Analysis
max time kernel: 120s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 28/09/2024, 07:29
Behavioral task: behavioral1
Sample: 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Resource: win7-20240903-en
General
Target: 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Size: 255KB
MD5: ebc30a0cd36ed471c60a5cebe33da7a0
SHA1: 48c0ab1776ae3aa329aca33d53a56804a7e316f0
SHA256: 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcd
SHA512: 013450901304be5c9944c5f5c89045b9a7077f335d6383e61a46c514ab88e51df26f5641819eb2abc423ff2f0862d8210e0253970259c2c1afba3d46f188cbc9
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJn:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIA
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tctfqanxoc.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tctfqanxoc.exe
-
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tctfqanxoc.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tctfqanxoc.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2028 | tctfqanxoc.exe
2624 | nmjpxfqdprymuqh.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2836 | cscgnwrd.exe
-
Loads dropped DLL 5 IoCs
pid | Process
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2028 | tctfqanxoc.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tctfqanxoc.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ihpvquus = "tctfqanxoc.exe" | nmjpxfqdprymuqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yznottra = "nmjpxfqdprymuqh.exe" | nmjpxfqdprymuqh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "awirpidlvoznp.exe" | nmjpxfqdprymuqh.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\q: | tctfqanxoc.exe
File opened (read-only) | \??\z: | tctfqanxoc.exe
File opened (read-only) | \??\w: | cscgnwrd.exe
File opened (read-only) | \??\r: | cscgnwrd.exe
File opened (read-only) | \??\n: | tctfqanxoc.exe
File opened (read-only) | \??\k: | tctfqanxoc.exe
File opened (read-only) | \??\s: | tctfqanxoc.exe
File opened (read-only) | \??\y: | tctfqanxoc.exe
File opened (read-only) | \??\m: | cscgnwrd.exe
File opened (read-only) | \??\q: | cscgnwrd.exe
File opened (read-only) | \??\z: | cscgnwrd.exe
File opened (read-only) | \??\e: | tctfqanxoc.exe
File opened (read-only) | \??\m: | tctfqanxoc.exe
File opened (read-only) | \??\h: | cscgnwrd.exe
File opened (read-only) | \??\l: | cscgnwrd.exe
File opened (read-only) | \??\o: | cscgnwrd.exe
File opened (read-only) | \??\j: | tctfqanxoc.exe
File opened (read-only) | \??\r: | tctfqanxoc.exe
File opened (read-only) | \??\n: | cscgnwrd.exe
File opened (read-only) | \??\r: | cscgnwrd.exe
File opened (read-only) | \??\e: | cscgnwrd.exe
File opened (read-only) | \??\l: | tctfqanxoc.exe
File opened (read-only) | \??\v: | tctfqanxoc.exe
File opened (read-only) | \??\i: | cscgnwrd.exe
File opened (read-only) | \??\b: | cscgnwrd.exe
File opened (read-only) | \??\k: | cscgnwrd.exe
File opened (read-only) | \??\h: | tctfqanxoc.exe
File opened (read-only) | \??\u: | tctfqanxoc.exe
File opened (read-only) | \??\x: | tctfqanxoc.exe
File opened (read-only) | \??\y: | cscgnwrd.exe
File opened (read-only) | \??\v: | cscgnwrd.exe
File opened (read-only) | \??\t: | tctfqanxoc.exe
File opened (read-only) | \??\j: | cscgnwrd.exe
File opened (read-only) | \??\z: | cscgnwrd.exe
File opened (read-only) | \??\o: | cscgnwrd.exe
File opened (read-only) | \??\o: | tctfqanxoc.exe
File opened (read-only) | \??\p: | tctfqanxoc.exe
File opened (read-only) | \??\x: | cscgnwrd.exe
File opened (read-only) | \??\a: | cscgnwrd.exe
File opened (read-only) | \??\h: | cscgnwrd.exe
File opened (read-only) | \??\j: | cscgnwrd.exe
File opened (read-only) | \??\l: | cscgnwrd.exe
File opened (read-only) | \??\g: | tctfqanxoc.exe
File opened (read-only) | \??\e: | cscgnwrd.exe
File opened (read-only) | \??\g: | cscgnwrd.exe
File opened (read-only) | \??\a: | tctfqanxoc.exe
File opened (read-only) | \??\t: | cscgnwrd.exe
File opened (read-only) | \??\g: | cscgnwrd.exe
File opened (read-only) | \??\m: | cscgnwrd.exe
File opened (read-only) | \??\n: | cscgnwrd.exe
File opened (read-only) | \??\t: | cscgnwrd.exe
File opened (read-only) | \??\w: | tctfqanxoc.exe
File opened (read-only) | \??\b: | cscgnwrd.exe
File opened (read-only) | \??\v: | cscgnwrd.exe
File opened (read-only) | \??\w: | cscgnwrd.exe
File opened (read-only) | \??\y: | cscgnwrd.exe
File opened (read-only) | \??\s: | cscgnwrd.exe
File opened (read-only) | \??\k: | cscgnwrd.exe
File opened (read-only) | \??\p: | cscgnwrd.exe
File opened (read-only) | \??\i: | cscgnwrd.exe
File opened (read-only) | \??\p: | cscgnwrd.exe
File opened (read-only) | \??\q: | cscgnwrd.exe
File opened (read-only) | \??\a: | cscgnwrd.exe
File opened (read-only) | \??\u: | cscgnwrd.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tctfqanxoc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tctfqanxoc.exe
-
AutoIT Executable 49 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2824-41-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2676-40-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-32-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2836-46-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2616-48-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-62-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-83-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2676-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2836-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2836-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2676-89-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-87-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2836-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2676-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-93-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-92-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2836-99-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2676-100-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-104-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-103-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-102-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-105-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-106-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-107-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-109-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-108-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-110-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-112-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-111-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-113-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-116-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-117-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-115-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-120-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-119-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-118-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-122-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-123-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-121-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-143-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-144-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-142-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2624-146-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2824-147-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2028-145-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\tctfqanxoc.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File created | C:\Windows\SysWOW64\nmjpxfqdprymuqh.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tctfqanxoc.exe
File opened for modification | C:\Windows\SysWOW64\awirpidlvoznp.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File opened for modification | C:\Windows\SysWOW64\tctfqanxoc.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File opened for modification | C:\Windows\SysWOW64\nmjpxfqdprymuqh.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File created | C:\Windows\SysWOW64\cscgnwrd.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File opened for modification | C:\Windows\SysWOW64\cscgnwrd.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File created | C:\Windows\SysWOW64\awirpidlvoznp.exe | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
-
resource | yara_rule
behavioral1/memory/2616-0-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0007000000019278-9.dat | upx
behavioral1/files/0x000c0000000122e4-17.dat | upx
behavioral1/files/0x0008000000019275-23.dat | upx
behavioral1/memory/2028-22-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x0006000000019319-39.dat | upx
behavioral1/memory/2824-41-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2676-40-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-32-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2836-46-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2616-48-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-62-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x00080000000193a4-71.dat | upx
behavioral1/files/0x00060000000194df-77.dat | upx
behavioral1/memory/2624-83-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2676-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2836-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2836-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2676-89-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-87-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2836-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2676-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-93-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-92-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2836-99-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2676-100-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-104-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-103-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-102-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-105-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-106-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-107-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-109-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-108-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-110-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-112-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-111-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-113-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-116-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-117-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-115-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-120-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-119-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-118-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-122-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-123-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-121-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-143-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-144-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-142-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2624-146-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2824-147-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2028-145-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
-
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cscgnwrd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cscgnwrd.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cscgnwrd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cscgnwrd.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | cscgnwrd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | cscgnwrd.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cscgnwrd.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | cscgnwrd.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tctfqanxoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nmjpxfqdprymuqh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | awirpidlvoznp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscgnwrd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscgnwrd.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 19 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFAB9F967F29984783B47819A3995B38F038F4261034FE2CB459A08A2" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B0294794399E53BFB9D533E8D7BB" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77B15ECDAB4B9C07FE0ECE734C8" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | tctfqanxoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tctfqanxoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FCFB482982139047D72E7D91BDE1E634593166366330D6EB" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | tctfqanxoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | tctfqanxoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7B9D2D83596D4676D170512DD67D8164DA" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BC4FF1F22DED108D1D28B7C9010" | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | tctfqanxoc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | tctfqanxoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tctfqanxoc.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
596 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2676 | cscgnwrd.exe
2676 | cscgnwrd.exe
2676 | cscgnwrd.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2824 | awirpidlvoznp.exe
2624 | nmjpxfqdprymuqh.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2676 | cscgnwrd.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2028 | tctfqanxoc.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2624 | nmjpxfqdprymuqh.exe
2824 | awirpidlvoznp.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2676 | cscgnwrd.exe
2676 | cscgnwrd.exe
2824 | awirpidlvoznp.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
2836 | cscgnwrd.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
596 | WINWORD.EXE
596 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2616 wrote to memory of 2028 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 31
PID 2616 wrote to memory of 2028 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 31
PID 2616 wrote to memory of 2028 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 31
PID 2616 wrote to memory of 2028 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 31
PID 2616 wrote to memory of 2624 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 32
PID 2616 wrote to memory of 2624 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 32
PID 2616 wrote to memory of 2624 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 32
PID 2616 wrote to memory of 2624 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 32
PID 2616 wrote to memory of 2676 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 33
PID 2616 wrote to memory of 2676 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 33
PID 2616 wrote to memory of 2676 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 33
