eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Blocker.exe
Size

564KB
MD5

08f1c0665abb76735cf733a018f3c76e
SHA1

14966a4e6c22337c05487bfb732a588733616ef0
SHA256

eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974
SHA512

08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791
SSDEEP

6144:B8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aU:qnRy+ZyYpaCDJFuPyAHcqrU

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xeisxko.exe

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xeisxko.exe

Adds policy Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "duicrocqgxilrveya.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "wmzsgcpcrhrtybjc.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "kevskkbslftzipbydqga.exe"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jmm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kqtcgs = "duicrocqgxilrveya.exe"	xeisxko.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe

Executes dropped EXE 3 IoCs

pid	Process
1128	iffdguquspp.exe
600	xeisxko.exe
1472	xeisxko.exe

Loads dropped DLL 6 IoCs

pid	Process
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1128	iffdguquspp.exe
1128	iffdguquspp.exe
1128	iffdguquspp.exe
1128	iffdguquspp.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnaiyfmvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\muzkqejo = "metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "zumkdewoidszjreciwnia.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "xqgctsiyqjwbjpawamb.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "metoecrgxpbfmrbwzk.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "kevskkbslftzipbydqga.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "kevskkbslftzipbydqga.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "duicrocqgxilrveya.exe"	xeisxko.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\muzkqejo = "zumkdewoidszjreciwnia.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\xeisxko = "wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe"	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	xeisxko.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnaiyfmvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "kevskkbslftzipbydqga.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "wmzsgcpcrhrtybjc.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\muzkqejo = "kevskkbslftzipbydqga.exe ."	xeisxko.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnaiyfmvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\muzkqejo = "wmzsgcpcrhrtybjc.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmzsgcpcrhrtybjc.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmzsgcpcrhrtybjc.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmselagmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\duicrocqgxilrveya.exe ."	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\muzkqejo = "metoecrgxpbfmrbwzk.exe ."	iffdguquspp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnaiyfmvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe"	iffdguquspp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\metoecrgxpbfmrbwzk.exe ."	iffdguquspp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kevskkbslftzipbydqga.exe ."	xeisxko.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqgctsiyqjwbjpawamb.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\quvc = "zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\quvc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zumkdewoidszjreciwnia.exe"	xeisxko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zegor = "zumkdewoidszjreciwnia.exe ."	xeisxko.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xeisxko.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	whatismyipaddress.com
6	whatismyip.everdot.org
15	www.showmyipaddress.com

Drops file in System32 directory 46 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe
File created	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File created	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe	iffdguquspp.exe
File opened for modification	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	iffdguquspp.exe
File created	C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File created	C:\Windows\SysWOW64\duicrocqgxilrveya.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File opened for modification	C:\Windows\SysWOW64\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File created	C:\Program Files (x86)\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File opened for modification	C:\Program Files (x86)\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe
File created	C:\Program Files (x86)\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kevskkbslftzipbydqga.exe	xeisxko.exe
File opened for modification	C:\Windows\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File opened for modification	C:\Windows\wmzsgcpcrhrtybjc.exe	iffdguquspp.exe
File opened for modification	C:\Windows\kevskkbslftzipbydqga.exe	iffdguquspp.exe
File opened for modification	C:\Windows\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File opened for modification	C:\Windows\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File opened for modification	C:\Windows\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File opened for modification	C:\Windows\duicrocqgxilrveya.exe	iffdguquspp.exe
File opened for modification	C:\Windows\wmzsgcpcrhrtybjc.exe	xeisxko.exe
File opened for modification	C:\Windows\metoecrgxpbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\xqgctsiyqjwbjpawamb.exe	iffdguquspp.exe
File opened for modification	C:\Windows\zumkdewoidszjreciwnia.exe	iffdguquspp.exe
File opened for modification	C:\Windows\kevskkbslftzipbydqga.exe	xeisxko.exe
File opened for modification	C:\Windows\zumkdewoidszjreciwnia.exe	xeisxko.exe
File opened for modification	C:\Windows\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe
File created	C:\Windows\rgskxseqetcdhjqiiqbqcuhcoaodmnrtassal.mer	xeisxko.exe
File created	C:\Windows\xqgctsiyqjwbjpawamb.exe	iffdguquspp.exe
File created	C:\Windows\zumkdewoidszjreciwnia.exe	iffdguquspp.exe
File opened for modification	C:\Windows\metoecrgxpbfmrbwzk.exe	xeisxko.exe
File opened for modification	C:\Windows\zumkdewoidszjreciwnia.exe	xeisxko.exe
File opened for modification	C:\Windows\duicrocqgxilrveya.exe	xeisxko.exe
File created	C:\Windows\quvceopqtxvlevrynkkopwyijk.rpf	xeisxko.exe
File created	C:\Windows\wmzsgcpcrhrtybjc.exe	iffdguquspp.exe
File created	C:\Windows\duicrocqgxilrveya.exe	iffdguquspp.exe
File created	C:\Windows\qmfeyatmhdtbmvjipewslk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\xqgctsiyqjwbjpawamb.exe	xeisxko.exe
File created	C:\Windows\kevskkbslftzipbydqga.exe	iffdguquspp.exe
File opened for modification	C:\Windows\qmfeyatmhdtbmvjipewslk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\qmfeyatmhdtbmvjipewslk.exe	xeisxko.exe
File created	C:\Windows\metoecrgxpbfmrbwzk.exe	iffdguquspp.exe
File opened for modification	C:\Windows\duicrocqgxilrveya.exe	xeisxko.exe
File opened for modification	C:\Windows\xqgctsiyqjwbjpawamb.exe	xeisxko.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1472	xeisxko.exe
1472	xeisxko.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1472	xeisxko.exe
1472	xeisxko.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe
1464	Trojan-Ransom.Win32.Blocker.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	xeisxko.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1128	1464	Trojan-Ransom.Win32.Blocker.exe	27
PID 1464 wrote to memory of 1128	1464	Trojan-Ransom.Win32.Blocker.exe	27
PID 1464 wrote to memory of 1128	1464	Trojan-Ransom.Win32.Blocker.exe	27
PID 1464 wrote to memory of 1128	1464	Trojan-Ransom.Win32.Blocker.exe	27
PID 1128 wrote to memory of 600	1128	iffdguquspp.exe	28
PID 1128 wrote to memory of 600	1128	iffdguquspp.exe	28
PID 1128 wrote to memory of 600	1128	iffdguquspp.exe	28
PID 1128 wrote to memory of 600	1128	iffdguquspp.exe	28
PID 1128 wrote to memory of 1472	1128	iffdguquspp.exe	29
PID 1128 wrote to memory of 1472	1128	iffdguquspp.exe	29
PID 1128 wrote to memory of 1472	1128	iffdguquspp.exe	29
PID 1128 wrote to memory of 1472	1128	iffdguquspp.exe	29

