8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
Size

1016KB
MD5

72b5bde90f2196e493674f72560bcfe0
SHA1

a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053
SHA256

8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5
SHA512

e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23
SSDEEP

6144:yIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:yIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dfkks.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfkks.exe

Adds policy Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "dvqgebwvlfszjreciwrje.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "andohzpjujrtybjc.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzolhbzohtzipbydqkb.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "hvmyslcxjzilrveya.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqgebwvlfszjreciwrje.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqgebwvlfszjreciwrje.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "dvqgebwvlfszjreciwrje.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfmoyho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andohzpjujrtybjc.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "hvmyslcxjzilrveya.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahrwjvftyh = "ofzolhbzohtzipbydqkb.exe"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dfkks.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe

Executes dropped EXE 3 IoCs

pid	Process
1992	iffdguquspp.exe
544	dfkks.exe
512	dfkks.exe

Loads dropped DLL 6 IoCs

pid	Process
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1992	iffdguquspp.exe
1992	iffdguquspp.exe
1992	iffdguquspp.exe
1992	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andohzpjujrtybjc.exe ."	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andohzpjujrtybjc.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "andohzpjujrtybjc.exe ."	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "brkyupiftlwbjpawamf.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "andohzpjujrtybjc.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "andohzpjujrtybjc.exe ."	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzolhbzohtzipbydqkb.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzolhbzohtzipbydqkb.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "andohzpjujrtybjc.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "brkyupiftlwbjpawamf.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "brkyupiftlwbjpawamf.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "hvmyslcxjzilrveya.exe"	dfkks.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "andohzpjujrtybjc.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "dvqgebwvlfszjreciwrje.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe"	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe"	dfkks.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "andohzpjujrtybjc.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofzolhbzohtzipbydqkb.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\andohzpjujrtybjc.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hvmyslcxjzilrveya.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "ofzolhbzohtzipbydqkb.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "ofzolhbzohtzipbydqkb.exe ."	dfkks.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qfxkfzrnarbfmrbwzk.exe"	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "brkyupiftlwbjpawamf.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hnwamxgtx = "qfxkfzrnarbfmrbwzk.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbnujxjzgrvt = "hvmyslcxjzilrveya.exe ."	dfkks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdouivgvblo = "hvmyslcxjzilrveya.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrarhvnwjppst = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brkyupiftlwbjpawamf.exe"	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbowmbofnzedf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dvqgebwvlfszjreciwrje.exe ."	dfkks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvdgrbjv = "andohzpjujrtybjc.exe"	iffdguquspp.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	whatismyip.everdot.org
2	www.showmyipaddress.com
4	whatismyipaddress.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qfxkfzrnarbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\unjazxttkftbmvjipeatpg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\qfxkfzrnarbfmrbwzk.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\unjazxttkftbmvjipeatpg.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\andohzpjujrtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\ofzolhbzohtzipbydqkb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\dvqgebwvlfszjreciwrje.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\andohzpjujrtybjc.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\hvmyslcxjzilrveya.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\qfxkfzrnarbfmrbwzk.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\brkyupiftlwbjpawamf.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\dvqgebwvlfszjreciwrje.