PID 2616 wrote to memory of 2676 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 33
PID 2616 wrote to memory of 2824 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 34
PID 2616 wrote to memory of 2824 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 34
PID 2616 wrote to memory of 2824 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 34
PID 2616 wrote to memory of 2824 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 34
PID 2028 wrote to memory of 2836 | 2028 | tctfqanxoc.exe | 35
PID 2028 wrote to memory of 2836 | 2028 | tctfqanxoc.exe | 35
PID 2028 wrote to memory of 2836 | 2028 | tctfqanxoc.exe | 35
PID 2028 wrote to memory of 2836 | 2028 | tctfqanxoc.exe | 35
PID 2616 wrote to memory of 596 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 36
PID 2616 wrote to memory of 596 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 36
PID 2616 wrote to memory of 596 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 36
PID 2616 wrote to memory of 596 | 2616 | 71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe | 36
PID 596 wrote to memory of 1400 | 596 | WINWORD.EXE | 38
PID 596 wrote to memory of 1400 | 596 | WINWORD.EXE | 38
PID 596 wrote to memory of 1400 | 596 | WINWORD.EXE | 38
PID 596 wrote to memory of 1400 | 596 | WINWORD.EXE | 38
Processes
C:\Users\Admin\AppData\Local\Temp\71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe (level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\71ff96f83116cb2c1beb9b6046851e4fa122fb87c4aa220829a17a42a8785fcdN.exe"
    PID: 2616
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\tctfqanxoc.exe (level 2)
        Command line: tctfqanxoc.exe
        PID: 2028
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cscgnwrd.exe (level 3)
            Command line: C:\Windows\system32\cscgnwrd.exe
            PID: 2836
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\nmjpxfqdprymuqh.exe (level 2)
        Command line: nmjpxfqdprymuqh.exe
        PID: 2624
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\cscgnwrd.exe (level 2)
        Command line: cscgnwrd.exe
        PID: 2676
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\SysWOW64\awirpidlvoznp.exe (level 2)
        Command line: awirpidlvoznp.exe
        PID: 2824
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        PID: 596
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\splwow64.exe (level 3)
            Command line: C:\Windows\splwow64.exe 12288
            PID: 1400
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (2)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Impair Defenses (2)
        Disable or Modify Tools (2)
    Modify Registry (6)
Credential Access
    Credentials from Password Stores (1)
        Credentials from Web Browsers (1)
    Unsecured Credentials (1)
        Credentials In Files (1)
Downloads
-
Filesize: 255KB
MD5: 7fb65e1522705282cb5cdd24b850831c
SHA1: 5ffbabd4d713d1a969ce339e468d07c55d036afe
SHA256: 14290b9859a93630f9bd84a5e3aaf54943a0e7175b47bd036d1cc8e4a219c7c1
SHA512: 990b9242dbc510f87208656c1020f046da4f29f7861fb72a36c936a48fe7d7e94320f1e9946b6e89f70719f56abca1006aceb290403e9d1dce0e7d4965fdd474
-
Filesize: 255KB
MD5: a1b67072846a8e6f9af6780130e792f5
SHA1: a626706c114ebc43b5f7ac88cec2f0d8ec96cae7
SHA256: 6ed1f2abaf7f571f130ba49085a422b86678e04afa7820b3ed2a25f72f767c4c
SHA512: 28326308b6728dee26de89bd17a95d19d48f1f3be059be7839bce5c13fab1583897a9c9f588d3bca1b8aa8a2707c8cae9361daf79a1bb5af16a10f7d738f7a16
-
Filesize: 19KB
MD5: 05edde6fec38f02de09decaee7469beb
SHA1: b83fdead6522b71112f0962fb48a056eaa80cee2
SHA256: c981557b37fdb457980f68d42f7a928a98f3f2f84978784f079b1c9c08e8dafd
SHA512: 01bd3cc06fba29b938af824b5a136cef5b53d5e4560070165f2308839ca636c90a59065d215ffcca21738cb09b1a341636ed961c754954f6aac7906f9004fb6b
-
Filesize: 255KB
MD5: e310f97d4588eb32708b5b70c7a328ca
SHA1: d6633c5bb4110f6310d8f87c6961a50c40e29f67
SHA256: 7a48ef275587811d7de17ce5258b0c6125b80ad52a96d707377ee083fd588882
SHA512: 890cd2e7813c3b37ae52c1631848cf145013b3abcb0a36c2a89cc9ba9e9b1f2b0ed6300a945268c8b7a078f957425e037010fd1670e665eb4440a853c459fd29
-
Filesize: 255KB
MD5: 697685aabba6fd6f9193f18d67f0c3ef
SHA1: 974fa13c22258e72f4d68bee44304621efb3a12f
SHA256: e1f33b266940ac9299a9108dbc2a073506030d321e71f9bcfc3685c5b54f83b7
SHA512: 059b795011094453a047be428950c80bc8fe52ec1fd8f6e199b4a45a9bb7cec11dcaf2d325bf5771e0708a89ab99d1bd296e7b6763d283e9dd44d0816bc97113
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 255KB
MD5: 5273cf071146938b95812d4bd482d2eb
SHA1: 8b0070ded992eb4407f17f8b754603476246bdc8
SHA256: 07bec1a2c15441da5bf6a34511a139e74aa9142681f79558a276acb4fdccc99a
SHA512: 9e925e3a220b8a2a1203e404227729139058460ea3964ad7b6434d6008aed5cfbd3dc218667d135c98cdee4844631ac4a51226629ac4ccf636a2d1a42e69f89d
-
Filesize: 255KB
MD5: 5b3b6a54fef2b6289a3a139fd3e2e96a
SHA1: 8a95265cbec79fa66017ca6f827d1935cb0c0852
SHA256: a78189ee73d77ee13bb1af90716d5b507b4b21840274cb0848066da07a3404d2
SHA512: f2cfea3544c41469f18942342fa1f1d8ff76d56f93c14bf43807a0887f94ac655352de12c53a396bfced4f19efb02bbd06cd0effd5d1de3977c3e25af12b2fa7