Analysis
max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 16:36
Static task: static1
Behavioral task: behavioral1 (Sample: c919a4c0d3a168ef0b01943276876cdd.exe; Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: c919a4c0d3a168ef0b01943276876cdd.exe; Resource: win10v2004-20240226-en)
General
Target: c919a4c0d3a168ef0b01943276876cdd.exe
Size: 512KB
MD5: c919a4c0d3a168ef0b01943276876cdd
SHA1: 60b23055fbf6a1290e7b551617f29942cf347b33
SHA256: cadf688bb8d1c057677db0ac62a335e30257c0eb87d756cc729dc3645fa0a740
SHA512: b84cc2bda4f84ef7f199dcab206720321ff4c69bea253ca3b12f06059846e51c48dc5030e52ddae9cc1267982a12eeb838487155d6682102e50910971ac2af52
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6o:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm57
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (rtednxwjax.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (rtednxwjax.exe)
Windows security bypass 5 IoCs
Together with HideFileExt = "1" above, hiding extensions and super-hidden files keeps the dropped <name>.DOC.exe binaries listed further down looking like documents in Explorer.
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rtednxwjax.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (rtednxwjax.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (c919a4c0d3a168ef0b01943276876cdd.exe)
Executes dropped EXE 5 IoCs
- PID 4440 rtednxwjax.exe
- PID 4508 jlabmunmqywsjpg.exe
- PID 4032 fhvmpobo.exe
- PID 4912 iozuhxeildgcd.exe
- PID 4980 fhvmpobo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. (No IoC rows were recorded for this signature.)
Windows security modification 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (rtednxwjax.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kiokpvyz = "rtednxwjax.exe" (jlabmunmqywsjpg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\izppxpkg = "jlabmunmqywsjpg.exe" (jlabmunmqywsjpg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (unnamed default value) = "iozuhxeildgcd.exe" (jlabmunmqywsjpg.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drive roots opened read-only (64 entries listed, grouped by process):
- rtednxwjax.exe: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: (22 entries)
- fhvmpobo.exe (both instances): \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: (42 entries, most letters opened twice)
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (rtednxwjax.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (rtednxwjax.exe)
4294967197 is 0xFFFFFF9D (signed -99), the Windows 2000/XP-era value used to switch off Windows File Protection. Windows Resource Protection on Vista and later does not honour it, so on this Windows 10 target the write is a fingerprint of old code rather than an effective bypass.
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched:
- behavioral2/memory/2692-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x000700000002321f-9.dat
- behavioral2/files/0x000300000001e9a0-20.dat
- behavioral2/files/0x00090000000224f7-22.dat
- behavioral2/files/0x0007000000023220-32.dat
- behavioral2/files/0x000700000002322e-75.dat
- behavioral2/files/0x000700000002322d-69.dat
- behavioral2/files/0x000700000002323d-98.dat
- behavioral2/files/0x000700000002323d-101.dat
Drops file in System32 directory 13 IoCs
- c919a4c0d3a168ef0b01943276876cdd.exe: File created and File opened for modification for each of C:\Windows\SysWOW64\rtednxwjax.exe, C:\Windows\SysWOW64\jlabmunmqywsjpg.exe, C:\Windows\SysWOW64\fhvmpobo.exe, C:\Windows\SysWOW64\iozuhxeildgcd.exe (8 entries)
- fhvmpobo.exe: \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe, File created (x2) and File opened for modification (x2)
- rtednxwjax.exe: C:\Windows\SysWOW64\msvbvm60.dll, File opened for modification
Drops file in Program Files directory 14 IoCs
All by fhvmpobo.exe, under C:\Program Files\Microsoft Office\root\Office16\1033\:
- PROTTPLN.DOC.exe: File created (x1), File opened for modification (x4)
- PROTTPLN.nal: File opened for modification (x2)
- PROTTPLV.DOC.exe: File created (x1), File opened for modification (x4)
- PROTTPLV.nal: File opened for modification (x2)
Drops file in Windows directory 19 IoCs
- WINWORD.EXE: C:\Windows\~$mydoc.rtf File created; C:\Windows\mydoc.rtf File opened for modification
- c919a4c0d3a168ef0b01943276876cdd.exe: C:\Windows\mydoc.rtf File opened for modification
- fhvmpobo.exe, MsoIrmProtector.doc.exe written into four WinSxS component directories, each File created (x2) and File opened for modification (x2):
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
  \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
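The three drop sections above share one pattern: fhvmpobo.exe writes executables named <document>.DOC.exe next to same-stem .nal files in Office and WinSxS directories, and the sample plants its four components in SysWOW64. The Python below is an added example, not code from this report or from the sandbox, that parses rows in the report's own "File created|opened for modification <path> <process>" shape (the sample rows are copied from the sections above, with one benign WINWORD row kept as a control) and flags double-extension document executables, binaries written under system directories, and same-stem companion pairs. The document-extension list, the system-directory list and the row format are assumptions made here.

```python
"""Flag suspicious file-drop patterns from sandbox-style file event rows.

Added example; not code from the report or its sandbox. Row format,
document-extension list and system-directory list are assumptions made here.
"""
import re
from collections import defaultdict

# Constructed sample rows, copied from this report's drop sections.
SAMPLE_FILE_EVENTS = [
    r"File created C:\Windows\SysWOW64\rtednxwjax.exe c919a4c0d3a168ef0b01943276876cdd.exe",
    r"File opened for modification C:\Windows\SysWOW64\msvbvm60.dll rtednxwjax.exe",
    r"File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe fhvmpobo.exe",
    r"File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe fhvmpobo.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal fhvmpobo.exe",
    r"File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe fhvmpobo.exe",
    r"File created C:\Windows\~$mydoc.rtf WINWORD.EXE",
    r"File opened for modification C:\Windows\mydoc.rtf c919a4c0d3a168ef0b01943276876cdd.exe",
]

# "<op> <path with spaces> <process>": the process is the last whitespace-free token.
FILE_EVENT_RE = re.compile(r"^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>\S+)$")

# A document extension immediately followed by .exe (invisible once HideFileExt = 1).
DOC_EXE_RE = re.compile(r"\.(doc|docx|docm|rtf|xls|xlsx|ppt|pptx|pdf|txt)\.exe$")

# Locations where a non-installer process should not be dropping binaries (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
BINARY_EXTS = (".exe", ".dll", ".sys", ".scr")


def normalize_path(path: str) -> str:
    """Strip the NT object-manager prefix and lower-case for comparison."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_file_event(line: str):
    """Parse one row; returns dict(op, path, proc) or None if the row does not match."""
    m = FILE_EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = normalize_path(ev["path"])
    return ev


def analyze(lines):
    """Group file events into the three findings a triage analyst wants to see."""
    report = {"double_ext": [], "system_drops": [], "companions": {}}
    stems = defaultdict(set)  # "<dir>\<stem>" -> set of suffixes seen for that stem
    for line in lines:
        ev = parse_file_event(line)
        if ev is None:
            continue
        directory, _, base = ev["path"].rpartition("\\")
        if DOC_EXE_RE.search(base):
            report["double_ext"].append((ev["path"], ev["proc"]))
        if ev["path"].startswith(SYSTEM_DIRS) and base.endswith(BINARY_EXTS):
            report["system_drops"].append((ev["op"], ev["path"], ev["proc"]))
        stem = base.split(".", 1)[0]          # name up to the first dot
        stems[directory + "\\" + stem].add(base[len(stem):])
    # A .nal sitting beside an executable of the same stem is the pairing seen in the report.
    report["companions"] = {
        k: sorted(v) for k, v in stems.items()
        if ".nal" in v and any(s.endswith(".exe") for s in v)
    }
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_FILE_EVENTS)
    for path, proc in result["double_ext"]:
        print(f"double extension : {path}  <- {proc}")
    for op, path, proc in result["system_drops"]:
        print(f"system dir {op}: {path}  <- {proc}")
    for stem, suffixes in result["companions"].items():
        print(f"companion pair   : {stem} {suffixes}")
```

On the rows above the WINWORD rows are not flagged (an .rtf under C:\Windows is neither a binary nor a double extension), the four SysWOW64/WinSxS binaries are, and PROTTPLN.DOC.exe is reported twice: once as a double extension and once as a companion of PROTTPLN.nal.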
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
Enumerates system info in registry 2 TTPs 3 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Both of these signatures fire on WINWORD.EXE, which the sample launched to open C:\Windows\mydoc.rtf; they are Word's own telemetry reads, not sandbox checks by the malware.
Modifies registry class 20 IoCs
By c919a4c0d3a168ef0b01943276876cdd.exe (configuration stored as opaque hex strings under a bogus class):
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7C9C2C83206A3277A777212CAD7D8F65A8"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAB8F917F1E0837D3A4486EE39E3B38E03FD4216023AE1C4459908D4"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB6B15B449339EF52CEBADD32E8D7C9"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF884F2A826D9130D62F7D90BDE4E147594367406346D790"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC3FE6B21AAD10BD1A88B099060"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1849C77B14E2DBC2B9CC7FE4ED9534CE"
By rtednxwjax.exe (script and .reg file types re-associated with the plain-text class):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat, \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs, \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf, \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh, \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc, \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
Pointing the default value of these extension keys at txtfile means a double-click (or ShellExecute) on a .bat, .vbs, .wsf, .wsh, .wsc or .reg file opens it in the text editor instead of running it. Combined with DisableRegistryTools = 1 above, this blocks the usual manual clean-up routes (batch/VBS scripts and .reg imports) until the associations are restored.
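The registry signatures above (Explorer visibility, Security Center notifications, RegEdit policy, Run keys, Winlogon SFC settings and the script-class remap) are all plain "Set value" events. The Python below is an added example, not code from this report or from the sandbox, that parses rows in the report's own 'Set value (int|str) <key> = "<value>" <process>' shape and classifies each into the behaviour headings used above. The sample rows are copied from this report plus one constructed benign control row; the ATT&CK IDs are the MITRE Enterprise technique numbers chosen here to match the technique names the report lists (T1564.001 Hidden Files and Directories, T1562.001 Disable or Modify Tools, T1547.001 Registry Run Keys, T1547.004 Winlogon Helper DLL, T1112 Modify Registry), and the rule thresholds are assumptions. It also decodes the DWORD SFCDisable value as a signed 32-bit integer, which the report does not do.

```python
"""Classify registry-write rows of the kind this report lists into behaviours.

Added example; not the report's or the sandbox's code. Rows are in the
report's own 'Set value (int|str) <key> = "<value>" <process>' shape. The
category names follow the report's signature headings; the ATT&CK technique
IDs are MITRE Enterprise IDs chosen here to match the report's technique names.
"""
import re
from collections import defaultdict

# Constructed sample rows copied from this report, plus one benign control row.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" rtednxwjax.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" rtednxwjax.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rtednxwjax.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" rtednxwjax.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kiokpvyz = "rtednxwjax.exe" jlabmunmqywsjpg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" rtednxwjax.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" rtednxwjax.exe',
    # Control row (constructed, not from the report): a user turning extensions back on.
    r'Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" explorer.exe',
]

EVENT_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" (?P<proc>\S+)$'
)
SECURITY_CENTER_NAMES = {
    "antivirusdisablenotify", "antivirusoverride", "firewalldisablenotify",
    "firewalloverride", "updatesdisablenotify", "firstrundisabled",
}
WINLOGON_NAMES = {"sfcdisable", "sfcscan", "shell", "userinit"}
SCRIPT_CLASS_RE = re.compile(r"^hklm\\software\\classes\\\.(bat|cmd|vbs|vbe|js|jse|wsf|wsh|wsc|reg|ps1)$")


def normalize(path: str) -> str:
    """Lower-case, map hives to hkcu/hklm, drop the user SID and the WOW6432Node redirector."""
    p = path.lower()
    p = re.sub(r"^\\registry\\user\\s-1-5-21-[0-9-]+\\", "hkcu\\\\", p)
    p = re.sub(r"^\\registry\\machine\\", "hklm\\\\", p)
    return p.replace("\\wow6432node\\", "\\")


def signed32(value: str) -> int:
    """Interpret a REG_DWORD printed as unsigned decimal as a signed 32-bit integer."""
    n = int(value)
    return n - 2**32 if n >= 2**31 else n


def parse_event(line: str):
    """Parse one 'Set value' row into dict(type, path, value, proc, key, name), or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["key"], _, ev["name"] = normalize(ev["path"]).rpartition("\\")   # name == "" for a default value
    return ev


def match_rules(ev):
    """Return (category, technique, detail) for one parsed row, or None if nothing matches."""
    key, name, value = ev["key"], ev["name"], ev["value"]
    if key.endswith("\\explorer\\advanced") and (
        (name == "hidefileext" and value == "1") or (name == "showsuperhidden" and value == "0")
    ):
        return ("Hides file extensions / hidden and system files in Explorer", "T1564.001", f"{name}={value}")
    if key.endswith("\\microsoft\\security center") and name in SECURITY_CENTER_NAMES and value == "1":
        return ("Silences Security Center notifications", "T1562.001", f"{name}={value}")
    if key.endswith("\\policies\\system") and name == "disableregistrytools" and value == "1":
        return ("Disables RegEdit via policy", "T1562.001", f"{name}={value}")
    if key.endswith("\\currentversion\\run"):
        return ("Run key persistence", "T1547.001", f"{name or '(default)'} -> {value}")
    if key.endswith("\\currentversion\\winlogon") and name in WINLOGON_NAMES:
        detail = f"{name}={value}"
        if name == "sfcdisable" and value.isdigit():
            detail += f" (signed {signed32(value)}, 0x{int(value) & 0xFFFFFFFF:08x})"
        return ("Modifies Winlogon / SFC settings", "T1547.004", detail)
    if SCRIPT_CLASS_RE.match(key) and name == "" and value.lower() == "txtfile":
        ext = key.rpartition(chr(92))[2]      # chr(92) is a backslash; f-strings cannot contain one
        return ("Script extension remapped to txtfile", "T1112", f"{ext} -> txtfile")
    return None


def classify(lines):
    """Parse every row and return the list of matched findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hit = match_rules(ev) if ev else None
        if hit:
            category, technique, detail = hit
            findings.append({"process": ev["proc"], "category": category,
                             "technique": technique, "detail": detail})
    return findings


def techniques_by_process(findings):
    """Collapse findings to {process: sorted technique IDs} for a quick triage view."""
    out = defaultdict(set)
    for f in findings:
        out[f["process"]].add(f["technique"])
    return {proc: sorted(ids) for proc, ids in out.items()}


if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['process']:<22} {f['technique']:<10} {f['category']}: {f['detail']}")
    print(techniques_by_process(found))
```

Seven of the eight rows match; the control row (HideFileExt set back to 0 by explorer.exe) does not, because the Explorer rule keys on the hiding direction, not on the key alone. The SFCDisable row is reported as "signed -99, 0xffffff9d", which is how the value is usually quoted.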
Suspicious behavior: AddClipboardFormatListener 2 IoCs
- PID 3908 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe (x16)
- PID 4440 rtednxwjax.exe (x10)
- PID 4508 jlabmunmqywsjpg.exe (x10)
- PID 4912 iozuhxeildgcd.exe (x12)
- PID 4032 fhvmpobo.exe (x8)
- PID 4980 fhvmpobo.exe (x8)
Suspicious use of FindShellTrayWindow 18 IoCs
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe, PID 4508 jlabmunmqywsjpg.exe, PID 4440 rtednxwjax.exe, PID 4912 iozuhxeildgcd.exe, PID 4032 fhvmpobo.exe, PID 4980 fhvmpobo.exe (x3 each)
Suspicious use of SendNotifyMessage 18 IoCs
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe, PID 4508 jlabmunmqywsjpg.exe, PID 4440 rtednxwjax.exe, PID 4912 iozuhxeildgcd.exe, PID 4032 fhvmpobo.exe, PID 4980 fhvmpobo.exe (x3 each)
Suspicious use of SetWindowsHookEx 7 IoCs
- PID 3908 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory 17 IoCs
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe wrote to memory of PID 4440 rtednxwjax.exe (x3, procid_target 90)
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe wrote to memory of PID 4508 jlabmunmqywsjpg.exe (x3, procid_target 91)
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe wrote to memory of PID 4032 fhvmpobo.exe (x3, procid_target 92)
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe wrote to memory of PID 4912 iozuhxeildgcd.exe (x3, procid_target 93)
- PID 2692 c919a4c0d3a168ef0b01943276876cdd.exe wrote to memory of PID 3908 WINWORD.EXE (x2, procid_target 94)
- PID 4440 rtednxwjax.exe wrote to memory of PID 4980 fhvmpobo.exe (x3, procid_target 96)
The write pattern (a few writes into each child right after spawning it) matches the parent supplying startup data to processes it created, consistent with the process tree below, rather than injection into unrelated processes.
Processes
C:\Users\Admin\AppData\Local\Temp\c919a4c0d3a168ef0b01943276876cdd.exe (PID 2692)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c919a4c0d3a168ef0b01943276876cdd.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\rtednxwjax.exe (PID 4440)
  |  cmdline: rtednxwjax.exe
  |  - Modifies visibility of file extensions in Explorer
  |  - Modifies visibility of hidden/system files in Explorer
  |  - Windows security bypass
  |  - Disables RegEdit via registry modification
  |  - Executes dropped EXE
  |  - Windows security modification
  |  - Enumerates connected drives
  |  - Modifies WinLogon
  |  - Drops file in System32 directory
  |  - Modifies registry class
  |  - Suspicious behavior: EnumeratesProcesses
  |  - Suspicious use of FindShellTrayWindow
  |  - Suspicious use of SendNotifyMessage
  |  - Suspicious use of WriteProcessMemory
  |  |- C:\Windows\SysWOW64\fhvmpobo.exe (PID 4980)
  |     cmdline: C:\Windows\system32\fhvmpobo.exe (the 32-bit parent's system32 reference is redirected to SysWOW64 by WoW64)
  |     - Executes dropped EXE
  |     - Enumerates connected drives
  |     - Drops file in System32 directory
  |     - Drops file in Program Files directory
  |     - Drops file in Windows directory
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of FindShellTrayWindow
  |     - Suspicious use of SendNotifyMessage
  |- C:\Windows\SysWOW64\jlabmunmqywsjpg.exe (PID 4508)
  |  cmdline: jlabmunmqywsjpg.exe
  |  - Executes dropped EXE
  |  - Adds Run key to start application
  |  - Suspicious behavior: EnumeratesProcesses
  |  - Suspicious use of FindShellTrayWindow
  |  - Suspicious use of SendNotifyMessage
  |- C:\Windows\SysWOW64\fhvmpobo.exe (PID 4032)
  |  cmdline: fhvmpobo.exe
  |  - Executes dropped EXE
  |  - Enumerates connected drives
  |  - Drops file in System32 directory
  |  - Drops file in Program Files directory
  |  - Drops file in Windows directory
  |  - Suspicious behavior: EnumeratesProcesses
  |  - Suspicious use of FindShellTrayWindow
  |  - Suspicious use of SendNotifyMessage
  |- C:\Windows\SysWOW64\iozuhxeildgcd.exe (PID 4912)
  |  cmdline: iozuhxeildgcd.exe
  |  - Executes dropped EXE
  |  - Suspicious behavior: EnumeratesProcesses
  |  - Suspicious use of FindShellTrayWindow
  |  - Suspicious use of SendNotifyMessage
  |- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 3908)
     cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
     - Drops file in Windows directory
     - Checks processor information in registry
     - Enumerates system info in registry
     - Suspicious behavior: AddClipboardFormatListener
     - Suspicious use of SetWindowsHookEx
The sample opens a decoy document (C:\Windows\mydoc.rtf) in Word while its four components run from SysWOW64; each component carries a random name, and jlabmunmqywsjpg.exe is the one that writes the Run keys for the others.
Network
(no network activity recorded)
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: 9dc5ba30fa96bcde979019636e85dd40
  SHA1: 75f7c6826e71668c6a407bef6584ce8ba0faf604
  SHA256: 1f6a4926b0b3ba182608d7ce7446780738615c12c32f3c1d96d4371f852c331b
  SHA512: e95bfd955db54bbaaa21ecf0434dc8473d69f7020ea737d5ba58f0dcb2151ea8078996dd6cd6c82f3d105c7b8e85d7947c7740ac6ebf8b5c2e56423d9935029e
- Filesize: 239B
  MD5: 12b138a5a40ffb88d1850866bf2959cd
  SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
  SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
  SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 97ca4df033a29f9b21a65bd9fd2e2af7
  SHA1: ae0fd23fabf009d3e54f9cd3f78f25b0cbf15163
  SHA256: c7828bbc972617ce7f9bd534da1698d19c242a9bfc77fc0a0f41104abc3eb81e
  SHA512: 7abb228fa7b8792c646b3016230b42bb72573dd65cbb2b530396bb91b24ec3e73af37bc78b8b1ab642d5fe373da9585dd0e28eb2c5e63f23c7c228e67c11667e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 70e797a9274e78fa20403bf9874fd6dd
  SHA1: eb61aa617cb9bcbc90829719307a845f2b1ff7d8
  SHA256: 5145e4445a4580beaa33fc7b3979499ca3b9dc402c0710ebd510a43e47eafc7a
  SHA512: 2a9e157ffcab614213360af93217ecfb1095e59479c3721ac5a80bc42084365ce9101c1123873a4fedbdb0ae679a13af34f872b21ca087048fa8ede57388ecc2
- Filesize: 512KB
  MD5: 53d7063cb942b274db624d6eea7e2c34
  SHA1: 617f6174440c4d078fda1c36cbade38eabfe56f6
  SHA256: 4294ab2cb102bbf146666361f4ffaac19a1596c77fcecab4f94133375b26833a
  SHA512: d0a4667ccf35e947ac93a9590c5c68bd708149287880097f8856df65446e45fa4cf25cdac48b9c0428956a6d56eb680970bddc910adb6d3104d79bf2808602c6
- Filesize: 512KB
  MD5: 64d738d9a647bae04f2a27507a942699
  SHA1: 25e2ef5598c5135265bc2939237a975e7e725660
  SHA256: d5cf961d9a0d4b2be3a89e51bd985da6dcbee95cc7281715ea764db24c809606
  SHA512: 8b09ac58a58e6fd45cf13c647cf806d5d11acb232f57a5962bc1629a9e728e5c3ffbd6cba34c3761c936e539382c7fbb65e381a8f2b8d9a011acf7eff2457ca4
- Filesize: 512KB
  MD5: 9eca8c6a9965324aff8056e092103b0a
  SHA1: b163c233390ae8652d0c88dc1a6b10ed7f11cf35
  SHA256: bb4e646d2c4cb4a64c31eb7c11201e7337b97e47cf3cb216fc781fec0fbd3ca5
  SHA512: 8f0767f99b0e1c123a365f84a5eec021cda5e5bf3693f7bfe6fc6ee7b05ce7cfdf2be122ae14943b163f2c1557aab7ba7b0f87d1fbf36075161de8258eb8738f
- Filesize: 512KB
  MD5: 6e2b0fa1e6f7d76e27c1a3dadef8b51e
  SHA1: 2432848a42a10e67b6bdb679f98fd78bd4671a52
  SHA256: c9ac1b4b23e36c11d6005a413aa71f582d37a8fe219854180675200cdfb0675d
  SHA512: 1bc62d0af1c78fa63bd18dbc72a46d87bb3646b956af1e787ee89b7320929e822a5976edc513dc7207abfc2f0777193576adccb5acb4c5a626d11d9c62a4d4ca
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: fbb091ff0bd7e6f2cd5b4c9b040dc0d8
  SHA1: 4801895a6a2f2eb8e2038b9713fb97b83695afac
  SHA256: 669b17e61c94f146d6c72937ec226a04f183156573f86ef37c9b18f57a346429
  SHA512: 5ca44e8099562ed3f2aad5e0cefceb71360961f5c301077c0fd36940c243d9a0698a7c8fccc9f24b26edb8dd59aca2f771c7f4ec791457eef9c4691dfe9f27f2
- Filesize: 512KB
  MD5: 2f67e51a861012abbaa5754fce1018e4
  SHA1: d380a1e0fecfb7120f24e8d18080d8821ce784e5
  SHA256: 867cc9a197afe6c68422b7f03d72a90b4afd332378a974f66ce1e88823f99fd2
  SHA512: e7b236396d603ff65980919d48533249a8d84a10b038a5f714684491fc8f4e4a403b54879af2881c5199ba64acba076cb1d3fd5c2bef05a9864ab107114cd354
- Filesize: 512KB
  MD5: 5a3144d83a633c113fc2bd24ba7c0675
  SHA1: 3529c1c5e159d00fc7fabdf1b57e849dcfb9a56d
  SHA256: c0dbe8198f2af5ac425ce5cc7a212a559def984c0c8f28c46327816cf73db4b3
  SHA512: 8731b971c84f82b4ba55993f0daa8ed03db5c027f05a868cb2874b65eba4408d721e292b782c7f22a430a0bc84cd7edea8864691f4f0ff961a8b60d6b10dd7e6
Note: most dropped files are exactly 512KB, the same size as the submitted sample, but with distinct hashes, so the components are not byte-identical copies of the parent. Paths are missing for all but the two customDestinations-ms entries in the recorded output.