82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/10/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Size

512KB
MD5

9be0ba7b2e2ada8bf29f8460c451b1b0
SHA1

763f4c9651b6b14b9c4e0763971aacc7b0ca7335
SHA256

82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516
SHA512

10e9dcd5025e536133c8866eb331a29c2639463f0cce281bcbb7303672398122e33c3b7dcbaa3dd96a41f798fcb13026b915cbdae26e36d02ef629b29b4b6e4a
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	xknqivoptj.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xknqivoptj.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xknqivoptj.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xknqivoptj.exe

Executes dropped EXE 5 IoCs

pid	Process
2380	xknqivoptj.exe
2056	cynjtfhqwfpndvv.exe
1784	gwuzrhea.exe
2776	frkpdcczxfvqm.exe
2888	gwuzrhea.exe

Loads dropped DLL 5 IoCs

pid	Process
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
2380	xknqivoptj.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	xknqivoptj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\shpbnsbv = "cynjtfhqwfpndvv.exe"	cynjtfhqwfpndvv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "frkpdcczxfvqm.exe"	cynjtfhqwfpndvv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yzpdgemm = "xknqivoptj.exe"	cynjtfhqwfpndvv.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	xknqivoptj.exe
File opened (read-only)	\??\b:	gwuzrhea.exe
File opened (read-only)	\??\i:	gwuzrhea.exe
File opened (read-only)	\??\u:	gwuzrhea.exe
File opened (read-only)	\??\e:	gwuzrhea.exe
File opened (read-only)	\??\z:	gwuzrhea.exe
File opened (read-only)	\??\n:	gwuzrhea.exe
File opened (read-only)	\??\o:	gwuzrhea.exe
File opened (read-only)	\??\b:	xknqivoptj.exe
File opened (read-only)	\??\k:	xknqivoptj.exe
File opened (read-only)	\??\l:	xknqivoptj.exe
File opened (read-only)	\??\o:	xknqivoptj.exe
File opened (read-only)	\??\p:	xknqivoptj.exe
File opened (read-only)	\??\q:	xknqivoptj.exe
File opened (read-only)	\??\z:	gwuzrhea.exe
File opened (read-only)	\??\b:	gwuzrhea.exe
File opened (read-only)	\??\o:	gwuzrhea.exe
File opened (read-only)	\??\e:	xknqivoptj.exe
File opened (read-only)	\??\a:	gwuzrhea.exe
File opened (read-only)	\??\g:	gwuzrhea.exe
File opened (read-only)	\??\w:	gwuzrhea.exe
File opened (read-only)	\??\h:	gwuzrhea.exe
File opened (read-only)	\??\u:	gwuzrhea.exe
File opened (read-only)	\??\k:	gwuzrhea.exe
File opened (read-only)	\??\n:	gwuzrhea.exe
File opened (read-only)	\??\a:	xknqivoptj.exe
File opened (read-only)	\??\x:	xknqivoptj.exe
File opened (read-only)	\??\x:	gwuzrhea.exe
File opened (read-only)	\??\q:	gwuzrhea.exe
File opened (read-only)	\??\s:	gwuzrhea.exe
File opened (read-only)	\??\t:	gwuzrhea.exe
File opened (read-only)	\??\p:	gwuzrhea.exe
File opened (read-only)	\??\x:	gwuzrhea.exe
File opened (read-only)	\??\y:	gwuzrhea.exe
File opened (read-only)	\??\s:	gwuzrhea.exe
File opened (read-only)	\??\i:	xknqivoptj.exe
File opened (read-only)	\??\j:	gwuzrhea.exe
File opened (read-only)	\??\q:	gwuzrhea.exe
File opened (read-only)	\??\v:	gwuzrhea.exe
File opened (read-only)	\??\n:	xknqivoptj.exe
File opened (read-only)	\??\v:	gwuzrhea.exe
File opened (read-only)	\??\i:	gwuzrhea.exe
File opened (read-only)	\??\s:	xknqivoptj.exe
File opened (read-only)	\??\z:	xknqivoptj.exe
File opened (read-only)	\??\j:	gwuzrhea.exe
File opened (read-only)	\??\h:	xknqivoptj.exe
File opened (read-only)	\??\j:	xknqivoptj.exe
File opened (read-only)	\??\t:	xknqivoptj.exe
File opened (read-only)	\??\m:	gwuzrhea.exe
File opened (read-only)	\??\p:	gwuzrhea.exe
File opened (read-only)	\??\w:	gwuzrhea.exe
File opened (read-only)	\??\m:	gwuzrhea.exe
File opened (read-only)	\??\r:	xknqivoptj.exe
File opened (read-only)	\??\u:	xknqivoptj.exe
File opened (read-only)	\??\v:	xknqivoptj.exe
File opened (read-only)	\??\e:	gwuzrhea.exe
File opened (read-only)	\??\h:	gwuzrhea.exe
File opened (read-only)	\??\l:	gwuzrhea.exe
File opened (read-only)	\??\r:	gwuzrhea.exe
File opened (read-only)	\??\g:	xknqivoptj.exe
File opened (read-only)	\??\m:	xknqivoptj.exe
File opened (read-only)	\??\r:	gwuzrhea.exe
File opened (read-only)	\??\t:	gwuzrhea.exe
File opened (read-only)	\??\k:	gwuzrhea.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	xknqivoptj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	xknqivoptj.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000016d9f-5.dat	autoit_exe
behavioral1/files/0x000c00000001225b-17.dat	autoit_exe
behavioral1/files/0x0007000000016e74-28.dat	autoit_exe
behavioral1/files/0x0007000000016f9c-33.dat	autoit_exe
behavioral1/files/0x0008000000013aa5-62.dat	autoit_exe
behavioral1/files/0x0009000000016d3f-68.dat	autoit_exe
behavioral1/files/0x000700000001739c-74.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xknqivoptj.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	xknqivoptj.exe
File opened for modification	C:\Windows\SysWOW64\cynjtfhqwfpndvv.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File created	C:\Windows\SysWOW64\gwuzrhea.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File opened for modification	C:\Windows\SysWOW64\gwuzrhea.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File created	C:\Windows\SysWOW64\frkpdcczxfvqm.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File opened for modification	C:\Windows\SysWOW64\frkpdcczxfvqm.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File opened for modification	C:\Windows\SysWOW64\xknqivoptj.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File created	C:\Windows\SysWOW64\cynjtfhqwfpndvv.exe	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gwuzrhea.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gwuzrhea.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gwuzrhea.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gwuzrhea.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gwuzrhea.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gwuzrhea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gwuzrhea.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gwuzrhea.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwuzrhea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xknqivoptj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cynjtfhqwfpndvv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwuzrhea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frkpdcczxfvqm.exe

