Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2024, 15:39
Static task: static1
Behavioral task: behavioral1
  Sample: c0f5f6ce7a241bda371348f17923016a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c0f5f6ce7a241bda371348f17923016a.exe
  Resource: win10v2004-20240226-en
General
Target: c0f5f6ce7a241bda371348f17923016a.exe
Size: 512KB
MD5: c0f5f6ce7a241bda371348f17923016a
SHA1: c8550edbdb6e316214dde0aa58184f78c687e59d
SHA256: dbdb6bc32647ab85b7ec32c6b242c13cf23108e3407f4cd4510b3f12b7ae9536
SHA512: 24945ceadb37098bbeee2f62f12bce4e3179e6fcd71033106838dab30ca69bb269fe1b1fa4b7fa676e8f7e44ccda6b289071426e383a889a57820f8caee19335
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6I:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5f
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vvarxanzmf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vvarxanzmf.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vvarxanzmf.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vvarxanzmf.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | c0f5f6ce7a241bda371348f17923016a.exe
Executes dropped EXE 5 IoCs
pid | Process
3176 | vvarxanzmf.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
4928 | hkfhkcnudmldk.exe
3384 | wdbhgijm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vvarxanzmf.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfqktbhh = "vvarxanzmf.exe" | leufbphksnsjqmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vuqttuji = "leufbphksnsjqmg.exe" | leufbphksnsjqmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hkfhkcnudmldk.exe" | leufbphksnsjqmg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\l: | vvarxanzmf.exe
File opened (read-only) | \??\p: | wdbhgijm.exe
File opened (read-only) | \??\s: | wdbhgijm.exe
File opened (read-only) | \??\a: | wdbhgijm.exe
File opened (read-only) | \??\n: | wdbhgijm.exe
File opened (read-only) | \??\y: | wdbhgijm.exe
File opened (read-only) | \??\a: | vvarxanzmf.exe
File opened (read-only) | \??\v: | wdbhgijm.exe
File opened (read-only) | \??\e: | vvarxanzmf.exe
File opened (read-only) | \??\g: | wdbhgijm.exe
File opened (read-only) | \??\r: | wdbhgijm.exe
File opened (read-only) | \??\v: | wdbhgijm.exe
File opened (read-only) | \??\g: | vvarxanzmf.exe
File opened (read-only) | \??\n: | vvarxanzmf.exe
File opened (read-only) | \??\a: | wdbhgijm.exe
File opened (read-only) | \??\q: | wdbhgijm.exe
File opened (read-only) | \??\b: | wdbhgijm.exe
File opened (read-only) | \??\i: | vvarxanzmf.exe
File opened (read-only) | \??\u: | vvarxanzmf.exe
File opened (read-only) | \??\o: | wdbhgijm.exe
File opened (read-only) | \??\k: | wdbhgijm.exe
File opened (read-only) | \??\u: | wdbhgijm.exe
File opened (read-only) | \??\k: | wdbhgijm.exe
File opened (read-only) | \??\j: | vvarxanzmf.exe
File opened (read-only) | \??\t: | vvarxanzmf.exe
File opened (read-only) | \??\x: | wdbhgijm.exe
File opened (read-only) | \??\j: | wdbhgijm.exe
File opened (read-only) | \??\t: | wdbhgijm.exe
File opened (read-only) | \??\s: | vvarxanzmf.exe
File opened (read-only) | \??\z: | vvarxanzmf.exe
File opened (read-only) | \??\i: | wdbhgijm.exe
File opened (read-only) | \??\w: | wdbhgijm.exe
File opened (read-only) | \??\l: | wdbhgijm.exe
File opened (read-only) | \??\s: | wdbhgijm.exe
File opened (read-only) | \??\p: | vvarxanzmf.exe
File opened (read-only) | \??\q: | vvarxanzmf.exe
File opened (read-only) | \??\u: | wdbhgijm.exe
File opened (read-only) | \??\k: | vvarxanzmf.exe
File opened (read-only) | \??\h: | wdbhgijm.exe
File opened (read-only) | \??\l: | wdbhgijm.exe
File opened (read-only) | \??\y: | wdbhgijm.exe
File opened (read-only) | \??\o: | vvarxanzmf.exe
File opened (read-only) | \??\e: | wdbhgijm.exe
File opened (read-only) | \??\m: | wdbhgijm.exe
File opened (read-only) | \??\n: | wdbhgijm.exe
File opened (read-only) | \??\o: | wdbhgijm.exe
File opened (read-only) | \??\r: | wdbhgijm.exe
File opened (read-only) | \??\t: | wdbhgijm.exe
File opened (read-only) | \??\z: | wdbhgijm.exe
File opened (read-only) | \??\q: | wdbhgijm.exe
File opened (read-only) | \??\w: | wdbhgijm.exe
File opened (read-only) | \??\x: | wdbhgijm.exe
File opened (read-only) | \??\h: | vvarxanzmf.exe
File opened (read-only) | \??\j: | wdbhgijm.exe
File opened (read-only) | \??\b: | vvarxanzmf.exe
File opened (read-only) | \??\m: | vvarxanzmf.exe
File opened (read-only) | \??\z: | wdbhgijm.exe
File opened (read-only) | \??\e: | wdbhgijm.exe
File opened (read-only) | \??\i: | wdbhgijm.exe
File opened (read-only) | \??\r: | vvarxanzmf.exe
File opened (read-only) | \??\y: | vvarxanzmf.exe
File opened (read-only) | \??\m: | wdbhgijm.exe
File opened (read-only) | \??\p: | wdbhgijm.exe
File opened (read-only) | \??\w: | vvarxanzmf.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vvarxanzmf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vvarxanzmf.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2824-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000a000000023038-5.dat | autoit_exe
behavioral2/files/0x000300000001e9a0-22.dat | autoit_exe
behavioral2/files/0x000a000000023150-26.dat | autoit_exe
behavioral2/files/0x00080000000231e4-32.dat | autoit_exe
behavioral2/files/0x00070000000231f2-71.dat | autoit_exe
behavioral2/files/0x00080000000231fb-95.dat | autoit_exe
behavioral2/files/0x00080000000231fb-97.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\wdbhgijm.exe | c0f5f6ce7a241bda371348f17923016a.exe
File opened for modification | C:\Windows\SysWOW64\wdbhgijm.exe | c0f5f6ce7a241bda371348f17923016a.exe
File created | C:\Windows\SysWOW64\hkfhkcnudmldk.exe | c0f5f6ce7a241bda371348f17923016a.exe
File opened for modification | C:\Windows\SysWOW64\hkfhkcnudmldk.exe | c0f5f6ce7a241bda371348f17923016a.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | C:\Windows\SysWOW64\vvarxanzmf.exe | c0f5f6ce7a241bda371348f17923016a.exe
