Analysis
max time kernel: 155s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 20/03/2024, 02:40
Static task: static1
Behavioral task: behavioral1
  Sample: d7adb1daba128797ab489ad0ae9e5736.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d7adb1daba128797ab489ad0ae9e5736.exe
  Resource: win10v2004-20240226-en
General
Target: d7adb1daba128797ab489ad0ae9e5736.exe
Size: 512KB
MD5: d7adb1daba128797ab489ad0ae9e5736
SHA1: 957ead087a18656830defb1684829ef2978fe8e0
SHA256: 0f488de757bb0f01f23b5c0344730f30560064552a1bba6a307cebc1871df1ee
SHA512: dbe7b4f8bdef7412c9e2c77f304de0d0f5e31fa0389c326def0c95774e89e8502e9be3cada258e858c948e5867bd406f6b28c0784983302312e58d37552df4df
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aahdjmwvfh.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aahdjmwvfh.exe
Windows security bypass 5 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aahdjmwvfh.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aahdjmwvfh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation d7adb1daba128797ab489ad0ae9e5736.exe
Executes dropped EXE 5 IoCs
pid Process
4876 aahdjmwvfh.exe
4168 wyhglqpwgeclzoe.exe
8 xcdcmqjg.exe
4232 flrzduvebczww.exe
556 xcdcmqjg.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Windows security modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" aahdjmwvfh.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pazwmdfk = "aahdjmwvfh.exe" wyhglqpwgeclzoe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hxzadaob = "wyhglqpwgeclzoe.exe" wyhglqpwgeclzoe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "flrzduvebczww.exe" wyhglqpwgeclzoe.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\t: xcdcmqjg.exe
File opened (read-only) \??\u: xcdcmqjg.exe
File opened (read-only) \??\n: xcdcmqjg.exe
File opened (read-only) \??\x: xcdcmqjg.exe
File opened (read-only) \??\i: xcdcmqjg.exe
File opened (read-only) \??\p: xcdcmqjg.exe
File opened (read-only) \??\q: xcdcmqjg.exe
File opened (read-only) \??\o: xcdcmqjg.exe
File opened (read-only) \??\a: aahdjmwvfh.exe
File opened (read-only) \??\y: aahdjmwvfh.exe
File opened (read-only) \??\z: aahdjmwvfh.exe
File opened (read-only) \??\s: aahdjmwvfh.exe
File opened (read-only) \??\e: xcdcmqjg.exe
File opened (read-only) \??\h: xcdcmqjg.exe
File opened (read-only) \??\r: xcdcmqjg.exe
File opened (read-only) \??\w: xcdcmqjg.exe
File opened (read-only) \??\n: xcdcmqjg.exe
File opened (read-only) \??\s: xcdcmqjg.exe
File opened (read-only) \??\p: aahdjmwvfh.exe
File opened (read-only) \??\g: aahdjmwvfh.exe
File opened (read-only) \??\i: aahdjmwvfh.exe
File opened (read-only) \??\x: aahdjmwvfh.exe
File opened (read-only) \??\b: xcdcmqjg.exe
File opened (read-only) \??\q: xcdcmqjg.exe
File opened (read-only) \??\e: xcdcmqjg.exe
File opened (read-only) \??\l: xcdcmqjg.exe
File opened (read-only) \??\z: xcdcmqjg.exe
File opened (read-only) \??\v: xcdcmqjg.exe
File opened (read-only) \??\n: aahdjmwvfh.exe
File opened (read-only) \??\v: aahdjmwvfh.exe
File opened (read-only) \??\m: xcdcmqjg.exe
File opened (read-only) \??\p: xcdcmqjg.exe
File opened (read-only) \??\s: xcdcmqjg.exe
File opened (read-only) \??\z: xcdcmqjg.exe
File opened (read-only) \??\e: aahdjmwvfh.exe
File opened (read-only) \??\k: aahdjmwvfh.exe
File opened (read-only) \??\o: aahdjmwvfh.exe
File opened (read-only) \??\l: aahdjmwvfh.exe
File opened (read-only) \??\l: xcdcmqjg.exe
File opened (read-only) \??\y: xcdcmqjg.exe
File opened (read-only) \??\u: aahdjmwvfh.exe
File opened (read-only) \??\a: xcdcmqjg.exe
File opened (read-only) \??\b: xcdcmqjg.exe
File opened (read-only) \??\r: aahdjmwvfh.exe
File opened (read-only) \??\w: aahdjmwvfh.exe
File opened (read-only) \??\k: xcdcmqjg.exe
File opened (read-only) \??\o: xcdcmqjg.exe
File opened (read-only) \??\v: xcdcmqjg.exe
File opened (read-only) \??\q: aahdjmwvfh.exe
File opened (read-only) \??\u: xcdcmqjg.exe
File opened (read-only) \??\y: xcdcmqjg.exe
File opened (read-only) \??\w: xcdcmqjg.exe
File opened (read-only) \??\b: aahdjmwvfh.exe
File opened (read-only) \??\j: aahdjmwvfh.exe
File opened (read-only) \??\g: xcdcmqjg.exe
File opened (read-only) \??\a: xcdcmqjg.exe
File opened (read-only) \??\x: xcdcmqjg.exe
File opened (read-only) \??\m: aahdjmwvfh.exe
File opened (read-only) \??\i: xcdcmqjg.exe
File opened (read-only) \??\r: xcdcmqjg.exe
File opened (read-only) \??\h: aahdjmwvfh.exe
File opened (read-only) \??\t: aahdjmwvfh.exe
File opened (read-only) \??\g: xcdcmqjg.exe
File opened (read-only) \??\j: xcdcmqjg.exe
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" aahdjmwvfh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" aahdjmwvfh.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule
behavioral2/memory/208-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe
behavioral2/files/0x0007000000023217-5.dat autoit_exe
behavioral2/files/0x0007000000023216-18.dat autoit_exe
behavioral2/files/0x0007000000023218-26.dat autoit_exe
behavioral2/files/0x0007000000023219-30.dat autoit_exe
behavioral2/files/0x000700000002321d-69.dat autoit_exe
behavioral2/files/0x000700000002321c-67.dat autoit_exe
behavioral2/files/0x0008000000023228-98.dat autoit_exe
behavioral2/files/0x0007000000023242-116.dat autoit_exe
behavioral2/files/0x0007000000023242-118.dat autoit_exe
Drops file in System32 directory 12 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\flrzduvebczww.exe d7adb1daba128797ab489ad0ae9e5736.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll aahdjmwvfh.exe
File created C:\Windows\SysWOW64\aahdjmwvfh.exe d7adb1daba128797ab489ad0ae9e5736.exe
File opened for modification C:\Windows\SysWOW64\aahdjmwvfh.exe d7adb1daba128797ab489ad0ae9e5736.exe
File created C:\Windows\SysWOW64\wyhglqpwgeclzoe.exe d7adb1daba128797ab489ad0ae9e5736.exe
File opened for modification C:\Windows\SysWOW64\wyhglqpwgeclzoe.exe d7adb1daba128797ab489ad0ae9e5736.exe
File created C:\Windows\SysWOW64\xcdcmqjg.exe d7adb1daba128797ab489ad0ae9e5736.exe
File created C:\Windows\SysWOW64\flrzduvebczww.exe d7adb1daba128797ab489ad0ae9e5736.exe
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xcdcmqjg.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xcdcmqjg.exe
File opened for modification C:\Windows\SysWOW64\xcdcmqjg.exe d7adb1daba128797ab489ad0ae9e5736.exe
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe xcdcmqjg.exe
Drops file in Program Files directory 14 IoCs
description ioc Process
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xcdcmqjg.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xcdcmqjg.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xcdcmqjg.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xcdcmqjg.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal xcdcmqjg.exe
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe xcdcmqjg.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xcdcmqjg.exe
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe xcdcmqjg.exe
Drops file in Windows directory 11 IoCs
description ioc Process
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xcdcmqjg.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xcdcmqjg.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xcdcmqjg.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xcdcmqjg.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xcdcmqjg.exe
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe xcdcmqjg.exe
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xcdcmqjg.exe
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe xcdcmqjg.exe
File opened for modification C:\Windows\mydoc.rtf d7adb1daba128797ab489ad0ae9e5736.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE
Modifies registry class 20 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFF8B4F5D821B913CD65B7E93BD93E130594466366242D6EA" d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C7791491DAC5B8C07CE5ED9134CB" d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" aahdjmwvfh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf aahdjmwvfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" aahdjmwvfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422C799C2183206A3676DD77212DD87DF164A8" d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" aahdjmwvfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" aahdjmwvfh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg aahdjmwvfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9BDF965F1E7837C3A40819B3E96B08802F14312034CE2C442EF08D6" d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B1294795399A53BAB9D3329FD7BE" d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" aahdjmwvfh.exe
Key created \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings d7adb1daba128797ab489ad0ae9e5736.exe
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes d7adb1daba128797ab489ad0ae9e5736.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB4FF6E22DFD27DD0D18A7F9161" d7adb1daba128797ab489ad0ae9e5736.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat aahdjmwvfh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" aahdjmwvfh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh aahdjmwvfh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc aahdjmwvfh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs aahdjmwvfh.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process
4484 WINWORD.EXE (2 entries)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (repeated entries collapsed; the count is the number of entries in the report)
208 d7adb1daba128797ab489ad0ae9e5736.exe (16 entries)
4876 aahdjmwvfh.exe (10 entries)
4168 wyhglqpwgeclzoe.exe (12 entries)
4232 flrzduvebczww.exe (12 entries)
8 xcdcmqjg.exe (8 entries)
556 xcdcmqjg.exe (6 entries)
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process (repeated entries collapsed)
208 d7adb1daba128797ab489ad0ae9e5736.exe (3 entries)
4876 aahdjmwvfh.exe (3 entries)
4168 wyhglqpwgeclzoe.exe (3 entries)
8 xcdcmqjg.exe (3 entries)
4232 flrzduvebczww.exe (3 entries)
556 xcdcmqjg.exe (3 entries)
Suspicious use of SendNotifyMessage 18 IoCs
pid Process (repeated entries collapsed)
208 d7adb1daba128797ab489ad0ae9e5736.exe (3 entries)
4876 aahdjmwvfh.exe (3 entries)
4168 wyhglqpwgeclzoe.exe (3 entries)
8 xcdcmqjg.exe (3 entries)
4232 flrzduvebczww.exe (3 entries)
556 xcdcmqjg.exe (3 entries)
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
4484 WINWORD.EXE (7 entries)
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target
PID 208 wrote to memory of 4876 208 d7adb1daba128797ab489ad0ae9e5736.exe 89
PID 208 wrote to memory of 4876 208 d7adb1daba128797ab489ad0ae9e5736.exe 89
PID 208 wrote to memory of 4876 208 d7adb1daba128797ab489ad0ae9e5736.exe 89
PID 208 wrote to memory of 4168 208 d7adb1daba128797ab489ad0ae9e5736.exe 90
PID 208 wrote to memory of 4168 208 d7adb1daba128797ab489ad0ae9e5736.exe 90
PID 208 wrote to memory of 4168 208 d7adb1daba128797ab489ad0ae9e5736.exe 90
PID 208 wrote to memory of 8 208 d7adb1daba128797ab489ad0ae9e5736.exe 91
PID 208 wrote to memory of 8 208 d7adb1daba128797ab489ad0ae9e5736.exe 91
PID 208 wrote to memory of 8 208 d7adb1daba128797ab489ad0ae9e5736.exe 91
PID 208 wrote to memory of 4232 208 d7adb1daba128797ab489ad0ae9e5736.exe 92
PID 208 wrote to memory of 4232 208 d7adb1daba128797ab489ad0ae9e5736.exe 92
PID 208 wrote to memory of 4232 208 d7adb1daba128797ab489ad0ae9e5736.exe 92
PID 4876 wrote to memory of 556 4876 aahdjmwvfh.exe 94
PID 4876 wrote to memory of 556 4876 aahdjmwvfh.exe 94
PID 4876 wrote to memory of 556 4876 aahdjmwvfh.exe 94
PID 208 wrote to memory of 4484 208 d7adb1daba128797ab489ad0ae9e5736.exe 95
PID 208 wrote to memory of 4484 208 d7adb1daba128797ab489ad0ae9e5736.exe 95
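The registry writes in the signature tables above are the rows a responder turns into host checks and detections. The Python below is an added example written for this page; it is not code from the sandbox vendor or from the sample. It parses the report's "Set value" rows (ten of them copied verbatim as constructed input, plus one "Key value queried" row to show that non-writes are skipped) and maps each write to a finding and an ATT&CK technique. The rule table and the technique IDs are this example's own mapping, not the sandbox's; the sandbox's mapping is only visible in its MITRE summary further down.

```python
"""Map a sandbox report's 'Set value' registry IoCs to findings.

Added example for this page, not code from the sandbox vendor or the
sample. REPORT_ROWS are copied from the report's signature tables; the
RULES table and the ATT&CK technique IDs are this example's own mapping.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Row shape as the report prints it:
#   Set value (int|str) \REGISTRY\...\<Key>\<ValueName> = "<data>" <process>
SET_VALUE_RE = re.compile(
    r'Set value \((int|str)\) (\\REGISTRY\\[^=]+?) = "([^"]*)" (\S+)$'
)


@dataclass(frozen=True)
class RegWrite:
    key: str      # key path, lower-cased, \WOW6432Node stripped
    name: str     # value name, lower-cased; '' is the key's (Default) value
    data: str
    process: str


def parse_set_value(line: str) -> Optional[RegWrite]:
    """Parse one IoC row; None for rows that are not registry writes."""
    m = SET_VALUE_RE.search(line.strip())
    if not m:
        return None
    _kind, path, data, process = m.groups()
    key, name = path.rsplit("\\", 1)          # trailing '\' -> name ''
    key = key.lower().replace("\\wow6432node", "")
    return RegWrite(key, name.lower(), data, process)


# (finding, ATT&CK technique, predicate); the first matching rule wins.
RULES = [
    ("Hides file extensions in Explorer", "T1564.001",
     lambda w: w.key.endswith(r"\explorer\advanced")
     and w.name == "hidefileext" and w.data == "1"),
    ("Hides protected OS files in Explorer", "T1564.001",
     lambda w: w.key.endswith(r"\explorer\advanced")
     and w.name == "showsuperhidden" and w.data == "0"),
    ("Suppresses Security Center warnings", "T1562.001",
     lambda w: w.key.endswith(r"\security center") and w.data == "1"
     and (w.name.endswith(("disablenotify", "override"))
          or w.name == "firstrundisabled")),
    ("Disables Registry Editor", "T1562.001",
     lambda w: w.key.endswith(r"\policies\system")
     and w.name == "disableregistrytools" and w.data == "1"),
    ("Run-key persistence", "T1547.001",
     lambda w: w.key.endswith(r"\currentversion\run")),
    # 4294967197 == 0xFFFFFF9D, the legacy "disable Windows File
    # Protection" value; the report files Winlogon writes under T1547.004.
    ("Tampers with Winlogon SFC settings", "T1547.004",
     lambda w: w.key.endswith(r"\winlogon")
     and w.name in ("sfcdisable", "sfcscan")),
    ("Remaps a script extension to txtfile", "T1112",
     lambda w: re.search(r"\\classes\\\.[a-z]+$", w.key) is not None
     and w.name == "" and w.data.lower() == "txtfile"),
]


def classify(rows: List[str]):
    """Return (findings, unclassified writes); a finding is a dict."""
    findings, unclassified = [], []
    for row in rows:
        w = parse_set_value(row)
        if w is None:
            continue
        for finding, technique, pred in RULES:
            if pred(w):
                findings.append({"technique": technique, "finding": finding,
                                 "value": w.name or "(Default)",
                                 "data": w.data, "process": w.process})
                break
        else:
            unclassified.append(w)
    return findings, unclassified


def by_technique(findings) -> Counter:
    """Count findings per ATT&CK technique ID."""
    return Counter(f["technique"] for f in findings)


# Constructed input: rows copied verbatim from the report above.
USER = r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000"
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft"
REPORT_ROWS = [
    r'Set value (int) ' + USER + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" aahdjmwvfh.exe',
    r'Set value (int) ' + USER + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" aahdjmwvfh.exe',
    r'Set value (int) ' + HKLM + r'\Security Center\AntiVirusOverride = "1" aahdjmwvfh.exe',
    r'Set value (int) ' + USER + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aahdjmwvfh.exe',
    r'Set value (str) ' + HKLM + r'\Windows\CurrentVersion\Run\pazwmdfk = "aahdjmwvfh.exe" wyhglqpwgeclzoe.exe',
    r'Set value (str) ' + HKLM + r'\Windows\CurrentVersion\Run\ = "flrzduvebczww.exe" wyhglqpwgeclzoe.exe',
    r'Set value (int) ' + HKLM + r'\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" aahdjmwvfh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" aahdjmwvfh.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B1294795399A53BAB9D3329FD7BE" d7adb1daba128797ab489ad0ae9e5736.exe',
    r'Key value queried ' + USER + r'\Control Panel\International\Geo\Nation d7adb1daba128797ab489ad0ae9e5736.exe',
]
```

Calling classify(REPORT_ROWS) on the rows above gives eight findings and one unclassified write (the CLV.Classes\Com3 string, which is the sample's own configuration and matches no rule); the "Key value queried" row is skipped because it is a read, not a write. The script-extension rule deserves a second look on a live host: the report shows .bat, .reg, .vbs, .wsc, .wsf and .wsh all pointed at txtfile, so a double-clicked script opens in a text editor instead of running, which also stops a .reg or .bat clean-up file until the associations are restored.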
Processes
C:\Users\Admin\AppData\Local\Temp\d7adb1daba128797ab489ad0ae9e5736.exe
command line: "C:\Users\Admin\AppData\Local\Temp\d7adb1daba128797ab489ad0ae9e5736.exe"
level: 1
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 208
C:\Windows\SysWOW64\aahdjmwvfh.exe
command line: aahdjmwvfh.exe
level: 2 (parent PID 208)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4876
C:\Windows\SysWOW64\xcdcmqjg.exe
command line: C:\Windows\system32\xcdcmqjg.exe
level: 3 (parent PID 4876)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 556
C:\Windows\SysWOW64\wyhglqpwgeclzoe.exe
command line: wyhglqpwgeclzoe.exe
level: 2 (parent PID 208)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4168
C:\Windows\SysWOW64\xcdcmqjg.exe
command line: xcdcmqjg.exe
level: 2 (parent PID 208)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 8
C:\Windows\SysWOW64\flrzduvebczww.exe
command line: flrzduvebczww.exe
level: 2 (parent PID 208)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4232
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
level: 2 (parent PID 208)
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4484
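The tree above is what the sandbox draws from its own process telemetry; the WriteProcessMemory rows in the Signatures section carry the same parent/child information in a form that can be checked by hand. The Python below is an added example for this page, not the sandbox vendor's code: it rebuilds the tree from those 17 rows and from the pid/image pairs the report lists, both copied from the report as constructed input, collapses the repeated writes into one edge per child, and recomputes the level shown beside each process.

```python
"""Rebuild the sandbox's process tree from its WriteProcessMemory rows.

Added example for this page, not the sandbox vendor's code. WRITE_ROWS
and PID_IMAGES are copied from the report above; the tree logic is ours.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Row shape as the report prints it:
#   PID <src> wrote to memory of <dst> <src> <image> <procid_target>
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_edges(rows: List[str]) -> Dict[int, Tuple[int, str]]:
    """Return {child_pid: (parent_pid, parent_image)}.

    A plain CreateProcess already shows up as a few writes from the
    parent into the new child (two or three per spawn in this report),
    so the same pair repeats; only the first occurrence is kept.
    """
    edges: Dict[int, Tuple[int, str]] = {}
    for row in rows:
        m = WRITE_RE.search(row)
        if m:
            src, dst, image = int(m.group(1)), int(m.group(2)), m.group(3)
            edges.setdefault(dst, (src, image))
    return edges


def children_of(edges: Dict[int, Tuple[int, str]]) -> Dict[int, List[int]]:
    """Invert the edge map: parent pid -> sorted child pids."""
    kids: Dict[int, List[int]] = defaultdict(list)
    for child, (parent, _) in edges.items():
        kids[parent].append(child)
    return {p: sorted(c) for p, c in kids.items()}


def roots(edges: Dict[int, Tuple[int, str]]) -> List[int]:
    """PIDs that write to others but were never written to: tree roots."""
    parents = {parent for parent, _ in edges.values()}
    return sorted(parents - set(edges))


def depth(edges: Dict[int, Tuple[int, str]], pid: int) -> int:
    """1 for a root, 2 for its children, and so on (the report's level)."""
    level = 1
    while pid in edges:
        pid = edges[pid][0]
        level += 1
    return level


def render(edges: Dict[int, Tuple[int, str]], images: Dict[int, str]) -> List[str]:
    """One line per process, indented two spaces per level below the root."""
    kids = children_of(edges)
    lines: List[str] = []

    def walk(pid: int, level: int) -> None:
        lines.append("  " * (level - 1) + f"{pid} {images.get(pid, '?')}")
        for child in kids.get(pid, []):
            walk(child, level + 1)

    for root in roots(edges):
        walk(root, 1)
    return lines


# Constructed input: the 17 WriteProcessMemory rows and the pid/image
# pairs, copied from the report above.
SAMPLE = "d7adb1daba128797ab489ad0ae9e5736.exe"
WRITE_ROWS = (
    [f"PID 208 wrote to memory of 4876 208 {SAMPLE} 89"] * 3
    + [f"PID 208 wrote to memory of 4168 208 {SAMPLE} 90"] * 3
    + [f"PID 208 wrote to memory of 8 208 {SAMPLE} 91"] * 3
    + [f"PID 208 wrote to memory of 4232 208 {SAMPLE} 92"] * 3
    + ["PID 4876 wrote to memory of 556 4876 aahdjmwvfh.exe 94"] * 3
    + [f"PID 208 wrote to memory of 4484 208 {SAMPLE} 95"] * 2
)
PID_IMAGES = {208: SAMPLE, 4876: "aahdjmwvfh.exe", 4168: "wyhglqpwgeclzoe.exe",
              8: "xcdcmqjg.exe", 4232: "flrzduvebczww.exe",
              556: "xcdcmqjg.exe", 4484: "WINWORD.EXE"}

if __name__ == "__main__":
    print("\n".join(render(parse_edges(WRITE_ROWS), PID_IMAGES)))
```

The 17 rows collapse to six edges with a single root, PID 208, and the rebuilt levels agree with the tree above (556 sits at level 3 under 4876). One caveat: WriteProcessMemory on its own cannot tell a spawn from code injected into a process that was already running. Here every written-to pid also appears under "Executes dropped EXE" or is the WINWORD.EXE the sample launches, so each edge is a spawn; on a report where a written-to pid is missing from the process list, treat that edge as injection rather than lineage.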
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 3106a52762c19975dc96c0b0d072a085
SHA1: 5c3527d1bd4bb7edde2689f7270fe5e33519aaa8
SHA256: 303d72b190efa11255d199ef5d1e1ad7e030a60f5370b8272927d3f5c8521ac2
SHA512: 7111b17a4027562e270148e39363004d01247fd9b62a907f22a6c92ad1a293cd1f701eb0cfbd5cb66a225f5f7c877f87ceddaaf681b91a19b2a0be6bb45f4dad

Filesize: 512KB
MD5: 04a82e3a288947c258153cd4bcccee87
SHA1: 1ba663b3ec9b02c66fba690626011b7e63e9d0c5
SHA256: 3276fb4a5e4563218e4f84681aa508eaeef8e289ffcc03742cba74284d520603
SHA512: 885b756486e73d056a5f1b6e80313bd43c808dd1e270c1d8322a61bfbdea300573049b46e6b8124831982e1e76e00fca846dc5d252c615c63b24baa4fba028c8

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: fdced218cc3df71c990dcdebc356ce21
SHA1: a3c6c5b0d8adcdb449952d86fe9ebb79b62cad06
SHA256: 4cd87672c68545c3929bff39ebafff91ffb2978390c08917350c978b23800577
SHA512: aff5437234d5db8e32cc12f09caeb075f8b6f1cbc2e0bdcdcd75de4c4007ea6ddbc8a95858c085cde9c728d7eebd82bd7aeaaecead70805ef1f12f13491c855a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 7397e0b5f53a35b2219a6cc6ff91f0f6
SHA1: 634e4a72455a3b73efce01d4be5e3110fdb7b1b2
SHA256: d87213bc62eab1c56fa1b36f8d1de6c26d355a0c98d1caf9befeadbfe6c926a8
SHA512: 784444bd50ee7e9e68ca98ea4da7a3d5f2d6e1d2fd5d9474843e4f172794bd6b6c1ed307506f496f9094100f68bdc88878dac11955c6cfdff3ba782828497fab

Filesize: 512KB
MD5: a646498578b2235b852d0e668c6c00f8
SHA1: 6fb22a3d3c6688256f19bdcf243e65193a070a75
SHA256: 0471a1c31dc0bc42bf60c430d314afde118b3d05184957261abad1e3711d52d0
SHA512: d2ea3ae1b7498c6493bd64364074863cdc4767dac5ba08a56a5d99c4c5fad2c96eae11d37fda72f6b8196acf9f658e5273bbfd8419ba3307e57dbfab01899c79

Filesize: 512KB
MD5: 66859b849184c61f8c608f405e8cb502
SHA1: 2ae9f52312c8e1e4ac812bf1f8b3eede5a2c95f0
SHA256: 4fa0b5c07504f031ea46ae6daed0552fd76dd2178047b1fdb4b5b40f0cbe1ed7
SHA512: 79e1f9010084ad5031e2fb42bb196a32ef5eacd65ea7cae97fd18fefc032e8ac97145378f1df6b527cbf841f7a5ee8030504a698da52abf862a98410e82701bf

Filesize: 512KB
MD5: deb3ecef658af690f3b1efc216d62380
SHA1: 0b03d369b5e93a8432a9c28d201f6cb571e89de9
SHA256: bed87ee29586bd6cf4b5315567240ee56090939aa58001c326657de30abc7be2
SHA512: a39f0828cad2da77cc3c6a030392699734da091c3166be71cc5e8f8a8a113206225589882ac79fdf91cddb3e696460be12b950f609e5d349f63afd936483fce0

Filesize: 512KB
MD5: 5c9be245b2e06414374d2ca1ab0229c0
SHA1: 76ede318e9df40eccd01e7fef29064bb3b9f4a95
SHA256: 7bf95d4e29bd80e3c4176c1a00575d4389d4fdad75b672c1369f5afcdc1c0c09
SHA512: 8e4b1007d925c0cf297a46c94fda7a7f16d257bd2c054f228169a9873659dcf115166f9cd6bb782522e85d2588b88345cf371f431ed55bf9ee959ec38c3065e5

Filesize: 512KB
MD5: cf4f8fe5964ec39df42078ea3ee941c2
SHA1: d2e57d183c282a63b3d8989156489fb58879078c
SHA256: b726d4a0edf741a59abbba2a9abac767f0424c5d0844c7ced651dc270124a506
SHA512: 71673e7be2bcbb3400c0efb66d47a6a419a7e90d81daba9361f0cb0a9d3c8ef6d1266da494da01376a7555ddd6a68f1c196f6d08a440a19ac4626e980d2ec538

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: d373a8db251bd3a309328def4aaf068d
SHA1: 40221f9e48e25cc8dd4e0ae98b5d915972cb952f
SHA256: ab3af05e252c9687037fef0a5f59773090918fa068f87e280df2e391b5d450b3
SHA512: bea77081550bd254025e798997289f18a049bd543af92903699bbde70551d1f3761c80b02f2e70a52698849ebcd470ea54db268b5c3d41aeda6add0cfe0cef1c

Filesize: 512KB
MD5: d35a82d6cc45979ea4a1fabd52b5e2b5
SHA1: 7287d2cfb04f6380000f8763808143dce7854d3f
SHA256: ce73566da259ef9d0a4859512a05a33b36acf104e8b4741dc771d46c92e8c03e
SHA512: a95ed125b1415a644a16b711d7f184fca4b796109d382a9b7d08ac778e954beb69a1a48d03d31055712e17f1df8e9ca211e7415a8ac74173c18b05081d17efcf