5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7

Processes:

7czHdyzn

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Users\\Admin\\AppData\\Local\\raiesyql\\agaqdyay.exe"	7czHdyzn

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

svchost.exe7czHdyzn

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe

Modifies security service 2 TTPs 6 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

7czHdyznsvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	7czHdyzn

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

7czHdyznsvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

svchost.exe7czHdyzn

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe

suricata: ET MALWARE Win32/Ramnit Checkin
suricata: ET MALWARE Win32/Ramnit Checkin
suricata
Executes dropped EXE 2 IoCs

Processes:

7czHdyznjcrvklgf.exe

pid process

3848 7czHdyzn
4288 jcrvklgf.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3848-135-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/1800-137-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/3848-142-0x0000000015190000-0x00000000151D3000-memory.dmp	upx
behavioral2/memory/1800-143-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/4288-165-0x0000000015190000-0x0000000015212000-memory.dmp	upx
behavioral2/memory/2016-166-0x0000000015190000-0x00000000151CD000-memory.dmp	upx
behavioral2/memory/2020-167-0x0000000015190000-0x00000000151CD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jcrvklgf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	jcrvklgf.exe

Drops startup file 3 IoCs

Processes:

7czHdyznsvchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agaqdyay.exe	7czHdyzn
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agaqdyay.exe	7czHdyzn
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agaqdyay.exe	svchost.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

7czHdyzn

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	7czHdyzn
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	7czHdyzn

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

7czHdyznsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgaQdyay = "C:\\Users\\Admin\\AppData\\Local\\raiesyql\\agaqdyay.exe"	7czHdyzn
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgaQdyay = "C:\\Users\\Admin\\AppData\\Local\\raiesyql\\agaqdyay.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

7czHdyzn

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7czHdyzn

Suspicious use of SetThreadContext 2 IoCs

Processes:

jcrvklgf.exe

description	pid	process	target process
PID 4288 set thread context of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 set thread context of 2020	4288	jcrvklgf.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7czHdyznsvchost.exe

pid	process
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

7czHdyzn5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exejcrvklgf.exe

pid process

3848 7czHdyzn
1800 5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
4288 jcrvklgf.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe7czHdyznjcrvklgf.exesvchost.exesvchost.exe

description	pid	process
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	3848	7czHdyzn
Token: SeSecurityPrivilege	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	4288	jcrvklgf.exe
Token: SeDebugPrivilege	4288	jcrvklgf.exe
Token: SeSecurityPrivilege	2016	svchost.exe
Token: SeDebugPrivilege	2016	svchost.exe
Token: SeSecurityPrivilege	2020	svchost.exe
Token: SeDebugPrivilege	2016	svchost.exe
Token: SeRestorePrivilege	2016	svchost.exe
Token: SeBackupPrivilege	2016	svchost.exe
Token: SeDebugPrivilege	2016	svchost.exe

Suspicious use of SetWindowsHookAW 64 IoCs

Processes:

7czHdyzn5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe

pid	process
3848	7czHdyzn
1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn
3848	7czHdyzn

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exejcrvklgf.exe

description	pid	process	target process
PID 1800 wrote to memory of 3848	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	7czHdyzn
PID 1800 wrote to memory of 3848	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	7czHdyzn
PID 1800 wrote to memory of 3848	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	7czHdyzn
PID 1800 wrote to memory of 4288	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	jcrvklgf.exe
PID 1800 wrote to memory of 4288	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	jcrvklgf.exe
PID 1800 wrote to memory of 4288	1800	5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe	jcrvklgf.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2016	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 2020	4288	jcrvklgf.exe	svchost.exe
PID 4288 wrote to memory of 4420	4288	jcrvklgf.exe	sdbinst.exe
PID 4288 wrote to memory of 4420	4288	jcrvklgf.exe	sdbinst.exe
PID 4288 wrote to memory of 4420	4288	jcrvklgf.exe	sdbinst.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

7czHdyzn

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 7czHdyzn

C:\Users\Admin\AppData\Local\Temp\5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe
"C:\Users\Admin\AppData\Local\Temp\5410c77ad0244714eda03ca8d338566d69149133a9f97bd86dc0c04479a4d2c7.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\7czHdyzn
"7czHdyzn"
2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookAW
- System policy modification
PID:3848

C:\Users\Admin\AppData\Local\Temp\jcrvklgf.exe
C:\Users\Admin\AppData\Local\Temp\jcrvklgf.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Windows security bypass
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\system32\sdbinst.exe" /q /u "C:\Users\Admin\AppData\Local\Temp\\..\..\LocalLow\com.Admin.sdb"
3⤵
PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

2

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

8

Bypass User Account Control

T1088

Disabling Security Tools

3

Credential Access

Discovery

Query Registry