Analysis
- max time kernel: 150s
- max time network: 163s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-10-2022 00:45
Static task: static1
Behavioral task: behavioral1
- Sample: 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
- Resource: win10v2004-20220901-en
General
- Target: 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
- Size: 540KB
- MD5: 913d91952bab5c15cee7112d8d94b0f8
- SHA1: 8fffd6f000a0422b26dd8bad0c350ca28eb126a3
- SHA256: 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1
- SHA512: 1446bcfddde57e39ada78a7bd1cb99e39050efbef17b6aea2d944fb21e8d06028bb20516f764afebd094bff42263a5a90fea6177d15088eb4bad012d7b8776c7
- SSDEEP: 12288:CpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsyrfKxFs:CpUNr6YkVRFkgbeqeo68FhqlKPs
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaglt.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xaglt.exe
Adds policy Run key to start application (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bisbnbcpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\katlgdnjrnfcuwipmc.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "uizpidlflfvqggqv.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "vmgzvtebkhayruhpney.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "iavpmlxvfdxwquirqidx.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "bqiztpytavmizalrn.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bisbnbcpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bisbnbcpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgzvtebkhayruhpney.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "uizpidlflfvqggqv.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bisbnbcpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\katlgdnjrnfcuwipmc.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwjvkbfvxnzq = "xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bisbnbcpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iavpmlxvfdxwquirqidx.exe" | ixiyjejjshs.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaglt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ixiyjejjshs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaglt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaglt.exe
Executes dropped EXE (3 IoCs)
pid | Process
956 | ixiyjejjshs.exe
2016 | xaglt.exe
1984 | xaglt.exe
Loads dropped DLL (6 IoCs)
pid | Process
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
956 | ixiyjejjshs.exe
956 | ixiyjejjshs.exe
956 | ixiyjejjshs.exe
956 | ixiyjejjshs.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uizpidlflfvqggqv.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "vmgzvtebkhayruhpney.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgzvtebkhayruhpney.exe ." | ixiyjejjshs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "uizpidlflfvqggqv.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "uizpidlflfvqggqv.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "vmgzvtebkhayruhpney.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "vmgzvtebkhayruhpney.exe ." | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iavpmlxvfdxwquirqidx.exe ." | xaglt.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "katlgdnjrnfcuwipmc.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "bqiztpytavmizalrn.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "katlgdnjrnfcuwipmc.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "vmgzvtebkhayruhpney.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "uizpidlflfvqggqv.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uizpidlflfvqggqv.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "bqiztpytavmizalrn.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "iavpmlxvfdxwquirqidx.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uizpidlflfvqggqv.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "katlgdnjrnfcuwipmc.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "uizpidlflfvqggqv.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | ixiyjejjshs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "katlgdnjrnfcuwipmc.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgzvtebkhayruhpney.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uizpidlflfvqggqv.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "katlgdnjrnfcuwipmc.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | xaglt.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iavpmlxvfdxwquirqidx.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqmhffsrcbwwrwlvvokfd.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uizpidlflfvqggqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\katlgdnjrnfcuwipmc.exe" | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "bqiztpytavmizalrn.exe" | xaglt.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "vmgzvtebkhayruhpney.exe" | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ucnxkzbppd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgzvtebkhayruhpney.exe" | ixiyjejjshs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmgzvtebkhayruhpney.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\katlgdnjrnfcuwipmc.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqmhffsrcbwwrwlvvokfd.exe ." | xaglt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | xaglt.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ixiyjejjshs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe ." | ixiyjejjshs.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqmhffsrcbwwrwlvvokfd.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\lwkxnfkbevian = "katlgdnjrnfcuwipmc.exe" | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcshztatyrgapox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "uizpidlflfvqggqv.exe ." | ixiyjejjshs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjzcrshs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqiztpytavmizalrn.exe ." | xaglt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mynbslrjnftmay = "xqmhffsrcbwwrwlvvokfd.exe ." | xaglt.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaglt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaglt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xaglt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ixiyjejjshs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ixiyjejjshs.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyip.everdot.org
3 | whatismyipaddress.com
6 | www.showmyipaddress.com
Drops file in System32 directory (25 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\bqiztpytavmizalrn.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\iavpmlxvfdxwquirqidx.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\bqiztpytavmizalrn.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\katlgdnjrnfcuwipmc.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\xqmhffsrcbwwrwlvvokfd.exe | xaglt.exe
File created | C:\Windows\SysWOW64\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\uizpidlflfvqggqv.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\katlgdnjrnfcuwipmc.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\iavpmlxvfdxwquirqidx.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\vmgzvtebkhayruhpney.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\iavpmlxvfdxwquirqidx.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\oifbabppbbxyuaqbcwtpop.exe | xaglt.exe
File created | C:\Windows\SysWOW64\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\oifbabppbbxyuaqbcwtpop.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\uizpidlflfvqggqv.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\oifbabppbbxyuaqbcwtpop.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\bqiztpytavmizalrn.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\xqmhffsrcbwwrwlvvokfd.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\vmgzvtebkhayruhpney.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\xqmhffsrcbwwrwlvvokfd.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\SysWOW64\vmgzvtebkhayruhpney.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\uizpidlflfvqggqv.exe | xaglt.exe
File opened for modification | C:\Windows\SysWOW64\katlgdnjrnfcuwipmc.exe | xaglt.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File created | C:\Program Files (x86)\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File opened for modification | C:\Program Files (x86)\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
File created | C:\Program Files (x86)\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
Drops file in Windows directory (25 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\bqiztpytavmizalrn.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\katlgdnjrnfcuwipmc.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\xqmhffsrcbwwrwlvvokfd.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\iavpmlxvfdxwquirqidx.exe | xaglt.exe
File opened for modification | C:\Windows\oifbabppbbxyuaqbcwtpop.exe | xaglt.exe
File opened for modification | C:\Windows\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File created | C:\Windows\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
File opened for modification | C:\Windows\vmgzvtebkhayruhpney.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\bqiztpytavmizalrn.exe | xaglt.exe
File opened for modification | C:\Windows\iavpmlxvfdxwquirqidx.exe | xaglt.exe
File opened for modification | C:\Windows\vmgzvtebkhayruhpney.exe | xaglt.exe
File created | C:\Windows\ywxxafxbrvvaaketywxxaf.brv | xaglt.exe
File opened for modification | C:\Windows\pykvjzcrshsitottjsepdtwlmbmcninnd.yjx | xaglt.exe
File opened for modification | C:\Windows\iavpmlxvfdxwquirqidx.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\uizpidlflfvqggqv.exe | xaglt.exe
File opened for modification | C:\Windows\oifbabppbbxyuaqbcwtpop.exe | xaglt.exe
File opened for modification | C:\Windows\uizpidlflfvqggqv.exe | xaglt.exe
File opened for modification | C:\Windows\bqiztpytavmizalrn.exe | xaglt.exe
File opened for modification | C:\Windows\katlgdnjrnfcuwipmc.exe | xaglt.exe
File opened for modification | C:\Windows\xqmhffsrcbwwrwlvvokfd.exe | xaglt.exe
File opened for modification | C:\Windows\uizpidlflfvqggqv.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\oifbabppbbxyuaqbcwtpop.exe | ixiyjejjshs.exe
File opened for modification | C:\Windows\katlgdnjrnfcuwipmc.exe | xaglt.exe
File opened for modification | C:\Windows\vmgzvtebkhayruhpney.exe | xaglt.exe
File opened for modification | C:\Windows\xqmhffsrcbwwrwlvvokfd.exe | xaglt.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
2016 | xaglt.exe
2016 | xaglt.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe
2016 | xaglt.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2016 | xaglt.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 904 wrote to memory of 956 | 904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe | 27
PID 904 wrote to memory of 956 | 904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe | 27
PID 904 wrote to memory of 956 | 904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe | 27
PID 904 wrote to memory of 956 | 904 | 453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe | 27
PID 956 wrote to memory of 2016 | 956 | ixiyjejjshs.exe | 28
PID 956 wrote to memory of 2016 | 956 | ixiyjejjshs.exe | 28
PID 956 wrote to memory of 2016 | 956 | ixiyjejjshs.exe | 28
PID 956 wrote to memory of 2016 | 956 | ixiyjejjshs.exe | 28
PID 956 wrote to memory of 1984 | 956 | ixiyjejjshs.exe | 29
PID 956 wrote to memory of 1984 | 956 | ixiyjejjshs.exe | 29
PID 956 wrote to memory of 1984 | 956 | ixiyjejjshs.exe | 29
PID 956 wrote to memory of 1984 | 956 | ixiyjejjshs.exe | 29
System policy modification 1 TTPs 37 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xaglt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xaglt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xaglt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ixiyjejjshs.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaglt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ixiyjejjshs.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xaglt.exe
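The registry writes above are the substance of this report: both dropped executables rewrite the UAC policy values under Policies\System, disable regedit, and touch the Winlogon Shell value. The Python below is an added example, not part of the report and not the sandbox's own signature logic. It parses registry-write lines in the report's own "Set value"/"Key created" format, scores each write against what the value actually controls, and rolls the worst finding up per process. Process names and values in the sample are copied from the report; the two benign lines at the end are constructed negatives; the ATT&CK technique IDs are the standard ones for UAC bypass (T1548.002), Winlogon Shell persistence (T1547.004), disabling tools (T1562.001) and registry modification (T1112), which the report's ATT&CK section does not enumerate.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the report's registry table. Process
# names and values copy the report; the last two lines are benign negatives.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaglt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaglt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xaglt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xaglt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ixiyjejjshs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ixiyjejjshs.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xaglt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" xaglt.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xaglt.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1-1-1-1000\Software\Contoso\Editor\LastFile = "notes.txt" editor.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" gpupdate.exe',
]

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*?)\\(?P<name>[^\\]+) = "(?P<data>.*)" (?P<proc>\S+)$'
)
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+) (?P<proc>\S+)$')

UAC_POLICY_KEY = r"\Microsoft\Windows\CurrentVersion\Policies\System".lower()
EXPLORER_POLICY_KEY = r"\Microsoft\Windows\CurrentVersion\Policies\Explorer".lower()
WINLOGON_KEY = r"\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()

# Value name -> (data that weakens the control, severity, ATT&CK technique).
# EnableLUA=0 only takes effect at the next logon; ConsentPromptBehaviorAdmin=0
# makes elevation silent. Values the report writes that are NOT listed here do
# not weaken anything on their own: ConsentPromptBehaviorUser=0 is "auto-deny",
# ValidateAdminCodeSignatures=0 and FilterAdministratorToken=0 are the defaults.
WEAKENING = {
    "EnableLUA": ("0", "high", "T1548.002"),
    "ConsentPromptBehaviorAdmin": ("0", "high", "T1548.002"),
    "PromptOnSecureDesktop": ("0", "medium", "T1548.002"),
    "EnableSecureUIAPaths": ("0", "medium", "T1548.002"),
    "EnableInstallerDetection": ("0", "medium", "T1548.002"),
    "EnableVirtualization": ("0", "low", "T1548.002"),
    "DisableRegistryTools": ("1", "medium", "T1562.001"),
}
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one report line into key/name/data/process, or None if unrecognised."""
    m = SET_RE.match(line)
    if m:
        return {"op": "set", **m.groupdict()}
    m = KEY_RE.match(line)
    if m:
        return {"op": "create", "key": m["key"], "proc": m["proc"], "name": "", "data": "", "type": ""}
    return None


def classify(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map a parsed write to a severity and technique; None if it is not policy-related."""
    key, name = ev["key"].lower(), ev["name"]
    if key.endswith(WINLOGON_KEY) and name.lower() in ("shell", "userinit"):
        # Any write here from an ordinary process is persistence, even when the
        # data is the default "Explorer.exe" as in the report.
        finding = ("high", "T1547.004", "Winlogon %s written" % name)
    elif key.endswith(UAC_POLICY_KEY):
        if ev["op"] == "create":
            finding = ("info", "T1112", "UAC policy key created")
        elif name in WEAKENING and ev["data"] == WEAKENING[name][0]:
            _, sev, tech = WEAKENING[name]
            finding = (sev, tech, "%s set to %s" % (name, ev["data"]))
        else:
            finding = ("info", "T1112", "UAC policy value %s written" % name)
    elif key.endswith(EXPLORER_POLICY_KEY):
        finding = ("info", "T1112", "Explorer policy %s written" % (name or "key"))
    else:
        return None
    sev, tech, detail = finding
    return {"process": ev["proc"], "severity": sev, "technique": tech, "detail": detail}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run parse + classify over report lines, dropping unparseable and benign ones."""
    findings = []
    for line in lines:
        ev = parse_event(line.strip())
        f = classify(ev) if ev else None
        if f:
            findings.append(f)
    return findings


def verdict_by_process(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Worst severity seen per writing process."""
    worst: Dict[str, str] = {}
    for f in findings:
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[worst.get(f["process"], "info")]:
            worst[f["process"]] = f["severity"]
    return worst


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['severity']:<6} {f['technique']:<10} {f['process']:<16} {f['detail']}")
    print(verdict_by_process(found))
```

Two caveats the scoring encodes are worth reading off the report directly: the EnableLUA=0 write does not help the processes already running in this sandbox run (it applies at the next logon, which is why it pairs with the Winlogon and Run-key persistence), and the Winlogon Shell write is flagged even though its data is the stock "Explorer.exe", because a binary in a user's Temp directory has no business writing that value at all.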
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe "C:\Users\Admin\AppData\Local\Temp\453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904 -
Level 2: C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe "C:\Users\Admin\AppData\Local\Temp\ixiyjejjshs.exe" "c:\users\admin\appdata\local\temp\453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:956 -
Level 3: C:\Users\Admin\AppData\Local\Temp\xaglt.exe "C:\Users\Admin\AppData\Local\Temp\xaglt.exe" "-C:\Users\Admin\AppData\Local\Temp\uizpidlflfvqggqv.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2016
-
Level 3: C:\Users\Admin\AppData\Local\Temp\xaglt.exe "C:\Users\Admin\AppData\Local\Temp\xaglt.exe" "-C:\Users\Admin\AppData\Local\Temp\uizpidlflfvqggqv.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1984
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
540KB
MD5
913d91952bab5c15cee7112d8d94b0f8
SHA1
8fffd6f000a0422b26dd8bad0c350ca28eb126a3
SHA256
453c8b7bb09bd44c75fab9cd1ddc0e75187b9bbb3e00bf75d189ede1c0ce97f1
SHA512
1446bcfddde57e39ada78a7bd1cb99e39050efbef17b6aea2d944fb21e8d06028bb20516f764afebd094bff42263a5a90fea6177d15088eb4bad012d7b8776c7
-
Filesize
320KB
MD5
ee692e9af80158fce48baa551a3632a9
SHA1
aafcb1a266e9dedba3797cd5c7ecea1421c47e4f
SHA256
6011223203af4c5f32bd1bd4a022030f1ac86d0bc4ec3acaabe6384e3f3b694d
SHA512
8d3be3ec760629788e5fd3bd1bc4b60bd6f9852b9dabf2d51939b51a1bd69fd398758599e0e62bc2a64c63762dca68c543d47a6bdf98656254a7a7a13b2092d6
-
Filesize
700KB
MD5
ff280c6c9cf52c46ed6ae31a96f6fea3
SHA1
860d390118cbea34c35a658e2483998997794975
SHA256
0bbb616cc1f3693ec5fbdcc77d9cad48c2b4bae53b01da0da915d11289c3c82e
SHA512
984e5d06a397b49e09582faea1acaef65047a9ba0e6cb3cdeaa8d2f3afcbf713676799eee5ea9cc484a8b7b04b2f7ac5c4172b73d930f392762487802986fed7