214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d

Analysis

max time kernel
174s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Size

1.3MB
MD5

bf08b2b016613d90c4ac0295c6b75fdf
SHA1

841a8902ec5b7c41758d4e1d78d9527a67fe471d
SHA256

214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d
SHA512

845e00ee2737a2811b877a801a9e5a74daf5fef29efc54f9bed11bc416f93a9fb1cc066def7ce952128a866377358dba5193d399b66cf672b8108fcd719b8442
SSDEEP

6144:p3ue8ySm8hQAAIfFrRXuEE+0l97mKwKRqHVqlWo86JQPDHDdx/Qtqa:z/zkFF+EExZmKbRuVqlWoPJQPDHvd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zejmu.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zejmu.exe

Adds policy Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqjawomcrmatgwjdgab.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "keyqngfwmixrfwkfjega.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "mewmhyvkysfxjykdfy.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "zupigaasjgwrgynjoknid.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqjawomcrmatgwjdgab.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xelqags = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "xqjawomcrmatgwjdgab.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "wmcqjytgskvlvisj.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wgqylujqwi = "xqjawomcrmatgwjdgab.exe"	zejmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe

Executes dropped EXE 2 IoCs

pid	Process
2844	zejmu.exe
3760	zejmu.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "keyqngfwmixrfwkfjega.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "keyqngfwmixrfwkfjega.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "xqjawomcrmatgwjdgab.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "zupigaasjgwrgynjoknid.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "zupigaasjgwrgynjoknid.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "keyqngfwmixrfwkfjega.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "xqjawomcrmatgwjdgab.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "xqjawomcrmatgwjdgab.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "wmcqjytgskvlvisj.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\keyqngfwmixrfwkfjega.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "xqjawomcrmatgwjdgab.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqjawomcrmatgwjdgab.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "dulaukguhamdocnfg.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "zupigaasjgwrgynjoknid.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "zupigaasjgwrgynjoknid.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "zupigaasjgwrgynjoknid.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "mewmhyvkysfxjykdfy.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "keyqngfwmixrfwkfjega.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqjawomcrmatgwjdgab.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "zupigaasjgwrgynjoknid.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "wmcqjytgskvlvisj.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "mewmhyvkysfxjykdfy.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oamwlwnweszl = "dulaukguhamdocnfg.exe ."	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcnwkukszms = "dulaukguhamdocnfg.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zupigaasjgwrgynjoknid.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mewmhyvkysfxjykdfy.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ocqctgzkukthpa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mucitans = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dulaukguhamdocnfg.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmcqjytgskvlvisj.exe ."	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mucitans = "mewmhyvkysfxjykdfy.exe"	zejmu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dmvcowkqv = "zupigaasjgwrgynjoknid.exe ."	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nanyoasclaivc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqjawomcrmatgwjdgab.exe ."	zejmu.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zejmu.exe

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
103	whatismyip.everdot.org
106	whatismyip.everdot.org
59	whatismyipaddress.com
76	www.showmyipaddress.com
89	www.showmyipaddress.com
92	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe
File opened for modification	C:\Windows\SysWOW64\bazwywawrsmleattccjih.gei	zejmu.exe
File created	C:\Windows\SysWOW64\bazwywawrsmleattccjih.gei	zejmu.exe
File opened for modification	C:\Windows\SysWOW64\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bazwywawrsmleattccjih.gei	zejmu.exe
File opened for modification	C:\Program Files (x86)\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe
File created	C:\Program Files (x86)\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe
File opened for modification	C:\Program Files (x86)\bazwywawrsmleattccjih.gei	zejmu.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bazwywawrsmleattccjih.gei	zejmu.exe
File created	C:\Windows\bazwywawrsmleattccjih.gei	zejmu.exe
File opened for modification	C:\Windows\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe
File created	C:\Windows\wgqylujqwinxbimxrcueowjshouglvzg.vpa	zejmu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	zejmu.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	zejmu.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe
2844	zejmu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	zejmu.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2844	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	96
PID 4632 wrote to memory of 2844	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	96
PID 4632 wrote to memory of 2844	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	96
PID 4632 wrote to memory of 3760	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	97
PID 4632 wrote to memory of 3760	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	97
PID 4632 wrote to memory of 3760	4632	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe	97

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zejmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zejmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zejmu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zejmu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe

C:\Users\Admin\AppData\Local\Temp\214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe
"C:\Users\Admin\AppData\Local\Temp\214ee6f6acbc386d55689dd7d35387a8d597ce8ec0a735919ab984a3338ea95d.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4632
- C:\Users\Admin\AppData\Local\Temp\zejmu.exe
  "C:\Users\Admin\AppData\Local\Temp\zejmu.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\zejmu.exe
  "C:\Users\Admin\AppData\Local\Temp\zejmu.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bazwywawrsmleattccjih.gei

Filesize
272B

MD5
4859f711f0c92f17acc8d518b7c42027

SHA1
8852fea2582985146d5ca36b6bdc30abb1089110

SHA256
76cb7791f672146264251e3d903c18583dc39d049f05419a15e567198042d810

SHA512
7ada124c020666709883b88024a2d02ea7d0ea4ebe4561010ee658c969d672289d61e83a815ccccf617aae837cb4ea89ae56ad714f01f1b23cceb82083921b86

