Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 12:23
Static task: static1
Behavioral task: behavioral1 (sample d61a8a72f30d02169466ee7505b2bede.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample d61a8a72f30d02169466ee7505b2bede.exe, resource win10v2004-20240226-en)
General
Target: d61a8a72f30d02169466ee7505b2bede.exe
Size: 512KB
MD5: d61a8a72f30d02169466ee7505b2bede
SHA1: 37e4b6fd74b9819d38fef09f32ee67f2699e26af
SHA256: 1e9ed6e72e351fc39cf9e3d16d5b5d1c288295d11bfec6909100343028a62bb0
SHA512: f71e9349f8c42fc9bfb6b678bbe5baf0e1c6d402519689d35a3983e3f0310c7c8fbfd4afe2ff91f3616508b548bb172d4786f662be524410d955f3d58b56d277
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5H
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rycuwewghr.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rycuwewghr.exe
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rycuwewghr.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rycuwewghr.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | d61a8a72f30d02169466ee7505b2bede.exe
Executes dropped EXE 5 IoCs
pid | Process
3928 | rycuwewghr.exe
3436 | bzugvhmndiogcwv.exe
4300 | qjuabhtq.exe
2488 | noytcjaoofwoq.exe
2412 | qjuabhtq.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rycuwewghr.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ngnvniaz = "rycuwewghr.exe" | bzugvhmndiogcwv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hrcpqtjb = "bzugvhmndiogcwv.exe" | bzugvhmndiogcwv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "noytcjaoofwoq.exe" | bzugvhmndiogcwv.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only)" on a drive-letter root (\??\<letter>:). Grouped by process, in event order:
rycuwewghr.exe (20 events): b:, o:, i:, p:, q:, v:, e:, w:, a:, m:, x:, j:, r:, u:, z:, h:, s:, y:, n:, k:
qjuabhtq.exe (44 events, both instances): j:, r:, k:, s:, s:, t:, u:, g:, y:, n:, p:, i:, q:, m:, b:, n:, r:, z:, l:, p:, i:, u:, x:, z:, x:, m:, v:, l:, o:, t:, b:, g:, j:, a:, w:, h:, k:, o:, y:, a:, w:, h:, v:, e:
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rycuwewghr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rycuwewghr.exe
The SFCDisable value 4294967197 is 0xFFFFFF9D (-99 as a signed DWORD), the legacy value that switched off Windows File Protection on Windows 2000/XP. Windows 10 protects system files through Windows Resource Protection and does not honour this key, so on the analysis platform the write is an indicator rather than an effective defence bypass.
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4392-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00090000000224f7-8.dat | autoit_exe
behavioral2/files/0x000300000001e9a0-18.dat | autoit_exe
behavioral2/files/0x000a000000023189-29.dat | autoit_exe
behavioral2/files/0x00090000000224f7-26.dat | autoit_exe
behavioral2/files/0x00070000000231e6-32.dat | autoit_exe
behavioral2/files/0x000a000000023189-51.dat | autoit_exe
behavioral2/files/0x0002000000022720-74.dat | autoit_exe
behavioral2/files/0x00030000000227c3-79.dat | autoit_exe
behavioral2/files/0x0007000000023204-102.dat | autoit_exe
behavioral2/files/0x0007000000023204-105.dat | autoit_exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bzugvhmndiogcwv.exe | d61a8a72f30d02169466ee7505b2bede.exe
File opened for modification | C:\Windows\SysWOW64\qjuabhtq.exe | d61a8a72f30d02169466ee7505b2bede.exe
File created | C:\Windows\SysWOW64\rycuwewghr.exe | d61a8a72f30d02169466ee7505b2bede.exe
File created | C:\Windows\SysWOW64\bzugvhmndiogcwv.exe | d61a8a72f30d02169466ee7505b2bede.exe
File created | C:\Windows\SysWOW64\qjuabhtq.exe | d61a8a72f30d02169466ee7505b2bede.exe
File created | C:\Windows\SysWOW64\noytcjaoofwoq.exe | d61a8a72f30d02169466ee7505b2bede.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | C:\Windows\SysWOW64\noytcjaoofwoq.exe | d61a8a72f30d02169466ee7505b2bede.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rycuwewghr.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | C:\Windows\SysWOW64\rycuwewghr.exe | d61a8a72f30d02169466ee7505b2bede.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qjuabhtq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qjuabhtq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qjuabhtq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qjuabhtq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | qjuabhtq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | qjuabhtq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | qjuabhtq.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | d61a8a72f30d02169466ee7505b2bede.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | qjuabhtq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | qjuabhtq.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | qjuabhtq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB120449239E353CCBAA133EAD4BC" | d61a8a72f30d02169466ee7505b2bede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB2FE6A22DED27ED0A78A789060" | d61a8a72f30d02169466ee7505b2bede.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9BEFE13F1E7840F3B32869639E6B08B02FD4367033EE1CD45E709D3" | d61a8a72f30d02169466ee7505b2bede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C70815E1DBC2B9BC7FE0ED9434CB" | d61a8a72f30d02169466ee7505b2bede.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF884F29826E9142D72D7D94BDE2E13D594166406331D6EC" | d61a8a72f30d02169466ee7505b2bede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D089C5182236D4476D577212CD97D8665DB" | d61a8a72f30d02169466ee7505b2bede.exe
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | d61a8a72f30d02169466ee7505b2bede.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | rycuwewghr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rycuwewghr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d61a8a72f30d02169466ee7505b2bede.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rycuwewghr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | rycuwewghr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rycuwewghr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | rycuwewghr.exe
Two distinct things happen here. The parent stores opaque hex strings under HKLM\SOFTWARE\Classes\CLV.Classes (Com1..Com4, StartCom1, StartCom2), a registry location used as a configuration store. rycuwewghr.exe then sets the default value of the .bat, .reg, .vbs, .wsf, .wsh and .wsc extension keys to txtfile, which re-associates those script types with the plain-text handler: double-clicking a batch file or a .reg export on an infected host opens it in Notepad instead of running or importing it, which also breaks script-based cleanup.
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
1856 | WINWORD.EXE (2 events)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | events (in order)
4392 | d61a8a72f30d02169466ee7505b2bede.exe | 16
3928 | rycuwewghr.exe | 10
2488 | noytcjaoofwoq.exe | 12
4300 | qjuabhtq.exe | 8
3436 | bzugvhmndiogcwv.exe | 12
2488 | noytcjaoofwoq.exe | 4
2412 | qjuabhtq.exe | 2
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeManageVolumePrivilege | 4972 | svchost.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process | events (in order)
4392 | d61a8a72f30d02169466ee7505b2bede.exe | 3
4300, 2488, 3928 | qjuabhtq.exe, noytcjaoofwoq.exe, rycuwewghr.exe | 3 rounds of one event each (9)
3436 | bzugvhmndiogcwv.exe | 3
2412 | qjuabhtq.exe | 3
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process | events (in order)
4392 | d61a8a72f30d02169466ee7505b2bede.exe | 3
4300, 2488, 3928 | qjuabhtq.exe, noytcjaoofwoq.exe, rycuwewghr.exe | 3 rounds of one event each (9)
3436 | bzugvhmndiogcwv.exe | 3
2412 | qjuabhtq.exe | 3
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1856 | WINWORD.EXE (7 events)
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target | events
PID 4392 wrote to memory of 3928 | 4392 | d61a8a72f30d02169466ee7505b2bede.exe | 90 | 3
PID 4392 wrote to memory of 3436 | 4392 | d61a8a72f30d02169466ee7505b2bede.exe | 91 | 3
PID 4392 wrote to memory of 4300 | 4392 | d61a8a72f30d02169466ee7505b2bede.exe | 92 | 3
PID 4392 wrote to memory of 2488 | 4392 | d61a8a72f30d02169466ee7505b2bede.exe | 93 | 3
PID 4392 wrote to memory of 1856 | 4392 | d61a8a72f30d02169466ee7505b2bede.exe | 94 | 2
PID 3928 wrote to memory of 2412 | 3928 | rycuwewghr.exe | 96 | 3
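The registry and file indicators in the signatures above translate directly into a host check. The PowerShell script below is an added example, not part of the sandbox report or of the sample: it reads the keys the report shows rycuwewghr.exe and bzugvhmndiogcwv.exe writing, lists any that match, and then looks for the four dropped executables, the CLV.Classes configuration key, the decoy C:\Windows\mydoc.rtf and the *.doc.exe files qjuabhtq.exe writes. It assumes a 64-bit host (the dropper is 32-bit, so its HKLM writes land under WOW6432Node exactly as in the report) and that the dropped file names are stable across infections, which a single run cannot confirm; treat them as this run's names. Two details matter for a responder: Get-ItemProperty returns REG_DWORD as a signed Int32, so the SFCDisable value the report prints as 4294967197 (0xFFFFFF9D) reads back as -99; and because the sample maps .bat, .reg, .vbs, .wsf, .wsh and .wsc to the txtfile class, a batch or .reg-based cleanup launched by double-click opens in Notepad instead of running, so do the removal from PowerShell or reg.exe.

```powershell
# Added example, not part of the sandbox report: read-only host check for the
# registry and file indicators attributed above to rycuwewghr.exe,
# bzugvhmndiogcwv.exe and qjuabhtq.exe. Run in an elevated PowerShell 5.1+
# session on a 64-bit host.
# Assumptions: the dropped file names are the ones from this run (another build
# may randomise them), and HKLM writes sit under WOW6432Node because the dropper
# is a 32-bit process.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Category, [string]$Location, [string]$Name, $Value) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Name = $Name; Value = $Value })
}

# Record a finding when the value exists and equals one of the expected values.
function Test-RegValue([string]$Path, [string]$Name, [object[]]$Expected, [string]$Category) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $Expected -contains $item.$Name) {
        Add-Finding $Category $Path $Name $item.$Name
    }
}

# 1. Per-user Explorer settings and the RegEdit lockout, for every loaded user hive.
#    HideFileExt=1 and ShowSuperHidden=0 are also the Windows defaults, so on their
#    own they only corroborate; DisableRegistryTools is absent on a clean host.
Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $hive = "Registry::$($_.Name)"
        $adv  = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        Test-RegValue $adv 'HideFileExt'     1 'Hide artifacts (default value, weak)'
        Test-RegValue $adv 'ShowSuperHidden' 0 'Hide artifacts (default value, weak)'
        Test-RegValue "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools' 1 'Impair defenses'
    }

# 2. Legacy Security Center overrides. Windows 10 does not act on these XP-era
#    keys, but their presence under WOW6432Node is a clean indicator of this sample.
$sc = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center'
foreach ($n in 'AntiVirusOverride', 'FirewallOverride', 'AntiVirusDisableNotify',
               'FirewallDisableNotify', 'UpdatesDisableNotify', 'FirstRunDisabled') {
    Test-RegValue $sc $n 1 'Impair defenses'
}

# 3. Winlogon SFC values. Get-ItemProperty returns REG_DWORD as a signed Int32,
#    so 4294967197 (0xFFFFFF9D) from the report reads back as -99.
$wl = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-RegValue $wl 'SFCScan'    0                  'Modify Winlogon'
Test-RegValue $wl 'SFCDisable' @(-99, 4294967197) 'Modify Winlogon'

# 4. Run-key persistence. The value names are random (ngnvniaz, hrcpqtjb, even the
#    key's default value), so match on the data instead.
$dropped = 'rycuwewghr.exe', 'bzugvhmndiogcwv.exe', 'qjuabhtq.exe', 'noytcjaoofwoq.exe'
foreach ($run in 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if (($p.Name -notlike 'PS*') -and ($dropped -contains ([string]$p.Value).Trim('"'))) {
            Add-Finding 'Persistence (Run key)' $run $p.Name $p.Value
        }
    }
}

# 5. Script-extension hijack: .bat/.reg/.vbs/.wsf/.wsh/.wsc remapped to the text-file
#    handler, so a batch or .reg cleanup launched by double-click opens in Notepad.
foreach ($ext in '.bat', '.reg', '.vbs', '.wsf', '.wsh', '.wsc') {
    Test-RegValue "HKLM:\SOFTWARE\Classes\$ext" '(default)' 'txtfile' 'Script-extension hijack'
}

# 6. Configuration store and dropped files.
if (Test-Path 'HKLM:\SOFTWARE\Classes\CLV.Classes') {
    Add-Finding 'Config store' 'HKLM:\SOFTWARE\Classes\CLV.Classes' '' 'key present'
}
foreach ($f in $dropped) {
    $path = Join-Path $env:windir "SysWOW64\$f"
    if (Test-Path -LiteralPath $path) {
        Add-Finding 'Dropped file' $path '' (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
if (Test-Path -LiteralPath "$env:windir\mydoc.rtf") {
    Add-Finding 'Decoy document' "$env:windir\mydoc.rtf" '' ''
}
# qjuabhtq.exe writes <name>.DOC.exe into the Windows and Office directories listed above.
foreach ($root in "$env:windir\SysWOW64\MSDRM", "$env:windir\WinSxS", "$env:ProgramFiles\Microsoft Office") {
    Get-ChildItem -Path $root -Recurse -Filter '*.doc.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Double-extension drop' $_.FullName '' (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash }
}

$Findings | Sort-Object Category | Format-Table -AutoSize
```

The script only reports; removal is deliberately left to the responder, because the order matters on a host with the extension hijack in place: restore the .bat/.reg/.vbs class defaults (from a clean reference machine) and delete the Run values before killing the processes, or the next logon restarts the dropped binaries.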
Processes
C:\Users\Admin\AppData\Local\Temp\d61a8a72f30d02169466ee7505b2bede.exe (PID 4392)
  command line: "C:\Users\Admin\AppData\Local\Temp\d61a8a72f30d02169466ee7505b2bede.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rycuwewghr.exe (PID 3928, child of 4392)
    command line: rycuwewghr.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\qjuabhtq.exe (PID 2412, child of 3928)
      command line: C:\Windows\system32\qjuabhtq.exe (the 32-bit parent names system32; WOW64 file-system redirection resolves that path to SysWOW64, which is where the file was dropped)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\bzugvhmndiogcwv.exe (PID 3436, child of 4392)
    command line: bzugvhmndiogcwv.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\qjuabhtq.exe (PID 4300, child of 4392)
    command line: qjuabhtq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\noytcjaoofwoq.exe (PID 2488, child of 4392)
    command line: noytcjaoofwoq.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 1856, child of 4392)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
The two entries below are separate top-level processes in the sandbox, not children of the sample:
C:\Windows\system32\rundll32.exe (PID 3772)
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe (PID 4972)
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
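The process tree gives a telemetry hunt two relations to key on: the sample, running from the user's Temp directory, starts four executables that live in C:\Windows\SysWOW64 (and rycuwewghr.exe starts a second qjuabhtq.exe), then launches WINWORD.EXE on C:\Windows\mydoc.rtf as a decoy. The PowerShell below is an added example, not part of the report: it evaluates Sysmon process-creation records (Event ID 1) against those two relations, first on constructed records that mirror the tree above, then on the live Sysmon log if one is present. It assumes Sysmon is installed with process-creation logging; Image, ParentImage and CommandLine are Sysmon's field names, and the SysWOW64 allow-list is a tuning assumption, not something the report states.

```powershell
# Added example, not part of the sandbox report: evaluate Sysmon process-creation
# events (Event ID 1) against the parent/child relations in the tree above.
# Assumes Sysmon is installed with process-creation logging; Image, ParentImage and
# CommandLine are Sysmon's own field names.

# SysWOW64 executables a Temp-resident installer legitimately starts (assumed allow-list; extend to taste).
$AllowedWow64 = 'cmd.exe', 'conhost.exe', 'cscript.exe', 'msiexec.exe', 'powershell.exe',
                'regsvr32.exe', 'rundll32.exe', 'wscript.exe', 'WerFault.exe'
# The four names this run dropped; the location rule below also catches renamed builds.
$KnownDrops   = 'rycuwewghr.exe', 'bzugvhmndiogcwv.exe', 'qjuabhtq.exe', 'noytcjaoofwoq.exe'

# Returns a finding string, or $null when the record matches neither relation:
#  (a) a parent in a user's Temp directory starting an executable that lives in SysWOW64
#      (the dropper's children), or
#  (b) WINWORD.EXE opened on C:\Windows\mydoc.rtf by something other than the shell
#      (the decoy document).
function Test-ProcessCreate([hashtable]$E) {
    $img    = [string]$E['Image']
    $parent = [string]$E['ParentImage']
    $cmd    = [string]$E['CommandLine']
    $leaf   = [System.IO.Path]::GetFileName($img)

    $parentInTemp = $parent -match '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'
    $childInWow64 = $img -match '^[A-Za-z]:\\Windows\\SysWOW64\\[^\\]+\.exe$'
    if ($parentInTemp -and $childInWow64 -and
        ($KnownDrops -contains $leaf -or $AllowedWow64 -notcontains $leaf)) {
        return "Temp-resident parent started SysWOW64 executable '$leaf'"
    }

    $isWord         = $leaf -eq 'WINWORD.EXE'
    $decoyDoc       = $cmd -match 'C:\\Windows\\mydoc\.rtf'
    $parentNotShell = [System.IO.Path]::GetFileName($parent) -ne 'explorer.exe'
    if ($isWord -and $decoyDoc -and $parentNotShell) {
        return "WINWORD.EXE opened the decoy C:\Windows\mydoc.rtf from '$parent'"
    }
    return $null
}

# Constructed records mirroring the tree above (not real telemetry).
$Samples = @(
    @{ Image       = 'C:\Windows\SysWOW64\rycuwewghr.exe'
       CommandLine = 'rycuwewghr.exe'
       ParentImage = 'C:\Users\Admin\AppData\Local\Temp\d61a8a72f30d02169466ee7505b2bede.exe' },
    @{ Image       = 'C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE'
       CommandLine = '"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""'
       ParentImage = 'C:\Users\Admin\AppData\Local\Temp\d61a8a72f30d02169466ee7505b2bede.exe' },
    @{ Image       = 'C:\Windows\SysWOW64\msiexec.exe'   # benign installer helper, allow-listed
       CommandLine = 'msiexec.exe /i setup.msi'
       ParentImage = 'C:\Users\Admin\AppData\Local\Temp\setup.exe' }
)
foreach ($s in $Samples) {
    $hit = Test-ProcessCreate $s
    if ($hit) { "MATCH  $hit" } else { "ok     $($s['Image'])" }
}

# Live Sysmon log, when present. Fields are taken by name from the event XML because
# property positions shift between Sysmon versions.
$log = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $hit = Test-ProcessCreate $d
            if ($hit) {
                [pscustomobject]@{ Time = $_.TimeCreated; Finding = $hit; Parent = $d['ParentImage']; Image = $d['Image'] }
            }
        } | Format-Table -AutoSize -Wrap
}
```

Rule (a) is the durable one: the file names are whatever the AutoIT script chose, but an unsigned executable living in SysWOW64 whose parent runs from a user's Temp directory is unusual on a managed host, and the allow-list keeps ordinary installers quiet. Rule (b) is specific to this sample's decoy path and should be widened to any WINWORD.EXE launched by a non-shell parent if it is kept long term.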
Network
MITRE ATT&CK Enterprise v15
Persistence: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Privilege Escalation: Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (1), Winlogon Helper DLL (1)
Defense Evasion: Hide Artifacts (2): Hidden Files and Directories (2); Impair Defenses (2): Disable or Modify Tools (2); Modify Registry (6)
Downloads
- Filesize: 512KB
  MD5: f34301757204af9bbffa538fa9cb6ac8
  SHA1: 0cc332a07c5a536d22df73c1c5895f35b3f14a73
  SHA256: c262b6d47146d0fdd66d07df63051abd685f496699f6d76733945d8b16b0a5e1
  SHA512: e076c73a8d64356bc7baa5577af9e90423e2d6b3604e462dba071fcb0530447560222571548fb3ceb59beacd201a42425cd196182c44772588233600176657ea
- Filesize: 512KB
  MD5: 7f0ea9ccfb3a347345f80f7e077af49c
  SHA1: 6e3ac5aa25a3239866ca4c321a7d9a0672b756ee
  SHA256: 458d605e8c5821af842fa7393a9bd42a701f600e21629bfecc9bac9ddced2bf5
  SHA512: 5ae7db6b64375f8d4eb1d5ec6703f900f69a3616c4cecca133f8952744853db9a89565544f29e3231d4b99950a7a7c004ebf5d6cab1c05a0e109659de0e95e92
- Filesize: 239B
  MD5: 49f74cc177ed54cfe3ef5b6f015ab77c
  SHA1: 69b1509d8bcc7dfe19224e0f66dcec720f458332
  SHA256: 675674eeb50c03efc58bd6165ef88f59408d56c7e7ddfa8d1a61bb264df26112
  SHA512: 40eba13830b310ab6345a0e5b713f5df8023b7c38058dda21f390b949134bfaecddef802ff0297d27f7f4da99cc872c6c5eaa15f7ed2d84bc54c653d888cc67f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 8c2955dac51621153bd57c8099930c6e
  SHA1: e1bd6685cfa5f5df28b7d89214427ff3a9b7b468
  SHA256: bac67f6d6b60bd287eb22ef30e376f05f0517e1d3abae9aca5b403e0872ecd3b
  SHA512: 777b8d5148286e19e0bb6d17140632203977e74dec54b9bcc1529ae8e60f4488653959d8f9b827f4f3602e7692a670f71ad2b457b802137a0b4c3fe8021a4928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5: 40e04572c4ea70a25169ed4298025588
  SHA1: 554f4ae7074359bdd08b563a1141bc90d19da828
  SHA256: b812a7ca92e96a802db5c5cc3f4ab6ac81667d1f07d7c2d679419809f3423f74
  SHA512: b729c54f07d10b82720a706f96ecc6ac19b6807e961af4df995cfd9f4a807fab7b5ad3262c8c2583fc374ce396b38f5ebd1b6ca11dae0f71f0f9574a0c2805cc
- Filesize: 320KB
  MD5: 40eccbf82b7b8fc916befc4f91646a41
  SHA1: 9b26728b4c732bfeb504f70ab523d90def972d37
  SHA256: 1dc118e41bf637830be03d9bfe6d57960cf8dc9dbe9c8302a78e3406285bbaaa
  SHA512: 4714d4a188098bfac7feb042ef4c6f0236e826c335c740df7f47d60f0e70d50c5eeaf73e1b94afb0408bd8c6b5ef6fa9d49577a6ac214ce115f4b6db0b341cdf
- Filesize: 512KB
  MD5: 255d56e1b068c96677729048bf6f36ed
  SHA1: 92436bdff78a5227b8d88e4bd76ff5eb77a74c97
  SHA256: 395bfb1b5a05366c9159bce36f61c045c44148ce1f1e7847873b039c94a5c3d2
  SHA512: 895f026f007b59d6425fba7e6418cb61d04bd58ea981d9340372b02e28207a9785480d7226bdd900a868b34361cf9eabcc5905737681e2b91fbd1976143677dd
- Filesize: 448KB
  MD5: 9728739f509ce0f3b3b073c945c208bf
  SHA1: 31bf207a650a7f1bbb8e90552891f1a6f4e4783b
  SHA256: f252517c755af447fe73347dd23cd133e28c7a203d01382306a195c8ddda3dba
  SHA512: 76e963f4d1b88528ebbdbc375372889efffba4768f6a99bccce4c1faa730e9515f93fa74bd10bb61c0034f2ceb9ef85ee8234f9d13df183ffc7e163ae3dd38e7
- Filesize: 192KB
  MD5: 110f40dbeb901f612cee1dc242fdb309
  SHA1: 0d668d172ef81b3f17c1f870513988629c697600
  SHA256: 2776ac73ff5e792a5a804395643f25e611d6eb66037ffd261caacd95ae084b82
  SHA512: 076fda5dfa04f3c443f91657f607ef768185b7753767eb70d557635d398a76f85c8b3c19c7d864f9c342ced1af18c9c98f6f4da4b7bb86dca104230fa71b6df1
- Filesize: 512KB
  MD5: 8a15187bfe9df52f1ddaed1f7f533db4
  SHA1: 9e74a280becfcc5552dff0652591e7903ca017b1
  SHA256: 8a09d8c9c061691f18e3df12b36518c820da3c45779eaae928fbdcbe93da22c2
  SHA512: 2c994f498fc0e726c4186f7379719e0eff1d5f522850a61c8fc9ce4036a393d5e7d37c67b74c443660fb966c4056206cfbbfb0fbc732042d4af51e4960e33afe
- Filesize: 512KB
  MD5: 46c0c3330e04e06763fab8dc0630823d
  SHA1: 7bbf5ee7402311e48b94a66fecf7fad58ab5bd57
  SHA256: e74893ff58e07eafc6cfa91f09e369a373a07e1bf13f611b7f55fde07cd59a8d
  SHA512: a5203b798c966bfc6e582c8553ed1e1241a891b079da8bbf2cad435687ffa1e44ddbbb89addd2004b6141363b841614944777d61350ee1354752817ff316f9fb
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 4b61b24a75ae1422b62f72d8e5e0a56b
  SHA1: aa953674b9d995736ede7f73c8c797ea1549d7c7
  SHA256: 365c7d6839be44420187813a7a8ac129f3b354c26b28f9a3c8d7d0e4c67b138a
  SHA512: 0cf99143bfa4f0e2e2453ccd072d734e064938758cdc2879d5f9fb7abeec7c76ecbf6cf5afe5267570084feb2c1b479b2640aa3bb6db3d531d2f5dc43869671c
- Filesize: 512KB
  MD5: 6b62ec49adf807a7a53a449c456da969
  SHA1: 870595540940928b779c9a625926f2ca8647c539
  SHA256: 5f1409b4ada0832d4d878b0aae7b6eba3d3e903ba583c94c33681028651307b9
  SHA512: 5996ad614d793098ea94efab9e4dd012f6b9e2f81afbd85c7020042f1174be8db9b30ad81236bc008c91a7760d089004dcefd8027eed92f1edaa94a653786b0c