Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
19/03/2024, 15:35
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
d67add1de2a10c7e5f9eb64ed143005e.exe
Resource
win7-20240221-en
windows7-x64
28 signatures
150 seconds
Behavioral task
behavioral2
Sample
d67add1de2a10c7e5f9eb64ed143005e.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
d67add1de2a10c7e5f9eb64ed143005e.exe
-
Size
512KB
-
MD5
d67add1de2a10c7e5f9eb64ed143005e
-
SHA1
c13cba438d4c6def213d16b348f8066a9568f44d
-
SHA256
a96605e0b5c535b2aa7fe9c530a7b75c2b9f2ff5fcac7cbe1a3f5337631f68a2
-
SHA512
a109a3dc77727269ba8c8c6c9036a8c835ce0f2896886b9efa3c18e86e28174678cdeb8ef3739131175167f306f0300e6575b7972837aabe647dc73e01173223
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tghrucstxp.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tghrucstxp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tghrucstxp.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tghrucstxp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation d67add1de2a10c7e5f9eb64ed143005e.exe -
Executes dropped EXE 5 IoCs
pid Process 2560 tghrucstxp.exe 996 jwxpzirotkqwwep.exe 2696 amgavrdb.exe 3024 hvooeomzgychc.exe 1604 amgavrdb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" tghrucstxp.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gedpbrpx = "tghrucstxp.exe" jwxpzirotkqwwep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\boontrvz = "jwxpzirotkqwwep.exe" jwxpzirotkqwwep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hvooeomzgychc.exe" jwxpzirotkqwwep.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\r: tghrucstxp.exe File opened (read-only) \??\b: amgavrdb.exe File opened (read-only) \??\n: amgavrdb.exe File opened (read-only) \??\p: amgavrdb.exe File opened (read-only) \??\b: tghrucstxp.exe File opened (read-only) \??\m: tghrucstxp.exe File opened (read-only) \??\n: tghrucstxp.exe File opened (read-only) \??\x: amgavrdb.exe File opened (read-only) \??\e: amgavrdb.exe File opened (read-only) \??\i: tghrucstxp.exe File opened (read-only) \??\w: tghrucstxp.exe File opened (read-only) \??\m: amgavrdb.exe File opened (read-only) \??\r: amgavrdb.exe File opened (read-only) \??\z: amgavrdb.exe File opened (read-only) \??\a: amgavrdb.exe File opened (read-only) \??\l: amgavrdb.exe File opened (read-only) \??\j: amgavrdb.exe File opened (read-only) \??\l: amgavrdb.exe File opened (read-only) \??\i: amgavrdb.exe File opened (read-only) \??\k: tghrucstxp.exe File opened (read-only) \??\o: tghrucstxp.exe File opened (read-only) \??\h: tghrucstxp.exe File opened (read-only) \??\k: amgavrdb.exe File opened (read-only) \??\u: amgavrdb.exe File opened (read-only) \??\b: amgavrdb.exe File opened (read-only) \??\t: amgavrdb.exe File opened (read-only) \??\v: amgavrdb.exe File opened (read-only) \??\s: tghrucstxp.exe File opened (read-only) \??\i: amgavrdb.exe File opened (read-only) \??\p: amgavrdb.exe File opened (read-only) \??\w: amgavrdb.exe File opened (read-only) \??\a: tghrucstxp.exe File opened (read-only) \??\q: tghrucstxp.exe File opened (read-only) \??\g: amgavrdb.exe File opened (read-only) \??\o: amgavrdb.exe File opened (read-only) \??\s: amgavrdb.exe File opened (read-only) \??\y: amgavrdb.exe File opened (read-only) \??\t: amgavrdb.exe File opened (read-only) \??\g: amgavrdb.exe File opened (read-only) \??\t: tghrucstxp.exe File opened (read-only) \??\e: amgavrdb.exe File opened (read-only) \??\q: amgavrdb.exe File opened (read-only) \??\u: amgavrdb.exe File opened (read-only) \??\p: tghrucstxp.exe File opened (read-only) \??\y: tghrucstxp.exe File opened (read-only) \??\j: tghrucstxp.exe File opened (read-only) \??\l: tghrucstxp.exe File opened (read-only) \??\q: amgavrdb.exe File opened (read-only) \??\r: amgavrdb.exe File opened (read-only) \??\x: tghrucstxp.exe File opened (read-only) \??\h: amgavrdb.exe File opened (read-only) \??\j: amgavrdb.exe File opened (read-only) \??\n: amgavrdb.exe File opened (read-only) \??\m: amgavrdb.exe File opened (read-only) \??\k: amgavrdb.exe File opened (read-only) \??\g: tghrucstxp.exe File opened (read-only) \??\a: amgavrdb.exe File opened (read-only) \??\v: tghrucstxp.exe File opened (read-only) \??\z: tghrucstxp.exe File opened (read-only) \??\s: amgavrdb.exe File opened (read-only) \??\w: amgavrdb.exe File opened (read-only) \??\y: amgavrdb.exe File opened (read-only) \??\z: amgavrdb.exe File opened (read-only) \??\e: tghrucstxp.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" tghrucstxp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tghrucstxp.exe -
