Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 14/11/2023, 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
  Resource: win10v2004-20231020-en
General
Target: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Size: 7.3MB
MD5: 82cf1c1a6e7f52327e4a01651cb22a8d
SHA1: 2a57061f724bb650bd961d63cf3e93f60c158eb5
SHA256: 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39
SHA512: 89e422babe9e310e10da8c15dd8a33dbc994585b93d0265bce7e14d17cf2b7bb8f5dd5ac072cbd4d69ff0ce3ab2b3a9ec3d3ed024b70b51c1f08cb0e5605d8c4
SSDEEP: 12288:2XgvmzFHi0mo5aH0qMzd58c7FcquPJQPDHvd:2XgvOHi0mGaH0qSdDFcT4V
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | agkps.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | agkps.exe
Adds policy Run key to start application 2 TTPs 31 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "xodthctbxiezrdes.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "lgztlkfrrggfbrwouahc.exe" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "lgztlkfrrggfbrwouahc.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\siwlysipkupjall = "ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pcnzjanrjqiz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Executes dropped EXE 2 IoCs
pid | Process
2980 | agkps.exe
2248 | agkps.exe
Loads dropped DLL 4 IoCs
pid | Process
1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe ." | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "awqleeanoeffctzszgoke.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngxpfcvfdqolftwmqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe ." | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "yskdusmxwkjhcrvmrwc.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "ewmdsogpmyvrkxzor.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngxpfcvfdqolftwmqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "xodthctbxiezrdes.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "ngxpfcvfdqolftwmqu.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngxpfcvfdqolftwmqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngxpfcvfdqolftwmqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "ngxpfcvfdqolftwmqu.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "ewmdsogpmyvrkxzor.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "lgztlkfrrggfbrwouahc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "xodthctbxiezrdes.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "awqleeanoeffctzszgoke.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewmdsogpmyvrkxzor.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "xodthctbxiezrdes.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngxpfcvfdqolftwmqu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "xodthctbxiezrdes.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngxpfcvfdqolftwmqu.exe ." | agkps.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "awqleeanoeffctzszgoke.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yskdusmxwkjhcrvmrwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awqleeanoeffctzszgoke.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ewmdsogpmyvrkxzor = "ngxpfcvfdqolftwmqu.exe ." | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "xodthctbxiezrdes.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yskdusmxwkjhcrvmrwc.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\perfrkzfzicvlv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xodthctbxiezrdes.exe ." | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\ocobmesxqyrjy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgztlkfrrggfbrwouahc.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "ngxpfcvfdqolftwmqu.exe" | agkps.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\xodthctbxiezrdes = "ngxpfcvfdqolftwmqu.exe" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | whatismyip.everdot.org
5 | whatismyipaddress.com
7 | www.showmyipaddress.com
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
File created | C:\Windows\SysWOW64\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
File opened for modification | C:\Windows\SysWOW64\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
File created | C:\Windows\SysWOW64\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
File created | C:\Program Files (x86)\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
File opened for modification | C:\Program Files (x86)\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
File created | C:\Program Files (x86)\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
File created | C:\Windows\bcbbzefxdyejlhsqcobcbb.efx | agkps.exe
File opened for modification | C:\Windows\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
File created | C:\Windows\seoziyknekbrelhqnkiuepyoaduarhubx.day | agkps.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2980 | agkps.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2980 | agkps.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1164 wrote to memory of 2980 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 28
PID 1164 wrote to memory of 2980 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 28
PID 1164 wrote to memory of 2980 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 28
PID 1164 wrote to memory of 2980 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 28
PID 1164 wrote to memory of 2248 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 29
PID 1164 wrote to memory of 2248 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 29
PID 1164 wrote to memory of 2248 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 29
PID 1164 wrote to memory of 2248 | 1164 | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe | 29
System policy modification 1 TTPs 39 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | agkps.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | agkps.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\851b08ee51d7efd37fe24a0a203d582de2461b0280c021972dd7beddacd67b39.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1164
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\agkps.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\agkps.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2980
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\agkps.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\agkps.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID: 2248
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
Downloads