a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 14:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Size

320KB
MD5

005a118ee57ef05180252398693a90c6
SHA1

4895f77495f0e4f888d761d87a9a3cf1072572aa
SHA256

a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd
SHA512

c716c6b0c16b61130e89899c8a71c112fe8a9a1c0f044f346baa8ba13f2d4dc4632f4ed9f46f239c6ae554e980f00507012f0be228189f068774a429b1396cd5
SSDEEP

6144:CTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:MXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jptamo.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "ytmijayoovntofrgyrmfb.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "jdvqqgdsrxotndoctlfx.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "vlzqmyrcxzmndpwg.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdvqqgdsrxotndoctlfx.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "wpgazokywbrvodnaqha.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlzqmyrcxzmndpwg.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wdiqdgq = "wpgazokywbrvodnaqha.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ptva = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	jptamo.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe

Executes dropped EXE 2 IoCs

pid	Process
2036	jptamo.exe
1632	jptamo.exe

Loads dropped DLL 4 IoCs

pid	Process
1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydgmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ctiaxkeqmpdfwjrcq.exe ."	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydgmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "ctiaxkeqmpdfwjrcq.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ctiaxkeqmpdfwjrcq.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "vlzqmyrcxzmndpwg.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdvqqgdsrxotndoctlfx.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "jdvqqgdsrxotndoctlfx.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydgmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydgmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe ."	jptamo.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "ldtmkytgdhwzrfoapf.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "wpgazokywbrvodnaqha.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "ytmijayoovntofrgyrmfb.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "jdvqqgdsrxotndoctlfx.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "jdvqqgdsrxotndoctlfx.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "wpgazokywbrvodnaqha.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdvqqgdsrxotndoctlfx.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vlzqmyrcxzmndpwg.exe ."	jptamo.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdvqqgdsrxotndoctlfx.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ldtmkytgdhwzrfoapf.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "ytmijayoovntofrgyrmfb.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "wpgazokywbrvodnaqha.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpgazokywbrvodnaqha.exe"	jptamo.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfnyouhmbx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe ."	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "wpgazokywbrvodnaqha.exe ."	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ctiaxkeqmpdfwjrcq.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "jdvqqgdsrxotndoctlfx.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydgmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpgazokywbrvodnaqha.exe"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytmijayoovntofrgyrmfb.exe ."	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wpgazokywbrvodnaqha.exe ."	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ydgmx = "ctiaxkeqmpdfwjrcq.exe"	jptamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jptamo = "jdvqqgdsrxotndoctlfx.exe ."	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbkwnuioebj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdvqqgdsrxotndoctlfx.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "jdvqqgdsrxotndoctlfx.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ltziwalo = "vlzqmyrcxzmndpwg.exe"	jptamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\clscrwima = "ytmijayoovntofrgyrmfb.exe ."	jptamo.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jptamo.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	whatismyip.everdot.org
7	whatismyipaddress.com
10	www.showmyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe
File created	C:\Windows\SysWOW64\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe
File opened for modification	C:\Windows\SysWOW64\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe
File created	C:\Windows\SysWOW64\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe
File created	C:\Program Files (x86)\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe
File opened for modification	C:\Program Files (x86)\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe
File created	C:\Program Files (x86)\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe
File created	C:\Windows\qbkwnuioebjfqxzemvgpbszntjgokvcej.alu	jptamo.exe
File opened for modification	C:\Windows\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe
File created	C:\Windows\zzxyeadydpmxxtkebzzxye.dyd	jptamo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2036	jptamo.exe
2036	jptamo.exe
2036	jptamo.exe
2036	jptamo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	jptamo.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2036	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	27
PID 1672 wrote to memory of 2036	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	27
PID 1672 wrote to memory of 2036	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	27
PID 1672 wrote to memory of 2036	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	27
PID 1672 wrote to memory of 1632	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	28
PID 1672 wrote to memory of 1632	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	28
PID 1672 wrote to memory of 1632	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	28
PID 1672 wrote to memory of 1632	1672	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe	28

System policy modification 1 TTPs 36 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jptamo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jptamo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe

C:\Users\Admin\AppData\Local\Temp\a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe
"C:\Users\Admin\AppData\Local\Temp\a8beeab1b62c20e7c3188e923c60017b2573ab4c257e22503c2133968efd60dd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672
- C:\Users\Admin\AppData\Local\Temp\jptamo.exe
  "C:\Users\Admin\AppData\Local\Temp\jptamo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\jptamo.exe
  "C:\Users\Admin\AppData\Local\Temp\jptamo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
\Users\Admin\AppData\Local\Temp\jptamo.exe

Filesize
728KB

MD5
0aa6d11de0e479c73f817b892b6b0ffc

SHA1
fad0aaa34f6a71dc362db015e056d0ac908a31e1

SHA256
c23a7614f36eac53ffcf5cccd8c8c24ccbb887becb3eb5516b655fa0244f10fd

SHA512
6d35c8905f214eb56484c359d007a309d250bfbbc0f5c8335d92af440cd5e8cabe87f7a9516368f240730833b876229a8c955ff3c41338577bfb20a5214e4b4a

Download Submit
memory/1632-66-0x00000000747B1000-0x00000000747B3000-memory.dmp

Filesize
8KB

Download
memory/1632-67-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download
memory/1632-71-0x0000000074751000-0x0000000074753000-memory.dmp

Filesize
8KB

Download
memory/1632-72-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/1632-73-0x0000000074341000-0x0000000074343000-memory.dmp

Filesize
8KB

Download
memory/1632-74-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/1632-95-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-65-0x0000000074791000-0x0000000074793000-memory.dmp

Filesize
8KB

Download
memory/2036-94-0x0000000074341000-0x0000000074343000-memory.dmp

Filesize
8KB

Download