Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2024 09:06
Static task: static1
Behavioral task: behavioral1
  Sample: cda8c2c485a7dd6b2198a59af42031a4.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cda8c2c485a7dd6b2198a59af42031a4.exe
  Resource: win10v2004-20240226-en
General
Target: cda8c2c485a7dd6b2198a59af42031a4.exe
Size: 512KB
MD5: cda8c2c485a7dd6b2198a59af42031a4
SHA1: e20fea3405b1918b95ab22191b716679b72ba3a5
SHA256: 42eb62bf385aa18c462f8c06d946e720fac141bbf95bfd34c3ef56a95aef24a0
SHA512: 1ba5c622091d86ec076518874495e3cc33f7df348f0ff0c6527883c645fa16eb09efe918bd0c48872647350148e861b8d93996fb1d849c844285992c56d3d959
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6p:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5u
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass (5 IoCs)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- cda8c2c485a7dd6b2198a59af42031a4.exe: Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (5 IoCs)
- PID 1964 hshnhkhqcl.exe
- PID 1508 fhuwvvjdflveaeu.exe
- PID 660 ghtjcehf.exe
- PID 2888 qgxxyvreopljj.exe
- PID 552 ghtjcehf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
- fhuwvvjdflveaeu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gleherqo = "hshnhkhqcl.exe"
- fhuwvvjdflveaeu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwrrtjix = "fhuwvvjdflveaeu.exe"
- fhuwvvjdflveaeu.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qgxxyvreopljj.exe"
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only), grouped by process (drive letter and number of opens among the 64 listed IoCs):
- hshnhkhqcl.exe (19 opens, once each): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\m:, \??\n:, \??\p:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:
- ghtjcehf.exe (45 opens): \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (twice each) and \??\r: (once)
Modifies WinLogon (2 TTPs, 2 IoCs)
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
- hshnhkhqcl.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/2392-0-0x0000000000400000-0x0000000000496000-memory.dmp
- behavioral2/files/0x000d00000002311f-5.dat
- behavioral2/files/0x000700000001ebc7-18.dat
- behavioral2/files/0x000d00000002311f-26.dat
- behavioral2/files/0x000a000000023187-27.dat
- behavioral2/files/0x00070000000231d3-32.dat
- behavioral2/files/0x00030000000226fd-68.dat
- behavioral2/files/0x0015000000022789-73.dat
- behavioral2/files/0x0007000000023219-94.dat
- behavioral2/files/0x0007000000023219-98.dat
Drops file in System32 directory (12 IoCs)
- ghtjcehf.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File created C:\Windows\SysWOW64\qgxxyvreopljj.exe
- ghtjcehf.exe: File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File created C:\Windows\SysWOW64\fhuwvvjdflveaeu.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File opened for modification C:\Windows\SysWOW64\fhuwvvjdflveaeu.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File created C:\Windows\SysWOW64\ghtjcehf.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File opened for modification C:\Windows\SysWOW64\ghtjcehf.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File opened for modification C:\Windows\SysWOW64\qgxxyvreopljj.exe
- hshnhkhqcl.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- cda8c2c485a7dd6b2198a59af42031a4.exe: File created C:\Windows\SysWOW64\hshnhkhqcl.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File opened for modification C:\Windows\SysWOW64\hshnhkhqcl.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in Program Files directory (15 IoCs)
All by ghtjcehf.exe:
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal
Drops file in Windows directory (19 IoCs)
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- cda8c2c485a7dd6b2198a59af42031a4.exe: File opened for modification C:\Windows\mydoc.rtf
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe
- ghtjcehf.exe: File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 3 IoCs)
- WINWORD.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
- WINWORD.EXE: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Modifies registry class (20 IoCs)
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322D7B9C2183516A3476A2702E2DDF7DF664AC"
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAFABCFE13F2E7840F3A4786EA3995B08902F84215033CE1CF429E09D6"
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B15B449539E853CDBAD7329DD7B9"
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70F14E0DBC0B9C07C97ED9737BA"
- cda8c2c485a7dd6b2198a59af42031a4.exe: Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- cda8c2c485a7dd6b2198a59af42031a4.exe: Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F89FFFB4F2882199031D6217E97BD93E13D584767346334D79E"
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- cda8c2c485a7dd6b2198a59af42031a4.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB9FE1821D0D20CD1D38B789165"
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- hshnhkhqcl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- hshnhkhqcl.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
- PID 3596 WINWORD.EXE (2 hits)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe (16 hits)
- PID 660 ghtjcehf.exe (8 hits)
- PID 2888 qgxxyvreopljj.exe (12 hits)
- PID 1508 fhuwvvjdflveaeu.exe (12 hits)
- PID 1964 hshnhkhqcl.exe (10 hits)
- PID 552 ghtjcehf.exe (6 hits)
Suspicious use of FindShellTrayWindow (18 IoCs)
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe (3 hits)
- PID 660 ghtjcehf.exe (3 hits)
- PID 2888 qgxxyvreopljj.exe (3 hits)
- PID 1508 fhuwvvjdflveaeu.exe (3 hits)
- PID 1964 hshnhkhqcl.exe (3 hits)
- PID 552 ghtjcehf.exe (3 hits)
Suspicious use of SendNotifyMessage (18 IoCs)
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe (3 hits)
- PID 660 ghtjcehf.exe (3 hits)
- PID 2888 qgxxyvreopljj.exe (3 hits)
- PID 1508 fhuwvvjdflveaeu.exe (3 hits)
- PID 1964 hshnhkhqcl.exe (3 hits)
- PID 552 ghtjcehf.exe (3 hits)
Suspicious use of SetWindowsHookEx (7 IoCs)
- PID 3596 WINWORD.EXE (7 hits)
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe wrote to memory of PID 1964 (procid_target 89), 3 hits
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe wrote to memory of PID 1508 (procid_target 90), 3 hits
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe wrote to memory of PID 660 (procid_target 91), 3 hits
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe wrote to memory of PID 2888 (procid_target 92), 3 hits
- PID 2392 cda8c2c485a7dd6b2198a59af42031a4.exe wrote to memory of PID 3596 (procid_target 93), 2 hits
- PID 1964 hshnhkhqcl.exe wrote to memory of PID 552 (procid_target 95), 3 hits
Processes
C:\Users\Admin\AppData\Local\Temp\cda8c2c485a7dd6b2198a59af42031a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cda8c2c485a7dd6b2198a59af42031a4.exe"
  PID: 2392
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\hshnhkhqcl.exe
    Command line: hshnhkhqcl.exe
    PID: 1964
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\ghtjcehf.exe
      Command line: C:\Windows\system32\ghtjcehf.exe
      PID: 552
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\fhuwvvjdflveaeu.exe
    Command line: fhuwvvjdflveaeu.exe
    PID: 1508
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\ghtjcehf.exe
    Command line: ghtjcehf.exe
    PID: 660
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\qgxxyvreopljj.exe
    Command line: qgxxyvreopljj.exe
    PID: 2888
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    PID: 3596
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads