Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16/03/2024, 11:17

Static task: static1

Behavioral task: behavioral1
- Sample: cdee219572827a20303e2174e95c22cd.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: cdee219572827a20303e2174e95c22cd.exe
- Resource: win10v2004-20240226-en

General
- Target: cdee219572827a20303e2174e95c22cd.exe
- Size: 512KB
- MD5: cdee219572827a20303e2174e95c22cd
- SHA1: a29275bd004d173aa4d9bf27af5e72678ad86bdc
- SHA256: 3ea972462e7234f7c7907edbeb809ac0c5f66b1fc3f62d155e7b769b4dfd5d09
- SHA512: 79611c0a3b24c51c8f210ae668977f46aad3be3d340451da2abc6306dbe824bc51b617dce767951545f5c217eb9ad130d1e1c2ebd7988aae785d7a07e5f3f640
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6t:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | mszxezpyie.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | mszxezpyie.exe

Windows security bypass (5 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mszxezpyie.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mszxezpyie.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | cdee219572827a20303e2174e95c22cd.exe
Executes dropped EXE (5 IoCs)
pid | Process
- 4656 | mszxezpyie.exe
- 2128 | ejyzyqvggqxlcsp.exe
- 216 | jqwlygyy.exe
- 4616 | dgqtuapnsmhat.exe
- 1408 | jqwlygyy.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | mszxezpyie.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lalqkzkd = "mszxezpyie.exe" | ejyzyqvggqxlcsp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mwksqyjm = "ejyzyqvggqxlcsp.exe" | ejyzyqvggqxlcsp.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dgqtuapnsmhat.exe" | ejyzyqvggqxlcsp.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\o: | mszxezpyie.exe
- File opened (read-only) | \??\j: | jqwlygyy.exe
- File opened (read-only) | \??\t: | jqwlygyy.exe
- File opened (read-only) | \??\w: | jqwlygyy.exe
- File opened (read-only) | \??\j: | mszxezpyie.exe
- File opened (read-only) | \??\e: | jqwlygyy.exe
- File opened (read-only) | \??\j: | jqwlygyy.exe
- File opened (read-only) | \??\y: | jqwlygyy.exe
- File opened (read-only) | \??\s: | jqwlygyy.exe
- File opened (read-only) | \??\r: | jqwlygyy.exe
- File opened (read-only) | \??\i: | mszxezpyie.exe
- File opened (read-only) | \??\l: | mszxezpyie.exe
- File opened (read-only) | \??\r: | mszxezpyie.exe
- File opened (read-only) | \??\z: | mszxezpyie.exe
- File opened (read-only) | \??\y: | mszxezpyie.exe
- File opened (read-only) | \??\a: | jqwlygyy.exe
- File opened (read-only) | \??\n: | jqwlygyy.exe
- File opened (read-only) | \??\b: | jqwlygyy.exe
- File opened (read-only) | \??\e: | jqwlygyy.exe
- File opened (read-only) | \??\g: | jqwlygyy.exe
- File opened (read-only) | \??\l: | jqwlygyy.exe
- File opened (read-only) | \??\p: | mszxezpyie.exe
- File opened (read-only) | \??\r: | jqwlygyy.exe
- File opened (read-only) | \??\q: | jqwlygyy.exe
- File opened (read-only) | \??\s: | jqwlygyy.exe
- File opened (read-only) | \??\g: | mszxezpyie.exe
- File opened (read-only) | \??\m: | mszxezpyie.exe
- File opened (read-only) | \??\w: | jqwlygyy.exe
- File opened (read-only) | \??\a: | jqwlygyy.exe
- File opened (read-only) | \??\q: | mszxezpyie.exe
- File opened (read-only) | \??\t: | mszxezpyie.exe
- File opened (read-only) | \??\u: | jqwlygyy.exe
- File opened (read-only) | \??\x: | jqwlygyy.exe
- File opened (read-only) | \??\z: | jqwlygyy.exe
- File opened (read-only) | \??\p: | jqwlygyy.exe
- File opened (read-only) | \??\h: | jqwlygyy.exe
- File opened (read-only) | \??\o: | jqwlygyy.exe
- File opened (read-only) | \??\q: | jqwlygyy.exe
- File opened (read-only) | \??\b: | mszxezpyie.exe
- File opened (read-only) | \??\e: | mszxezpyie.exe
- File opened (read-only) | \??\h: | mszxezpyie.exe
- File opened (read-only) | \??\v: | mszxezpyie.exe
- File opened (read-only) | \??\b: | jqwlygyy.exe
- File opened (read-only) | \??\u: | jqwlygyy.exe
- File opened (read-only) | \??\v: | jqwlygyy.exe
- File opened (read-only) | \??\x: | jqwlygyy.exe
- File opened (read-only) | \??\k: | mszxezpyie.exe
- File opened (read-only) | \??\i: | jqwlygyy.exe
- File opened (read-only) | \??\k: | jqwlygyy.exe
- File opened (read-only) | \??\n: | jqwlygyy.exe
- File opened (read-only) | \??\o: | jqwlygyy.exe
- File opened (read-only) | \??\p: | jqwlygyy.exe
- File opened (read-only) | \??\m: | jqwlygyy.exe
- File opened (read-only) | \??\t: | jqwlygyy.exe
- File opened (read-only) | \??\v: | jqwlygyy.exe
- File opened (read-only) | \??\h: | jqwlygyy.exe
- File opened (read-only) | \??\y: | jqwlygyy.exe
- File opened (read-only) | \??\i: | jqwlygyy.exe
- File opened (read-only) | \??\z: | jqwlygyy.exe
- File opened (read-only) | \??\a: | mszxezpyie.exe
- File opened (read-only) | \??\u: | mszxezpyie.exe
- File opened (read-only) | \??\x: | mszxezpyie.exe
- File opened (read-only) | \??\m: | jqwlygyy.exe
- File opened (read-only) | \??\n: | mszxezpyie.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | mszxezpyie.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | mszxezpyie.exe
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/2264-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x001000000002313b-5.dat | autoit_exe
- behavioral2/files/0x000400000001e980-18.dat | autoit_exe
- behavioral2/files/0x000a0000000231e9-26.dat | autoit_exe
- behavioral2/files/0x00070000000231f4-31.dat | autoit_exe
- behavioral2/files/0x000a0000000231e9-35.dat | autoit_exe
- behavioral2/files/0x0002000000022718-69.dat | autoit_exe
- behavioral2/files/0x000700000002275e-75.dat | autoit_exe
- behavioral2/files/0x0007000000023210-96.dat | autoit_exe
- behavioral2/files/0x0007000000023210-102.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
- File created | C:\Windows\SysWOW64\ejyzyqvggqxlcsp.exe | cdee219572827a20303e2174e95c22cd.exe
- File created | C:\Windows\SysWOW64\mszxezpyie.exe | cdee219572827a20303e2174e95c22cd.exe
- File created | C:\Windows\SysWOW64\jqwlygyy.exe | cdee219572827a20303e2174e95c22cd.exe
- File opened for modification | C:\Windows\SysWOW64\dgqtuapnsmhat.exe | cdee219572827a20303e2174e95c22cd.exe
- File opened for modification | C:\Windows\SysWOW64\mszxezpyie.exe | cdee219572827a20303e2174e95c22cd.exe
- File opened for modification | C:\Windows\SysWOW64\jqwlygyy.exe | cdee219572827a20303e2174e95c22cd.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | mszxezpyie.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | C:\Windows\SysWOW64\ejyzyqvggqxlcsp.exe | cdee219572827a20303e2174e95c22cd.exe
- File created | C:\Windows\SysWOW64\dgqtuapnsmhat.exe | cdee219572827a20303e2174e95c22cd.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | jqwlygyy.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqwlygyy.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jqwlygyy.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | jqwlygyy.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\mydoc.rtf | cdee219572827a20303e2174e95c22cd.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | jqwlygyy.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | jqwlygyy.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | mszxezpyie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2D7B9D2382576A4277A177262DD77D8764DC" | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70F1596DBC3B9BC7F92ED9434BD" | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | mszxezpyie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | mszxezpyie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | mszxezpyie.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACFFABEFE64F29384793A40819D3996B088038A4260034CE1CD459C09D1" | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BB4FE6822D9D27BD1A48A0B9111" | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | mszxezpyie.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | mszxezpyie.exe
- Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B02B449039EE52BEBAD5339CD4CF" | cdee219572827a20303e2174e95c22cd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF5FFFB4F58826E903DD75F7E95BDE3E631594A674F633FD690" | cdee219572827a20303e2174e95c22cd.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
- 1916 | WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive identical entries collapsed, in original order)
- 2264 | cdee219572827a20303e2174e95c22cd.exe (16 entries)
- 2128 | ejyzyqvggqxlcsp.exe
- 4656 | mszxezpyie.exe
- 2128 | ejyzyqvggqxlcsp.exe
- 4656 | mszxezpyie.exe
- 2128 | ejyzyqvggqxlcsp.exe (2 entries)
- 4656 | mszxezpyie.exe (6 entries)
- 2128 | ejyzyqvggqxlcsp.exe
- 4656 | mszxezpyie.exe
- 2128 | ejyzyqvggqxlcsp.exe
- 4656 | mszxezpyie.exe
- 2128 | ejyzyqvggqxlcsp.exe (4 entries)
- 216 | jqwlygyy.exe (8 entries)
- 4616 | dgqtuapnsmhat.exe (12 entries)
- 2128 | ejyzyqvggqxlcsp.exe (2 entries)
- 4616 | dgqtuapnsmhat.exe (4 entries)
- 1408 | jqwlygyy.exe (2 entries)

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
- 2264 | cdee219572827a20303e2174e95c22cd.exe (3 entries)
- 2128 | ejyzyqvggqxlcsp.exe (3 entries)
- 4656 | mszxezpyie.exe (3 entries)
- 216 | jqwlygyy.exe (3 entries)
- 4616 | dgqtuapnsmhat.exe (3 entries)
- 1408 | jqwlygyy.exe (3 entries)

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
- 2264 | cdee219572827a20303e2174e95c22cd.exe (3 entries)
- 2128 | ejyzyqvggqxlcsp.exe (3 entries)
- 4656 | mszxezpyie.exe (3 entries)
- 216 | jqwlygyy.exe (3 entries)
- 4616 | dgqtuapnsmhat.exe (3 entries)
- 1408 | jqwlygyy.exe (3 entries)

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
- 1916 | WINWORD.EXE (7 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
- PID 2264 wrote to memory of 4656 | 2264 | cdee219572827a20303e2174e95c22cd.exe | 89 (3 entries)
- PID 2264 wrote to memory of 2128 | 2264 | cdee219572827a20303e2174e95c22cd.exe | 90 (3 entries)
- PID 2264 wrote to memory of 216 | 2264 | cdee219572827a20303e2174e95c22cd.exe | 91 (3 entries)
- PID 2264 wrote to memory of 4616 | 2264 | cdee219572827a20303e2174e95c22cd.exe | 92 (3 entries)
- PID 2264 wrote to memory of 1916 | 2264 | cdee219572827a20303e2174e95c22cd.exe | 93 (2 entries)
- PID 4656 wrote to memory of 1408 | 4656 | mszxezpyie.exe | 95 (3 entries)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\cdee219572827a20303e2174e95c22cd.exe (PID 2264)
Command line: "C:\Users\Admin\AppData\Local\Temp\cdee219572827a20303e2174e95c22cd.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  Depth 2 (child of PID 2264): C:\Windows\SysWOW64\mszxezpyie.exe (PID 4656)
  Command line: mszxezpyie.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    Depth 3 (child of PID 4656): C:\Windows\SysWOW64\jqwlygyy.exe (PID 1408)
    Command line: C:\Windows\system32\jqwlygyy.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  Depth 2 (child of PID 2264): C:\Windows\SysWOW64\ejyzyqvggqxlcsp.exe (PID 2128)
  Command line: ejyzyqvggqxlcsp.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2 (child of PID 2264): C:\Windows\SysWOW64\jqwlygyy.exe (PID 216)
  Command line: jqwlygyy.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2 (child of PID 2264): C:\Windows\SysWOW64\dgqtuapnsmhat.exe (PID 4616)
  Command line: dgqtuapnsmhat.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  Depth 2 (child of PID 2264): C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1916)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
Downloads