Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/03/2024, 20:00
Static task: static1
Behavioral task: behavioral1
- Sample: c6bc872d7343ffeec96b71352192a5f4.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c6bc872d7343ffeec96b71352192a5f4.exe
- Resource: win10v2004-20240226-en
General
- Target: c6bc872d7343ffeec96b71352192a5f4.exe
- Size: 512KB
- MD5: c6bc872d7343ffeec96b71352192a5f4
- SHA1: 593040758bec6126a76b78ad661dcadf3ade869f
- SHA256: a4c105ca89c85e54a7b0dfa1b30a7458801fe542a083a1956494eefcf107b9c2
- SHA512: af68c0b8f537daefe1500a6f9c15c605461e1912bb447d226251fd5612dcb197b4367a859e814243bb184de36f1a86b327e38142a1df31cfac515690cb8d8293
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | bfrodadhmp.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bfrodadhmp.exe

Windows security bypass (signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bfrodadhmp.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfrodadhmp.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | c6bc872d7343ffeec96b71352192a5f4.exe

Executes dropped EXE (5 IoCs)
pid | Process
516 | bfrodadhmp.exe
5092 | hfegneztfltexdf.exe
3884 | jdzxaend.exe
2636 | kpcbngrukpeso.exe
3460 | jdzxaend.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (signature name as listed in the process tree)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | bfrodadhmp.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jznnesgu = "bfrodadhmp.exe" | hfegneztfltexdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qolcymdx = "hfegneztfltexdf.exe" | hfegneztfltexdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kpcbngrukpeso.exe" | hfegneztfltexdf.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (64 entries, grouped by process)
File opened (read-only) | \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\v: \??\w: \??\x: \??\y: \??\z: | bfrodadhmp.exe (21 entries)
File opened (read-only) | \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | jdzxaend.exe (43 entries: each drive listed twice, except \??\r: which is listed once)
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | bfrodadhmp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | bfrodadhmp.exe

AutoIT Executable (8 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1476-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00090000000231fd-5.dat | autoit_exe
behavioral2/files/0x0007000000023204-26.dat | autoit_exe
behavioral2/files/0x000400000001e5eb-19.dat | autoit_exe
behavioral2/files/0x0007000000023205-32.dat | autoit_exe
behavioral2/files/0x000700000002320d-72.dat | autoit_exe
behavioral2/files/0x0007000000023221-97.dat | autoit_exe
behavioral2/files/0x0007000000023221-103.dat | autoit_exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\hfegneztfltexdf.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\SysWOW64\kpcbngrukpeso.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | bfrodadhmp.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | C:\Windows\SysWOW64\bfrodadhmp.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\SysWOW64\bfrodadhmp.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\SysWOW64\hfegneztfltexdf.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File created | C:\Windows\SysWOW64\jdzxaend.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\SysWOW64\jdzxaend.exe | c6bc872d7343ffeec96b71352192a5f4.exe
File created | C:\Windows\SysWOW64\kpcbngrukpeso.exe | c6bc872d7343ffeec96b71352192a5f4.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jdzxaend.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jdzxaend.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jdzxaend.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jdzxaend.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jdzxaend.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jdzxaend.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jdzxaend.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | C:\Windows\mydoc.rtf | c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jdzxaend.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jdzxaend.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jdzxaend.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67E1597DAC3B9CD7CE9EDE537BA" | c6bc872d7343ffeec96b71352192a5f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAC9F913F1E7837E3B4481EA3E95B08902F84213033CE2BD429D08D3" | c6bc872d7343ffeec96b71352192a5f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7E9D5283506A4176D170222CD67D8365D9" | c6bc872d7343ffeec96b71352192a5f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | bfrodadhmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | bfrodadhmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | bfrodadhmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | bfrodadhmp.exe
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | c6bc872d7343ffeec96b71352192a5f4.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c6bc872d7343ffeec96b71352192a5f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFCFE485A85139136D7207E97BC93E146584767426246D79B" | c6bc872d7343ffeec96b71352192a5f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068C6FE6A21ADD20CD1D48A7E9016" | c6bc872d7343ffeec96b71352192a5f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | bfrodadhmp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | bfrodadhmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B12E44E438EA53CFBAD7329BD7BB" | c6bc872d7343ffeec96b71352192a5f4.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | entries
1644 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 16
516 | bfrodadhmp.exe | 10
5092 | hfegneztfltexdf.exe | 12
3884 | jdzxaend.exe | 8
2636 | kpcbngrukpeso.exe | 12
3460 | jdzxaend.exe | 6

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | entries
1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 3
516 | bfrodadhmp.exe | 3
5092 | hfegneztfltexdf.exe | 3
3884 | jdzxaend.exe | 3
2636 | kpcbngrukpeso.exe | 3
3460 | jdzxaend.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | entries
1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 3
516 | bfrodadhmp.exe | 3
5092 | hfegneztfltexdf.exe | 3
3884 | jdzxaend.exe | 3
2636 | kpcbngrukpeso.exe | 3
3460 | jdzxaend.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | entries
1644 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | entries
PID 1476 wrote to memory of 516 | 1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 90 | 3
PID 1476 wrote to memory of 5092 | 1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 91 | 3
PID 1476 wrote to memory of 3884 | 1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 92 | 3
PID 1476 wrote to memory of 2636 | 1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 93 | 3
PID 1476 wrote to memory of 1644 | 1476 | c6bc872d7343ffeec96b71352192a5f4.exe | 94 | 2
PID 516 wrote to memory of 3460 | 516 | bfrodadhmp.exe | 96 | 3
Processes
C:\Users\Admin\AppData\Local\Temp\c6bc872d7343ffeec96b71352192a5f4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6bc872d7343ffeec96b71352192a5f4.exe"
  PID: 1476
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\bfrodadhmp.exe
    Command line: bfrodadhmp.exe
    PID: 516
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\jdzxaend.exe
      Command line: C:\Windows\system32\jdzxaend.exe
      PID: 3460
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hfegneztfltexdf.exe
    Command line: hfegneztfltexdf.exe
    PID: 5092
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jdzxaend.exe
    Command line: jdzxaend.exe
    PID: 3884
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\kpcbngrukpeso.exe
    Command line: kpcbngrukpeso.exe
    PID: 2636
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 1644
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads