Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-03-2024 15:51

Static task: static1
Behavioral task: behavioral1
  Sample: c902ff8027889f117546949b5102d22b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c902ff8027889f117546949b5102d22b.exe
  Resource: win10v2004-20231215-en
General
Target: c902ff8027889f117546949b5102d22b.exe
Size: 512KB
MD5: c902ff8027889f117546949b5102d22b
SHA1: fd9d982a21e17c18da8031b2cd1be24a3b88dd76
SHA256: 9cea96e68569d6680bd98f0ca1b537063925b24088486931a496651340f2c0ff
SHA512: b01290f8165257d2ef4f857870a2a41dc10fe09adcb11ec0273e290f3cda80d00f79f2aa27a834d84e7acb0bb5ee8bc032acb007f265e280653d0abf210bdf1a
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6B:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config

Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | vrjiycuqgz.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vrjiycuqgz.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vrjiycuqgz.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | vrjiycuqgz.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | c902ff8027889f117546949b5102d22b.exe
Executes dropped EXE 5 IoCs
pid | Process
4132 | vrjiycuqgz.exe
5028 | kcsnxmqmykmcrmg.exe
4736 | wwjwqqhr.exe
4856 | aekyvjtpivdkn.exe
3520 | wwjwqqhr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | vrjiycuqgz.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\azghlmju = "vrjiycuqgz.exe" | kcsnxmqmykmcrmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\myjrjokn = "kcsnxmqmykmcrmg.exe" | kcsnxmqmykmcrmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aekyvjtpivdkn.exe" | kcsnxmqmykmcrmg.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | vrjiycuqgz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | vrjiycuqgz.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2444-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00080000000231e7-5.dat | autoit_exe
behavioral2/files/0x001000000002313c-18.dat | autoit_exe
behavioral2/files/0x00060000000231ec-28.dat | autoit_exe
behavioral2/files/0x00060000000231ed-32.dat | autoit_exe
behavioral2/files/0x0005000000016961-83.dat | autoit_exe
behavioral2/files/0x000500000001695c-73.dat | autoit_exe
behavioral2/files/0x000300000001e5a7-107.dat | autoit_exe
behavioral2/files/0x000300000001e5a7-112.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\vrjiycuqgz.exe | c902ff8027889f117546949b5102d22b.exe
File created | C:\Windows\SysWOW64\wwjwqqhr.exe | c902ff8027889f117546949b5102d22b.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | C:\Windows\SysWOW64\vrjiycuqgz.exe | c902ff8027889f117546949b5102d22b.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | C:\Windows\SysWOW64\kcsnxmqmykmcrmg.exe | c902ff8027889f117546949b5102d22b.exe
File created | C:\Windows\SysWOW64\aekyvjtpivdkn.exe | c902ff8027889f117546949b5102d22b.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | vrjiycuqgz.exe
File created | C:\Windows\SysWOW64\kcsnxmqmykmcrmg.exe | c902ff8027889f117546949b5102d22b.exe
File opened for modification | C:\Windows\SysWOW64\wwjwqqhr.exe | c902ff8027889f117546949b5102d22b.exe
File opened for modification | C:\Windows\SysWOW64\aekyvjtpivdkn.exe | c902ff8027889f117546949b5102d22b.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wwjwqqhr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | wwjwqqhr.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | wwjwqqhr.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | wwjwqqhr.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | wwjwqqhr.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | C:\Windows\mydoc.rtf | c902ff8027889f117546949b5102d22b.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | wwjwqqhr.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | wwjwqqhr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32452D7A9C2383566D3576D377232DDF7DF265AA" | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFACEFE11F19784783B35819A39E3B3FD02FF4365033AE2CC42ED08D4" | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | vrjiycuqgz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02D47E4389E52CFB9D3329DD4C4" | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FF82482B82189045D72D7E91BC94E140584167436335D79A" | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC7781591DBC0B8CE7C90ED9534C7" | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | vrjiycuqgz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | vrjiycuqgz.exe
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | c902ff8027889f117546949b5102d22b.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c902ff8027889f117546949b5102d22b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F068C6FE1A21D0D27CD0A38A089016" | c902ff8027889f117546949b5102d22b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | vrjiycuqgz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | vrjiycuqgz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | vrjiycuqgz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | vrjiycuqgz.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1324 | WINWORD.EXE
1324 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 2444 wrote to memory of 4132 | 2444 | c902ff8027889f117546949b5102d22b.exe | 84
PID 2444 wrote to memory of 4132 | 2444 | c902ff8027889f117546949b5102d22b.exe | 84
PID 2444 wrote to memory of 4132 | 2444 | c902ff8027889f117546949b5102d22b.exe | 84
PID 2444 wrote to memory of 5028 | 2444 | c902ff8027889f117546949b5102d22b.exe | 85
PID 2444 wrote to memory of 5028 | 2444 | c902ff8027889f117546949b5102d22b.exe | 85
PID 2444 wrote to memory of 5028 | 2444 | c902ff8027889f117546949b5102d22b.exe | 85
PID 2444 wrote to memory of 4736 | 2444 | c902ff8027889f117546949b5102d22b.exe | 86
PID 2444 wrote to memory of 4736 | 2444 | c902ff8027889f117546949b5102d22b.exe | 86
PID 2444 wrote to memory of 4736 | 2444 | c902ff8027889f117546949b5102d22b.exe | 86
PID 2444 wrote to memory of 4856 | 2444 | c902ff8027889f117546949b5102d22b.exe | 87
PID 2444 wrote to memory of 4856 | 2444 | c902ff8027889f117546949b5102d22b.exe | 87
PID 2444 wrote to memory of 4856 | 2444 | c902ff8027889f117546949b5102d22b.exe | 87
PID 2444 wrote to memory of 1324 | 2444 | c902ff8027889f117546949b5102d22b.exe | 88
PID 2444 wrote to memory of 1324 | 2444 | c902ff8027889f117546949b5102d22b.exe | 88
PID 4132 wrote to memory of 3520 | 4132 | vrjiycuqgz.exe | 90
PID 4132 wrote to memory of 3520 | 4132 | vrjiycuqgz.exe | 90
PID 4132 wrote to memory of 3520 | 4132 | vrjiycuqgz.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\c902ff8027889f117546949b5102d22b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c902ff8027889f117546949b5102d22b.exe"
Depth: 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2444

  C:\Windows\SysWOW64\vrjiycuqgz.exe
  Command line: vrjiycuqgz.exe
  Depth: 2
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4132

    C:\Windows\SysWOW64\wwjwqqhr.exe
    Command line: C:\Windows\system32\wwjwqqhr.exe
    Depth: 3
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3520

  C:\Windows\SysWOW64\kcsnxmqmykmcrmg.exe
  Command line: kcsnxmqmykmcrmg.exe
  Depth: 2
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5028

  C:\Windows\SysWOW64\wwjwqqhr.exe
  Command line: wwjwqqhr.exe
  Depth: 2
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4736

  C:\Windows\SysWOW64\aekyvjtpivdkn.exe
  Command line: aekyvjtpivdkn.exe
  Depth: 2
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4856

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  Depth: 2
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1324
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads