Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/10/2024, 18:27

Static task: static1
Behavioral task: behavioral1
Sample: 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Resource: win7-20240903-en
General
- Target: 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Size: 512KB
- MD5: 9be0ba7b2e2ada8bf29f8460c451b1b0
- SHA1: 763f4c9651b6b14b9c4e0763971aacc7b0ca7335
- SHA256: 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516
- SHA512: 10e9dcd5025e536133c8866eb331a29c2639463f0cce281bcbb7303672398122e33c3b7dcbaa3dd96a41f798fcb13026b915cbdae26e36d02ef629b29b4b6e4a
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | kydsbnurhg.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | kydsbnurhg.exe

Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kydsbnurhg.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | kydsbnurhg.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
Executes dropped EXE (5 IoCs)
pid | Process
- 4944 | kydsbnurhg.exe
- 840 | chepgjnbzxlqvfi.exe
- 556 | euxpbnbd.exe
- 3324 | hqjgveqlujdnz.exe
- 1072 | euxpbnbd.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | kydsbnurhg.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plaqubtv = "kydsbnurhg.exe" | chepgjnbzxlqvfi.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdemoymy = "chepgjnbzxlqvfi.exe" | chepgjnbzxlqvfi.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hqjgveqlujdnz.exe" | chepgjnbzxlqvfi.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\e: | euxpbnbd.exe
- File opened (read-only) | \??\m: | euxpbnbd.exe
- File opened (read-only) | \??\p: | euxpbnbd.exe
- File opened (read-only) | \??\k: | kydsbnurhg.exe
- File opened (read-only) | \??\n: | kydsbnurhg.exe
- File opened (read-only) | \??\o: | kydsbnurhg.exe
- File opened (read-only) | \??\v: | euxpbnbd.exe
- File opened (read-only) | \??\h: | euxpbnbd.exe
- File opened (read-only) | \??\j: | euxpbnbd.exe
- File opened (read-only) | \??\j: | euxpbnbd.exe
- File opened (read-only) | \??\x: | euxpbnbd.exe
- File opened (read-only) | \??\z: | euxpbnbd.exe
- File opened (read-only) | \??\b: | kydsbnurhg.exe
- File opened (read-only) | \??\j: | kydsbnurhg.exe
- File opened (read-only) | \??\z: | kydsbnurhg.exe
- File opened (read-only) | \??\u: | euxpbnbd.exe
- File opened (read-only) | \??\s: | euxpbnbd.exe
- File opened (read-only) | \??\h: | kydsbnurhg.exe
- File opened (read-only) | \??\s: | kydsbnurhg.exe
- File opened (read-only) | \??\r: | euxpbnbd.exe
- File opened (read-only) | \??\k: | euxpbnbd.exe
- File opened (read-only) | \??\q: | euxpbnbd.exe
- File opened (read-only) | \??\y: | euxpbnbd.exe
- File opened (read-only) | \??\l: | kydsbnurhg.exe
- File opened (read-only) | \??\g: | euxpbnbd.exe
- File opened (read-only) | \??\x: | euxpbnbd.exe
- File opened (read-only) | \??\b: | euxpbnbd.exe
- File opened (read-only) | \??\n: | euxpbnbd.exe
- File opened (read-only) | \??\e: | euxpbnbd.exe
- File opened (read-only) | \??\r: | euxpbnbd.exe
- File opened (read-only) | \??\i: | kydsbnurhg.exe
- File opened (read-only) | \??\r: | kydsbnurhg.exe
- File opened (read-only) | \??\o: | euxpbnbd.exe
- File opened (read-only) | \??\z: | euxpbnbd.exe
- File opened (read-only) | \??\g: | euxpbnbd.exe
- File opened (read-only) | \??\a: | kydsbnurhg.exe
- File opened (read-only) | \??\m: | kydsbnurhg.exe
- File opened (read-only) | \??\p: | kydsbnurhg.exe
- File opened (read-only) | \??\i: | euxpbnbd.exe
- File opened (read-only) | \??\o: | euxpbnbd.exe
- File opened (read-only) | \??\q: | kydsbnurhg.exe
- File opened (read-only) | \??\m: | euxpbnbd.exe
- File opened (read-only) | \??\q: | euxpbnbd.exe
- File opened (read-only) | \??\u: | kydsbnurhg.exe
- File opened (read-only) | \??\l: | euxpbnbd.exe
- File opened (read-only) | \??\t: | kydsbnurhg.exe
- File opened (read-only) | \??\h: | euxpbnbd.exe
- File opened (read-only) | \??\w: | euxpbnbd.exe
- File opened (read-only) | \??\u: | euxpbnbd.exe
- File opened (read-only) | \??\v: | euxpbnbd.exe
- File opened (read-only) | \??\w: | euxpbnbd.exe
- File opened (read-only) | \??\a: | euxpbnbd.exe
- File opened (read-only) | \??\l: | euxpbnbd.exe
- File opened (read-only) | \??\a: | euxpbnbd.exe
- File opened (read-only) | \??\b: | euxpbnbd.exe
- File opened (read-only) | \??\t: | euxpbnbd.exe
- File opened (read-only) | \??\t: | euxpbnbd.exe
- File opened (read-only) | \??\v: | kydsbnurhg.exe
- File opened (read-only) | \??\w: | kydsbnurhg.exe
- File opened (read-only) | \??\y: | kydsbnurhg.exe
- File opened (read-only) | \??\i: | euxpbnbd.exe
- File opened (read-only) | \??\k: | euxpbnbd.exe
- File opened (read-only) | \??\e: | kydsbnurhg.exe
- File opened (read-only) | \??\g: | kydsbnurhg.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | kydsbnurhg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | kydsbnurhg.exe

AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
- behavioral2/memory/3164-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
- behavioral2/files/0x000a000000023b9d-5.dat | autoit_exe
- behavioral2/files/0x000a000000023b9f-32.dat | autoit_exe
- behavioral2/files/0x000a000000023b9e-27.dat | autoit_exe
- behavioral2/files/0x000b000000023b99-19.dat | autoit_exe
- behavioral2/files/0x000a000000023bd9-86.dat | autoit_exe
- behavioral2/files/0x0010000000023bd7-80.dat | autoit_exe
- behavioral2/files/0x0009000000023c19-110.dat | autoit_exe
- behavioral2/files/0x0009000000023c19-112.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | C:\Windows\SysWOW64\kydsbnurhg.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File opened for modification | C:\Windows\SysWOW64\chepgjnbzxlqvfi.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File opened for modification | C:\Windows\SysWOW64\euxpbnbd.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File created | C:\Windows\SysWOW64\hqjgveqlujdnz.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File opened for modification | C:\Windows\SysWOW64\hqjgveqlujdnz.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | kydsbnurhg.exe
- File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | C:\Windows\SysWOW64\kydsbnurhg.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File created | C:\Windows\SysWOW64\chepgjnbzxlqvfi.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File created | C:\Windows\SysWOW64\euxpbnbd.exe | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | euxpbnbd.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euxpbnbd.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | euxpbnbd.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | euxpbnbd.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euxpbnbd.exe
- File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | euxpbnbd.exe
- File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | euxpbnbd.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | C:\Windows\mydoc.rtf | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | euxpbnbd.exe
- File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | euxpbnbd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kydsbnurhg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chepgjnbzxlqvfi.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | euxpbnbd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqjgveqlujdnz.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | euxpbnbd.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | kydsbnurhg.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFABCF913F299830C3B4B86EE3993B3FC03FC43640238E2C842E608A3" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FCF9482A856F9045D75B7E94BDE1E637593667436330D69E" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | kydsbnurhg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | kydsbnurhg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | kydsbnurhg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332D089C2D82256A3E76A577232DDC7D8664DE" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB7B02F44E638E253CCBADC32E8D7BB" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67515E7DAB6B8CB7F92ED9337B9" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | kydsbnurhg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | kydsbnurhg.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB9FE1C22D9D10CD0D38B7D9017" | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | kydsbnurhg.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | hits
- 4828 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
- 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 16
- 3324 | hqjgveqlujdnz.exe | 12
- 840 | chepgjnbzxlqvfi.exe | 10
- 4944 | kydsbnurhg.exe | 10
- 556 | euxpbnbd.exe | 8
- 1072 | euxpbnbd.exe | 8

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | hits
- 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 3
- 3324 | hqjgveqlujdnz.exe | 3
- 840 | chepgjnbzxlqvfi.exe | 3
- 4944 | kydsbnurhg.exe | 3
- 556 | euxpbnbd.exe | 3
- 1072 | euxpbnbd.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | hits
- 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 3
- 3324 | hqjgveqlujdnz.exe | 3
- 840 | chepgjnbzxlqvfi.exe | 3
- 4944 | kydsbnurhg.exe | 3
- 556 | euxpbnbd.exe | 3
- 1072 | euxpbnbd.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | hits
- 4828 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | hits
- PID 3164 wrote to memory of 4944 | 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 85 | 3
- PID 3164 wrote to memory of 840 | 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 86 | 3
- PID 3164 wrote to memory of 556 | 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 87 | 3
- PID 3164 wrote to memory of 3324 | 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 88 | 3
- PID 3164 wrote to memory of 4828 | 3164 | 82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe | 90 | 2
- PID 4944 wrote to memory of 1072 | 4944 | kydsbnurhg.exe | 92 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe (PID 3164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\82e371fd28959c3b08f8de9eba4b64f13f5497a0baa8555c5cbb21a058d59516N.exe"
  Signatures:
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\kydsbnurhg.exe (PID 4944)
    Command line: kydsbnurhg.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\euxpbnbd.exe (PID 1072)
      Command line: C:\Windows\system32\euxpbnbd.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\chepgjnbzxlqvfi.exe (PID 840)
    Command line: chepgjnbzxlqvfi.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\euxpbnbd.exe (PID 556)
    Command line: euxpbnbd.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\hqjgveqlujdnz.exe (PID 3324)
    Command line: hqjgveqlujdnz.exe
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4828)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    Signatures:
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Impair Defenses (2)
    - Disable or Modify Tools (2)
  - Modify Registry (6)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- Filesize: 512KB
  MD5: abbcb5db6370e104338079f106193a6f
  SHA1: ff2b737ee86c4f48aff40b3e8cd44a66915b6bb4
  SHA256: 234d89b0a42f9d7bad0ca35eb7e9daf4552d2db69c008892a0ebb186f2afb709
  SHA512: b9cc04e91acf028000a75182c54b53a3c6c646979a39a8a48f3af7a32e53cefff062cee1e9e39b85195a5d42c2295bddaab1e5f42e10b0367f92e5a1fcf44965
- Filesize: 512KB
  MD5: a1d5f56b1402a58cc1ca99bda4ea80e1
  SHA1: 073f71f98b0ac1ea8c5b83f26de898a944e86745
  SHA256: 23195b8f60a9ea1b8f99eb9778bb7eeca7b0f3bec1bcb0c462455f3a876ca14d
  SHA512: a428554d6e67e1636fbcf1178b1f2e8714f9f254784ff3a694228af03e8681eb7d02bcceb3eddcfbcaf7b40693edcaa3ca1a604a3aa234806b3857a46faa559f
- Filesize: 263KB
  MD5: ff0e07eff1333cdf9fc2523d323dd654
  SHA1: 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
  SHA256: 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
  SHA512: b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
- Filesize: 48B
  MD5: 862153fa19de4ccefd3304283838e695
  SHA1: 8f1a144d177357ab4587ebd5cc750e41b92327e5
  SHA256: 3a31969cb769463751245209bcada0a6f3c319a9b463a8264e8897662de43a35
  SHA512: 5f71f8cb0178667886a935d689dbc617e6669f2ebee772f4572705d9a01ac7b747405048ba0e5f834e8a41b0167ea0b385f7b23be524472cb6d43c8f456a526d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 24B
  MD5: 4fcb2a3ee025e4a10d21e1b154873fe2
  SHA1: 57658e2fa594b7d0b99d02e041d0f3418e58856b
  SHA256: 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
  SHA512: 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 679B
  MD5: 6420cafbd3fa519600a8efc63d82bc52
  SHA1: b316166e290eee1e6f6f027fd0b2b4f7ac6a854c
  SHA256: 4521605ef2978372b248d0f580a374f4d860f75328192ffef6e112f8249a6059
  SHA512: 38f2f1e994a662c96c47a3a4dc71f15c545abb8a5952836bf3ae4fd365cf6b5d4b1baa49609a0dd2fead83acc51cf880095b08d97dd9b8cc1f7e78effab30cab
- Filesize: 512KB
  MD5: 483a0d91653dd94286352fb6e1b9eadc
  SHA1: dc709dfc6bf60fd256828b0109230ec1b3c15aa2
  SHA256: 81c846ae8b407841679b1e8fcb5c4666c22b7a819fa447b3cf2e5343fa54d363
  SHA512: 3c1598f381327513eefe65b9a11e881b6d2eb6a01cbc4eb34223c6cbbd3f3cebda03a8475ecdd509b9bb6a1122836fd3fa591c7a43e740184f368ec794166657
- Filesize: 512KB
  MD5: a5642f7f65a2e7b8fa7adff4e45af221
  SHA1: d7b77164c9d22d908b4a9ace2af8b8b4d7a370ad
  SHA256: 9dd9e728683f7de4f40ae8a86eefcbaec8e46cc6f455077cd54ae59f9c0b7fab
  SHA512: 54569171253278f0fca9fa7fefae70f13309df3e6f2528a507a5b1df32e37a8ef2e1130a633d7484e34375a683c030928d4693a89649de7e9a1606f8b94116f6
- Filesize: 512KB
  MD5: 85dff52ce6892d941d9ce4a7e99af1e1
  SHA1: deb6725b3e18593fd81a1fab2ecb4766b38925ce
  SHA256: 6b2bdbd2342829c008cefc64e7615a26c5bf071a7d815a7264282b8b9f037712
  SHA512: 801b38baa74a2ede2ecfce9f6131eec67e6201a61fefc94e0c8473d1eab4117928c2852ba52b96c87d7a0427b674ad3805a8a64293bec60857a6ddc4fb857b64
- Filesize: 512KB
  MD5: 57ad5a86b570314dde67ffef760407a2
  SHA1: 9f775099a89144e1e0c499dde00723b3f8b43e73
  SHA256: 850a918de347fe75efba6f2fee385a00bf1f1fb3805d3843cf809bf03c4a9be5
  SHA512: 127180a3c910ef047187fb457d6ebc6fbdf7d2e0757b3046952820fa66353e5298100087eb2cebcc23da8a6e36d58c0c1b466fc1d1cdf37e8fda3ace6f9eff93
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: 1e592be20746f1ef0b9a995d8979ce88
  SHA1: b937abe097eca1b89a10ea7cbd2cd46ae0b0367d
  SHA256: d49a1bad2328b94a40c3caebd09833a5165310baa4db27ebb428a42b5a3d69e1
  SHA512: ae6f37a0a4ae47c8c1809257328df59c67633a2538d51e4030cb1d961dc726e14453e4bf354d0756f23d92f770c70f1c357e85bbda4149e849ebcf6b128bd170
- Filesize: 512KB
  MD5: 03c6d2e1bfb06a4fdbe75640328a3a9c
  SHA1: 9c9411e34d34477d9a83a883fbe74e40904b8644
  SHA256: 1950fd3849c4704060c102a1c07f615d1a20a8b33432fda0689d4f1568e8fa49
  SHA512: 36f11bf1ea4ebfbdfc833fb6b6c37207f5916b949e106d488f45a1d5e2529395a4d1971e612e697b4e6ad3040215a4e75dd87b699c849ca11f2e2958aec482f5