60f41fb93576acb95218dea7e0d71335aa6f1aed8747c580bbe67585e412040f

Analysis

max time kernel
102s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
28/10/2023, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Size

1.2MB
MD5

a8b3e6726e785ec919f469daca0085c0
SHA1

68350dc9e43da9ce79a97af58d5c51629d7f341d
SHA256

60f41fb93576acb95218dea7e0d71335aa6f1aed8747c580bbe67585e412040f
SHA512

f7262e2e3e38c7d352007f81ec7bceadc2fe2bc0e372eb373766848e40c144e53405fbc276fea8746ed1673e5bfb28726ec6a88a971bcb2480b7966378140751
SSDEEP

12288:KXgvmzFHi0mo5aH0qMzd5807F7dsPJQPDHvd:KXgvOHi0mGaH0qSdPF7dG4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	wiqwwfk.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wiqwwfk.exe

Adds policy Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "yyuoczsvmecscqvarfmmi.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "vqhwfxljvibmraaa.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgscgtcvcky = "jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyhopzfv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	wiqwwfk.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	wiqwwfk.exe
2644	wiqwwfk.exe

Loads dropped DLL 4 IoCs

pid	Process
1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "cyqgqjyxkysekuvwj.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "jidwjfxzpgdsboswmzfe.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jidwjfxzpgdsboswmzfe.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "jidwjfxzpgdsboswmzfe.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "vqhwfxljvibmraaa.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "vqhwfxljvibmraaa.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "wuogsnefukgucorujva.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "libsdxnnbqlyfqsuit.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "wuogsnefukgucorujva.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "libsdxnnbqlyfqsuit.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jidwjfxzpgdsboswmzfe.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "vqhwfxljvibmraaa.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "vqhwfxljvibmraaa.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jidwjfxzpgdsboswmzfe.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqhwfxljvibmraaa.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "cyqgqjyxkysekuvwj.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "jidwjfxzpgdsboswmzfe.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "yyuoczsvmecscqvarfmmi.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "wuogsnefukgucorujva.exe"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe ."	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mesekzkfoyowy = "yyuoczsvmecscqvarfmmi.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\nerchvfzhqfm = "yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yyuoczsvmecscqvarfmmi.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qkaownaxiumwaih = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "libsdxnnbqlyfqsuit.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngvipfrnxizils = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wuogsnefukgucorujva.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\libsdxnnbqlyfqsuit.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkvehtbtzg = "libsdxnnbqlyfqsuit.exe ."	wiqwwfk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqaikvcty = "libsdxnnbqlyfqsuit.exe"	wiqwwfk.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyip.everdot.org
5	whatismyipaddress.com
11	www.showmyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe
File opened for modification	C:\Windows\SysWOW64\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File created	C:\Windows\SysWOW64\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File opened for modification	C:\Windows\SysWOW64\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File created	C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File opened for modification	C:\Program Files (x86)\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe
File created	C:\Program Files (x86)\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File created	C:\Windows\pydgdjlxxyfexuiwwtjsxaxdfr.szy	wiqwwfk.exe
File opened for modification	C:\Windows\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe
File created	C:\Windows\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq	wiqwwfk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe
2952	wiqwwfk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	wiqwwfk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 2952	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	28
PID 1108 wrote to memory of 2952	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	28
PID 1108 wrote to memory of 2952	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	28
PID 1108 wrote to memory of 2952	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	28
PID 1108 wrote to memory of 2644	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	29
PID 1108 wrote to memory of 2644	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	29
PID 1108 wrote to memory of 2644	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	29
PID 1108 wrote to memory of 2644	1108	NEAS.a8b3e6726e785ec919f469daca0085c0.exe	29

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	NEAS.a8b3e6726e785ec919f469daca0085c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wiqwwfk.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.a8b3e6726e785ec919f469daca0085c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.a8b3e6726e785ec919f469daca0085c0.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1108
- C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe
  "C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe
  "C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
f2dc1a54ca238824e2b938ecab4acec4

SHA1
530d0c212b6cb821a7586d8dd7b73bedb49efc94

SHA256
7a1754c4bd82bbf894f1b90ac6b5a42c0776c4bb350ab4c9bb0bb47379bc8d4b

SHA512
698b7b2b6b8f743f607a2d922b20b5929a5e09056319d8ad082b826b8973ffefde0acd15632d9ad90a214be12fdc6cecd3c5de5b4d2fcb71bebf05c6fd289fce

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
aea7d999da71c6a7b775b7ba537ed3af