AutoIT Executable 12 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2856-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral2/files/0x0008000000023208-5.dat autoit_exe behavioral2/files/0x00090000000231fb-18.dat autoit_exe behavioral2/files/0x0006000000023215-29.dat autoit_exe behavioral2/files/0x0006000000023214-30.dat autoit_exe behavioral2/files/0x0006000000023214-48.dat autoit_exe behavioral2/files/0x000600000001db43-65.dat autoit_exe behavioral2/files/0x000200000001e6ae-68.dat autoit_exe behavioral2/files/0x000400000001e3d9-91.dat autoit_exe behavioral2/files/0x000200000001e5a7-98.dat autoit_exe behavioral2/files/0x000400000001e455-119.dat autoit_exe behavioral2/files/0x000400000001e455-124.dat autoit_exe -
Drops file in System32 directory 12 IoCs
description ioc Process File created C:\Windows\SysWOW64\tghrucstxp.exe d67add1de2a10c7e5f9eb64ed143005e.exe File created C:\Windows\SysWOW64\jwxpzirotkqwwep.exe d67add1de2a10c7e5f9eb64ed143005e.exe File created C:\Windows\SysWOW64\amgavrdb.exe d67add1de2a10c7e5f9eb64ed143005e.exe File opened for modification C:\Windows\SysWOW64\amgavrdb.exe d67add1de2a10c7e5f9eb64ed143005e.exe File created C:\Windows\SysWOW64\hvooeomzgychc.exe d67add1de2a10c7e5f9eb64ed143005e.exe File opened for modification C:\Windows\SysWOW64\tghrucstxp.exe d67add1de2a10c7e5f9eb64ed143005e.exe File opened for modification C:\Windows\SysWOW64\jwxpzirotkqwwep.exe d67add1de2a10c7e5f9eb64ed143005e.exe File opened for modification C:\Windows\SysWOW64\hvooeomzgychc.exe d67add1de2a10c7e5f9eb64ed143005e.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tghrucstxp.exe File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe amgavrdb.exe -
Drops file in Program Files directory 14 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal amgavrdb.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe amgavrdb.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe amgavrdb.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe amgavrdb.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal amgavrdb.exe File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe amgavrdb.exe File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe amgavrdb.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal amgavrdb.exe -
Drops file in Windows directory 19 IoCs
description ioc Process File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe amgavrdb.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification C:\Windows\mydoc.rtf d67add1de2a10c7e5f9eb64ed143005e.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe amgavrdb.exe File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe amgavrdb.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe amgavrdb.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe amgavrdb.exe File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe amgavrdb.exe File created C:\Windows\~$mydoc.rtf WINWORD.EXE File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe amgavrdb.exe File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe amgavrdb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies registry class 20 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat tghrucstxp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" tghrucstxp.exe Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB15C479039E352C8B9D032EAD7C4" d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" tghrucstxp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf tghrucstxp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" tghrucstxp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7F9C2182226D4276D377252DDA7C8665D9" d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CAFE65F299847A3B31819939E5B38B02FF4269023EE2C9429E09D1" d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB0FE1B22D8D272D1D38B799062" d67add1de2a10c7e5f9eb64ed143005e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCF8482F851E913DD7287DE7BCE7E135583767446336D7EE" d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C67E15EDDAB5B9C07FE6ECE337BC" d67add1de2a10c7e5f9eb64ed143005e.exe Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings d67add1de2a10c7e5f9eb64ed143005e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" tghrucstxp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" tghrucstxp.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2632 WINWORD.EXE 2632 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 2696 amgavrdb.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 3024 hvooeomzgychc.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 996 jwxpzirotkqwwep.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 996 jwxpzirotkqwwep.exe 2696 amgavrdb.exe 996 jwxpzirotkqwwep.exe 3024 hvooeomzgychc.exe 2696 amgavrdb.exe 996 jwxpzirotkqwwep.exe 3024 hvooeomzgychc.exe 2696 amgavrdb.exe 3024 hvooeomzgychc.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 2560 tghrucstxp.exe 996 jwxpzirotkqwwep.exe 2696 amgavrdb.exe 996 jwxpzirotkqwwep.exe 3024 hvooeomzgychc.exe 2696 amgavrdb.exe 996 jwxpzirotkqwwep.exe 3024 hvooeomzgychc.exe 2696 amgavrdb.exe 3024 hvooeomzgychc.exe 1604 amgavrdb.exe 1604 amgavrdb.exe 1604 amgavrdb.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2856 wrote to memory of 2560 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 87 PID 2856 wrote to memory of 2560 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 87 PID 2856 wrote to memory of 2560 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 87 PID 2856 wrote to memory of 996 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 88 PID 2856 wrote to memory of 996 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 88 PID 2856 wrote to memory of 996 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 88 PID 2856 wrote to memory of 2696 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 89 PID 2856 wrote to memory of 2696 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 89 PID 2856 wrote to memory of 2696 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 89 PID 2856 wrote to memory of 3024 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 90 PID 2856 wrote to memory of 3024 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 90 PID 2856 wrote to memory of 3024 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 90 PID 2856 wrote to memory of 2632 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 91 PID 2856 wrote to memory of 2632 2856 d67add1de2a10c7e5f9eb64ed143005e.exe 91 PID 2560 wrote to memory of 1604 2560 tghrucstxp.exe 93 PID 2560 wrote to memory of 1604 2560 tghrucstxp.exe 93 PID 2560 wrote to memory of 1604 2560 tghrucstxp.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\d67add1de2a10c7e5f9eb64ed143005e.exe"C:\Users\Admin\AppData\Local\Temp\d67add1de2a10c7e5f9eb64ed143005e.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\tghrucstxp.exetghrucstxp.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\amgavrdb.exeC:\Windows\system32\amgavrdb.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1604
-
-
-
C:\Windows\SysWOW64\jwxpzirotkqwwep.exejwxpzirotkqwwep.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:996
-
-
C:\Windows\SysWOW64\amgavrdb.exeamgavrdb.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2696
-
-
C:\Windows\SysWOW64\hvooeomzgychc.exehvooeomzgychc.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3024
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2632
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5cf172eae18161bd0d8be76d0a0780e0a
SHA123666458bdfacddaa6885ea0899a04b0e66f1309
SHA256560e48e7c12da3e33721d5cc8f5e012a06f15baddd70ccc16db309a99c6e0599
SHA51228bf4212035062ac062304d420e43616a6b1b5cf49d949af123866208b4df17d87bd65c8e86b4eebd279fe9f8c312b7caf64d72d098da42615dc1e0b7dcd2d92
-