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\brkyupiftlwbjpawamf.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\andohzpjujrtybjc.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\ofzolhbzohtzipbydqkb.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\brkyupiftlwbjpawamf.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\hvmyslcxjzilrveya.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\ofzolhbzohtzipbydqkb.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\dvqgebwvlfszjreciwrje.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\unjazxttkftbmvjipeatpg.exe	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File created	C:\Windows\SysWOW64\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File opened for modification	C:\Windows\SysWOW64\hvmyslcxjzilrveya.exe	iffdguquspp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe
File opened for modification	C:\Program Files (x86)\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File created	C:\Program Files (x86)\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File opened for modification	C:\Program Files (x86)\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\andohzpjujrtybjc.exe	dfkks.exe
File created	C:\Windows\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe
File opened for modification	C:\Windows\dvqgebwvlfszjreciwrje.exe	iffdguquspp.exe
File opened for modification	C:\Windows\brkyupiftlwbjpawamf.exe	iffdguquspp.exe
File opened for modification	C:\Windows\ofzolhbzohtzipbydqkb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\andohzpjujrtybjc.exe	dfkks.exe
File opened for modification	C:\Windows\brkyupiftlwbjpawamf.exe	dfkks.exe
File opened for modification	C:\Windows\dvqgebwvlfszjreciwrje.exe	dfkks.exe
File opened for modification	C:\Windows\unjazxttkftbmvjipeatpg.exe	dfkks.exe
File opened for modification	C:\Windows\qfxkfzrnarbfmrbwzk.exe	dfkks.exe
File opened for modification	C:\Windows\andohzpjujrtybjc.exe	iffdguquspp.exe
File created	C:\Windows\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File opened for modification	C:\Windows\andohzpjujrtybjcdmcpfqjbrlwltvadlefoer.sld	dfkks.exe
File opened for modification	C:\Windows\dvqgebwvlfszjreciwrje.exe	dfkks.exe
File opened for modification	C:\Windows\unjazxttkftbmvjipeatpg.exe	iffdguquspp.exe
File opened for modification	C:\Windows\hvmyslcxjzilrveya.exe	dfkks.exe
File opened for modification	C:\Windows\qfxkfzrnarbfmrbwzk.exe	dfkks.exe
File opened for modification	C:\Windows\ofzolhbzohtzipbydqkb.exe	dfkks.exe
File opened for modification	C:\Windows\hvmyslcxjzilrveya.exe	dfkks.exe
File opened for modification	C:\Windows\brkyupiftlwbjpawamf.exe	dfkks.exe
File opened for modification	C:\Windows\ofzolhbzohtzipbydqkb.exe	dfkks.exe
File opened for modification	C:\Windows\hvmyslcxjzilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\unjazxttkftbmvjipeatpg.exe	dfkks.exe
File opened for modification	C:\Windows\dfkkszennrofzrowmkprwwelqzz.arl	dfkks.exe
File opened for modification	C:\Windows\qfxkfzrnarbfmrbwzk.exe	iffdguquspp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
544	dfkks.exe
544	dfkks.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
544	dfkks.exe
544	dfkks.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	dfkks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1992	1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe	27
PID 1720 wrote to memory of 1992	1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe	27
PID 1720 wrote to memory of 1992	1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe	27
PID 1720 wrote to memory of 1992	1720	8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe	27
PID 1992 wrote to memory of 544	1992	iffdguquspp.exe	28
PID 1992 wrote to memory of 544	1992	iffdguquspp.exe	28
PID 1992 wrote to memory of 544	1992	iffdguquspp.exe	28
PID 1992 wrote to memory of 544	1992	iffdguquspp.exe	28
PID 1992 wrote to memory of 512	1992	iffdguquspp.exe	29
PID 1992 wrote to memory of 512	1992	iffdguquspp.exe	29
PID 1992 wrote to memory of 512	1992	iffdguquspp.exe	29
PID 1992 wrote to memory of 512	1992	iffdguquspp.exe	29

System policy modification 1 TTPs 31 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dfkks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dfkks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dfkks.exe

C:\Users\Admin\AppData\Local\Temp\8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe
"C:\Users\Admin\AppData\Local\Temp\8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\dfkks.exe
    "C:\Users\Admin\AppData\Local\Temp\dfkks.exe" "-C:\Users\Admin\AppData\Local\Temp\andohzpjujrtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\dfkks.exe
    "C:\Users\Admin\AppData\Local\Temp\dfkks.exe" "-C:\Users\Admin\AppData\Local\Temp\andohzpjujrtybjc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\andohzpjujrtybjc.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\brkyupiftlwbjpawamf.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvqgebwvlfszjreciwrje.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvmyslcxjzilrveya.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
838fec9ff4ea9f36357974c16799b7a1

SHA1
67b8a79083d245a76e6012e125db90568c84a236

SHA256
093e05fef1c3d6e411832aea2da91522ad386f88874b76f07e50ad5b3db653d3

SHA512
e468f96b61982d272a0a4f06242198d62c366a720f3696fc425b73ddab975eac8117297ccf2ffd3c936ab09297140d8615b29616e7c615adad91c52f8e86363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
838fec9ff4ea9f36357974c16799b7a1

SHA1
67b8a79083d245a76e6012e125db90568c84a236

SHA256
093e05fef1c3d6e411832aea2da91522ad386f88874b76f07e50ad5b3db653d3

SHA512
e468f96b61982d272a0a4f06242198d62c366a720f3696fc425b73ddab975eac8117297ccf2ffd3c936ab09297140d8615b29616e7c615adad91c52f8e86363b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ofzolhbzohtzipbydqkb.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfxkfzrnarbfmrbwzk.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\unjazxttkftbmvjipeatpg.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\andohzpjujrtybjc.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\brkyupiftlwbjpawamf.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\dvqgebwvlfszjreciwrje.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\hvmyslcxjzilrveya.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\ofzolhbzohtzipbydqkb.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\qfxkfzrnarbfmrbwzk.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\SysWOW64\unjazxttkftbmvjipeatpg.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\andohzpjujrtybjc.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\andohzpjujrtybjc.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\brkyupiftlwbjpawamf.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\brkyupiftlwbjpawamf.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\dvqgebwvlfszjreciwrje.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\dvqgebwvlfszjreciwrje.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\hvmyslcxjzilrveya.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\hvmyslcxjzilrveya.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\ofzolhbzohtzipbydqkb.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\ofzolhbzohtzipbydqkb.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\qfxkfzrnarbfmrbwzk.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\qfxkfzrnarbfmrbwzk.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\unjazxttkftbmvjipeatpg.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
C:\Windows\unjazxttkftbmvjipeatpg.exe

Filesize
1016KB

MD5
72b5bde90f2196e493674f72560bcfe0

SHA1
a6b1f9554e3ec42e3f08ed2a67cecb2d488f5053

SHA256
8592575dc544817d18545a0e71486d7b01497093870450d54528a7ada083c6d5

SHA512
e8ccd05744ab202d3e6a7609f224c0273b443a44e1dd915a2066d10a94b453f944a333703376d44339ee1e9e9a7de06731b461903ebed3e63c6e1bba20777d23

Download Submit
\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
\Users\Admin\AppData\Local\Temp\dfkks.exe

Filesize
708KB

MD5
3debe47c67a44a2f1493fc637d1d9911

SHA1
50cf547aa78c55669859e733470d44634ddc65d7

SHA256
73fac4b712c1ae98048a0c6f7cdcb810d441910cf12c907c5763fc068476b2e6

SHA512
6a9093fefffdec692434ca58bdb8a9a89681b46d4f73b0493894178aa92359a2d644a0b207518e84d08bf88106001309c8ee7e7c56109a2c9c56aa72c3d58e3a

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
838fec9ff4ea9f36357974c16799b7a1

SHA1
67b8a79083d245a76e6012e125db90568c84a236

SHA256
093e05fef1c3d6e411832aea2da91522ad386f88874b76f07e50ad5b3db653d3

SHA512
e468f96b61982d272a0a4f06242198d62c366a720f3696fc425b73ddab975eac8117297ccf2ffd3c936ab09297140d8615b29616e7c615adad91c52f8e86363b

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
320KB

MD5
838fec9ff4ea9f36357974c16799b7a1

SHA1
67b8a79083d245a76e6012e125db90568c84a236

SHA256
093e05fef1c3d6e411832aea2da91522ad386f88874b76f07e50ad5b3db653d3

SHA512
e468f96b61982d272a0a4f06242198d62c366a720f3696fc425b73ddab975eac8117297ccf2ffd3c936ab09297140d8615b29616e7c615adad91c52f8e86363b

Download Submit
memory/1720-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download