Download Submit
C:\Program Files (x86)\bazwywawrsmleattccjih.gei

Filesize
272B

MD5
d5b63bfb44e79b14c86c355ced759479

SHA1
f8b68c92ab55f545adc89288fee05a3c5c0c2491

SHA256
2f21385f6df4203a17cfb375e51c6261ec14275a639247361453174071a1a1c2

SHA512
ab0792ac69f67fe7f2be6b03d89c4b9c60cf1c32e4e5a732c32ed37da150785c6baf09372a75db3d5fb517a41d29143cff0ebd395da0408c5cf17cff571aafe8

Download Submit
C:\Program Files (x86)\bazwywawrsmleattccjih.gei

Filesize
272B

MD5
9ff5b44d11ee938eb8a73454342040d4

SHA1
83d61d0531b79ca5d672f7cd58e98fb982eb7946

SHA256
5b6de59e1ab775109d2535cdefe7e662861568e2408f4d7c9f95fdcecb9a05de

SHA512
618040d70e985ed315441539a051dfaf75ab92c830df13e0791186769fafb153044f81ba8c682169c8dcfd2c2eb70207965697a33472953f208d17cf2f0dd7c3

Download Submit
C:\Program Files (x86)\bazwywawrsmleattccjih.gei

Filesize
272B

MD5
33c8c5ab557e88258d463f3d2844606d

SHA1
a7c197518ad3e77c0f617a0a7e4e859d6d981a24

SHA256
b60c5e59acf806bd6160adbae78e4e4c670ee5d6276a571a6e122ab813c4ff82

SHA512
9975a2ab63ee9fbaa71dd11d2648450b7d423404c719efc2eb44afe0ef6a6b127bb874280623027a392d51bac819d951f5773a9c04c59bb7cfa08e95fad1610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejmu.exe

Filesize
2.1MB

MD5
d302552ac3c2db543dafb1f29051b146

SHA1
694d53f684fe6fe069bb96a8901aeddaabb7708e

SHA256
0f3b5dd27b2b3d101389cc3f65f6ebd5ee89c4792bb2631217da3f55da1b22b2

SHA512
5fdfe6917129a1363f441f13e2d3499ccb3c4f3d93d663a73f1166b055677ef5637ecfe4fe7246c39394e5c78ee6641d07890c97bcbd9fcd0e0eab5325a33c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejmu.exe

Filesize
2.1MB

MD5
d302552ac3c2db543dafb1f29051b146

SHA1
694d53f684fe6fe069bb96a8901aeddaabb7708e

SHA256
0f3b5dd27b2b3d101389cc3f65f6ebd5ee89c4792bb2631217da3f55da1b22b2

SHA512
5fdfe6917129a1363f441f13e2d3499ccb3c4f3d93d663a73f1166b055677ef5637ecfe4fe7246c39394e5c78ee6641d07890c97bcbd9fcd0e0eab5325a33c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejmu.exe

Filesize
2.1MB

MD5
d302552ac3c2db543dafb1f29051b146

SHA1
694d53f684fe6fe069bb96a8901aeddaabb7708e

SHA256
0f3b5dd27b2b3d101389cc3f65f6ebd5ee89c4792bb2631217da3f55da1b22b2

SHA512
5fdfe6917129a1363f441f13e2d3499ccb3c4f3d93d663a73f1166b055677ef5637ecfe4fe7246c39394e5c78ee6641d07890c97bcbd9fcd0e0eab5325a33c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zejmu.exe

Filesize
2.1MB

MD5
d302552ac3c2db543dafb1f29051b146

SHA1
694d53f684fe6fe069bb96a8901aeddaabb7708e

SHA256
0f3b5dd27b2b3d101389cc3f65f6ebd5ee89c4792bb2631217da3f55da1b22b2

SHA512
5fdfe6917129a1363f441f13e2d3499ccb3c4f3d93d663a73f1166b055677ef5637ecfe4fe7246c39394e5c78ee6641d07890c97bcbd9fcd0e0eab5325a33c3e

Download Submit
C:\Users\Admin\AppData\Local\bazwywawrsmleattccjih.gei

Filesize
272B

MD5
135f2c8eaa31658a7ef33f923f63ff6d

SHA1
5f6a76614f2577c5a2393cb6153ebc9a5d0520be

SHA256
cc19a2db26f8c4e8576575b342265fbf5295f04c8c3b9981875f98944daecb24

SHA512
a1bc3087e8083c7aced8a39ee1f6d0ca0ab55bc2e839424f41d27470c513bd65b346009ab161eca4ef2325170d364472bdbbbe01f675de68bd3bc4ccd974bfdb

Download Submit
C:\Users\Admin\AppData\Local\wgqylujqwinxbimxrcueowjshouglvzg.vpa

Filesize
3KB

MD5
75c7b84550e72ee230d76f423ec420a8

SHA1
b123ca173beaf25ee330bc2de8d39c901a157675

SHA256
f539f368b9967b4d92a0bce75b699ab3d73bfff23585793c15101ecb970242b0

SHA512
af643995ca9a58730561a9e7d11dcd556b9aabd97b0d5541b5543a47f3cb5eea828313573cec73e4b5c2fc1958feca0e2221a3d2d6e0ecaf33d607503e4dfb14

Download Submit