56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717

General

Target

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Size

704KB
MD5

e7f9d6dd424f33059dda93a35ab3f69c
SHA1

617c2988a2149f71c185d0e5f2f0a3a2f31225ec
SHA256

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717
SHA512

cd24b7603efa82f0cda296bddb96e6361c73de071545ab59e51ce779ceda87e85dce8b97edd12be06a8ec0b743629673360150e67f3ccec618bd14b22e5826fd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exejnscgq.exejnscgq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jnscgq.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jnscgq.exejnscgq.exe56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnfctqixulhfxzefshy.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "wnfctqixulhfxzefshy.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrlkdcwnmfddxbilarked.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "lbsoearfbrmjabffrf.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrlkdcwnmfddxbilarked.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "yrlkdcwnmfddxbilarked.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "yrlkdcwnmfddxbilarked.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "wnfctqixulhfxzefshy.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "lbsoearfbrmjabffrf.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "vjysgapbvjcxmlnl.exe"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "wnfctqixulhfxzefshy.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vdmaiwflzh = "crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wbhsxio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe"	jnscgq.exe

Disables RegEdit via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

jnscgq.exejnscgq.exe

pid process

568 jnscgq.exe
1704 jnscgq.exe

Loads dropped DLL 4 IoCs

Processes:

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

pid	process
1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jnscgq.exejnscgq.exe56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "wnfctqixulhfxzefshy.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzmeqivfxjatgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "lbsoearfbrmjabffrf.exe ."	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "wnfctqixulhfxzefshy.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "wnfctqixulhfxzefshy.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnfctqixulhfxzefshy.exe"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "yrlkdcwnmfddxbilarked.exe ."	jnscgq.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnfctqixulhfxzefshy.exe ."	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzmeqivfxjatgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrlkdcwnmfddxbilarked.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "crhcrmcpkztpffihs.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "vjysgapbvjcxmlnl.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzmeqivfxjatgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lbsoearfbrmjabffrf.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nzmeqivfxjatgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnfctqixulhfxzefshy.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrlkdcwnmfddxbilarked.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "vjysgapbvjcxmlnl.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "crhcrmcpkztpffihs.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "yrlkdcwnmfddxbilarked.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yrlkdcwnmfddxbilarked.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "jbuskibrphedwzfhvldw.exe"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "crhcrmcpkztpffihs.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "wnfctqixulhfxzefshy.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "vjysgapbvjcxmlnl.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "jbuskibrphedwzfhvldw.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "yrlkdcwnmfddxbilarked.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wnfctqixulhfxzefshy.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crhcrmcpkztpffihs.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\qzjyhwgnclz = "crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "crhcrmcpkztpffihs.exe"	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nxiyiyjrhrgx = "lbsoearfbrmjabffrf.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vjysgapbvjcxmlnl.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\mxjalcoxozpht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jbuskibrphedwzfhvldw.exe ."	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrykqcjn = "lbsoearfbrmjabffrf.exe"	jnscgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cjrelygly = "crhcrmcpkztpffihs.exe ."	jnscgq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jnscgq.exejnscgq.exe56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jnscgq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jnscgq.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
10	whatismyipaddress.com
13	whatismyipaddress.com
14	whatismyipaddress.com
15	www.showmyipaddress.com
4	whatismyip.everdot.org
5	whatismyip.everdot.org
9	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

Processes:

jnscgq.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe
File created	C:\Windows\SysWOW64\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe
File opened for modification	C:\Windows\SysWOW64\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe
File created	C:\Windows\SysWOW64\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe

Drops file in Program Files directory 4 IoCs

Processes:

jnscgq.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe
File created	C:\Program Files (x86)\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe
File opened for modification	C:\Program Files (x86)\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe
File created	C:\Program Files (x86)\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe

Drops file in Windows directory 4 IoCs

Processes:

jnscgq.exe

description	ioc	process
File opened for modification	C:\Windows\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe
File created	C:\Windows\qzjyhwgnclzpztqjoveodmblshqeueyvo.ajt	jnscgq.exe
File opened for modification	C:\Windows\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe
File created	C:\Windows\zxwaycbxbzchgpbjdzxway.bxb	jnscgq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

jnscgq.exe

pid	process
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe
568	jnscgq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jnscgq.exe

description pid process

Token: SeDebugPrivilege 568 jnscgq.exe

description	pid	process
Token: SeDebugPrivilege	568	jnscgq.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe

description	pid	process	target process
PID 1120 wrote to memory of 568	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 568	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 568	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 568	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 1704	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 1704	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 1704	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe
PID 1120 wrote to memory of 1704	1120	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe	jnscgq.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exejnscgq.exejnscgq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jnscgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jnscgq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jnscgq.exe

C:\Users\Admin\AppData\Local\Temp\56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe
"C:\Users\Admin\AppData\Local\Temp\56ad1418f470bc5e6667574e054649d85cbb1242818baf62a294bdfca90df717.exe"
1⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1120

C:\Users\Admin\AppData\Local\Temp\jnscgq.exe
"C:\Users\Admin\AppData\Local\Temp\jnscgq.exe" "-"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:568

C:\Users\Admin\AppData\Local\Temp\jnscgq.exe
"C:\Users\Admin\AppData\Local\Temp\jnscgq.exe" "-"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
\Users\Admin\AppData\Local\Temp\jnscgq.exe

MD5
689cfd63058d9adefff226e98c947d2d

SHA1
52338b643d4404efa8b9642beef497d780db1eea

SHA256
73826ea9ca945b28967d1332dba9cc86af5b4d09f391c745563d9ca07bea6e7c

SHA512
85a40c2980af2a187a17e12e7404538824196f800c61b07d1f8daecf6f7b347480c7e17870f9d934aa5a61b30638b7bad6130d5cdf71f5d1cb0ef1de55d3819e

Download Submit
memory/568-63-0x0000000000000000-mapping.dmp

Download
memory/1120-60-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1120-71-0x0000000074201000-0x0000000074203000-memory.dmp

Filesize
8KB

Download
memory/1704-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads