83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195

Analysis

max time kernel
267s
max time network
342s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
Size

500KB
MD5

7f1f8de5b4b569c182bfe60b293b1812
SHA1

82f31b92c999c490d4752e354e8647df6233adc1
SHA256

83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195
SHA512

cd71c8c0a19bb76d56f0a70e63b7b7a8b44efe7d5b65096fb6b56a73ac44bcbc173d9dfe22c1d7d0d2cba04e233e094c9a5ecf3bdb50d404c4db0614172c1c53
SSDEEP

12288:36bvdl0zCB8EDItMTzwg7lMQsvNuqZBRbZEYTwdD7IjLgWd5:YvdezCByqTtlMQsFuqzRbzI7In

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	fdiwjegfpns.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	fdiwjegfpns.exe

Adds policy Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zdomw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtqawgyxgosdxqrze.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zdomw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpoaykefqagtpknxeia.exe"	fdiwjegfpns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mthivwfv = "kddqpcxzlwdrokozhmff.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zdomw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mthivwfv = "dtqawgyxgosdxqrze.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zdomw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wlhqluljryblewwd.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mthivwfv = "ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zdomw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kddqpcxzlwdrokozhmff.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mthivwfv = "xpoaykefqagtpknxeia.exe"	fdiwjegfpns.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fdiwjegfpns.exe

Executes dropped EXE 1 IoCs

pid	Process
520	fdiwjegfpns.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbswmqcvyay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztuiiwsviucrpmrdmsmnb.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlacqsctu = "mdbmjunnxglxsmoxdg.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrwnsfzdgfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpoaykefqagtpknxeia.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdbmjunnxglxsmoxdg.exe ."	fdiwjegfpns.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlacqsctu = "ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfvynqbtvw = "kddqpcxzlwdrokozhmff.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "ztuiiwsviucrpmrdmsmnb.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpbalk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtqawgyxgosdxqrze.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrwnsfzdgfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpoaykefqagtpknxeia.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrwnsfzdgfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kddqpcxzlwdrokozhmff.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kddqpcxzlwdrokozhmff.exe ."	fdiwjegfpns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrwnsfzdgfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtqawgyxgosdxqrze.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpbalk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kpbalk = "ztuiiwsviucrpmrdmsmnb.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kpbalk = "kddqpcxzlwdrokozhmff.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "xpoaykefqagtpknxeia.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlacqsctu = "wlhqluljryblewwd.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbswmqcvyay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpoaykefqagtpknxeia.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "wlhqluljryblewwd.exe ."	fdiwjegfpns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fdiwjegfpns.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfvynqbtvw = "ztuiiwsviucrpmrdmsmnb.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtqawgyxgosdxqrze.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kpbalk = "wlhqluljryblewwd.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfvynqbtvw = "mdbmjunnxglxsmoxdg.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ozrwnsfzdgfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mdbmjunnxglxsmoxdg.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xdqqcck = "mdbmjunnxglxsmoxdg.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rbswmqcvyay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kddqpcxzlwdrokozhmff.exe ."	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kpbalk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kddqpcxzlwdrokozhmff.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kpbalk = "dtqawgyxgosdxqrze.exe"	fdiwjegfpns.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dlacqsctu = "xpoaykefqagtpknxeia.exe"	fdiwjegfpns.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdiwjegfpns.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ztuiiwsviucrpmrdmsmnb.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\qlncdspthudtsqwjtavxmn.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\wlhqluljryblewwd.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\dtqawgyxgosdxqrze.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\mdbmjunnxglxsmoxdg.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\xpoaykefqagtpknxeia.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\SysWOW64\kddqpcxzlwdrokozhmff.exe	fdiwjegfpns.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kddqpcxzlwdrokozhmff.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\ztuiiwsviucrpmrdmsmnb.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\qlncdspthudtsqwjtavxmn.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\wlhqluljryblewwd.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\dtqawgyxgosdxqrze.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\mdbmjunnxglxsmoxdg.exe	fdiwjegfpns.exe
File opened for modification	C:\Windows\xpoaykefqagtpknxeia.exe	fdiwjegfpns.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 520	3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe	83
PID 3480 wrote to memory of 520	3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe	83
PID 3480 wrote to memory of 520	3480	83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe	83

System policy modification 1 TTPs 13 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	fdiwjegfpns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	fdiwjegfpns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fdiwjegfpns.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fdiwjegfpns.exe

C:\Users\Admin\AppData\Local\Temp\83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe
"C:\Users\Admin\AppData\Local\Temp\83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\fdiwjegfpns.exe
  "C:\Users\Admin\AppData\Local\Temp\fdiwjegfpns.exe" "c:\users\admin\appdata\local\temp\83de08f484302d2a00a42cd0ce79bbdbdcab51d4d8a87d14b434136b8fa16195.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fdiwjegfpns.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdiwjegfpns.exe

Filesize
320KB

MD5
89ec3461ef4a893428c32f89de78b396

SHA1
8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9

SHA256
1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b

SHA512
7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

Download Submit
memory/520-132-0x0000000000000000-mapping.dmp

Download