Office loads VBA resources, possible macro or embedded object present

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	xknqivoptj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	xknqivoptj.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB5B02D449238E852CCBAA132E9D7BC"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67914E2DAC0B8CA7FE7EDE737CF"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	xknqivoptj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322C0A9C2782276A3577D670522DDE7CF364AA"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFCFC482B826A913CD75D7D96BCE7E64359416641623FD799"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	xknqivoptj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	xknqivoptj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDF9BDF963F19384743B4786EC3E90B388028B4268034EE1CA45E609D3"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168C6FF1F21DCD20ED0D28A749167"	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	xknqivoptj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	xknqivoptj.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2604	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2056	cynjtfhqwfpndvv.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
2380	xknqivoptj.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
1784	gwuzrhea.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2056	cynjtfhqwfpndvv.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2776	frkpdcczxfvqm.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe
2888	gwuzrhea.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2380	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	31
PID 1928 wrote to memory of 2380	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	31
PID 1928 wrote to memory of 2380	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	31
PID 1928 wrote to memory of 2380	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	31
PID 1928 wrote to memory of 2056	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	32
PID 1928 wrote to memory of 2056	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	32
PID 1928 wrote to memory of 2056	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	32
PID 1928 wrote to memory of 2056	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	32
PID 1928 wrote to memory of 1784	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	33
PID 1928 wrote to memory of 1784	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	33
PID 1928 wrote to memory of 1784	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	33
PID 1928 wrote to memory of 1784	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	33
PID 1928 wrote to memory of 2776	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	34
PID 1928 wrote to memory of 2776	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	34
PID 1928 wrote to memory of 2776	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	34
PID 1928 wrote to memory of 2776	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	34
PID 2380 wrote to memory of 2888	2380	xknqivoptj.exe	35
PID 2380 wrote to memory of 2888	2380	xknqivoptj.exe	35
PID 2380 wrote to memory of 2888	2380	xknqivoptj.exe	35
PID 2380 wrote to memory of 2888	2380	xknqivoptj.exe	35
PID 1928 wrote to memory of 2604	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	36
PID 1928 wrote to memory of 2604	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	36
PID 1928 wrote to memory of 2604	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	36
PID 1928 wrote to memory of 2604	1928	82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe	36
PID 2604 wrote to memory of 2104	2604	WINWORD.EXE	38
PID 2604 wrote to memory of 2104	2604	WINWORD.EXE	38
PID 2604 wrote to memory of 2104	2604	WINWORD.EXE	38
PID 2604 wrote to memory of 2104	2604	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
"C:\Users\Admin\AppData\Local\Temp\82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\xknqivoptj.exe
  xknqivoptj.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\gwuzrhea.exe
    C:\Windows\system32\gwuzrhea.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2888
- C:\Windows\SysWOW64\cynjtfhqwfpndvv.exe
  cynjtfhqwfpndvv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2056
- C:\Windows\SysWOW64\gwuzrhea.exe
  gwuzrhea.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1784
- C:\Windows\SysWOW64\frkpdcczxfvqm.exe
  frkpdcczxfvqm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2776
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
77ec3c9b5d401b46d40d94b441e34354

