Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-03-2024 17:17

Behavioral task: behavioral1
Sample: c3eb8a33e7bdf419663cd467e6f04937.exe
Resource: win7-20240221-en

General

Target: c3eb8a33e7bdf419663cd467e6f04937.exe
Size: 255KB
MD5: c3eb8a33e7bdf419663cd467e6f04937
SHA1: d4204e50d64fa8b2114c7d23ea2371e03dae3f4b
SHA256: 74e60ce82bd43e7e8d23339ab30c8ebd8588f96cfa471d18de662b07495e5ec7
SHA512: 9b9c944caa0b43a49c0f4797c981fc70f121fe22a8f0b56693dbbc466b692b4b4e7c80c4d40a0133a4453e1bf285df89414ff6fb876ba0363a1fb1107b1fd20d
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJu:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIL

Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | npirxzufwv.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | npirxzufwv.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | npirxzufwv.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | npirxzufwv.exe
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 5 IoCs
pid | Process
2592 | npirxzufwv.exe
2680 | nkuwlvotczfhlrm.exe
2512 | vrtswhpt.exe
2648 | wdkejivzyjttk.exe
2476 | vrtswhpt.exe
Loads dropped DLL 5 IoCs
pid | Process
1524 | c3eb8a33e7bdf419663cd467e6f04937.exe
1524 | c3eb8a33e7bdf419663cd467e6f04937.exe
1524 | c3eb8a33e7bdf419663cd467e6f04937.exe
1524 | c3eb8a33e7bdf419663cd467e6f04937.exe
2592 | npirxzufwv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | npirxzufwv.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wdkejivzyjttk.exe" | nkuwlvotczfhlrm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qpnxabky = "npirxzufwv.exe" | nkuwlvotczfhlrm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nmrluugj = "nkuwlvotczfhlrm.exe" | nkuwlvotczfhlrm.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | npirxzufwv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | npirxzufwv.exe
AutoIT Executable 64 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\nkuwlvotczfhlrm.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File opened for modification | C:\Windows\SysWOW64\vrtswhpt.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File created | C:\Windows\SysWOW64\wdkejivzyjttk.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File opened for modification | C:\Windows\SysWOW64\wdkejivzyjttk.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File created | C:\Windows\SysWOW64\npirxzufwv.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File opened for modification | C:\Windows\SysWOW64\npirxzufwv.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | npirxzufwv.exe
File opened for modification | C:\Windows\SysWOW64\nkuwlvotczfhlrm.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
File created | C:\Windows\SysWOW64\vrtswhpt.exe | c3eb8a33e7bdf419663cd467e6f04937.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\GroupRevoke.doc.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | vrtswhpt.exe
File created | \??\c:\Program Files\GroupRevoke.doc.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files\GroupRevoke.doc.exe | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vrtswhpt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vrtswhpt.exe
File opened for modification | C:\Program Files\GroupRevoke.nal | vrtswhpt.exe
File opened for modification | C:\Program Files\GroupRevoke.nal | vrtswhpt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | vrtswhpt.exe
File opened for modification | C:\Program Files\GroupRevoke.doc.exe | vrtswhpt.exe
File opened for modification | \??\c:\Program Files\GroupRevoke.doc.exe | vrtswhpt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | vrtswhpt.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | c3eb8a33e7bdf419663cd467e6f04937.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2876 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2476 vrtswhpt.exe 2476 vrtswhpt.exe 2476 vrtswhpt.exe 2476 vrtswhpt.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2680 nkuwlvotczfhlrm.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe Token: SeShutdownPrivilege 1664 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2476 vrtswhpt.exe 2476 vrtswhpt.exe 2476 vrtswhpt.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe -
Suspicious use of SendNotifyMessage 34 IoCs
pid Process 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2592 npirxzufwv.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2512 vrtswhpt.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2680 nkuwlvotczfhlrm.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 2648 wdkejivzyjttk.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe 1664 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2876 WINWORD.EXE 2876 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1524 wrote to memory of 2592 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 28 PID 1524 wrote to memory of 2592 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 28 PID 1524 wrote to memory of 2592 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 28 PID 1524 wrote to memory of 2592 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 28 PID 1524 wrote to memory of 2680 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 29 PID 1524 wrote to memory of 2680 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 29 PID 1524 wrote to memory of 2680 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 29 PID 1524 wrote to memory of 2680 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 29 PID 1524 wrote to memory of 2512 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 30 PID 1524 wrote to memory of 2512 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 30 PID 1524 wrote to memory of 2512 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 30 PID 1524 wrote to memory of 2512 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 30 PID 1524 wrote to memory of 2648 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 31 PID 1524 wrote to memory of 2648 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 31 PID 1524 wrote to memory of 2648 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 31 PID 1524 wrote to memory of 2648 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 31 PID 2592 wrote to memory of 2476 2592 npirxzufwv.exe 32 PID 2592 wrote to memory of 2476 2592 npirxzufwv.exe 32 PID 2592 wrote to memory of 2476 2592 npirxzufwv.exe 32 PID 2592 wrote to memory of 2476 2592 npirxzufwv.exe 32 PID 1524 wrote to memory of 2876 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 33 PID 1524 wrote to memory of 2876 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 33 PID 1524 wrote to memory of 2876 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 33 PID 1524 wrote to memory of 2876 1524 c3eb8a33e7bdf419663cd467e6f04937.exe 33 PID 2876 wrote to memory of 812 2876 WINWORD.EXE 37 PID 2876 wrote to memory of 812 2876 WINWORD.EXE 37 PID 2876 wrote to memory of 812 2876 WINWORD.EXE 37 PID 2876 wrote to memory of 812 2876 WINWORD.EXE 37 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\c3eb8a33e7bdf419663cd467e6f04937.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3eb8a33e7bdf419663cd467e6f04937.exe"
  PID: 1524
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\npirxzufwv.exe
    Command line: npirxzufwv.exe
    PID: 2592
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\vrtswhpt.exe
      Command line: C:\Windows\system32\vrtswhpt.exe
      PID: 2476
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

  C:\Windows\SysWOW64\nkuwlvotczfhlrm.exe
    Command line: nkuwlvotczfhlrm.exe
    PID: 2680
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vrtswhpt.exe
    Command line: vrtswhpt.exe
    PID: 2512
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wdkejivzyjttk.exe
    Command line: wdkejivzyjttk.exe
    PID: 2648
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2876
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 812

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 1664
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (8)
Downloads