Analysis
-
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/03/2024, 18:27
Static task: static1
Behavioral task behavioral1: sample c6931c7e8b35b15b7f4745f96494051e.exe, resource win7-20240221-en
Behavioral task behavioral2: sample c6931c7e8b35b15b7f4745f96494051e.exe, resource win10v2004-20240226-en (the run reported on this page; the yara hits below are tagged behavioral2)
General
-
Target
c6931c7e8b35b15b7f4745f96494051e.exe
-
Size
512KB
-
MD5
c6931c7e8b35b15b7f4745f96494051e
-
SHA1
749e428d898dc4c43728ac1a1d9c7573e028e4ed
-
SHA256
aacbdfd9dc2795c02ae6f49f1c140886a91b45af90fabe26c80a65622f103a89
-
SHA512
d2d7c50da7840f19f9f907ac30ea15fcb633b3ad94359e72fdcaa35f7a69071d3447f889a18a64e47efc379374037601ceedce0cdb62ea8c88f2d26fea47d6aa
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
HideFileExt = 1 is also the Windows default, so this write re-asserts the setting rather than changing it; with extensions hidden, the dropped PROTTPLV.DOC.exe, PROTTPLN.DOC.exe and MsoIrmProtector.doc.exe (file-drop tables below) are listed in Explorer as .DOC files.
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jjmcoyxdcc.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
ShowSuperHidden = 0 keeps files carrying the hidden+system attributes out of Explorer listings (again the Windows default).
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jjmcoyxdcc.exe
Windows security bypass 5 IoCs
The Security Center values land under WOW6432Node because jjmcoyxdcc.exe runs from SysWOW64 as a 32-bit process and WOW64 redirects its HKLM\SOFTWARE writes; a check of the 64-bit view of Security Center will not show them.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jjmcoyxdcc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jjmcoyxdcc.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | c6931c7e8b35b15b7f4745f96494051e.exe
Executes dropped EXE 5 IoCs
pid | Process
4688 | jjmcoyxdcc.exe
4284 | xgpczthlblykbsi.exe
2692 | vivbbjnl.exe
4336 | qcjzwtahiauhd.exe
4384 | vivbbjnl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jjmcoyxdcc.exe
Adds Run key to start application 2 TTPs 3 IoCs
Three Run entries are written by xgpczthlblykbsi.exe, one for each of the other dropped binaries plus itself; the third has an empty value name, i.e. it sets the Run key's default value.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hucukdgp = "jjmcoyxdcc.exe" | xgpczthlblykbsi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smsmtkyn = "xgpczthlblykbsi.exe" | xgpczthlblykbsi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qcjzwtahiauhd.exe" | xgpczthlblykbsi.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\<letter>: | jjmcoyxdcc.exe: 23 opens, one each for a: b: e: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z:
File opened (read-only) | \??\<letter>: | vivbbjnl.exe: 41 opens over the same 23 letters (18 letters twice, b: r: x: a: p: once); the process tree runs two instances of this binary, PIDs 2692 and 4384
The 64 rows are collapsed here by process: every drive letter from a: to z: is probed except c:, d: and f:.
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = 4294967197 is 0xFFFFFF9D, the value that switched off Windows File Protection on Windows 2000/XP; Windows Resource Protection (Vista onward) does not read it, so on this Windows 10 image the write is a legacy artifact rather than an effective bypass.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jjmcoyxdcc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jjmcoyxdcc.exe
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
The first hit is the sample's own image in memory (PID 432, base 0x400000), so the submitted file is itself a compiled AutoIt script; the remaining seven hits are files it dropped.
resource | yara_rule
behavioral2/memory/432-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023240-5.dat | autoit_exe
behavioral2/files/0x000800000002323d-18.dat | autoit_exe
behavioral2/files/0x0008000000023241-27.dat | autoit_exe
behavioral2/files/0x0008000000023243-31.dat | autoit_exe
behavioral2/files/0x00020000000227e5-60.dat | autoit_exe
behavioral2/files/0x0004000000022cfa-63.dat | autoit_exe
behavioral2/files/0x00060000000227ec-134.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\vivbbjnl.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | C:\Windows\SysWOW64\vivbbjnl.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vivbbjnl.exe
File created | C:\Windows\SysWOW64\xgpczthlblykbsi.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | C:\Windows\SysWOW64\xgpczthlblykbsi.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jjmcoyxdcc.exe
File created | C:\Windows\SysWOW64\jjmcoyxdcc.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vivbbjnl.exe
File opened for modification | C:\Windows\SysWOW64\jjmcoyxdcc.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File created | C:\Windows\SysWOW64\qcjzwtahiauhd.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | C:\Windows\SysWOW64\qcjzwtahiauhd.exe | c6931c7e8b35b15b7f4745f96494051e.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vivbbjnl.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | vivbbjnl.exe
Drops file in Program Files directory 15 IoCs
All fifteen rows come from vivbbjnl.exe and touch four names in the Office16\1033 folder: PROTTPLV.DOC.exe and PROTTPLN.DOC.exe (executables whose names read as Word documents once HideFileExt hides the .exe) and PROTTPLV.nal and PROTTPLN.nal.
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vivbbjnl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vivbbjnl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vivbbjnl.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | vivbbjnl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | vivbbjnl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | vivbbjnl.exe
Drops file in Windows directory 3 IoCs
The sample writes C:\Windows\mydoc.rtf and then launches Word on it (process tree below); ~$mydoc.rtf is the owner/lock file Word creates when it opens a document.
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
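The three file-drop tables above share one flattened row format, and the security-relevant point in them is the pairing of double-extension names with the HideFileExt write: what the user sees is PROTTPLV.DOC, not PROTTPLV.DOC.exe. The script below is an added example, not tooling from the sandbox vendor or code from the sample. It parses rows constructed from the tables above (a subset, embedded inline), strips the NT \??\ prefix, locates each drop and computes the name Explorer would show with extensions hidden. The DOC_LIKE set and the location buckets are this example's own choices.

```python
"""Triage the 'Drops file in ...' rows from this report: normalise the NT
paths, locate each drop and show what Explorer displays for the
double-extension names.  Added example; not tooling from the sandbox vendor
or from the sample."""
import re
from dataclasses import dataclass

# Rows constructed from the three file-drop tables above (a subset).
SAMPLE_ROWS = [
    r"File created C:\Windows\SysWOW64\vivbbjnl.exe c6931c7e8b35b15b7f4745f96494051e.exe",
    r"File opened for modification C:\Windows\SysWOW64\msvbvm60.dll jjmcoyxdcc.exe",
    r"File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe vivbbjnl.exe",
    r"File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe vivbbjnl.exe",
    r"File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe vivbbjnl.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal vivbbjnl.exe",
    r"File opened for modification C:\Windows\mydoc.rtf c6931c7e8b35b15b7f4745f96494051e.exe",
]

# Columns: description, ioc (a path that may contain spaces), Process.  The
# greedy path group backtracks to the last space, where the process name starts.
ROW_RE = re.compile(r"^(?P<action>File created|File opened for modification) "
                    r"(?P<path>.+) (?P<proc>\S+)$")

# Inner extensions that make 'name.<ext>.exe' read like a document (example's own list).
DOC_LIKE = {"doc", "docx", "rtf", "pdf", "txt", "xls", "xlsx", "ppt", "pptx"}


@dataclass(frozen=True)
class Drop:
    action: str
    path: str
    process: str
    location: str
    masquerades_as_document: bool
    shown_as: str  # the name Explorer lists with HideFileExt=1


def normalize_path(path):
    """Strip the NT object-manager prefix \\??\\ and upper-case the drive letter."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def explorer_display_name(path, hide_file_ext=True):
    """With HideFileExt=1 Explorer drops the final (known) extension, so
    PROTTPLV.DOC.exe is listed as PROTTPLV.DOC."""
    name = path.rsplit("\\", 1)[-1]
    if hide_file_ext and "." in name:
        name = name.rsplit(".", 1)[0]
    return name


def classify_location(path):
    p = path.lower()
    if p.startswith(("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")):
        return "system32"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def is_double_extension_exe(path):
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DOC_LIKE


def parse_drops(rows):
    drops = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        path = normalize_path(m["path"])
        drops.append(Drop(m["action"], path, m["proc"], classify_location(path),
                          is_double_extension_exe(path), explorer_display_name(path)))
    return drops


def masquerading(drops):
    """Distinct executables whose name reads as a document once .exe is hidden."""
    return sorted({d.path for d in drops if d.masquerades_as_document})


if __name__ == "__main__":
    for d in parse_drops(SAMPLE_ROWS):
        flag = "  <- looks like a document" if d.masquerades_as_document else ""
        print(f"{d.location:13} {d.process:40} {d.shown_as}{flag}")
```

Run it on the full tables rather than the subset and `masquerading()` is the list of files to pull for static analysis first; `explorer_display_name(path, hide_file_ext=False)` gives the name an analyst box with extensions shown would display, which is why screenshots from the two environments disagree.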
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
All six reads in this and the next table come from WINWORD.EXE, which the sample launched on mydoc.rtf; they are Word's own start-up behaviour and are not evidence of sandbox checks by the dropped binaries.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
Two distinct things happen here. jjmcoyxdcc.exe points the .bat, .reg, .vbs, .wsh, .wsf and .wsc extensions at the txtfile ProgID, so double-clicking any of those script types opens it in Notepad instead of executing it (a common way to blunt cleanup scripts). Separately, the sample writes six opaque hex strings under its own CLV.Classes key.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | jjmcoyxdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | jjmcoyxdcc.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78668B0FE6722DDD27BD0D18A7E906A" | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBDFACAFE14F1E3847A3A4586EC39E4B08D02F842610332E1CC459C08A3" | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B1584493399953CCBAA7329BD7CA" | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67C14E1DAB6B9C07C94EC9734C7" | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | jjmcoyxdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | jjmcoyxdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | jjmcoyxdcc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c6931c7e8b35b15b7f4745f96494051e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | jjmcoyxdcc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302C0D9C2483256A3377A0772E2CDA7DF664DA" | c6931c7e8b35b15b7f4745f96494051e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | jjmcoyxdcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FFFF482A821B9046D6587D94BDE5E140594666426336D790" | c6931c7e8b35b15b7f4745f96494051e.exe
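The registry tables above (Explorer hiding, Security Center, Policies, Winlogon, Run keys, script class changes) all use the same `Set value (kind) \REGISTRY\... = "value" process` row format, and two details in them trip up a naive host check: the Explorer values are written to what Windows already uses by default, so a "differs from default" comparison never fires and only the write event by an unexpected process is detectable; and the HKLM writes sit under WOW6432Node because the writer is a 32-bit process, so the 64-bit view of those keys stays clean. The script below is an added example, not tooling from the sandbox vendor or code from the sample. It normalises rows constructed from the tables above (a subset, embedded inline) into hive-qualified keys, groups them by the kind of tampering, and flags the default-restating and WOW64-redirected ones. The category labels and the WINDOWS_DEFAULTS table are this example's own.

```python
"""Normalise the 'Set value (...)' registry rows from this report into
hive-qualified key/value pairs, group them by kind of tampering and flag
values that merely restate a Windows default.  Added example; not tooling
from the sandbox vendor or from the sample."""
import re
from collections import Counter

# Rows constructed from the registry signature tables above (a subset).
# The SID is the sandbox user's and would never match a real host verbatim.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" jjmcoyxdcc.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jjmcoyxdcc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jjmcoyxdcc.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jjmcoyxdcc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" jjmcoyxdcc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hucukdgp = "jjmcoyxdcc.exe" xgpczthlblykbsi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qcjzwtahiauhd.exe" xgpczthlblykbsi.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" jjmcoyxdcc.exe',
]

ROW_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$')

# Explorer\Advanced values the dropper sets to what a fresh Windows install
# already uses, so a "differs from default" check never fires on them.
WINDOWS_DEFAULTS = {"hidefileext": "1", "showsuperhidden": "0"}

# Lower-case key fragment -> tampering category (first match wins; example's own labels).
CATEGORIES = [
    ("\\explorer\\advanced", "explorer_hiding"),
    ("\\security center", "security_center"),
    ("\\policies\\system", "policy_lockdown"),
    ("\\winlogon", "winlogon"),
    ("\\currentversion\\run", "autorun"),
    ("\\classes\\.", "script_class_hijack"),
]


def hive_path(path):
    """Map the kernel object path to the hive names admin tooling uses."""
    upper = path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU\\" + path[len("\\REGISTRY\\USER\\"):]
    return path


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        return None
    key, _, name = hive_path(m["path"]).rpartition("\\")
    name = name or "(Default)"  # 'Run\ = "..."' writes the key's default value
    key_l = key.lower()
    category = next((label for needle, label in CATEGORIES if needle in key_l), "other")
    value = m["value"]
    return {
        "key": key, "name": name, "kind": m["kind"], "value": value,
        "value_hex": hex(int(value)) if m["kind"] == "int" else None,
        "process": m["proc"], "category": category,
        # A 32-bit writer's HKLM\SOFTWARE writes land under WOW6432Node.
        "wow64_redirected": "\\wow6432node\\" in key_l,
        "matches_default": category == "explorer_hiding"
        and WINDOWS_DEFAULTS.get(name.lower()) == value,
    }


def parse_rows(rows):
    return [r for r in (parse_row(x) for x in rows) if r]


def summarize(records):
    """Number of rows per tampering category."""
    return dict(Counter(r["category"] for r in records))


def native_view(key):
    """The same key as 64-bit tooling sees it; on an x64 host check both views."""
    return re.sub(r"\\WOW6432Node", "", key, flags=re.IGNORECASE)


if __name__ == "__main__":
    for rec in parse_rows(SAMPLE_ROWS):
        note = "  (Windows default)" if rec["matches_default"] else ""
        print(f'{rec["category"]:20} {rec["key"]}\\{rec["name"]} = {rec["value"]!r}{note}')
    print(summarize(parse_rows(SAMPLE_ROWS)))
```

The `value_hex` field is what turns SFCDisable's 4294967197 into 0xffffff9d, and `native_view()` gives the second path to check on an x64 host for every `wow64_redirected` record.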
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process | rows
1564 | WINWORD.EXE | 2
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | rows
432 | c6931c7e8b35b15b7f4745f96494051e.exe | 16
4688 | jjmcoyxdcc.exe | 10
4284 | xgpczthlblykbsi.exe | 14
2692 | vivbbjnl.exe | 8
4336 | qcjzwtahiauhd.exe | 16
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | rows
432 | c6931c7e8b35b15b7f4745f96494051e.exe | 3
4688 | jjmcoyxdcc.exe | 3
4284 | xgpczthlblykbsi.exe | 3
2692 | vivbbjnl.exe | 3
4336 | qcjzwtahiauhd.exe | 3
4384 | vivbbjnl.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | rows
432 | c6931c7e8b35b15b7f4745f96494051e.exe | 3
4688 | jjmcoyxdcc.exe | 3
4284 | xgpczthlblykbsi.exe | 3
2692 | vivbbjnl.exe | 3
4336 | qcjzwtahiauhd.exe | 3
4384 | vivbbjnl.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process | rows
1564 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory 17 IoCs
Every target PID below is a direct child of the writing process in the tree that follows, which is the pattern of a parent launching a child rather than of injection into an unrelated process.
description | pid | Process | procid_target | rows
PID 432 wrote to memory of 4688 | 432 | c6931c7e8b35b15b7f4745f96494051e.exe | 98 | 3
PID 432 wrote to memory of 4284 | 432 | c6931c7e8b35b15b7f4745f96494051e.exe | 99 | 3
PID 432 wrote to memory of 2692 | 432 | c6931c7e8b35b15b7f4745f96494051e.exe | 100 | 3
PID 432 wrote to memory of 4336 | 432 | c6931c7e8b35b15b7f4745f96494051e.exe | 101 | 3
PID 4688 wrote to memory of 4384 | 4688 | jjmcoyxdcc.exe | 102 | 3
PID 432 wrote to memory of 1564 | 432 | c6931c7e8b35b15b7f4745f96494051e.exe | 103 | 2
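The WriteProcessMemory table above is the raw material for the process tree in the next section: the sandbox logs one row per write, an ordinary launch produces several, and the interesting question is whether any write targets a process the writer did not start. The script below is an added example, not tooling from the sandbox vendor or code from the sample. It parses rows constructed from the table above, collapses the duplicates into parent/child edges, renders the tree, and reports writes that fall outside the parent/child pairs read off the Processes section. The PID-to-name map and the PROCESS_TREE_EDGES set are transcribed from this page; the row regex is this example's own.

```python
"""Rebuild the parent/child process tree from this report's 'wrote to memory
of' rows and compare it with the Processes section.  Added example; not
tooling from the sandbox vendor or from the sample."""
import re
from collections import defaultdict

# Rows constructed from the WriteProcessMemory table above.  The sandbox logs
# one row per write and an ordinary process launch produces several, so the
# duplicates are real and must be collapsed.
SAMPLE_ROWS = [
    "PID 432 wrote to memory of 4688 432 c6931c7e8b35b15b7f4745f96494051e.exe 98",
    "PID 432 wrote to memory of 4688 432 c6931c7e8b35b15b7f4745f96494051e.exe 98",
    "PID 432 wrote to memory of 4688 432 c6931c7e8b35b15b7f4745f96494051e.exe 98",
    "PID 432 wrote to memory of 4284 432 c6931c7e8b35b15b7f4745f96494051e.exe 99",
    "PID 432 wrote to memory of 2692 432 c6931c7e8b35b15b7f4745f96494051e.exe 100",
    "PID 432 wrote to memory of 4336 432 c6931c7e8b35b15b7f4745f96494051e.exe 101",
    "PID 4688 wrote to memory of 4384 4688 jjmcoyxdcc.exe 102",
    "PID 432 wrote to memory of 1564 432 c6931c7e8b35b15b7f4745f96494051e.exe 103",
]

# pid -> image name, from the 'Executes dropped EXE' and WINWORD rows above.
NAMES = {
    432: "c6931c7e8b35b15b7f4745f96494051e.exe", 4688: "jjmcoyxdcc.exe",
    4284: "xgpczthlblykbsi.exe", 2692: "vivbbjnl.exe",
    4336: "qcjzwtahiauhd.exe", 4384: "vivbbjnl.exe", 1564: "WINWORD.EXE",
}

# Parent/child pairs read off the Processes section (tree depth 1 -> 2 -> 3).
PROCESS_TREE_EDGES = {(432, 4688), (4688, 4384), (432, 4284),
                      (432, 2692), (432, 4336), (432, 1564)}

# Columns: description, pid, Process, procid_target.  The back-reference
# insists the pid column repeats the writer named in the description.
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                    r"(?P=src) (?P<proc>\S+) (?P<target>\d+)$")


def parse_edges(rows):
    """Ordered, de-duplicated (writer, target) pairs."""
    edges, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def children_map(edges):
    kids = defaultdict(list)
    for parent, child in edges:
        kids[parent].append(child)
    return dict(kids)


def roots(edges):
    """Writers that are never themselves a target."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def render_tree(edges, names=NAMES):
    kids, lines = children_map(edges), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


def foreign_writes(edges, tree_edges=PROCESS_TREE_EDGES):
    """Writes into a process the writer did not launch.  That is what injection
    looks like; a write matching a parent/child edge is just process creation."""
    return [e for e in edges if e not in tree_edges]


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print(render_tree(edges))
    print("writes outside the launch tree:", foreign_writes(edges))
```

For this run `foreign_writes()` is empty, which is the check that lets you read the 17 rows as launches. The msedge.exe utility process (PID 4860) never appears as a target, consistent with its top-level position in the tree.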
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6931c7e8b35b15b7f4745f96494051e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c6931c7e8b35b15b7f4745f96494051e.exe"
Tree depth: 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 432
C:\Windows\SysWOW64\jjmcoyxdcc.exe
Command line: jjmcoyxdcc.exe
Tree depth: 2 (child of PID 432)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4688
C:\Windows\SysWOW64\vivbbjnl.exe
Command line: C:\Windows\system32\vivbbjnl.exe
Tree depth: 3 (child of PID 4688). The command line names system32, but the 32-bit parent is subject to WOW64 file-system redirection, so the image that runs is the copy the sample dropped in SysWOW64.
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4384
C:\Windows\SysWOW64\xgpczthlblykbsi.exe
Command line: xgpczthlblykbsi.exe
Tree depth: 2 (child of PID 432)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4284
C:\Windows\SysWOW64\vivbbjnl.exe
Command line: vivbbjnl.exe
Tree depth: 2 (child of PID 432)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 2692
C:\Windows\SysWOW64\qcjzwtahiauhd.exe
Command line: qcjzwtahiauhd.exe
Tree depth: 2 (child of PID 432)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4336
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
Tree depth: 2 (child of PID 432). Word is launched by the sample on C:\Windows\mydoc.rtf, the file the sample had itself opened for modification; the signatures below are Word's own behaviour on that document.
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 1564
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=940 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
Tree depth: 1 (a top-level process, not a child of the sample; no signatures are attributed to it and it appears in no WriteProcessMemory row)
PID: 4860
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 6
Downloads
Seven of the eleven files below are 512KB like the submitted sample yet each carries a different hash, so the per-file hashes from this run are weak indicators on their own; paths were not recorded for most entries.
-
Filesize: 512KB
MD5: 2202ef81704fe9b71eed97e9192d6201
SHA1: 2ce921e12002ed6974d2b6ea1474796ef5bcf8e5
SHA256: 329162786626589eae3ede33a41ce4b96bbdcebc7c33976203a8cf750ae11c56
SHA512: e91bac3e85c091ed62800cfbc2bb793d850c43e4b9d390d7289416c63b8969c049930637f281ace6d1ab9f3b2c167a57fd7060e73ec59f498a7327bac3033ca0
-
Filesize: 512KB
MD5: d5a96e36692de5e286a073cc88019798
SHA1: 1f431e8e97b7d370899e676f42dda6c496c88e6d
SHA256: be93bb87baaaf6a9072a8cacc681246ccdd67bee02ee3ad17b2a387a9f51f76e
SHA512: b0b7a7fdeadbafd767ec2e9b40fc37bfa0efb996134d293a90620146f4e33a588d8fb83c537c60432ea9067ca7e317917bfd1122e6dc92b7a5d6b061ad6837b3
-
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 99cda853b8c88978fe5d3b457cf52d1f
SHA1: 0f0a64d61129047b3606f9c436b12f1cdeebabe0
SHA256: 800dffd6a3c22d394e82a1e4d4b914617d8ccddc8289ed09f127326393b04023
SHA512: 9802174de5e4f33603ed21f2f3228ee304fc2362d0a7053356bcec967a4cb0b17ec4cba36cc690ea655ea3ee71169b378fedd29843134ce4641f5a5babc8bc57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 461bbb97d3ab841905b5410995e6566b
SHA1: ba6d86fcc88b5805e71387ec0f0025a172b36a63
SHA256: 2ba693efb9be6b3133ec9d6207ebcf61938884ac0f15c87cfe7f85a6b58168f4
SHA512: 62cdd2b9e1e976bf8901554eb64be954c6f4a67d7e789c94f67ce6ab32a2e91ebb3aa65859e7942b2bd8c91c4e6a3064db78d5789b98b1f6d6b7b6fd2f64eb30
-
Filesize: 512KB
MD5: f83339315ab85faad6404a9ffcae9c28
SHA1: 3d1872c0a7ecdbcf3d5fffc4c93913cf3f0701f5
SHA256: aa2bdafe85de758a5e8a53510d0cd641acf4fa677fea0ac0a68e55868fbb17f4
SHA512: 99fbd577e9b05847ff66e747dff4d21ae7d187df8201c08785feb3e3912694537d89ccf387a241a8690277026072d00b305318be54708c2de9b484af4513aded
-
Filesize: 512KB
MD5: 93fe6d9a7a542b8d584d6757b2591bd4
SHA1: d8af6ec2ee5a178992ca946f18aab1aa391a8c10
SHA256: e447a9c031f44a7b6f6fd5b6d4c33d7cc145688a686adf530911c010dd5c6701
SHA512: 2fcd71990ec37e6e48fcde4fafca467a3f200da4dc44535b91fce54c982c3a3a6819374386dc497aa7fe6a369a88315125ecb6ca634a59425a845748db8ccf86
-
Filesize: 512KB
MD5: 3dad1c0a09f97eff0e5faa3a5e28fd47
SHA1: 112d87a5007c9804cd87a7a9cf81c7f60dd7793a
SHA256: 1021dbde39f7ddaed266102e59bf7f386f371a576218980c1123378708e511fa
SHA512: 497da0cd4d88b3fdf6464de18c4ad736e489e180d84e4023d4edf7a21ef357db87981bc04b367c3137151cc18efdbe2f399ee95e2e17c2f12f5afb5b0e58657b
-
Filesize: 512KB
MD5: b8e9c5ead7197aca6a826d063fa65f39
SHA1: fae3b33b4714b5dce7fb14f486c5df19f95e7ff3
SHA256: 7bf38f6ae6dbdbb5206c99f03f1f3b0d68079f5ef0c78bd3913964b75de87610
SHA512: d0a116cdd44188b2e59af55ad7869b9ba98433bf31d30e52b1876fd2b87b7fe00347b9e6b65bf6fc1f6edf1d621343ba10601dd680b1aa2a75ebe2c92eaa518c
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 806748ba524a7799b7a25eb26683e5fb
SHA1: 02ce5c56da369a89467cf127d92f7d92fcf2ab84
SHA256: f7fe5ef12bd162c782fc4e2ae60db7baec9c89005b929dc03ddc179e1b373c1b
SHA512: b944f27f876cdecf914295eed322915e58e87103aa3cedf53af68271670ecff478c6276ea8822ee81aaefb711e5fca35ff7fcb6e82f8ea47bb057b667093a936