious use of SendNotifyMessage (18 IoCs)

| pid | Process |
| --- | --- |
| 2428 | c082ff8af0528db66a7143e97522eeaa.exe |
| 368 | cnzofyyv.exe |
| 4060 | soxaxcqgji.exe |
| 64 | edodevjemhtdybu.exe |
| 3536 | jzrnyydvgeksn.exe |
| 3228 | cnzofyyv.exe |
Suspicious use of SetWindowsHookEx (7 IoCs)

| pid | Process |
| --- | --- |
| 2704 | WINWORD.EXE |
Suspicious use of WriteProcessMemory (17 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2428 wrote to memory of 4060 | 2428 | c082ff8af0528db66a7143e97522eeaa.exe | 87 |
| PID 2428 wrote to memory of 64 | 2428 | c082ff8af0528db66a7143e97522eeaa.exe | 88 |
| PID 2428 wrote to memory of 368 | 2428 | c082ff8af0528db66a7143e97522eeaa.exe | 89 |
| PID 2428 wrote to memory of 3536 | 2428 | c082ff8af0528db66a7143e97522eeaa.exe | 90 |
| PID 2428 wrote to memory of 2704 | 2428 | c082ff8af0528db66a7143e97522eeaa.exe | 91 |
| PID 4060 wrote to memory of 3228 | 4060 | soxaxcqgji.exe | 93 |
Processes

- C:\Users\Admin\AppData\Local\Temp\c082ff8af0528db66a7143e97522eeaa.exe (PID 2428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c082ff8af0528db66a7143e97522eeaa.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\soxaxcqgji.exe (PID 4060)
    Command line: soxaxcqgji.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cnzofyyv.exe (PID 3228)
      Command line: C:\Windows\system32\cnzofyyv.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\edodevjemhtdybu.exe (PID 64)
    Command line: edodevjemhtdybu.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\cnzofyyv.exe (PID 368)
    Command line: cnzofyyv.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\jzrnyydvgeksn.exe (PID 3536)
    Command line: jzrnyydvgeksn.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 2704)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads