Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/03/2024, 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: c92ea58ebc8b3d1a8dea1483d01a7763.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c92ea58ebc8b3d1a8dea1483d01a7763.exe
  Resource: win10v2004-20240226-en
General
Target: c92ea58ebc8b3d1a8dea1483d01a7763.exe
Size: 512KB
MD5: c92ea58ebc8b3d1a8dea1483d01a7763
SHA1: 0e874501653f8b4482e9fb2a03816c9a4f6dbeef
SHA256: 84ab41fa3902f5503d41df7774fe849a312277649f40f5a6474f28d9ea3d0eaa
SHA512: 20d6c43f53d7d11474f00dcf4d97aba572788682580e3307a83564f1725918151d5a4abd90f4add8ca1969ef28b3e78e2dfc17f5cb64a529b2c00ba51da02ea4
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5S
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | cpjlaksdvy.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | cpjlaksdvy.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cpjlaksdvy.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cpjlaksdvy.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Executes dropped EXE 5 IoCs
pid | Process
1644 | cpjlaksdvy.exe
4380 | vfbpngwrfdngzpj.exe
4384 | sohoxgey.exe
2652 | asfjztpgqsdex.exe
2744 | sohoxgey.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | cpjlaksdvy.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chcsqbyq = "cpjlaksdvy.exe" | vfbpngwrfdngzpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vbythglk = "vfbpngwrfdngzpj.exe" | vfbpngwrfdngzpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "asfjztpgqsdex.exe" | vfbpngwrfdngzpj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | sohoxgey.exe
File opened (read-only) | \??\n: | sohoxgey.exe
File opened (read-only) | \??\o: | sohoxgey.exe
File opened (read-only) | \??\z: | sohoxgey.exe
File opened (read-only) | \??\h: | cpjlaksdvy.exe
File opened (read-only) | \??\n: | cpjlaksdvy.exe
File opened (read-only) | \??\z: | cpjlaksdvy.exe
File opened (read-only) | \??\t: | sohoxgey.exe
File opened (read-only) | \??\a: | cpjlaksdvy.exe
File opened (read-only) | \??\l: | sohoxgey.exe
File opened (read-only) | \??\t: | sohoxgey.exe
File opened (read-only) | \??\t: | cpjlaksdvy.exe
File opened (read-only) | \??\r: | sohoxgey.exe
File opened (read-only) | \??\i: | cpjlaksdvy.exe
File opened (read-only) | \??\l: | cpjlaksdvy.exe
File opened (read-only) | \??\b: | sohoxgey.exe
File opened (read-only) | \??\y: | cpjlaksdvy.exe
File opened (read-only) | \??\j: | sohoxgey.exe
File opened (read-only) | \??\y: | sohoxgey.exe
File opened (read-only) | \??\j: | sohoxgey.exe
File opened (read-only) | \??\q: | sohoxgey.exe
File opened (read-only) | \??\s: | sohoxgey.exe
File opened (read-only) | \??\v: | sohoxgey.exe
File opened (read-only) | \??\s: | cpjlaksdvy.exe
File opened (read-only) | \??\x: | cpjlaksdvy.exe
File opened (read-only) | \??\i: | sohoxgey.exe
File opened (read-only) | \??\m: | sohoxgey.exe
File opened (read-only) | \??\g: | cpjlaksdvy.exe
File opened (read-only) | \??\o: | sohoxgey.exe
File opened (read-only) | \??\z: | sohoxgey.exe
File opened (read-only) | \??\l: | sohoxgey.exe
File opened (read-only) | \??\e: | cpjlaksdvy.exe
File opened (read-only) | \??\h: | sohoxgey.exe
File opened (read-only) | \??\w: | sohoxgey.exe
File opened (read-only) | \??\y: | sohoxgey.exe
File opened (read-only) | \??\b: | cpjlaksdvy.exe
File opened (read-only) | \??\n: | sohoxgey.exe
File opened (read-only) | \??\x: | sohoxgey.exe
File opened (read-only) | \??\p: | sohoxgey.exe
File opened (read-only) | \??\g: | sohoxgey.exe
File opened (read-only) | \??\q: | sohoxgey.exe
File opened (read-only) | \??\w: | cpjlaksdvy.exe
File opened (read-only) | \??\s: | sohoxgey.exe
File opened (read-only) | \??\x: | sohoxgey.exe
File opened (read-only) | \??\i: | sohoxgey.exe
File opened (read-only) | \??\m: | cpjlaksdvy.exe
File opened (read-only) | \??\p: | cpjlaksdvy.exe
File opened (read-only) | \??\u: | cpjlaksdvy.exe
File opened (read-only) | \??\r: | sohoxgey.exe
File opened (read-only) | \??\k: | sohoxgey.exe
File opened (read-only) | \??\u: | sohoxgey.exe
File opened (read-only) | \??\r: | cpjlaksdvy.exe
File opened (read-only) | \??\k: | sohoxgey.exe
File opened (read-only) | \??\a: | sohoxgey.exe
File opened (read-only) | \??\h: | sohoxgey.exe
File opened (read-only) | \??\k: | cpjlaksdvy.exe
File opened (read-only) | \??\o: | cpjlaksdvy.exe
File opened (read-only) | \??\v: | cpjlaksdvy.exe
File opened (read-only) | \??\e: | sohoxgey.exe
File opened (read-only) | \??\u: | sohoxgey.exe
File opened (read-only) | \??\p: | sohoxgey.exe
File opened (read-only) | \??\w: | sohoxgey.exe
File opened (read-only) | \??\j: | cpjlaksdvy.exe
File opened (read-only) | \??\q: | cpjlaksdvy.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | cpjlaksdvy.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | cpjlaksdvy.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1504-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x000700000002322b-5.dat | autoit_exe
behavioral2/files/0x000700000002322c-27.dat | autoit_exe
behavioral2/files/0x000700000002322d-31.dat | autoit_exe
behavioral2/files/0x0008000000023228-19.dat | autoit_exe
behavioral2/files/0x0007000000023232-55.dat | autoit_exe
behavioral2/files/0x0007000000023233-61.dat | autoit_exe
behavioral2/files/0x000c000000023246-97.dat | autoit_exe
behavioral2/files/0x000b000000023254-103.dat | autoit_exe
behavioral2/files/0x000b000000023254-109.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\sohoxgey.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | C:\Windows\SysWOW64\cpjlaksdvy.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | C:\Windows\SysWOW64\vfbpngwrfdngzpj.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File created | C:\Windows\SysWOW64\sohoxgey.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | cpjlaksdvy.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sohoxgey.exe
