34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Size

708KB
MD5

5f0f11d3c43ccfed72d58bfb1f5edffe
SHA1

ea29ffaa3366e1f859cbea33d66b6be9b800a167
SHA256

34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043
SHA512

12681f16d332c53519225ff3b4c17371e024f030e15b709e16a2101e4ab29816783ea9082aa672dc8e42142690da32bdb049aab29bc28895d9ccf76b55685b95
SSDEEP

12288:wXgvmzFHi0mo5aH0qMzd5807FSmPJQPDHvd:wXgvOHi0mGaH0qSdPFS44V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "zzqhtocrnjcprgjml.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "srhxicpdytlxymoq.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe"	vjott.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "zzqhtocrnjcprgjml.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tjqxzko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\slvfkyfncr = "zzqhtocrnjcprgjml.exe"	vjott.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe

Executes dropped EXE 2 IoCs

pid	Process
2648	vjott.exe
2932	vjott.exe

Loads dropped DLL 4 IoCs

pid	Process
1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "zzqhtocrnjcprgjml.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "ijbtgcrhebvjmcgkkl.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "zzqhtocrnjcprgjml.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "gjdxmkbtsrndiagmorlf.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "ijbtgcrhebvjmcgkkl.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "zzqhtocrnjcprgjml.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "gjdxmkbtsrndiagmorlf.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "zzqhtocrnjcprgjml.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "ijbtgcrhebvjmcgkkl.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\khvjskvhatjtse = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\khvjskvhatjtse = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "tvohvsizxvqfjafklng.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\khvjskvhatjtse = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrajnagnb = "vzupfewpppmdjcjqtxsnd.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijbtgcrhebvjmcgkkl.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "ijbtgcrhebvjmcgkkl.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzupfewpppmdjcjqtxsnd.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe"	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "gjdxmkbtsrndiagmorlf.exe"	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzqhtocrnjcprgjml.exe ."	vjott.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kfrdkajtkbpx = "tvohvsizxvqfjafklng.exe ."	vjott.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\izhpsejp = "vzupfewpppmdjcjqtxsnd.exe"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jfsfneozrjyhf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srhxicpdytlxymoq.exe ."	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\nhsdjygpfvi = "tvohvsizxvqfjafklng.exe"	vjott.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vjott.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	www.showmyipaddress.com
5	whatismyip.everdot.org
10	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File created	C:\Windows\SysWOW64\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File opened for modification	C:\Windows\SysWOW64\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe
File created	C:\Windows\SysWOW64\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe
File opened for modification	C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File created	C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File opened for modification	C:\Program Files (x86)\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File created	C:\Windows\mzdhgoprajppegwmylptsabdmv.bqs	vjott.exe
File opened for modification	C:\Windows\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe
File created	C:\Windows\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx	vjott.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe
2648	vjott.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	vjott.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2648	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	28
PID 1452 wrote to memory of 2648	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	28
PID 1452 wrote to memory of 2648	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	28
PID 1452 wrote to memory of 2648	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	28
PID 1452 wrote to memory of 2932	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	29
PID 1452 wrote to memory of 2932	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	29
PID 1452 wrote to memory of 2932	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	29
PID 1452 wrote to memory of 2932	1452	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe	29

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vjott.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vjott.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vjott.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vjott.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vjott.exe

C:\Users\Admin\AppData\Local\Temp\34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe
"C:\Users\Admin\AppData\Local\Temp\34607ae833e97ad9bfc1ab87fc3556e6e939c083ee0a4bd23f00637442f23043.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1452
- C:\Users\Admin\AppData\Local\Temp\vjott.exe
  "C:\Users\Admin\AppData\Local\Temp\vjott.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\vjott.exe
  "C:\Users\Admin\AppData\Local\Temp\vjott.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
073f1013bf7343937b5495710d6ae6da

SHA1
63c814338690dce5871ebe7fdcf8a9ca32701ce1

SHA256
039943363852c0f29855530eacf7a45c0f52c833740a09b1a5321c4c62289e9d

SHA512
43e5395718dda26a008418025817e8a64f4f7c81149e5e908f2a8f2edbe186878ce4947f0a6a3197c707675c31436406808f354db4bc56c564f3e1e80eedac63

Download Submit
C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
32dd4d6e3873e1c5ab63d718b87fc938

