Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/03/2024, 17:52
Static task: static1
Behavioral task: behavioral1
- Sample: d6c02228b951c4943cea2c6913e9c2dc.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d6c02228b951c4943cea2c6913e9c2dc.exe
- Resource: win10v2004-20240226-en
General
- Target: d6c02228b951c4943cea2c6913e9c2dc.exe
- Size: 512KB
- MD5: d6c02228b951c4943cea2c6913e9c2dc
- SHA1: 6916ad5a0b3de36dfd8b777d35c8e80d529015bb
- SHA256: 6c04097e57fcba5839e72a758d65ec8aa8c02ff611a792fb9760398e3d30da90
- SHA512: ee7a82c19dbd0836e23f6555fce04ae8d29d94d5df5c61186451502aa9a33d36ba11f1a1a20c3c126f8324c7dd191a6089269c8d26da272f4a63249fcc66c8ed
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hnvukndyun.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hnvukndyun.exe
Windows security bypass 5 IoCs (signature name restored from the hnvukndyun.exe entry in the Processes section; this table's own heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hnvukndyun.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hnvukndyun.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | d6c02228b951c4943cea2c6913e9c2dc.exe
Executes dropped EXE 5 IoCs
pid | Process
4688 | hnvukndyun.exe
3920 | smmhvtlhiiflhna.exe
2820 | ldasofpt.exe
4108 | azlhfvvuxdaoe.exe
4044 | ldasofpt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 6 IoCs (signature name restored from the hnvukndyun.exe entry in the Processes section; this table's own heading was lost in extraction)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hnvukndyun.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "azlhfvvuxdaoe.exe" | smmhvtlhiiflhna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rynlyudw = "hnvukndyun.exe" | smmhvtlhiiflhna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tkranrkj = "smmhvtlhiiflhna.exe" | smmhvtlhiiflhna.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hnvukndyun.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hnvukndyun.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/1248-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x0008000000023345-5.dat | autoit_exe
behavioral2/files/0x0008000000023341-18.dat | autoit_exe
behavioral2/files/0x0007000000023346-27.dat | autoit_exe
behavioral2/files/0x0007000000023347-31.dat | autoit_exe
behavioral2/files/0x00020000000226e2-83.dat | autoit_exe
behavioral2/files/0x000700000002335a-103.dat | autoit_exe
behavioral2/files/0x0008000000023368-122.dat | autoit_exe
behavioral2/files/0x0008000000023368-127.dat | autoit_exe
Drops file in System32 directory 12 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\smmhvtlhiiflhna.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File opened for modification | C:\Windows\SysWOW64\smmhvtlhiiflhna.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File created | C:\Windows\SysWOW64\ldasofpt.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File opened for modification | C:\Windows\SysWOW64\ldasofpt.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File created | C:\Windows\SysWOW64\azlhfvvuxdaoe.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hnvukndyun.exe
File created | C:\Windows\SysWOW64\hnvukndyun.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File opened for modification | C:\Windows\SysWOW64\hnvukndyun.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | C:\Windows\SysWOW64\azlhfvvuxdaoe.exe | d6c02228b951c4943cea2c6913e9c2dc.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ldasofpt.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files\OptimizeExpand.doc.exe | ldasofpt.exe
File opened for modification | C:\Program Files\OptimizeExpand.nal | ldasofpt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ldasofpt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ldasofpt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ldasofpt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ldasofpt.exe
File opened for modification | C:\Program Files\OptimizeExpand.doc.exe | ldasofpt.exe
File opened for modification | C:\Program Files\OptimizeExpand.nal | ldasofpt.exe
File opened for modification | \??\c:\Program Files\OptimizeExpand.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ldasofpt.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ldasofpt.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ldasofpt.exe
File opened for modification | C:\Program Files\OptimizeExpand.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ldasofpt.exe
File opened for modification | \??\c:\Program Files\OptimizeExpand.doc.exe | ldasofpt.exe
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | C:\Windows\mydoc.rtf | d6c02228b951c4943cea2c6913e9c2dc.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ldasofpt.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ldasofpt.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Modifies registry class 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B12E47EF389A53B8BAD433EED4BB" | d6c02228b951c4943cea2c6913e9c2dc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368C3FE6A21ABD179D1D28A7D9014" | d6c02228b951c4943cea2c6913e9c2dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hnvukndyun.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hnvukndyun.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hnvukndyun.exe
Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | d6c02228b951c4943cea2c6913e9c2dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hnvukndyun.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | d6c02228b951c4943cea2c6913e9c2dc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFAB9F960F191840F3A4586973999B0FD02FD4315034CE1BD42EE08D2" | d6c02228b951c4943cea2c6913e9c2dc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FC8D482C85199145D6217E93BC93E643594367466331D791" | d6c02228b951c4943cea2c6913e9c2dc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C67A14E0DAC5B8CA7FE6ED9534BC" | d6c02228b951c4943cea2c6913e9c2dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C769D5682236A3776A570222DD77CF464D7" | d6c02228b951c4943cea2c6913e9c2dc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hnvukndyun.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hnvukndyun.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
2636 | WINWORD.EXE
2636 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 19 IoCs
Suspicious use of SendNotifyMessage 19 IoCs
Suspicious use of SetWindowsHookEx 7 IoCs
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1248 wrote to memory of 4688 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 96
PID 1248 wrote to memory of 4688 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 96
PID 1248 wrote to memory of 4688 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 96
PID 1248 wrote to memory of 3920 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 98
PID 1248 wrote to memory of 3920 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 98
PID 1248 wrote to memory of 3920 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 98
PID 1248 wrote to memory of 2820 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 99
PID 1248 wrote to memory of 2820 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 99
PID 1248 wrote to memory of 2820 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 99
PID 1248 wrote to memory of 4108 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 100
PID 1248 wrote to memory of 4108 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 100
PID 1248 wrote to memory of 4108 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 100
PID 1248 wrote to memory of 2636 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 101
PID 1248 wrote to memory of 2636 | 1248 | d6c02228b951c4943cea2c6913e9c2dc.exe | 101
PID 4688 wrote to memory of 4044 | 4688 | hnvukndyun.exe | 103
PID 4688 wrote to memory of 4044 | 4688 | hnvukndyun.exe | 103
PID 4688 wrote to memory of 4044 | 4688 | hnvukndyun.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\d6c02228b951c4943cea2c6913e9c2dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6c02228b951c4943cea2c6913e9c2dc.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1248
  - C:\Windows\SysWOW64\hnvukndyun.exe
    Command line: hnvukndyun.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4688
    - C:\Windows\SysWOW64\ldasofpt.exe
      Command line: C:\Windows\system32\ldasofpt.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 4044
  - C:\Windows\SysWOW64\smmhvtlhiiflhna.exe
    Command line: smmhvtlhiiflhna.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 3920
  - C:\Windows\SysWOW64\ldasofpt.exe
    Command line: ldasofpt.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2820
  - C:\Windows\SysWOW64\azlhfvvuxdaoe.exe
    Command line: azlhfvvuxdaoe.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 4108
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
  PID: 4252
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads