00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498

Analysis

max time kernel
112s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 18:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Size

704KB
MD5

e5327fbbe6865c0f708e259a353512cf
SHA1

59592253d190506b9d34f23f779653857a1e0800
SHA256

00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498
SHA512

79c55503d715c070620fddbf582fbb8a5a1b2ae0dc4b033504a3c2817879fab6eddceda35a1a5582cfbaa9c35002f668a90134f371b5d3796f1a776baef11dd7
SSDEEP

12288:VXgvmzFHi0mo5aH0qMzd5807F9PJQPDHvd:VXgvOHi0mGaH0qSdPFv4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cfiudhk.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfiudhk.exe

Adds policy Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "pfvuqhxtrhyyigqhdclb.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "crgezpezwlbajgpfayg.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbkcrbkzqzjcf = "iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhncovbnbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe

Executes dropped EXE 2 IoCs

pid	Process
4500	cfiudhk.exe
452	cfiudhk.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "crgezpezwlbajgpfayg.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "iviexlyrmznkrmtha.exe ."	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "crgezpezwlbajgpfayg.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "crgezpezwlbajgpfayg.exe ."	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe ."	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rftqkznhdrgemiqfzw.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "crgezpezwlbajgpfayg.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "iviexlyrmznkrmtha.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crgezpezwlbajgpfayg.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfvuqhxtrhyyigqhdclb.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "crgezpezwlbajgpfayg.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iviexlyrmznkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnzumzldxjwsysyl.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tdngwhrhzjuosk = "evmmjbspofxyjitliisja.exe"	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "evmmjbspofxyjitliisja.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whsmdparkvhchaf = "iviexlyrmznkrmtha.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbjaoxftjras = "bnzumzldxjwsysyl.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bnzumzldxjwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evmmjbspofxyjitliisja.exe ."	cfiudhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wdkanvcpelt = "pfvuqhxtrhyyigqhdclb.exe"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	whatismyipaddress.com
22	www.showmyipaddress.com
34	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File created	C:\Windows\SysWOW64\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File opened for modification	C:\Windows\SysWOW64\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe
File created	C:\Windows\SysWOW64\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File created	C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File opened for modification	C:\Program Files (x86)\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe
File created	C:\Program Files (x86)\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File created	C:\Windows\efgqxzahqrtezidfmwqrscjlmtc.fql	cfiudhk.exe
File opened for modification	C:\Windows\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe
File created	C:\Windows\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd	cfiudhk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	cfiudhk.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	cfiudhk.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe
4500	cfiudhk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	cfiudhk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 4500	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	91
PID 2292 wrote to memory of 4500	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	91
PID 2292 wrote to memory of 4500	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	91
PID 2292 wrote to memory of 452	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	92
PID 2292 wrote to memory of 452	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	92
PID 2292 wrote to memory of 452	2292	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe	92

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cfiudhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cfiudhk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cfiudhk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cfiudhk.exe

C:\Users\Admin\AppData\Local\Temp\00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe
"C:\Users\Admin\AppData\Local\Temp\00e739eaebc68c8760f43194b409c9dbdf0c2011cc61778d5ed73323e93a8498.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2292
- C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe
  "C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe
  "C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
ac677cab4f1852f47b959cb57c90d14d

SHA1
07fc4ba0eeb816ec0daf3c1cf387eba94d1cfebb

SHA256
b5584482357d3b0187fa614ca28a1bcf81e418fc635204a375d3b7045cdb95a1

SHA512
fd484d51fa6a1f79561addbff70fe6b920b5e2d3d24ab3914b503fccb696bbfef46c79a757b6bf680f99aacd986d9bd97350eb853f1c3fc7498678d65a0b186b

Download Submit
C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
ccd0c01f1868b54da1c143a76e84a8c8

SHA1
37d560bfb5fca3dcc760eef519dd8d092decfa3f

SHA256
d85f77d430aa647641892b291a7781f2b73ab6fbb793c463ff06302037d4cb4e

SHA512
9c23e94387909cd259c66535f6ec1a05fd0e1d6059f955ffeefa430d04ac6e41e0ba3378f2061a9ca52c96a0ded0ff5d567fb31e1e5d7bd2a5445bcb67f9ff30

Download Submit
C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
19f94bc3ad4dad59488017d00c1ed9df

SHA1
870aa24d9ebad9b8df36775b5684e1955568a9ef

SHA256
c01f6b9c064e9dd5b289ae0760c316b049c7f6c40275c72f36355aa51d2ad20f

SHA512
d486255321ef46221dcf0f457286aa7b0b782565aaa927ba10fa2cf437c64524a18dd04e91fb7fa4d43d60f39d671fea5c7a55599db78c3135409a302a0b655d

Download Submit
C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
4090e9ba1f053275edd222f4b24e20f7

SHA1
fc1f9909c10e45f4a1e10e84fd8069c2ce1feb24

SHA256
a57526a2271cf42fd16c5f4eeac8559a5c0f0de6ff548306be1e95f57757a41c

SHA512
eae76634b3d226f9830c9318277ea4b3e5454ab0992571d2bea8d07797a0267ccc9e800742ddf0b107824fe6cc90fe9e55214be54f2ae8d7f565c52a9caf321a

Download Submit
C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
a33a3cdf0ec1ed4af818eabb4154385e

SHA1
07702268fe62550c1cd223665227253389d7e284

SHA256
93b350ff88db51907e494d6743edd143e845cc0653700e1fe85017535cba5c00

SHA512
30c66b4f1b778c936301faea8dd806aaee6c3fbf0ea35fd47d79adedbf56f1a8d8011cc369bde3537663ad530b383872253fef5651502151a3f083364f8b515b

Download Submit
C:\Program Files (x86)\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
6ff297570387ee3de33efd025e70f0b4

SHA1
ca69d67fbebb4c1d75ddbcdbd29e712094154aaa

SHA256
779a33f1388cc9fdc470a1c5688674f3a6a18ff6f0f49292027dca1f3bb08b04

SHA512
f14b672266bb28950234a9be7258e3e36cef76f4c07db0632f9db496740a0807a685f52d0467ab9625f94c465a6d957727ff9460564e82c48b6d7e7633db1d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe

Filesize
1.3MB

MD5
ce0e43d0fbb96312949ef741bd200574

SHA1
3ee575646c86b6445754c95558ccad28a67b403d

SHA256
329ccf300e430b6522c420c38252fcc05782e7912409b8e04fb05462235cfc3f

SHA512
2af16625ad06f3d1cd4e8c54d4f2df34da41e15f024adbd523fde230b913a058a572303f7d52c54e767e30983a75509aedb6459ca05b561ba7e2abad0fa37f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe

Filesize
1.3MB

MD5
ce0e43d0fbb96312949ef741bd200574

SHA1
3ee575646c86b6445754c95558ccad28a67b403d

SHA256
329ccf300e430b6522c420c38252fcc05782e7912409b8e04fb05462235cfc3f

SHA512
2af16625ad06f3d1cd4e8c54d4f2df34da41e15f024adbd523fde230b913a058a572303f7d52c54e767e30983a75509aedb6459ca05b561ba7e2abad0fa37f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe

Filesize
1.3MB

MD5
ce0e43d0fbb96312949ef741bd200574

SHA1
3ee575646c86b6445754c95558ccad28a67b403d

SHA256
329ccf300e430b6522c420c38252fcc05782e7912409b8e04fb05462235cfc3f

SHA512
2af16625ad06f3d1cd4e8c54d4f2df34da41e15f024adbd523fde230b913a058a572303f7d52c54e767e30983a75509aedb6459ca05b561ba7e2abad0fa37f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfiudhk.exe

Filesize
1.3MB

MD5
ce0e43d0fbb96312949ef741bd200574

SHA1
3ee575646c86b6445754c95558ccad28a67b403d

SHA256
329ccf300e430b6522c420c38252fcc05782e7912409b8e04fb05462235cfc3f

SHA512
2af16625ad06f3d1cd4e8c54d4f2df34da41e15f024adbd523fde230b913a058a572303f7d52c54e767e30983a75509aedb6459ca05b561ba7e2abad0fa37f76

Download Submit
C:\Users\Admin\AppData\Local\bnzumzldxjwsysyldydpbwobnfzlyuauanfafr.yqd

Filesize
4KB

MD5
3a5ac2ddfc8980cc9aadde7b24dcb757

SHA1
31e35eaafaab409fa441bb9e54a45bdc8905c94c

SHA256
9bda23353ec2acf4e4f1cc2e3b6768727e4348ee748afb63e0edb3ff013f224e

SHA512
637c52042cd2d3bc5d9a553584fc2a1b0e882f2338b582e1e6eedb9855c8200d16f831f114bae2031375aacf615030fe069d73efc5cc51db562e87de9e119900

Download Submit
C:\Users\Admin\AppData\Local\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
3f63f5b93cb042479c7c381c1ae094f7

SHA1
2b3b24bd6e65d0904e648aacf596b4b251499310

SHA256
e31456f968f442365faaf7179bb1f6157b6953bd351eb7cd3a063b94fcc075a3

SHA512
91d291cd5fe4bf394374987f6529ee2ea388566ae659d325c14c0ce3a805b4191a598ed89adadf003358be46300947eb3a3b81ed97035fe7146c3d3156557101

Download Submit
C:\Users\Admin\AppData\Local\efgqxzahqrtezidfmwqrscjlmtc.fql

Filesize
280B

MD5
51d72fa09499602ebe5f03f33aafd153

SHA1
765c5d012c51238e3cd8974e28df7a08c7123daa

SHA256
9d8e4c5124434465943e5001aa326f7687320f9578cdd3162dd0a3a916415338

SHA512
898b608b1a0c0140db7365f5e9960fa02de5c6cbbf396652aff2f418192b89b5f5d2d1a1b6364b6c48cc42c30fa95c2abb23356ed70cfce5fc8e369f0ab3760f

Download Submit