Analysis
max time kernel: 150s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 20:06
Static task: static1
Behavioral task: behavioral1
  Sample: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
  Resource: win10v2004-20240426-en
General
Target: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
Size: 512KB
MD5: 6f91d104958a5ca488ef235eec0c5cb4
SHA1: da2b08f41effa470dc52346de414c245ecd7a464
SHA256: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee
SHA512: d267842ff5fd158fe1700cfa7be1c6b086e9cb12a86f836e068adddc1574793a5a08f1b8d299c188ca597a036bd191612df3f32c0a9f360a99eb3f183be6527d
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (tlvefcbudc.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (tlvefcbudc.exe)
Windows security bypass
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (tlvefcbudc.exe)
Disables RegEdit via registry modification (1 IoCs)
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (tlvefcbudc.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
Executes dropped EXE (5 IoCs)
Processes: tlvefcbudc.exe, cvydpsmphrroqbx.exe, uorekaug.exe, ovxdytklcukde.exe, uorekaug.exe
- PID 2016 tlvefcbudc.exe
- PID 1368 cvydpsmphrroqbx.exe
- PID 1496 uorekaug.exe
- PID 968 ovxdytklcukde.exe
- PID 4248 uorekaug.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (tlvefcbudc.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: cvydpsmphrroqbx.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qmuvvxvp = "tlvefcbudc.exe" (cvydpsmphrroqbx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xnqryrlp = "cvydpsmphrroqbx.exe" (cvydpsmphrroqbx.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ovxdytklcukde.exe" (cvydpsmphrroqbx.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: uorekaug.exe (two instances), tlvefcbudc.exe
- tlvefcbudc.exe: File opened (read-only) on \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\l:, \??\m:, \??\o:, \??\p:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z: (20 events)
- uorekaug.exe: File opened (read-only) on \??\a:, \??\b:, \??\e:, \??\g:, \??\h:, \??\i:, \??\j:, \??\k:, \??\l:, \??\m:, \??\n:, \??\o:, \??\p:, \??\q:, \??\r:, \??\s:, \??\t:, \??\u:, \??\v:, \??\w:, \??\x:, \??\y:, \??\z:, most letters opened once by each of the two instances (44 events)
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: tlvefcbudc.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (tlvefcbudc.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (tlvefcbudc.exe)
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
Resources matching yara rule autoit_exe:
- behavioral2/memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp
- C:\Windows\SysWOW64\cvydpsmphrroqbx.exe
- C:\Windows\SysWOW64\tlvefcbudc.exe
- C:\Windows\SysWOW64\uorekaug.exe
- C:\Windows\SysWOW64\ovxdytklcukde.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- C:\Users\Admin\Documents\ShowFind.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
- \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Drops file in System32 directory (12 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, uorekaug.exe, tlvefcbudc.exe, uorekaug.exe
- File created C:\Windows\SysWOW64\tlvefcbudc.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File opened for modification C:\Windows\SysWOW64\cvydpsmphrroqbx.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File opened for modification C:\Windows\SysWOW64\uorekaug.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (uorekaug.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (uorekaug.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (tlvefcbudc.exe)
- File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe (uorekaug.exe)
- File opened for modification C:\Windows\SysWOW64\tlvefcbudc.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File created C:\Windows\SysWOW64\cvydpsmphrroqbx.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File created C:\Windows\SysWOW64\uorekaug.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File created C:\Windows\SysWOW64\ovxdytklcukde.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File opened for modification C:\Windows\SysWOW64\ovxdytklcukde.exe (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
Drops file in Program Files directory (21 IoCs)
Processes: uorekaug.exe (two instances); all 21 events are by uorekaug.exe, and each "opened for modification" row occurs twice
- File created \??\c:\Program Files\InitializeRead.doc.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\InitializeRead.nal (x2)
- File opened for modification C:\Program Files\InitializeRead.doc.exe (x2)
- File opened for modification \??\c:\Program Files\InitializeRead.doc.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (x2)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (x2)
- File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe (x2)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal (x2)
Drops file in Windows directory (19 IoCs)
Processes: uorekaug.exe (two instances), WINWORD.EXE, b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2) (uorekaug.exe)
- \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2) (uorekaug.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2) (uorekaug.exe)
- \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe: File created (x2), File opened for modification (x2) (uorekaug.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: WINWORD.EXE
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
Modifies registry class (20 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, tlvefcbudc.exe
By b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe:
- Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C0F9D5683236A4376D370242DDB7DF364DA"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9C9FE64F1E284093A4286963E91B0FE038F42110349E2CF429B09A2"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B15A4497399853C5BAD333E9D7BE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCF84F28856E9031D6587DE5BDE1E131584267356343D791"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB8FF1822DED109D1A68B7F906A"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C67F14E3DBC0B9CD7FE6ED9237C9"
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings
By tlvefcbudc.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes: WINWORD.EXE
- PID 4516 WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, tlvefcbudc.exe, cvydpsmphrroqbx.exe, ovxdytklcukde.exe, uorekaug.exe, uorekaug.exe
- PID 1764 b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe (x16)
- PID 2016 tlvefcbudc.exe (x10)
- PID 1368 cvydpsmphrroqbx.exe (x12)
- PID 968 ovxdytklcukde.exe (x12)
- PID 1496 uorekaug.exe (x8)
- PID 4248 uorekaug.exe (x6)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, tlvefcbudc.exe, cvydpsmphrroqbx.exe, ovxdytklcukde.exe, uorekaug.exe, uorekaug.exe
- PID 1764 b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe (x3)
- PID 2016 tlvefcbudc.exe (x3)
- PID 1368 cvydpsmphrroqbx.exe (x3)
- PID 968 ovxdytklcukde.exe (x3)
- PID 1496 uorekaug.exe (x3)
- PID 4248 uorekaug.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, tlvefcbudc.exe, cvydpsmphrroqbx.exe, ovxdytklcukde.exe, uorekaug.exe, uorekaug.exe
- PID 1764 b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe (x3)
- PID 2016 tlvefcbudc.exe (x3)
- PID 1368 cvydpsmphrroqbx.exe (x3)
- PID 968 ovxdytklcukde.exe (x3)
- PID 1496 uorekaug.exe (x3)
- PID 4248 uorekaug.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes: WINWORD.EXE
- PID 4516 WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe, tlvefcbudc.exe
- PID 1764 (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe) wrote to memory of PID 2016 (tlvefcbudc.exe) (x3)
- PID 1764 (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe) wrote to memory of PID 1368 (cvydpsmphrroqbx.exe) (x3)
- PID 1764 (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe) wrote to memory of PID 1496 (uorekaug.exe) (x3)
- PID 1764 (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe) wrote to memory of PID 968 (ovxdytklcukde.exe) (x3)
- PID 1764 (b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe) wrote to memory of PID 4516 (WINWORD.EXE) (x2)
- PID 2016 (tlvefcbudc.exe) wrote to memory of PID 4248 (uorekaug.exe) (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 1764
C:\Windows\SysWOW64\tlvefcbudc.exe (tree depth 2, child of PID 1764)
Command line: tlvefcbudc.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2016
C:\Windows\SysWOW64\uorekaug.exe (tree depth 3, child of PID 2016)
Command line: C:\Windows\system32\uorekaug.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 4248
C:\Windows\SysWOW64\cvydpsmphrroqbx.exe (tree depth 2, child of PID 1764)
Command line: cvydpsmphrroqbx.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1368
C:\Windows\SysWOW64\uorekaug.exe (tree depth 2, child of PID 1764)
Command line: uorekaug.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1496
C:\Windows\SysWOW64\ovxdytklcukde.exe (tree depth 2, child of PID 1764)
Command line: ovxdytklcukde.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 968
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree depth 2, child of PID 1764)
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID: 4516
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Downloads