System policy modification 1 TTPs 30 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xeisxko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	iffdguquspp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xeisxko.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xeisxko.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Blocker.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe
  "C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe" "c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\xeisxko.exe
    "C:\Users\Admin\AppData\Local\Temp\xeisxko.exe" "-c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:600
- - C:\Users\Admin\AppData\Local\Temp\xeisxko.exe
    "C:\Users\Admin\AppData\Local\Temp\xeisxko.exe" "-c:\users\admin\appdata\local\temp\trojan-ransom.win32.blocker.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\duicrocqgxilrveya.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kevskkbslftzipbydqga.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\metoecrgxpbfmrbwzk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\qmfeyatmhdtbmvjipewslk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmzsgcpcrhrtybjc.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\xqgctsiyqjwbjpawamb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Users\Admin\AppData\Local\Temp\zumkdewoidszjreciwnia.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\duicrocqgxilrveya.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\kevskkbslftzipbydqga.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\metoecrgxpbfmrbwzk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\qmfeyatmhdtbmvjipewslk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\wmzsgcpcrhrtybjc.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\xqgctsiyqjwbjpawamb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\SysWOW64\zumkdewoidszjreciwnia.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\duicrocqgxilrveya.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\duicrocqgxilrveya.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\kevskkbslftzipbydqga.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\kevskkbslftzipbydqga.exe

Filesize
564KB

MD5
4fde7277f256d5b03dac8516cb3ba8e7

SHA1
b506cec90bd07b821a4c9d745b59701315edc457

SHA256
93e9a90d5cb8f3550691543ee0eeca61453c42c84decdad6e9dbf09575b903d7

SHA512
092b9e026a284ee7d7701ebbbf942fd7faac493357e867728c5387e388ff08b2ae7560948d4e278d1cfe10f134b1d8570baac4fe5df1b9b2972c9f4a1bfd7558

Download Submit
C:\Windows\metoecrgxpbfmrbwzk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\qmfeyatmhdtbmvjipewslk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\qmfeyatmhdtbmvjipewslk.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\wmzsgcpcrhrtybjc.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\wmzsgcpcrhrtybjc.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\xqgctsiyqjwbjpawamb.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\zumkdewoidszjreciwnia.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
C:\Windows\zumkdewoidszjreciwnia.exe

Filesize
564KB

MD5
08f1c0665abb76735cf733a018f3c76e

SHA1
14966a4e6c22337c05487bfb732a588733616ef0

SHA256
eacfff847a40d29a12e17075b5e36bb741c6cd41c694556d14ed63be098ca974

SHA512
08859f9a0fb9dfa5c3a12d17a9df5ebe3cd32830456f294b97f6d309850345cfa869897ee8df3fcb5ffac2b083e20c2da4862d8362235f033d4bbd7e50647791

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
\Users\Admin\AppData\Local\Temp\iffdguquspp.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
\Users\Admin\AppData\Local\Temp\xeisxko.exe

Filesize
684KB

MD5
35b8ce991de7700b0af712ba832a3ffe

SHA1
968cd2f7fec8d71414e45c7f708532bd927b5430

SHA256
b92672c77d456ff3e40bd1b0a12cb1ea10791548b997f44728de7b6edb85281c

SHA512
8a4b618a94fe527527c4dad8ee516c36a9ecd091e96ac4b325d4fc9f08b4e6048d4473ad678439201cb9b3774de8468aefcdc9a72dbe74a505685fe0d0552ecf

Download Submit
memory/1464-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download