File created | C:\Windows\SysWOW64\vfbpngwrfdngzpj.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | C:\Windows\SysWOW64\asfjztpgqsdex.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sohoxgey.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sohoxgey.exe
File created | C:\Windows\SysWOW64\cpjlaksdvy.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File created | C:\Windows\SysWOW64\asfjztpgqsdex.exe | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | sohoxgey.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sohoxgey.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sohoxgey.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | sohoxgey.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sohoxgey.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | sohoxgey.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sohoxgey.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sohoxgey.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sohoxgey.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sohoxgey.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sohoxgey.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sohoxgey.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | sohoxgey.exe
File opened for modification | C:\Windows\mydoc.rtf | c92ea58ebc8b3d1a8dea1483d01a7763.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | sohoxgey.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B15A47E639ED52BDBAD532E9D4CF" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCFF4826851B9032D6587E95BD95E633584467436344D69C" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | cpjlaksdvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | cpjlaksdvy.exe
Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000_Classes\Local Settings | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D789C2383536A4676A277252CDA7CF165AB" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFAC9F916F299837E3B46819C3E93B08902F04366033EE2C4459908A0" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cpjlaksdvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | cpjlaksdvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | cpjlaksdvy.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BC4FE6722DBD108D0D38B09906B" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193DC6081490DBBFB8CC7CE3ED9234BB" | c92ea58ebc8b3d1a8dea1483d01a7763.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | cpjlaksdvy.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | cpjlaksdvy.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1052 | WINWORD.EXE
1052 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
1644 | cpjlaksdvy.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4380 | vfbpngwrfdngzpj.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
4384 | sohoxgey.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2652 | asfjztpgqsdex.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
2744 | sohoxgey.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1052 | WINWORD.EXE
1052 | WINWORD.EXE
1052 | WINWORD.EXE
1052 | WINWORD.EXE
1052 | WINWORD.EXE
1052 | WINWORD.EXE
1052 | WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1504 wrote to memory of 1644 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 92
PID 1504 wrote to memory of 1644 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 92
PID 1504 wrote to memory of 1644 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 92
PID 1504 wrote to memory of 4380 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 93
PID 1504 wrote to memory of 4380 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 93
PID 1504 wrote to memory of 4380 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 93
PID 1504 wrote to memory of 4384 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 94
PID 1504 wrote to memory of 4384 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 94
PID 1504 wrote to memory of 4384 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 94
PID 1504 wrote to memory of 2652 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 95
PID 1504 wrote to memory of 2652 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 95
PID 1504 wrote to memory of 2652 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 95
PID 1644 wrote to memory of 2744 | 1644 | cpjlaksdvy.exe | 96
PID 1644 wrote to memory of 2744 | 1644 | cpjlaksdvy.exe | 96
PID 1644 wrote to memory of 2744 | 1644 | cpjlaksdvy.exe | 96
PID 1504 wrote to memory of 1052 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 97
PID 1504 wrote to memory of 1052 | 1504 | c92ea58ebc8b3d1a8dea1483d01a7763.exe | 97
Processes
C:\Users\Admin\AppData\Local\Temp\c92ea58ebc8b3d1a8dea1483d01a7763.exe (depth 1, PID 1504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c92ea58ebc8b3d1a8dea1483d01a7763.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cpjlaksdvy.exe (depth 2, PID 1644)
    Command line: cpjlaksdvy.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sohoxgey.exe (depth 3, PID 2744)
      Command line: C:\Windows\system32\sohoxgey.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\vfbpngwrfdngzpj.exe (depth 2, PID 4380)
    Command line: vfbpngwrfdngzpj.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\sohoxgey.exe (depth 2, PID 4384)
    Command line: sohoxgey.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\asfjztpgqsdex.exe (depth 2, PID 2652)
    Command line: asfjztpgqsdex.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (depth 2, PID 1052)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads