Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/03/2024, 05:05

Static task: static1
Behavioral task: behavioral1
  Sample: c2846705938fb2f595267f5effa3b1c4.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c2846705938fb2f595267f5effa3b1c4.exe
  Resource: win10v2004-20240226-en
General
Target: c2846705938fb2f595267f5effa3b1c4.exe
Size: 512KB
MD5: c2846705938fb2f595267f5effa3b1c4
SHA1: 2d7c8740b75dc6ec3cf5a8a4968034e06cd51eee
SHA256: 57abcac196c86e0bd3ace3fff8e9aa80d3813ac7fea30d70427a9cb6338c01e0
SHA512: ac21da0c96c224ff6246faae9ecf5bd441b6a339018d077b3c8e641ef573131c208f58adee917a9f87847723392980ed83cdd9a894c250f98f540423e4e5eddf
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj64:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5J
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (dfozzxdonc.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (dfozzxdonc.exe)

Windows security bypass (5 IoCs; signature name as listed for dfozzxdonc.exe in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (dfozzxdonc.exe)

Disables RegEdit via registry modification (1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (dfozzxdonc.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation (c2846705938fb2f595267f5effa3b1c4.exe)
Executes dropped EXE (5 IoCs)
- PID 1672: dfozzxdonc.exe
- PID 3552: dshusdughufpeaj.exe
- PID 4968: icdgjxcd.exe
- PID 32: tutzjdafdqcho.exe
- PID 3588: icdgjxcd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Windows security modification (6 IoCs; signature name as listed for dfozzxdonc.exe in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (dfozzxdonc.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tutzjdafdqcho.exe" (dshusdughufpeaj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zavulldn = "dfozzxdonc.exe" (dshusdughufpeaj.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lagcdimy = "dshusdughufpeaj.exe" (dshusdughufpeaj.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. All 64 events are "File opened (read-only)"; they are grouped below by process, in report order.
- icdgjxcd.exe (42 events): \??\p: \??\q: \??\b: \??\r: \??\o: \??\t: \??\g: \??\y: \??\g: \??\k: \??\j: \??\o: \??\n: \??\b: \??\w: \??\n: \??\e: \??\h: \??\x: \??\a: \??\h: \??\l: \??\s: \??\a: \??\i: \??\k: \??\r: \??\u: \??\l: \??\z: \??\s: \??\v: \??\y: \??\p: \??\x: \??\z: \??\i: \??\e: \??\u: \??\j: \??\m: \??\t:
- dfozzxdonc.exe (22 events): \??\n: \??\p: \??\a: \??\q: \??\h: \??\y: \??\o: \??\x: \??\g: \??\u: \??\v: \??\z: \??\e: \??\m: \??\t: \??\i: \??\l: \??\w: \??\k: \??\b: \??\j: \??\s:
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (dfozzxdonc.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (dfozzxdonc.exe)

AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables. YARA rule autoit_exe matched on:
- behavioral2/memory/2804-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x0009000000023040-5.dat
- behavioral2/files/0x000400000001e980-18.dat
- behavioral2/files/0x0007000000023200-32.dat
- behavioral2/files/0x000d000000023194-30.dat
- behavioral2/files/0x0003000000022753-71.dat
- behavioral2/files/0x000700000002320d-74.dat
- behavioral2/files/0x000b00000002312b-85.dat
- behavioral2/files/0x0007000000023224-108.dat
- behavioral2/files/0x0007000000023224-112.dat
Drops file in System32 directory (12 IoCs)
- File created: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: C:\Windows\SysWOW64\dshusdughufpeaj.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File created: C:\Windows\SysWOW64\icdgjxcd.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File opened for modification: C:\Windows\SysWOW64\icdgjxcd.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File created: C:\Windows\SysWOW64\tutzjdafdqcho.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File opened for modification: C:\Windows\SysWOW64\tutzjdafdqcho.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File created: C:\Windows\SysWOW64\dfozzxdonc.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File opened for modification: C:\Windows\SysWOW64\dfozzxdonc.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File created: C:\Windows\SysWOW64\dshusdughufpeaj.exe (c2846705938fb2f595267f5effa3b1c4.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (dfozzxdonc.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (icdgjxcd.exe)