SHA1
972eaa2e4be7a9d641410ff0f4c0db7662982aaa

SHA256
4b86de2ac12d892304dcb36b38843621afb943189aa40abbc10d143c0b987bd3

SHA512
c5a11894ea13ad15db9303724bc94316c85929a0e83a840c816054beb71c36e0428a901ccf7aa7346b7a07224cffe2ed955ff1c6c59117a48ed00ee6eb6e067b

Download Submit
C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
9d906552a1499d3550a305c975ed0e8d

SHA1
ce14ee708e2e89ab051674d7c140b7889a9d0928

SHA256
cacdca2ace0472711bfa8974e99d3aa1409235eb230527ff25c135da8396ed16

SHA512
995dcb541d26fd621b722dd141343be30fc4020aa042906e7a77e1c5d9e4424bd86a6c86b719048e2013982956efbcb360eb11c8d79427b52ac69a3f16757bb1

Download Submit
C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
de4688245de93b43542a8ed39c791534

SHA1
6567055ab92efde8e73a30f34d0ee8af2ecfbb0f

SHA256
081798b92caba6ba0b486684c8a52e7ed2690412964b16d541854619d8a9d937

SHA512
dea2840f70a9101e79cbdf9e0623bf822cdf436eb81173ff9bafddd3f59101ebc4ab8cb7eaf86953b413458e02b29d1ce1622fd97124b9683370c36d778d9486

Download Submit
C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
62571a8b2fd8d2013cb21a00c5cae108

SHA1
d3c2c18140bb0f5c3b46519e587c3590bb441600

SHA256
f7bcd49e55b78b89376f4074aa863391e0b01564e64041a0923bff08cdeb74f7

SHA512
88ee923763cb6536ca4b06cc31935f308978c7fbaacc05fd11626156bc8a2d0f463ec2b9d2c87bc4944c103f756134edd147fa509ef2a3a3b4c586c856158d3a

Download Submit
C:\Program Files (x86)\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
19d3256443daa5cc4909f6ed14920416

SHA1
31b58e09284aea14cc1086cab9591d441b0abaf4

SHA256
95fd2c920522a00145218cba88269cb271c1302d63c9c81b66a3df16cc8235c7

SHA512
d906f3f05064b47af2650488dcb130ca8de74b2cb36b195719ce32e19018ea79d45315284d8f771bb95b25fb03c10e1f43f5da518f8d56698a7c07794565052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
C:\Users\Admin\AppData\Local\mzdhgoprajppegwmylptsabdmv.bqs

Filesize
280B

MD5
f4acf4d773d8dc605f5dfcd81241282e

SHA1
e61a73e3e69e3304baf8336087800edf63bf8329

SHA256
6b73a40fe0776f953a64e48bd906cd8ef9325cf3e81c807714a3e3623616bc1d

SHA512
c89fd8ec3f52adce13f245698f7d7b855a2c0c9810d16abbbc1bd0f68c4e6c1e9cce8ed8d136e11e16bee8c29429ee0dc048ab0fe99ab61f2f4189adde7e9bce

Download Submit
C:\Users\Admin\AppData\Local\nlapzserlfwhhuvwtrgvfykxrlcnnabczxmbl.qdx

Filesize
4KB

MD5
954b4753f047eae706a18cedff9bf4fc

SHA1
06d3b1b33d55b905bbcc631fa2c0a1eb4281ae3f

SHA256
2aa2846b58104ff7e589dcfeb9baf57d909cacabd98ad9e22c1f541fd1bef08f

SHA512
00d00a6716aef5e009a835fb29d5afaad3565191191aa4663ac8eceee476def1a4535eb5cc3a4c7d855875333375545c727bb7cf39d28d519bdaf8fb4b8cfe30

Download Submit
\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit
\Users\Admin\AppData\Local\Temp\vjott.exe

Filesize
1.3MB

MD5
0c7f3290e7eed778b31d97742a09bc3f

SHA1
e2b75ce97ddbccf7dce9a162b5165f58c7f2c9a2

SHA256
2194798a33a5b9a465bf589ac233e8f39769c2e84d82018f51284fb0f27219f2

SHA512
9861bc4a66289824001532f2f678b1e0f8ae32664ce247d7c2e1737684bac631fc9418448c0db7c73f038afe2f07a2a6de965faed5efeaec861dceb8c6bd7e87

Download Submit