SHA1
036a9fe7c8b04f02181b0d0184aa0e4f2e053366

SHA256
11f862a905c17df11310573ee521b5ff893d67fdbb87883bf46ec6dfdcfeadbf

SHA512
39594a4e2229eb095886134eb924a8cf724f966ed261130cc1331dfe46bd1cb96ead6e14e452c67e2b63a0a5b9a55202c437ccbb2ef47d2bb004f1863d2bc692

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
d902263fdbf2137cd649d61185d53027

SHA1
74a3370dea2a1853f03ade060f7fa8d514495c8f

SHA256
3eb5442f229cc14d9fdf9390738059f1312953834c1694a24df5e51e8e612e6d

SHA512
053209d52d123f96691b7a0c39c49ea21f4a6c45fe5f6908b38a36411244fb4c19effd1bce8273d8866cc276368a4503396fc470d4d1896eb7697cd8f44c5982

Download Submit
C:\Users\Admin\Music\ResumeInvoke.doc.exe

Filesize
512KB

MD5
51c518c024fa49d67f918778a912e447

SHA1
2d419de89ca15b0519fee1b2d77fbe09c1cc89ed

SHA256
2c1dccce6e8c84be60ac2f889f51cf1f863db7d02aecd6b9e82352e85ded0b21

SHA512
44297e8735531e833b66b818b15761a4c1b7356bff0fe9d620152756ee5ed1281fe165eec71495482e5ae957fbe02ccd44fba66ae9763e080797d8d53b6f12e4

Download Submit
C:\Windows\SysWOW64\cynjtfhqwfpndvv.exe

Filesize
512KB

MD5
6caba7f38184149f51d5c7a3634f2408

SHA1
d3f5566d1585557d49012e1e26c56e77ec459d86

SHA256
9e1b6a8161c8ceed22896a5722f351270f9c7ee874cdce8fbfd653863b0bc6d5

SHA512
e99b867476c9d6088ba558d5e55d30bea34f6d0adf5d1c67e44d5d10b1bb3e7200919ca0614ad78580edef7d218f37e24a0115002d3d24b52cca8a83ce37a6a3

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\frkpdcczxfvqm.exe

Filesize
512KB

MD5
db412dac63813ec1198c80eec1d9e068

SHA1
a284b44f5ad9a05525990e8d904c981b16097d0c

SHA256
0a18999bb070b21806a295bd909d6f7f9a4c16502ce1886e867ede9cb91c1792

SHA512
0780357c83969ed78b9ba860ddcae29c3192502bf4f351d511439ceac1101c4be117e56639b89a3a37099799d6dc37fe1480a0a239eea676fa3f890b2738ac9f

Download Submit
\Windows\SysWOW64\gwuzrhea.exe

Filesize
512KB

MD5
9e962e70b7f7fe9436552e5aec993b06

SHA1
0ff91b27a59c2cc366263f0700fc058a7be0efcc

SHA256
f8fa95a7e3eaf592482827197d96170ac7a7be9175f89277e7e0ba667c9ff470

SHA512
294d2b7a80be75fffb6417f85e4be0fec75c3a3deebf45fe44eb872fe4cbea77761044450043a472be19627f36efc5bf20379e5e7e29064a5d0c0bf6ec379d1d

Download Submit
\Windows\SysWOW64\xknqivoptj.exe

Filesize
512KB

MD5
20bd33ee67ae75ab29f8bc3580379c68

SHA1
9479f03f3544876c25390ae78ee4b57342e03fe2

SHA256
b640fc87df2a5616b5eb7a00aeb609c69e410ef5849eafd60a0e848bd9395371

SHA512
c9471da9568bde724775213e30ec372597acc9298433401b5b044a95d9342de2e0a5219f64a75c2cf144901f1db62923ccb0baf08ff431884db39e00f867bce1

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2604-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download