Drops file in Program Files directory (15 IoCs, all by icdgjxcd.exe)
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File created: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification: \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

Drops file in Windows directory (19 IoCs)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: C:\Windows\mydoc.rtf (WINWORD.EXE)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: C:\Windows\mydoc.rtf (c2846705938fb2f595267f5effa3b1c4.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File opened for modification: \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe (icdgjxcd.exe)
- File created: \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe (icdgjxcd.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)

Modifies registry class (20 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf (dfozzxdonc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.reg (dfozzxdonc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\CLV.Classes (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33472C7E9C2682556D3677A770222CAA7D8064DA" (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0806BB4FF1D22DDD27CD0A28A7D9164" (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" (dfozzxdonc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" (dfozzxdonc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" (dfozzxdonc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B1294795399E53C4B9A132EFD7BB" (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC824F5F821B9132D7587D94BD92E136584667446336D79B" (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60915E5DAC3B8C07C92ED9337B9" (c2846705938fb2f595267f5effa3b1c4.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings (c2846705938fb2f595267f5effa3b1c4.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9CEF965F2E584083B45819E3996B0FE03F143150239E1CB429A08A0" (c2846705938fb2f595267f5effa3b1c4.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.bat (dfozzxdonc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs (dfozzxdonc.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 4240 WINWORD.EXE (2 events)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2804 c2846705938fb2f595267f5effa3b1c4.exe (16 events)
- PID 1672 dfozzxdonc.exe (10 events)
- PID 32 tutzjdafdqcho.exe (12 events)
- PID 3552 dshusdughufpeaj.exe (10 events)
- PID 4968 icdgjxcd.exe (8 events)
- PID 3588 icdgjxcd.exe (8 events)

Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2804 c2846705938fb2f595267f5effa3b1c4.exe (3 events)
- PID 1672 dfozzxdonc.exe (3 events)
- PID 32 tutzjdafdqcho.exe (3 events)
- PID 3552 dshusdughufpeaj.exe (3 events)
- PID 4968 icdgjxcd.exe (3 events)
- PID 3588 icdgjxcd.exe (3 events)

Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2804 c2846705938fb2f595267f5effa3b1c4.exe (3 events)
- PID 1672 dfozzxdonc.exe (3 events)
- PID 32 tutzjdafdqcho.exe (3 events)
- PID 3552 dshusdughufpeaj.exe (3 events)
- PID 4968 icdgjxcd.exe (3 events)
- PID 3588 icdgjxcd.exe (3 events)

Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 4240 WINWORD.EXE (7 events)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2804 (c2846705938fb2f595267f5effa3b1c4.exe) wrote to memory of PID 1672, procid_target 89 (3 events)
- PID 2804 (c2846705938fb2f595267f5effa3b1c4.exe) wrote to memory of PID 3552, procid_target 90 (3 events)
- PID 2804 (c2846705938fb2f595267f5effa3b1c4.exe) wrote to memory of PID 4968, procid_target 91 (3 events)
- PID 2804 (c2846705938fb2f595267f5effa3b1c4.exe) wrote to memory of PID 32, procid_target 92 (3 events)
- PID 1672 (dfozzxdonc.exe) wrote to memory of PID 3588, procid_target 93 (3 events)
- PID 2804 (c2846705938fb2f595267f5effa3b1c4.exe) wrote to memory of PID 4240, procid_target 94 (2 events)
Processes

C:\Users\Admin\AppData\Local\Temp\c2846705938fb2f595267f5effa3b1c4.exe (PID 2804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2846705938fb2f595267f5effa3b1c4.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dfozzxdonc.exe (PID 1672, child of 2804)
    Command line: dfozzxdonc.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\icdgjxcd.exe (PID 3588, child of 1672)
      Command line: C:\Windows\system32\icdgjxcd.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\dshusdughufpeaj.exe (PID 3552, child of 2804)
    Command line: dshusdughufpeaj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\icdgjxcd.exe (PID 4968, child of 2804)
    Command line: icdgjxcd.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\tutzjdafdqcho.exe (PID 32, child of 2804)
    Command line: tutzjdafdqcho.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4240, child of 2804)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads