Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 16/03/2024, 01:57
Static task: static1
Behavioral task: behavioral1
  Sample: ccd29632beb558de4af374096999d00a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: ccd29632beb558de4af374096999d00a.exe
  Resource: win10v2004-20240226-en
General
Target: ccd29632beb558de4af374096999d00a.exe
Size: 512KB
MD5: ccd29632beb558de4af374096999d00a
SHA1: 461df1b2dcd4c4e4714168aa0badec66cb938f21
SHA256: da694c6618e5774ae282ec15f49b77424182202599c02de84db97a1f4d42cfe8
SHA512: 93d818d364af12d81e18f3ed08017f1ac5e7126765e1b982defd982291374107ee85f15b8adabec47263143de71cda39ba01edb19dbbae947b42d956314c9d83
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ziadralkly.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ziadralkly.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ziadralkly.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ziadralkly.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation ccd29632beb558de4af374096999d00a.exe
Executes dropped EXE 5 IoCs
pid Process
1036 ziadralkly.exe
3312 vndkdokiptkzlxb.exe
1684 rvoxtgji.exe
4612 fsdczgcuxvvon.exe
5104 rvoxtgji.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" ziadralkly.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmhdfxja = "ziadralkly.exe" vndkdokiptkzlxb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lgqxawfw = "vndkdokiptkzlxb.exe" vndkdokiptkzlxb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fsdczgcuxvvon.exe" vndkdokiptkzlxb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\l: ziadralkly.exe
File opened (read-only) \??\m: ziadralkly.exe
File opened (read-only) \??\r: ziadralkly.exe
File opened (read-only) \??\e: ziadralkly.exe
File opened (read-only) \??\u: rvoxtgji.exe
File opened (read-only) \??\y: rvoxtgji.exe
File opened (read-only) \??\z: rvoxtgji.exe
File opened (read-only) \??\b: ziadralkly.exe
File opened (read-only) \??\j: ziadralkly.exe
File opened (read-only) \??\a: rvoxtgji.exe
File opened (read-only) \??\s: rvoxtgji.exe
File opened (read-only) \??\z: ziadralkly.exe
File opened (read-only) \??\k: rvoxtgji.exe
File opened (read-only) \??\x: rvoxtgji.exe
File opened (read-only) \??\j: rvoxtgji.exe
File opened (read-only) \??\s: ziadralkly.exe
File opened (read-only) \??\h: rvoxtgji.exe
File opened (read-only) \??\j: rvoxtgji.exe
File opened (read-only) \??\y: rvoxtgji.exe
File opened (read-only) \??\a: rvoxtgji.exe
File opened (read-only) \??\q: rvoxtgji.exe
File opened (read-only) \??\p: rvoxtgji.exe
File opened (read-only) \??\v: rvoxtgji.exe
File opened (read-only) \??\i: rvoxtgji.exe
File opened (read-only) \??\r: rvoxtgji.exe
File opened (read-only) \??\x: ziadralkly.exe
File opened (read-only) \??\z: rvoxtgji.exe
File opened (read-only) \??\h: rvoxtgji.exe
File opened (read-only) \??\w: rvoxtgji.exe
File opened (read-only) \??\o: rvoxtgji.exe
File opened (read-only) \??\g: ziadralkly.exe
File opened (read-only) \??\k: ziadralkly.exe
File opened (read-only) \??\w: ziadralkly.exe
File opened (read-only) \??\l: rvoxtgji.exe
File opened (read-only) \??\l: rvoxtgji.exe
File opened (read-only) \??\x: rvoxtgji.exe
File opened (read-only) \??\h: ziadralkly.exe
File opened (read-only) \??\q: rvoxtgji.exe
File opened (read-only) \??\w: rvoxtgji.exe
File opened (read-only) \??\k: rvoxtgji.exe
File opened (read-only) \??\a: ziadralkly.exe
File opened (read-only) \??\v: ziadralkly.exe
File opened (read-only) \??\y: ziadralkly.exe
File opened (read-only) \??\r: rvoxtgji.exe
File opened (read-only) \??\e: rvoxtgji.exe
File opened (read-only) \??\i: ziadralkly.exe
File opened (read-only) \??\n: ziadralkly.exe
File opened (read-only) \??\m: rvoxtgji.exe
File opened (read-only) \??\n: rvoxtgji.exe
File opened (read-only) \??\n: rvoxtgji.exe
File opened (read-only) \??\v: rvoxtgji.exe
File opened (read-only) \??\g: rvoxtgji.exe
File opened (read-only) \??\s: rvoxtgji.exe
File opened (read-only) \??\g: rvoxtgji.exe
File opened (read-only) \??\t: rvoxtgji.exe
File opened (read-only) \??\o: ziadralkly.exe
File opened (read-only) \??\p: ziadralkly.exe
File opened (read-only) \??\u: ziadralkly.exe
File opened (read-only) \??\t: rvoxtgji.exe
File opened (read-only) \??\p: rvoxtgji.exe
File opened (read-only) \??\t: ziadralkly.exe
File opened (read-only) \??\b: rvoxtgji.exe
File opened (read-only) \??\o: rvoxtgji.exe
File opened (read-only) \??\b: rvoxtgji.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ziadralkly.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ziadralkly.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x000700000002320e-5.dat autoit_exe
behavioral2/files/0x000c0000000226fd-18.dat autoit_exe
behavioral2/files/0x000700000002320f-27.dat autoit_exe
behavioral2/files/0x0007000000023210-30.dat autoit_exe
behavioral2/files/0x0007000000023216-67.dat autoit_exe
behavioral2/files/0x000900000002307a-93.dat autoit_exe
behavioral2/files/0x0012000000023233-111.dat autoit_exe
behavioral2/files/0x0012000000023233-115.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rvoxtgji.exe
File created C:\Windows\SysWOW64\ziadralkly.exe ccd29632beb558de4af374096999d00a.exe
File opened for modification C:\Windows\SysWOW64\ziadralkly.exe ccd29632beb558de4af374096999d00a.exe
File created C:\Windows\SysWOW64\vndkdokiptkzlxb.exe ccd29632beb558de4af374096999d00a.exe
File created C:\Windows\SysWOW64\rvoxtgji.exe ccd29632beb558de4af374096999d00a.exe
File opened for modification C:\Windows\SysWOW64\rvoxtgji.exe ccd29632beb558de4af374096999d00a.exe
File opened for modification C:\Windows\SysWOW64\fsdczgcuxvvon.exe ccd29632beb558de4af374096999d00a.exe
File opened for modification C:\Windows\SysWOW64\vndkdokiptkzlxb.exe ccd29632beb558de4af374096999d00a.exe
File created C:\Windows\SysWOW64\fsdczgcuxvvon.exe ccd29632beb558de4af374096999d00a.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ziadralkly.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe rvoxtgji.exe
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rvoxtgji.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rvoxtgji.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rvoxtgji.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal rvoxtgji.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe rvoxtgji.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal rvoxtgji.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe rvoxtgji.exe
Drops file in Windows directory 19 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf ccd29632beb558de4af374096999d00a.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe rvoxtgji.exe
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rvoxtgji.exe
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe rvoxtgji.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings ccd29632beb558de4af374096999d00a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" ziadralkly.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABAF910F19283743B3786E93998B38F03F043630233E1B945E808A8" ccd29632beb558de4af374096999d00a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB2B02C47E138EA52CABAD5329FD7CF" ccd29632beb558de4af374096999d00a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60F14E3DBB3B8BC7FE3EDE337CE" ccd29632beb558de4af374096999d00a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" ziadralkly.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes ccd29632beb558de4af374096999d00a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C089C5783206D3E76D170532CAE7D8265AB" ccd29632beb558de4af374096999d00a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCFF485F85129032D7207D96BC93E643584166416331D79A" ccd29632beb558de4af374096999d00a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh ziadralkly.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB8FE6C21DCD209D1A68A08916B" ccd29632beb558de4af374096999d00a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc ziadralkly.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" ziadralkly.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg ziadralkly.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
3512 WINWORD.EXE
3512 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe
1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe
4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe
1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe
3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe
4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe
3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process
2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe
1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe
1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe
4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe
3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe
5104 rvoxtgji.exe 5104 rvoxtgji.exe 5104 rvoxtgji.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid Process
2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe 2992 ccd29632beb558de4af374096999d00a.exe
1036 ziadralkly.exe 1036 ziadralkly.exe 1036 ziadralkly.exe
1684 rvoxtgji.exe 1684 rvoxtgji.exe 1684 rvoxtgji.exe
4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe 4612 fsdczgcuxvvon.exe
3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe 3312 vndkdokiptkzlxb.exe
5104 rvoxtgji.exe 5104 rvoxtgji.exe 5104 rvoxtgji.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
3512 WINWORD.EXE 3512 WINWORD.EXE 3512 WINWORD.EXE 3512 WINWORD.EXE 3512 WINWORD.EXE 3512 WINWORD.EXE 3512 WINWORD.EXE
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 2992 wrote to memory of 1036 2992 ccd29632beb558de4af374096999d00a.exe 87
PID 2992 wrote to memory of 1036 2992 ccd29632beb558de4af374096999d00a.exe 87
PID 2992 wrote to memory of 1036 2992 ccd29632beb558de4af374096999d00a.exe 87
PID 2992 wrote to memory of 3312 2992 ccd29632beb558de4af374096999d00a.exe 88
PID 2992 wrote to memory of 3312 2992 ccd29632beb558de4af374096999d00a.exe 88
PID 2992 wrote to memory of 3312 2992 ccd29632beb558de4af374096999d00a.exe 88
PID 2992 wrote to memory of 1684 2992 ccd29632beb558de4af374096999d00a.exe 89
PID 2992 wrote to memory of 1684 2992 ccd29632beb558de4af374096999d00a.exe 89
PID 2992 wrote to memory of 1684 2992 ccd29632beb558de4af374096999d00a.exe 89
PID 2992 wrote to memory of 4612 2992 ccd29632beb558de4af374096999d00a.exe 90
PID 2992 wrote to memory of 4612 2992 ccd29632beb558de4af374096999d00a.exe 90
PID 2992 wrote to memory of 4612 2992 ccd29632beb558de4af374096999d00a.exe 90
PID 2992 wrote to memory of 3512 2992 ccd29632beb558de4af374096999d00a.exe 91
PID 2992 wrote to memory of 3512 2992 ccd29632beb558de4af374096999d00a.exe 91
PID 1036 wrote to memory of 5104 1036 ziadralkly.exe 93
PID 1036 wrote to memory of 5104 1036 ziadralkly.exe 93
PID 1036 wrote to memory of 5104 1036 ziadralkly.exe 93
Processes
C:\Users\Admin\AppData\Local\Temp\ccd29632beb558de4af374096999d00a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccd29632beb558de4af374096999d00a.exe"
  PID: 2992
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ziadralkly.exe
    Command line: ziadralkly.exe
    PID: 1036
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rvoxtgji.exe
      Command line: C:\Windows\system32\rvoxtgji.exe
      PID: 5104
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vndkdokiptkzlxb.exe
    Command line: vndkdokiptkzlxb.exe
    PID: 3312
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rvoxtgji.exe
    Command line: rvoxtgji.exe
    PID: 1684
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fsdczgcuxvvon.exe
    Command line: fsdczgcuxvvon.exe
    PID: 4612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3512
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 6
Downloads
Filesize: 512KB
MD5: 5d8e6bc603c92f84b6764e7f5224bb07
SHA1: 02967ebcc2f03f107852057719bab14ced790d5c
SHA256: a9754faa60e601ef0e23d1c934af1a093db034b2a5f0c003bb834699138a6f4b
SHA512: 30a6c66129b3c155d87362227ac15955bccf32af71573058f69885b42d6b0f929fd7db4dcc04471d2bff559922783a1d79cf8ae6ebe9f6a783f0664e8c56f362

Filesize: 239B
MD5: ff6f3e0b6935aec105412befe2def362
SHA1: 28c253077973ef073a124d7618cbfe31f18fbe46
SHA256: f6159eb04bb936c0cf3357bb7c2d614d1a33193c3e5b170ff69cac412ccb974f
SHA512: 5aebfcbfcc1e1080a6a3b7c5e7135abd54ae30b9c368a8094643595f6bc12ab366f7c0aa77e678ea721dadbb8d13bb9f79317e7c1d0b9883f63437639bb95966

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: eab1b5700767c3190c6d11076e5e0408
SHA1: 843ef23cef9eaeab615ded5b109dd2a35ff02b0d
SHA256: 701d4c8bb0b63004793903322f14b61de3959ff5f8f6fc418de5faa5f6f53a9d
SHA512: 78a86fe5e9853676d48392e6d30d85367ab5c9360497fa4bf1ef79e730dca7bd40502bbf17db0c62080f40650d79f985d193e9751e198087706cc7d8115d4b88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 189d805c6a1f609852c24fa3c902a131
SHA1: c9d341efcd3bfdc7bd3b28837ee8d4075484742a
SHA256: 09529cc2826831d591117da729794a73093eb0d7bedd86f55cd54e50214caf6a
SHA512: fc4ecf37900217cc4fc24d54ff72f5d8fd3dafb4f91c5ec28fcf75177fb60a2d3becaeaefead24277be948db58a75f02215e564eaaf91ef66e7c3d835c299622

Filesize: 512KB
MD5: e3d417313bf65bf0ad3cccf5a18e6de4
SHA1: 6ba3039e6c39e16df78c9be5d252b0650b737930
SHA256: 3bd327e343f93e7402712c1ec79a7143cabe30d1402c3de518d79f6945947d02
SHA512: a7583d8194fbbf888ec4ead70cd942d2c8fa83acab3311675e1bb2a0965a830f19164a429bf4696516af4e85a07f704386b0a7970dca9d82f3c98e7938a21564

Filesize: 512KB
MD5: 36359cbd21763849d639bf92e31a4906
SHA1: 4cfb0961d67f177f8b0f0d67c7718cc4c47067c8
SHA256: e56e961d1eecf610552d67bc865f7399599ec9b09ec5590ec9791bde4a600833
SHA512: c9b30866ac533bfc6d4a47fda0201c891d226179bb45a68ffa70b16b25a910c60697e8a8852ec4f8e5cdf4eb48cf95d2edf127b69c7c35dcb25b0945ecdd5907

Filesize: 512KB
MD5: 4d7711ce4bab3bfc5d18207f43859f0a
SHA1: 7fb7705eda049fe72ced09494c31d6aaca2c4f67
SHA256: dbabdfd5474b40448a5790dae2a4ac7de7ad17d19ceff07e3582844c7ab73229
SHA512: 4513914afbd1cab1bd3b604a6c82cd7b06ec292a85cf7af23da32e8e5dba3573d247d594a1a1ec7e095bf27e704bb085c08af25c954d812c1ff01096bf7f8ecf

Filesize: 512KB
MD5: 3d23b20b7ba00aefe3671fa4264b022d
SHA1: ac72335f26cd4abfc09901f1b41e111ea8e2a836
SHA256: 7ed999084628423376e3b26a1de029bf10b5b030feb5a360f1cebfb1e22a62f2
SHA512: 1e2e1d773efbe964ce41ec299dc5af215dd857b74d6a3d7e4aad92367f577dc8902355c4014c239f06489b53fabb9cb65df4bb187a01af4492fce9432740d1fd

Filesize: 512KB
MD5: 0b7325fdd992d78f363ca58474ba55bb
SHA1: 0506d73582a98c5098d1e71d182a2a6994bc6f83
SHA256: 87283eeeebf5630868fe45a81be4f3f6f9e633733f6b290a047b4dc359fc4625
SHA512: 3da89ab2d2d38a37596299838e993330279e2e6efaa9d37a526bc3c38c71b5fed36edeedc25996f4cfabd4e28cc5cabb77774839b3e52c8152d8dedc2b4e720c

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 44ae707545c75a255288846de5ceaa8b
SHA1: 84481fd67c2fc6be37b747403db4255eddb08166
SHA256: 090ad5f61554593f9db353c0455a8c564311e54ac27ad53343fe98522732ed27
SHA512: 81276517b710df460e28ed9e8eab34c3e6dd3d542d748650ed9af4c5b905fcbcb391351fcd407333133ea9820ef8b80bfcaf247b19eb324517e98890fc883430

Filesize: 512KB
MD5: 6f05a062909c36c0dc46c77e142b7f31
SHA1: a6ba796b3dd9685ef912b604bc2fdfa331fcc057
SHA256: c9ced9949218663fe871050b4a58c482ccc0d0585143733cc14c1d74c19d5ea5
SHA512: 5cdd97ec72139a778ce79d73aec3c893e0266ea1b0b58b3f87b4e7338cf6a59e33db3ed1101afd0f579679dff94d8b839e3e630c797ad53daff167bb1c49b567