9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
Size

1016KB
MD5

62b2e0d8bd5b0380d5ccb843196df2d0
SHA1

c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09
SHA256

9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470
SHA512

20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07
SSDEEP

6144:XIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHU:XIXsgtvm1De5YlOx6lzBH46U

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	lvyefp.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lvyefp.exe

Adds policy Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "njyqdzvhzqostldafs.exe"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "xreufztdtiegfvlg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "ezneqlgriyvyypgcg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzempbnp = "ezneqlgriyvyypgcg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezneqlgriyvyypgcg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreufztdtiegfvlg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlqq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreufztdtiegfvlg.exe"	lvyefp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe

Executes dropped EXE 3 IoCs

pid	Process
1960	vsmxiywcfcw.exe
1748	lvyefp.exe
1736	lvyefp.exe

Loads dropped DLL 6 IoCs

pid	Process
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1960	vsmxiywcfcw.exe
1960	vsmxiywcfcw.exe
1960	vsmxiywcfcw.exe
1960	vsmxiywcfcw.exe

Adds Run key to start application 2 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "ljaujhftnggmpjdcjyhf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxgkxknw = "xreufztdtiegfvlg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezneqlgriyvyypgcg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreufztdtiegfvlg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "yvlespmzskjoqjcaguc.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreufztdtiegfvlg.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe ."	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvyefp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxgkxknw = "azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxgkxknw = "ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "ezneqlgriyvyypgcg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezneqlgriyvyypgcg.exe"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "njyqdzvhzqostldafs.exe"	lvyefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "njyqdzvhzqostldafs.exe ."	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxgkxknw = "ezneqlgriyvyypgcg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvyefp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "ezneqlgriyvyypgcg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "xreufztdtiegfvlg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvyefp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "njyqdzvhzqostldafs.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "yvlespmzskjoqjcaguc.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "xreufztdtiegfvlg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe"	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "ezneqlgriyvyypgcg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "xreufztdtiegfvlg.exe ."	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvyefp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreufztdtiegfvlg.exe"	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxgkxknw = "njyqdzvhzqostldafs.exe"	vsmxiywcfcw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvyefp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "xreufztdtiegfvlg.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnuwhs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlespmzskjoqjcaguc.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvyefp = "ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrmcbapkefmqlggoeonf.exe"	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpagvkpakb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezneqlgriyvyypgcg.exe ."	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	lvyefp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlschvjnxg = "azrmcbapkefmqlggoeonf.exe ."	lvyefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoahxntfqig = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaujhftnggmpjdcjyhf.exe"	lvyefp.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	vsmxiywcfcw.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	vsmxiywcfcw.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
8	www.showmyipaddress.com
14	whatismyip.everdot.org

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xreufztdtiegfvlg.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\azrmcbapkefmqlggoeonf.exe	lvyefp.exe
File created	C:\Windows\SysWOW64\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\njyqdzvhzqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\xreufztdtiegfvlg.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\ljaujhftnggmpjdcjyhf.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\ljaujhftnggmpjdcjyhf.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\rrkgxxxnjegotplmvmxxqm.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\rrkgxxxnjegotplmvmxxqm.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\rrkgxxxnjegotplmvmxxqm.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\njyqdzvhzqostldafs.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\ezneqlgriyvyypgcg.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\yvlespmzskjoqjcaguc.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\yvlespmzskjoqjcaguc.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\ljaujhftnggmpjdcjyhf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\njyqdzvhzqostldafs.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\ezneqlgriyvyypgcg.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\yvlespmzskjoqjcaguc.exe	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\azrmcbapkefmqlggoeonf.exe	lvyefp.exe
File created	C:\Windows\SysWOW64\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File opened for modification	C:\Windows\SysWOW64\xreufztdtiegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\ezneqlgriyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\SysWOW64\azrmcbapkefmqlggoeonf.exe	vsmxiywcfcw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe
File opened for modification	C:\Program Files (x86)\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File created	C:\Program Files (x86)\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File opened for modification	C:\Program Files (x86)\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ezneqlgriyvyypgcg.exe	lvyefp.exe
File opened for modification	C:\Windows\ezneqlgriyvyypgcg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\njyqdzvhzqostldafs.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\rrkgxxxnjegotplmvmxxqm.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\ljaujhftnggmpjdcjyhf.exe	lvyefp.exe
File opened for modification	C:\Windows\azrmcbapkefmqlggoeonf.exe	lvyefp.exe
File created	C:\Windows\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe
File opened for modification	C:\Windows\xreufztdtiegfvlg.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\njyqdzvhzqostldafs.exe	lvyefp.exe
File opened for modification	C:\Windows\yvlespmzskjoqjcaguc.exe	lvyefp.exe
File opened for modification	C:\Windows\yvlespmzskjoqjcaguc.exe	lvyefp.exe
File opened for modification	C:\Windows\azrmcbapkefmqlggoeonf.exe	lvyefp.exe
File opened for modification	C:\Windows\xreufztdtiegfvlg.exe	lvyefp.exe
File opened for modification	C:\Windows\rrkgxxxnjegotplmvmxxqm.exe	lvyefp.exe
File opened for modification	C:\Windows\njyqdzvhzqostldafs.exe	lvyefp.exe
File opened for modification	C:\Windows\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File opened for modification	C:\Windows\ljaujhftnggmpjdcjyhf.exe	lvyefp.exe
File opened for modification	C:\Windows\rrkgxxxnjegotplmvmxxqm.exe	lvyefp.exe
File created	C:\Windows\chfgchmhiipcmnouieuzxyu.eza	lvyefp.exe
File opened for modification	C:\Windows\yvlespmzskjoqjcaguc.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\ljaujhftnggmpjdcjyhf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\azrmcbapkefmqlggoeonf.exe	vsmxiywcfcw.exe
File opened for modification	C:\Windows\ezneqlgriyvyypgcg.exe	lvyefp.exe
File opened for modification	C:\Windows\xreufztdtiegfvlg.exe	lvyefp.exe
File opened for modification	C:\Windows\pfoahxntfqigbnzqpwxnwipfvbnyqojvhy.efv	lvyefp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1748	lvyefp.exe
1748	lvyefp.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	lvyefp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1960	1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe	28
PID 1584 wrote to memory of 1960	1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe	28
PID 1584 wrote to memory of 1960	1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe	28
PID 1584 wrote to memory of 1960	1584	9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe	28
PID 1960 wrote to memory of 1748	1960	vsmxiywcfcw.exe	29
PID 1960 wrote to memory of 1748	1960	vsmxiywcfcw.exe	29
PID 1960 wrote to memory of 1748	1960	vsmxiywcfcw.exe	29
PID 1960 wrote to memory of 1748	1960	vsmxiywcfcw.exe	29
PID 1960 wrote to memory of 1736	1960	vsmxiywcfcw.exe	30
PID 1960 wrote to memory of 1736	1960	vsmxiywcfcw.exe	30
PID 1960 wrote to memory of 1736	1960	vsmxiywcfcw.exe	30
PID 1960 wrote to memory of 1736	1960	vsmxiywcfcw.exe	30

System policy modification 1 TTPs 31 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vsmxiywcfcw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vsmxiywcfcw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lvyefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lvyefp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	lvyefp.exe

C:\Users\Admin\AppData\Local\Temp\9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe
"C:\Users\Admin\AppData\Local\Temp\9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe
  "C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe" "c:\users\admin\appdata\local\temp\9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\lvyefp.exe
    "C:\Users\Admin\AppData\Local\Temp\lvyefp.exe" "-C:\Users\Admin\AppData\Local\Temp\xreufztdtiegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1748
- - C:\Users\Admin\AppData\Local\Temp\lvyefp.exe
    "C:\Users\Admin\AppData\Local\Temp\lvyefp.exe" "-C:\Users\Admin\AppData\Local\Temp\xreufztdtiegfvlg.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\azrmcbapkefmqlggoeonf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezneqlgriyvyypgcg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljaujhftnggmpjdcjyhf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
C:\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
C:\Users\Admin\AppData\Local\Temp\njyqdzvhzqostldafs.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrkgxxxnjegotplmvmxxqm.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
4d632e99cd3d5d4d44c1283d30b8526d

SHA1
745286e4d50c5e3b478d9933c576a3a625d047d4

SHA256
b544f9a50ed12dbd24f94c1a5ccc49fd756cf0ccbfca7214a9307b6ccba60eb4

SHA512
7b7d4757e16c12eeff03c1dbdb82f39c5ade9cff4967662122ac15cb740becaacfe61aa72e24e279fcd22c5995afaccf0d1ef33ff1e79242143dc478caa1bd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
4d632e99cd3d5d4d44c1283d30b8526d

SHA1
745286e4d50c5e3b478d9933c576a3a625d047d4

SHA256
b544f9a50ed12dbd24f94c1a5ccc49fd756cf0ccbfca7214a9307b6ccba60eb4

SHA512
7b7d4757e16c12eeff03c1dbdb82f39c5ade9cff4967662122ac15cb740becaacfe61aa72e24e279fcd22c5995afaccf0d1ef33ff1e79242143dc478caa1bd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\xreufztdtiegfvlg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvlespmzskjoqjcaguc.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\azrmcbapkefmqlggoeonf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\ezneqlgriyvyypgcg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\ljaujhftnggmpjdcjyhf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\njyqdzvhzqostldafs.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\rrkgxxxnjegotplmvmxxqm.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\xreufztdtiegfvlg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\SysWOW64\yvlespmzskjoqjcaguc.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\azrmcbapkefmqlggoeonf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\azrmcbapkefmqlggoeonf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\ezneqlgriyvyypgcg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\ezneqlgriyvyypgcg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\ljaujhftnggmpjdcjyhf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\ljaujhftnggmpjdcjyhf.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\njyqdzvhzqostldafs.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\njyqdzvhzqostldafs.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\rrkgxxxnjegotplmvmxxqm.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\rrkgxxxnjegotplmvmxxqm.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\xreufztdtiegfvlg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\xreufztdtiegfvlg.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\yvlespmzskjoqjcaguc.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
C:\Windows\yvlespmzskjoqjcaguc.exe

Filesize
1016KB

MD5
62b2e0d8bd5b0380d5ccb843196df2d0

SHA1
c6beb82fae4fb229c6c3de4a20f9324ebc4d1a09

SHA256
9201eabe3f51259efec00983e9161ae74e9ebb977d397c7cacb49613abeaa470

SHA512
20c6f2f0546d619a2118948ec3ac01774afb0bd976af70fe3e99ed2142923f5ad60e5dd63be611cc00426cdf9d6acca4809b2d36c79878a6dd5e953c70a34e07

Download Submit
\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
\Users\Admin\AppData\Local\Temp\lvyefp.exe

Filesize
704KB

MD5
1ce3867b445b4cb292b0ec63df6c6eab

SHA1
ae71e8783142b539522b223aeb638965160de2e4

SHA256
48256cbc82626399e9b87fa296930cdd78782c7eceabf630b1ff774c6bbc10d3

SHA512
071e43a5f9ff0ae3215f39007ffc7020ed9979a2384944c12a1be446cba37c63f193ed0d7562f6085642a43ac47c00a121d40d33d1fd92391eac8270f1aeda37

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
4d632e99cd3d5d4d44c1283d30b8526d

SHA1
745286e4d50c5e3b478d9933c576a3a625d047d4

SHA256
b544f9a50ed12dbd24f94c1a5ccc49fd756cf0ccbfca7214a9307b6ccba60eb4

SHA512
7b7d4757e16c12eeff03c1dbdb82f39c5ade9cff4967662122ac15cb740becaacfe61aa72e24e279fcd22c5995afaccf0d1ef33ff1e79242143dc478caa1bd91

Download Submit
\Users\Admin\AppData\Local\Temp\vsmxiywcfcw.exe

Filesize
320KB

MD5
4d632e99cd3d5d4d44c1283d30b8526d

SHA1
745286e4d50c5e3b478d9933c576a3a625d047d4

SHA256
b544f9a50ed12dbd24f94c1a5ccc49fd756cf0ccbfca7214a9307b6ccba60eb4

SHA512
7b7d4757e16c12eeff03c1dbdb82f39c5ade9cff4967662122ac15cb740becaacfe61aa72e24e279fcd22c5995afaccf0d1ef33ff1e79242143dc478caa1bd91

Download Submit
memory/1584-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download