4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a

Analysis

max time kernel
1800s
max time network
1778s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Size

502KB
MD5

d1f11654b552fc73c74548de914aaad5
SHA1

61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042
SHA256

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a
SHA512

76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c

Score

10^/10

evasion persistence suricata trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\qxwurbnq\\yeohcbwh.exe"	HCfm323

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exeHCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe

Modifies security service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

svchost.exeHCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	svchost.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe

suricata: ET MALWARE Win32/Ramnit Checkin
suricata: ET MALWARE Win32/Ramnit Checkin
suricata
Executes dropped EXE 4 IoCs

Processes:

HCfm323iagmjndn.exeHCfm323pgnfhirf.exe

pid process

2200 HCfm323
4948 iagmjndn.exe
3940 HCfm323
2224 pgnfhirf.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2200-135-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/2200-137-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/4576-140-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/4576-145-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/3940-157-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/2224-162-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/4948-182-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/1000-183-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral2/memory/4260-184-0x0000000015190000-0x00000000151CD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iagmjndn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	iagmjndn.exe

Drops startup file 5 IoCs

Processes:

svchost.exeHCfm323pgnfhirf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe	HCfm323
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe	HCfm323
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe	pgnfhirf.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe	pgnfhirf.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

HCfm323

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	HCfm323
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	HCfm323

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HCfm323svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YeoHcbwh = "C:\\Users\\Admin\\AppData\\Local\\qxwurbnq\\yeohcbwh.exe"	HCfm323
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YeoHcbwh = "C:\\Users\\Admin\\AppData\\Local\\qxwurbnq\\yeohcbwh.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

Suspicious use of SetThreadContext 2 IoCs

Processes:

iagmjndn.exe

description	pid	process	target process
PID 4948 set thread context of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 set thread context of 4260	4948	iagmjndn.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HCfm323svchost.exe

pid	process
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe
1000	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeHCfm323iagmjndn.exeHCfm323pgnfhirf.exe

pid process

4576 4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
2200 HCfm323
4948 iagmjndn.exe
3940 HCfm323
2224 pgnfhirf.exe

pid	process
4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
2200	HCfm323
4948	iagmjndn.exe
3940	HCfm323
2224	pgnfhirf.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

HCfm3234a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeiagmjndn.exeHCfm323pgnfhirf.exesvchost.exesvchost.exe

description	pid	process
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	2200	HCfm323
Token: SeSecurityPrivilege	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	3940	HCfm323
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	2224	pgnfhirf.exe
Token: SeSecurityPrivilege	4948	iagmjndn.exe
Token: SeDebugPrivilege	4948	iagmjndn.exe
Token: SeSecurityPrivilege	1000	svchost.exe
Token: SeDebugPrivilege	1000	svchost.exe
Token: SeSecurityPrivilege	4260	svchost.exe
Token: SeDebugPrivilege	1000	svchost.exe
Token: SeRestorePrivilege	1000	svchost.exe
Token: SeBackupPrivilege	1000	svchost.exe
Token: SeDebugPrivilege	1000	svchost.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

HCfm3234a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe

pid	process
2200	HCfm323
4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323
2200	HCfm323

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exeiagmjndn.exeHCfm323

description	pid	process	target process
PID 4576 wrote to memory of 2200	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 4576 wrote to memory of 2200	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 4576 wrote to memory of 2200	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	HCfm323
PID 4576 wrote to memory of 4948	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	iagmjndn.exe
PID 4576 wrote to memory of 4948	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	iagmjndn.exe
PID 4576 wrote to memory of 4948	4576	4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe	iagmjndn.exe
PID 4948 wrote to memory of 3940	4948	iagmjndn.exe	HCfm323
PID 4948 wrote to memory of 3940	4948	iagmjndn.exe	HCfm323
PID 4948 wrote to memory of 3940	4948	iagmjndn.exe	HCfm323
PID 3940 wrote to memory of 2224	3940	HCfm323	pgnfhirf.exe
PID 3940 wrote to memory of 2224	3940	HCfm323	pgnfhirf.exe
PID 3940 wrote to memory of 2224	3940	HCfm323	pgnfhirf.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 1000	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 4260	4948	iagmjndn.exe	svchost.exe
PID 4948 wrote to memory of 444	4948	iagmjndn.exe	sdbinst.exe
PID 4948 wrote to memory of 444	4948	iagmjndn.exe	sdbinst.exe
PID 4948 wrote to memory of 444	4948	iagmjndn.exe	sdbinst.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HCfm323

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HCfm323

C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe
"C:\Users\Admin\AppData\Local\Temp\4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\HCfm323
"HCfm323"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- System policy modification
PID:2200

