bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd

Analysis

max time kernel
187s
max time network
194s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Size

684KB
MD5

a2956dfca9be381f1184f9ce81845ab0
SHA1

a92d3c8c18b08f1fa2be87d850799c6c271bb8ec
SHA256

bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd
SHA512

4fd4c221910cb6d1f577fa427e479ba677c77c592f6b0cca6cb94081357cc56c185df5d233614a1bd867de60520b3320c8b5e0fce7297504e2cda5985bc07789
SSDEEP

12288:UpgvmzFHi0mo5aH0qMzd5807F4PJQPDHvd:UpgvOHi0mGaH0qSdPFq4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wehtbfo.exe

UAC bypass 3 TTPs 11 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wehtbfo.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "wqfdxniexlwtmkdgtba.exe"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhdvjcwnziduqhit.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lespixrmerbxpmegsz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yullhzwupfsrmmhmblmiz.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "wqfdxniexlwtmkdgtba.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "lespixrmerbxpmegsz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yullhzwupfsrmmhmblmiz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lespixrmerbxpmegsz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yullhzwupfsrmmhmblmiz.exe"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "vmytkxpiyjrlbwmm.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\puud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wehtbfo = "lespixrmerbxpmegsz.exe"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wehtbfo.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe

Executes dropped EXE 2 IoCs

pid	Process
1540	wehtbfo.exe
1648	wehtbfo.exe

Loads dropped DLL 4 IoCs

pid	Process
1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "wqfdxniexlwtmkdgtba.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "yullhzwupfsrmmhmblmiz.exe ."	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "yullhzwupfsrmmhmblmiz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "cuhdvjcwnziduqhit.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "yullhzwupfsrmmhmblmiz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "yullhzwupfsrmmhmblmiz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe ."	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "yullhzwupfsrmmhmblmiz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lespixrmerbxpmegsz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "wqfdxniexlwtmkdgtba.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "vmytkxpiyjrlbwmm.exe ."	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhdvjcwnziduqhit.exe"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "cuhdvjcwnziduqhit.exe"	wehtbfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhdvjcwnziduqhit.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "wqfdxniexlwtmkdgtba.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhdvjcwnziduqhit.exe ."	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "lespixrmerbxpmegsz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "lespixrmerbxpmegsz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "jeutofbyshtrlkeiwffa.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yullhzwupfsrmmhmblmiz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lespixrmerbxpmegsz.exe ."	wehtbfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\luyluzju = "yullhzwupfsrmmhmblmiz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "lespixrmerbxpmegsz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\yefpv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhdvjcwnziduqhit.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "wqfdxniexlwtmkdgtba.exe ."	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "lespixrmerbxpmegsz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lespixrmerbxpmegsz.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeutofbyshtrlkeiwffa.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vgmbmtfsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yullhzwupfsrmmhmblmiz.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qcjzltguflo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vmytkxpiyjrlbwmm.exe"	wehtbfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "jeutofbyshtrlkeiwffa.exe ."	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqsdkn = "jeutofbyshtrlkeiwffa.exe ."	wehtbfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "vmytkxpiyjrlbwmm.exe"	wehtbfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\cmrfpvgsb = "cuhdvjcwnziduqhit.exe ."	wehtbfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yefpv = "cuhdvjcwnziduqhit.exe"	wehtbfo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	wehtbfo.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	www.showmyipaddress.com
11	whatismyipaddress.com
13	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe
File created	C:\Windows\SysWOW64\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe
File opened for modification	C:\Windows\SysWOW64\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe
File created	C:\Windows\SysWOW64\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe
File created	C:\Program Files (x86)\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe
File opened for modification	C:\Program Files (x86)\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe
File created	C:\Program Files (x86)\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe
File created	C:\Windows\majbpzoerzeviankrtmajbpzoerzeviankr.maj	wehtbfo.exe
File opened for modification	C:\Windows\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe
File created	C:\Windows\dgelonrwyvpvxegsofnqovyx.gif	wehtbfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1540	wehtbfo.exe
1540	wehtbfo.exe
1540	wehtbfo.exe
1540	wehtbfo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	wehtbfo.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1540	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	27
PID 1092 wrote to memory of 1540	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	27
PID 1092 wrote to memory of 1540	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	27
PID 1092 wrote to memory of 1540	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	27
PID 1092 wrote to memory of 1648	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	28
PID 1092 wrote to memory of 1648	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	28
PID 1092 wrote to memory of 1648	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	28
PID 1092 wrote to memory of 1648	1092	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe	28

System policy modification 1 TTPs 32 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wehtbfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wehtbfo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wehtbfo.exe

C:\Users\Admin\AppData\Local\Temp\bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe
"C:\Users\Admin\AppData\Local\Temp\bf7b28989ddb52cfbbc4bc58acdd33121fe8d95f081185f825ca05085789a5bd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1092
- C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe
  "C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1540
- C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe
  "C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
C:\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
\Users\Admin\AppData\Local\Temp\wehtbfo.exe

Filesize
1.2MB

MD5
c04eeb1ffee63d268d77cbdf5ab9fc88

SHA1
b0d56cdcc32a3ac1c8cd79aa57309e82663b217d

SHA256
83c74cfc2acefcfd7f32f4bafdb151baee63e2ecba6a4331d8932849e1d9babe

SHA512
f4651e12d93e9e7cf8a4c66f9c9f8f29ba03f6a67eeb1c548616bd1e26871adcd44175989cd062d0cff29888885b00fd93ecda9b7e3ef3fee745947802f59114

Download Submit
memory/1092-65-0x0000000074631000-0x0000000074633000-memory.dmp

Filesize
8KB

Download
memory/1092-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1540-57-0x0000000000000000-mapping.dmp

Download
memory/1540-90-0x0000000074301000-0x0000000074303000-memory.dmp

Filesize
8KB

Download
memory/1540-92-0x0000000074301000-0x0000000074303000-memory.dmp

Filesize
8KB

Download
memory/1648-66-0x0000000074641000-0x0000000074643000-memory.dmp

Filesize
8KB

Download
memory/1648-62-0x0000000000000000-mapping.dmp

Download
memory/1648-67-0x0000000074691000-0x0000000074693000-memory.dmp

Filesize
8KB

Download
memory/1648-68-0x0000000074471000-0x0000000074473000-memory.dmp

Filesize
8KB

Download
memory/1648-71-0x0000000074301000-0x0000000074303000-memory.dmp

Filesize
8KB

Download
memory/1648-72-0x0000000074471000-0x0000000074473000-memory.dmp

Filesize
8KB

Download
memory/1648-91-0x0000000074471000-0x0000000074473000-memory.dmp

Filesize
8KB

Download