Filesize
512KB
MD5f3fd48333c6c2350a067971bb5ed033e
SHA1adeaab5019eb90df7826847ea60f1d05e098d37e
SHA256d9185b4c1fd1a8d3d57f32cdd6460e1886b4bfd63f88e4cb44a94b7c561b4024
SHA5120a2a52367033c40f5f18ab3bc6917c7cb7b73a5eb895da8ab688063c26e3ccba13c7222ce771c78387d4d63b35d6588ef6dcc510e256ce45bebe22f42e02ec40
-
Filesize
239B
MD560e7e2e6832bca3c3a1520b0ee5fa568
SHA134804685947303527a3d344e593654da8e949bcb
SHA2565f58a2c0e82be8abd8810ada1a12b022d8fad21e02ab0b8d755b47858241f776
SHA512f2ba4896c6cac6bf997b298bdc230b4ddc6b89f8a2ea0a1f55822f046bf93edda957cbe5b4139244d2aad944ce2b21d36c8973246215f4140ce787a3bd60c3f5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize3KB
MD53f251e63b589d0dac998dd00fa6b7634
SHA12b42d8113dada673ba5e1a05749f248e10628337
SHA2562472438cd2157e77d56aba8f78aa69ec2ef7205c6e45eeb214b1eb84bbca8c79
SHA512c7c082ccc516bffeffe6dc92ed963b47e81c4be30e4116f03d73419a5061c315ab5c84a2a4d83431fa375f509333d60e90264cebcd61f2533ec6e8e93609c801
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe577937.TMP
Filesize3KB
MD5e94d6e201397b28c88de797fb1d178d9
SHA1dceb7e3f893b19c8c5bf6f58b168dfa6a4e40164
SHA256ee956657a68f7724b01ab1fd039b21fb9cc319c482ced0823b5ee9be7f8605f6
SHA5121fc96bb5978252719d91d22d99fc5d03f0084fe83405e6918c5687d1209eea48da7811d5d697d9fdea1a8d6cea5a981e3a518a241ee10902bd7638bb86211f55
-
Filesize
512KB
MD5b1de24085655680782cd59ef1c3629ac
SHA15fa817b58d571db4be4adf6ed8a584ce83bbc2c2
SHA256ff5f937f587cbd48f2e2063326015a3d45800d4c228b4824f90b13abb55c77f2
SHA5122f477673015f86e66016b436781d02586fe4591d47445b578ac82295a33e5ff989205a862155b555b1af7a9c4e8c7941eb36e5e5ae7441e2c0cc3916b5dec9ec
-
Filesize
512KB
MD54c9dbd64485c70fc424daae03df03dd7
SHA1ce7e6ce3924907e82bd77863e2ae988db3e9f1bc
SHA256927b845bc44b2599d0ed65ba6320536ebd54625a0c81bd31fba4980b2ea868b1
SHA51246c1a2d68865399deebcdaef139215712d84eb3fbb8f3d08e4f7fe784d9057aee09ac298766e161072cf18181bf2430135ed3de36eaf1149f8ddc8ce2403058d
-
Filesize
512KB
MD5e967ddecf44957e7ac199a8da11395d7
SHA15037338b64c9bcd04da8db7d3f8d946af28423a7
SHA25626fbf31a04a7d2ff0a41fe03e851bd4868b91280b7b9fe02b52b6f09da09f03f
SHA5127a547ff3f2c3a889111c30b08b92b7716078024a41cff83945d68be573617f65983f7fdf497f3c825d1d72b6b2f52bcf1859e1c4afde7aaab9e5e64416de7a86
-
Filesize
128KB
MD533be84de0fa03c6883fec2ead970e3ba
SHA1dbe35ed4343779aa93200c24966ccb805e18f223
SHA256ef0f2733bf476c4dc632a27627cb24681d552719aafcc969eec5db1a90996887
SHA5123e93ab8677009d404503e243038ae323b1bc55af56c8c53bd3d44f5313ed4383c987ccb1f1f0e86111fc36db67c7b1b76de4eb4b1c6742baadffd70d7dc6c093
-
Filesize
512KB
MD5cb8db18f3216edc034ff9d12bcc36d8b
SHA1b7ece4e5cfe51c479a313d9a1eaf3ec36dc94563
SHA256c9651a6235bb7caaf7d4ac006452f0818c626aea2b1e78bd087fbafdb53db5ed
SHA512c0019882073a943b6341b1a3e3d0bd7cb695dbd5514e27a11e420505cf343a65760f12a8ec450bace5590e22ba617a2ca05c9e8484c7a832876d49c76be2e189
-
Filesize
512KB
MD5e1f8dae56527bd0abbd8858b3d12a79a
SHA1be43cbe11ab346a1004e2a4003a1ffc26fbe1753
SHA256c1bb9afa62c5144c1122fc36b31d7c6273df9baaa86f354bbb91620b31f02ce2
SHA51232c3cc5b6b0192b07148b5a3509a124f50e60612fd95ddcb64dde81f0258fbafc90a732165e490b22df80ed9b2ed30eff6d55d71c736adce3a983a000c4dba02
-
Filesize
512KB
MD5718abde1cedb14a60626372e12aaed4a
SHA1f1d192af917d493b2b226c157c7c3725a377614d
SHA256f76e065f23f0dba86582d0bc5febc92d65d9b0a0b9531b42c80579afb329ad23
SHA5121e6db094f9ff24a9b8779854d2d1e0b4aa143ce2bf70f02695058c3ffb71c6f4a4edefbd508c7f7e76a89807f6304d92c75ef12b78d00d0cfbe2c31d4abea3d5
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize
512KB
MD580394739cc2512e53c8f856240ad1e8b
SHA1afbef618245398b672047cbe6ff5ece06e36f91d
SHA25679b0600e68a6a182031dc8e53f08aad1d612d0eb6eba0615fa6aeb1712b353e9
SHA512d3d9b26852a8a14dfac759f36e3e1c5650100463a289d0f4a292cad47501f508f44f2a0492e5a1b28e887eea9a7b6eff52ad247a54b106f2a87ffae9c420ae2a
-
Filesize
512KB
MD512c59ea897a013a0ffe6b05d2943a8d5
SHA14241aea3ada0b6a6aa77a7663b57deba445fdd22
SHA2563ccde3a0ebe68d1ae8b35fe7840dab9a8d3f42e4974713b988499efae2cc3fb2
SHA512e0bbe0e21a692e1c301d87a2352d66a241aeb0f39f1c7aa9253e702033728baaddc7c48b84bb2584a6b061dafe0db0225d63daaf5e4ca266207e6f3618d8a8c2