SHA1
5c494459d034614d1bf9fbc49da022ddc2ba8417

SHA256
1d28c69019d643ec9a739f179eeb593f578fe5038188b1743b2f6b6d476b0441

SHA512
9e4c19356cf95c315b42b102a2144e059cae781db581e3b58bf203cdd2cfaa3bc24d09afbd33b80b4e66fb9cfcceed8bb2571eb36b434b3a850d1381f44d411b

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
adf8b907d764b09f029bf9520b775db2

SHA1
0ebb1e908c4b1eb88c0bd0e4fee1b73e23e668cf

SHA256
3421523b4178297f5bdc6db69ab7e3e605ce673ac879598350a894f14028e5a6

SHA512
7066c57ab153cbfbd8897a08f8951c2ddeccc5d5cd9fea2acf3d8c6a84464ecd965d5087c5573c97ea6f2a366b1d86205ba779a51d794db2113edf6e97cda101

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
7e5dc55d175198cf6e372e5b6e3a9f15

SHA1
c646b16e0a63a28006f94cb4ea566a977b258f32

SHA256
c3fe8356c55a12b6abbf27efc27532188c506e4b1b1e2e422434d6972d528a01

SHA512
6d2a33b7bee38d0f5ad3999ff8267d39bcffc413a0fc1d58730384ba49f55d4dc304e4d441573f28043c9d418e66cac1bd99807796ce277dc2a5e66b6f2f1b20

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
00f5b601fb9fdaa6ac07b58259e037c5

SHA1
29ecf17120ea6f7d0ab32ded39d6ca0a30e85b23

SHA256
65400b818b84faa6738357c84191dbe79738a1c75143460ff6fe13bcc4ec21cd

SHA512
093ebd101fe8488d7f0e252d385bbe23d1278e8343bb008bea7dc459ee624c6d616f80418d5c9ec08279e7e29b2023de09c44efa298b891f4dfb939fc683cf92

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
09a3870b37b1005fb47c7e046f93de51

SHA1
36115272877a1ead7d8c5194c1f3e238398e2e91

SHA256
a1968a8b1f706aec9f7bf9d8eb558ac8a0df9b0fbd90704d6d789ac830547654

SHA512
2557ebaa8b51ab365fe0acc152c5675699b9ff6679e7357c788c5a1ba518dc9560833d1ba5d041a112771d78b1131fd8d50c0c9077e7c7071a9d8c234ae20733

Download Submit
C:\Program Files (x86)\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
31dc7372eaca567ff375f74fe5461d3a

SHA1
36e56bca5a49db8c9460d486d778339222252a52

SHA256
4890ca3c73f6f6079eb294d2189be9031d553dc4914dcf3dbb3db11895cacbfe

SHA512
c06a0c068252ef687d2d00626d2599e0d592979281c0a9e6728010aa408572303e66ffc72d7759e877fafc3beba6f31c997d34b8e58c1a7982d4327cec582376

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
C:\Users\Admin\AppData\Local\pydgdjlxxyfexuiwwtjsxaxdfr.szy

Filesize
280B

MD5
11d50f864af0104fd3b6a3c44efb1fbf

SHA1
5f791343ad90c4866be4b94f046e5882b3386324

SHA256
9b23d6507afaf817a796b5ace48222b9a8fd097b3bca54405f12d22e7a1b9264

SHA512
33986181fd66912ae3a974608316bf4ee1d249928f51362234c8edaaf24c372090267c1902a3cbfafab854cdd7b83ec38c33aac1ad17bd785459df36b6feb5e6

Download Submit
C:\Users\Admin\AppData\Local\qkaownaxiumwaihgrzaukygxkhsewgksrqbjk.uiq

Filesize
4KB

MD5
67ef4e5b4c4bc9892fc6df6917a514e7

SHA1
2292cfaf099cd4693932d194668e26aa563ed4f0

SHA256
33dfcdea80fff933ba9b43a1fb3c614da2fcbadf9f9548705b5c5fe3fc0afe58

SHA512
fd7a443271341964614fe488e1915de6afbc8bad746c09af15d39a3d6021e96c84a20dc104323a25f0e5b01a010f18f945185682e0ed1790922ec6e5aad12060

Download Submit
\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit
\Users\Admin\AppData\Local\Temp\wiqwwfk.exe

Filesize
2.0MB

MD5
45a9304b8b7ad8fbcc7474645564c6c0

SHA1
87b71e778063f74a2f3a10327a063612eefd7071

SHA256
445ed9a50d4eda3c16d2a07e4c5ca23fc908df2248871bc1f25de35d8db8f2be

SHA512
75b3410770a69659f01b6bd0b06861649ba0095ae73e436481e4d9fcf3541957168351bfe1ffb09453cadb3882ac5a194cae255ec0bb1a61765e8b46fc66ef8c

Download Submit