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe
Filesize: 512KB
MD5: 4062a3074fe539df4daddf18e4630279
SHA1: 85bdfd54777886be50d4441c428d6cffc71a0ed2
SHA256: 5a62edd1c632f8c8e05aa5fa73318581d666ccb486bee276ceb911d49bc76793
SHA512: b14ee548b01eb249a6c34757d49d60b8a00cd0ea1b22f11b6f155839cddee3701019fc92a1aae51f6fde7b8bb7da0f2486f1f7c981815a135fe9aaa5eaf0d683

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe
Filesize: 512KB
MD5: 11eddc1e80d9afc2477f654fae61ac20
SHA1: 2b9ce433a59c3360ee0cfc08c39d79c2310ceba9
SHA256: c34e1cf9666a3c5e7e8838483ea6589a5f9bd3241d8a62c87f2617e943578828
SHA512: a712b3eaf095151576367e0393bb4123ee390d69ce997837c800b5ff70c2739b36c81570837b1a4664ff028089d4239dfb90d3ebe5f6bfb3bc226bbbc8dd1d65

C:\Users\Admin\AppData\Local\Temp\TCDC10B.tmp\iso690.xsl
Filesize: 263KB
MD5: ff0e07eff1333cdf9fc2523d323dd654
SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 12e440df2cf3c29e7113939622b05193
SHA1: 83b3fe6efb4ac918e998987e473485201c9a44fa
SHA256: e8e343873a993588435590755a0f00069422f3eb44fe275b56f0c46f0f39ad26
SHA512: 31857b41c74dd3196dffcad277892e1e3a91dd7fdd5e18ecded8c0af8a2752f6a1400df6c07c460c1ab681ded4a2d700160eea87c8cbb3e678110da481b2a86a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: 2a0123926733d4943b0a0987008f04e5
SHA1: 17459d2382d38abe6d3b9a9fe2d8b738a55ef863
SHA256: e931317c5e441e4e09a89789109d7dfa7a6e78d003b70326929a109bd24a5acf
SHA512: 6886b2058754b7a80dd62d740ab792e2db812d059aeb602787dae0ab9a031603811d85f163bae1f934e897a5b387a4991330acb4df3c4d079b57162ed94fdc06
C:\Users\Admin\Documents\ShowFind.doc.exe
Filesize: 512KB
MD5: b89a56b030a031af7ec6b147bdb61df5
SHA1: 41a56d72c537274de3944eb61253998ad8beda36
SHA256: 0bbf5733866d51b9752cb0f5510b8dd7ceb1e33a77bbc2a692591ef6a0a59b18
SHA512: 67d17c84519025b019c944857fdd91966a74b0f1401af6a059745e95b74156659f0a432c7ca2b978b209c84475bad49fc90db5174ca1ce90f0d9ff0123f0753a

C:\Windows\SysWOW64\cvydpsmphrroqbx.exe
Filesize: 512KB
MD5: a7b3ef6716633f0120bff68eafdf2fcf
SHA1: 57e43e1fb1ad156cc89e37dcca59477aea778e76
SHA256: cdca4f7333d872bbe0cfdaf5a6b9be4a5f24164471ce9cd92c1a070004bb3bbd
SHA512: ab498966fbc82598bdcbd562c07402608dfaaee6983d92d03811454768667ffbe697217f9c85a3fad5864aab1d24ea1e336b4edbc2f755d3c2c81a0adbba8520

C:\Windows\SysWOW64\ovxdytklcukde.exe
Filesize: 512KB
MD5: b602e8d8a5a8fb492fe7f708072b28d2
SHA1: a4d22277739d15cdc5fda67e3290d884d7f5fea6
SHA256: cdebac1af43e692d9585b39549269a8e8314a1b9b6487c19b512088a14bf54b3
SHA512: c79fb2cb983f75d2c2d3b3dc3998364ab62453a2a98f40ba373797fdbf03cc7e49bb919c6f65451663dc0fec2a382d2f1b43033fde2bb80d6fd9ab4e58e55dfe
C:\Windows\SysWOW64\tlvefcbudc.exe
Filesize: 512KB
MD5: 335cebb7db20bc93c619a5098f3c3f5b
SHA1: cd62bd24dee2e05cd15a6c921c9a557b2046ef4c
SHA256: 7e834b2b430149fb60c287878c204b525c5b9a2325e5fffeb5bca9b99e0e9a35
SHA512: 7909f3a282fb2ffe1f37b05ddfda9d60073fa45fd3bb77003b238f3866d35ab23b7d73760fc06d95ea9504da371e45de15fcc2b8906b07cf34a6755aba27fd66

C:\Windows\SysWOW64\uorekaug.exe
Filesize: 512KB
MD5: e0b537ffb8e3d05675af3d5302a7caeb
SHA1: bd6f68a7e81188c201f607d0bc652cfb376d8566
SHA256: 7e82081ab3c9dd972de4c85a4de42e54ec0aed59a4c765f9e272f857e65725c2
SHA512: 114a43cb1f7719039df33e519d84b899ec42232b353f463e910a915162649b316207db0bc1a379993424b2455cf8c73450a2e5d41efbaef4ae3070f0249364d2

C:\Windows\mydoc.rtf
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: 7b62392070dc54ba1d8f6ed135dfca72
SHA1: 1432026e3efe9ed10f369b794a8aa7dd58517adb
SHA256: ebb5761dff61572a6c1896bf79271e31a09ce9662104af8471d02799517be21f
SHA512: d7c76f408385a28b684dfe76e3d5b6b93f83561ccd8288871ea327b3579a40d730f84cf30dacd92158b8b7442fe4f943bdd0dbcbb5ca32effd760c3c033c3866

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
Filesize: 512KB
MD5: b973072feaaa13e7ff85102d691d2868
SHA1: 073c684c8c330f5d2feb3db587728548da0de655
SHA256: 6bd75a2bae6921320b7dff424c73968bb04f863e11360e9fa4d2364a92188ebe
SHA512: 6d8bc10ae04d5c57043e02e8cf26ef0dd9e012e44c0db61cfcb9609a137a18cf5f38ddef9727ac4ecd8245c2712839f3c9827823c19f78e3b5baef9065d7ce0c
memory/1764-0-0x0000000000400000-0x0000000000496000-memory.dmp (Filesize: 600KB)
memory/4516-37-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-38-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-36-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-39-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-40-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp (Filesize: 64KB)
memory/4516-43-0x00007FFBDD4E0000-0x00007FFBDD4F0000-memory.dmp (Filesize: 64KB)
memory/4516-35-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-603-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-604-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-606-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)
memory/4516-605-0x00007FFBDFE10000-0x00007FFBDFE20000-memory.dmp (Filesize: 64KB)