File opened for modification | C:\Windows\SysWOW64\leufbphksnsjqmg.exe | c0f5f6ce7a241bda371348f17923016a.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vvarxanzmf.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | C:\Windows\SysWOW64\vvarxanzmf.exe | c0f5f6ce7a241bda371348f17923016a.exe
File created | C:\Windows\SysWOW64\leufbphksnsjqmg.exe | c0f5f6ce7a241bda371348f17923016a.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wdbhgijm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wdbhgijm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wdbhgijm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wdbhgijm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wdbhgijm.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wdbhgijm.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wdbhgijm.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wdbhgijm.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | C:\Windows\mydoc.rtf | c0f5f6ce7a241bda371348f17923016a.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wdbhgijm.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wdbhgijm.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wdbhgijm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | c0f5f6ce7a241bda371348f17923016a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B12E479739EA53C9BAA2329FD7CB" | c0f5f6ce7a241bda371348f17923016a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FF8C482685199133D75D7DE2BC93E136594A67346343D79F" | c0f5f6ce7a241bda371348f17923016a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vvarxanzmf.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c0f5f6ce7a241bda371348f17923016a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vvarxanzmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vvarxanzmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7E9C5782226D3476D170512DAD7D8364DF" | c0f5f6ce7a241bda371348f17923016a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC77414E3DBBFB9C07FE1ED9434B9" | c0f5f6ce7a241bda371348f17923016a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vvarxanzmf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vvarxanzmf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB9FAB1FE13F1E4830B3A4186EC39E1B38C02FA42120333E2CF42ED08D4" | c0f5f6ce7a241bda371348f17923016a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB3FF1C21AAD10FD0D38A0E9162" | c0f5f6ce7a241bda371348f17923016a.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1912 | WINWORD.EXE
1912 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
3152 | leufbphksnsjqmg.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
3152 | leufbphksnsjqmg.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
3384 | wdbhgijm.exe
3384 | wdbhgijm.exe
3384 | wdbhgijm.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
2824 | c0f5f6ce7a241bda371348f17923016a.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
3152 | leufbphksnsjqmg.exe
688 | wdbhgijm.exe
688 | wdbhgijm.exe
3152 | leufbphksnsjqmg.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
3176 | vvarxanzmf.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
4928 | hkfhkcnudmldk.exe
3384 | wdbhgijm.exe
3384 | wdbhgijm.exe
3384 | wdbhgijm.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1912 | WINWORD.EXE
1912 | WINWORD.EXE
1912 | WINWORD.EXE
1912 | WINWORD.EXE
1912 | WINWORD.EXE
1912 | WINWORD.EXE
1912 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2824 wrote to memory of 3176 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 90
PID 2824 wrote to memory of 3176 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 90
PID 2824 wrote to memory of 3176 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 90
PID 2824 wrote to memory of 3152 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 91
PID 2824 wrote to memory of 3152 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 91
PID 2824 wrote to memory of 3152 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 91
PID 2824 wrote to memory of 688 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 92
PID 2824 wrote to memory of 688 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 92
PID 2824 wrote to memory of 688 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 92
PID 2824 wrote to memory of 4928 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 93
PID 2824 wrote to memory of 4928 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 93
PID 2824 wrote to memory of 4928 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 93
PID 2824 wrote to memory of 1912 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 94
PID 2824 wrote to memory of 1912 | 2824 | c0f5f6ce7a241bda371348f17923016a.exe | 94
PID 3176 wrote to memory of 3384 | 3176 | vvarxanzmf.exe | 96
PID 3176 wrote to memory of 3384 | 3176 | vvarxanzmf.exe | 96
PID 3176 wrote to memory of 3384 | 3176 | vvarxanzmf.exe | 96
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\c0f5f6ce7a241bda371348f17923016a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0f5f6ce7a241bda371348f17923016a.exe"
  PID: 2824
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\vvarxanzmf.exe
    Command line: vvarxanzmf.exe
    PID: 3176
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\wdbhgijm.exe
      Command line: C:\Windows\system32\wdbhgijm.exe
      PID: 3384
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\leufbphksnsjqmg.exe
    Command line: leufbphksnsjqmg.exe
    PID: 3152
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\wdbhgijm.exe
    Command line: wdbhgijm.exe
    PID: 688
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Windows\SysWOW64\hkfhkcnudmldk.exe
    Command line: hkfhkcnudmldk.exe
    PID: 4928
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  [depth 2] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1912
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
Defense Evasion
  Hide Artifacts: 2
    Hidden Files and Directories: 2
  Impair Defenses: 2
    Disable or Modify Tools: 2
  Modify Registry: 6
Downloads