C:\Users\Admin\AppData\Local\Temp\iagmjndn.exe
C:\Users\Admin\AppData\Local\Temp\iagmjndn.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\HCfm323
"HCfm323"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\Low\pgnfhirf.exe
C:\Users\Admin\AppData\Local\Temp\\Low\pgnfhirf.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\system32\sdbinst.exe" /q /u "C:\Users\Admin\AppData\Local\Temp\\..\..\LocalLow\com.Admin.sdb"
3⤵
PID:444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCfm323
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\pgnfhirf.exe
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\pgnfhirf.exe
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\iagmjndn.exe
Filesize
502KB

MD5
d1f11654b552fc73c74548de914aaad5

SHA1
61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042

SHA256
4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a

SHA512
76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iagmjndn.exe
Filesize
502KB

MD5
d1f11654b552fc73c74548de914aaad5

SHA1
61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042

SHA256
4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a

SHA512
76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c

Download Submit
C:\Users\Admin\AppData\Local\qxwurbnq\yeohcbwh.exe
Filesize
250KB

MD5
6eb541712dc7b736de250c89a915410f

SHA1
a7d63500e18c5f8778254702d6ba553543b0f0ff

SHA256
021656184a9194bb020725b3b6115c5f4cd320e96375e08222db5c5317a9a187

SHA512
5d137be5405d2d0abd138ac0628d70a3dec4cec9a951f5fcd416d93a232b628841fc06ef34f2ad2884016b4300a148a5e311d062e012d3544ff6a6a36e5e2de7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yeohcbwh.exe
Filesize
502KB

MD5
d1f11654b552fc73c74548de914aaad5

SHA1
61cab1d17ae4cccdb6e7a1d8c50a830c7a1a9042

SHA256
4a8289532528cec1a4c6976a2b92cd15d17b88bf49e802af8005b42d350e3b7a

SHA512
76865b1fc5c027327fe958caa0ecca7b119b2170976816a2fc343eafdbe3d7ee6e4d9661263e9184fd065e979905767aee118b3b0f65f605b886a7d50d20e74c

Download Submit
memory/444-185-0x0000000000000000-mapping.dmp

Download
memory/1000-183-0x0000000015190000-0x00000000151CD000-memory.dmp

Filesize
244KB

Download
memory/1000-171-0x0000000020010000-0x000000002002F000-memory.dmp

Filesize
124KB

Download
memory/1000-167-0x0000000000000000-mapping.dmp

Download
memory/1000-166-0x0000000015190000-0x00000000151CD000-memory.dmp

Filesize
244KB

Download
memory/2200-138-0x0000000002160000-0x0000000002181000-memory.dmp

Filesize
132KB

Download
memory/2200-137-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/2200-135-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/2200-134-0x0000000002160000-0x0000000002181000-memory.dmp

Filesize
132KB

Download
memory/2200-130-0x0000000000000000-mapping.dmp

Download
memory/2224-163-0x0000000002770000-0x0000000002791000-memory.dmp

Filesize
132KB

Download
memory/2224-158-0x0000000002770000-0x0000000002791000-memory.dmp

Filesize
132KB

Download
memory/2224-162-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/2224-153-0x0000000000000000-mapping.dmp

Download
memory/3940-149-0x0000000002200000-0x0000000002221000-memory.dmp

Filesize
132KB

Download
memory/3940-157-0x0000000015190000-0x00000000151D3000-memory.dmp

Filesize
268KB

Download
memory/3940-156-0x0000000002200000-0x0000000002221000-memory.dmp

Filesize
132KB

Download
memory/3940-146-0x0000000000000000-mapping.dmp

Download
memory/4260-170-0x0000000000000000-mapping.dmp

Download
memory/4260-176-0x0000000020010000-0x000000002001D000-memory.dmp

Filesize
52KB

Download
memory/4260-184-0x0000000015190000-0x00000000151CD000-memory.dmp

Filesize
244KB

Download
memory/4576-139-0x0000000002750000-0x0000000002771000-memory.dmp

Filesize
132KB

Download
memory/4576-133-0x0000000002750000-0x0000000002771000-memory.dmp

Filesize
132KB

Download
memory/4576-145-0x0000000015190000-0x0000000015212000-memory.dmp

Filesize
520KB

Download
memory/4576-140-0x0000000015190000-0x0000000015212000-memory.dmp

Filesize
520KB

Download
memory/4948-159-0x0000000001FE0000-0x0000000002001000-memory.dmp

Filesize
132KB

Download
memory/4948-182-0x0000000015190000-0x0000000015212000-memory.dmp

Filesize
520KB

Download
memory/4948-142-0x0000000000000000-mapping.dmp

Download
memory/4948-148-0x0000000001FE0000-0x0000000002001000-memory.dmp

Filesize
132KB

Download