10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14-11-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Size

2.0MB
MD5

8e65ea65872f75ccfd39c9b3a976a4ea
SHA1

da6db35943ca0c75cd7031495c40204fe3875ef9
SHA256

10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689
SHA512

b1c2e09595dbf8453310b5a547235965b86b2252db02ce1c6e0abe9017e844174c4596855ee3a414e9e49258651139624bb2e2900a92c3e839289b7580bc874b
SSDEEP

6144:P3ve8ySm8hQAAIfFrRXuEE+0l97mKwKR6HVGI86JQPDHDdx/Qtqa:u/zkFF+EExZmKbReVzPJQPDHvd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	onahjo.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onahjo.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "qbathynlcpomtgmyhz.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "ajgxjylhwheafque.exe"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "hrphukyvlxvsykpai.exe"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vzrdkuctdjb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szujtgrlyhcwzi = "ajgxjylhwheafque.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe

Executes dropped EXE 2 IoCs

pid	Process
2096	onahjo.exe
2748	onahjo.exe

Loads dropped DLL 4 IoCs

pid	Process
2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "qbathynlcpomtgmyhz.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "ajgxjylhwheafque.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "ajgxjylhwheafque.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "hrphukyvlxvsykpai.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajgxjylhwheafque.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "drtpgastndfgqgpeqlrfh.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "bnnhwoedvjjiqelyibf.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "bnnhwoedvjjiqelyibf.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "drtpgastndfgqgpeqlrfh.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "hrphukyvlxvsykpai.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "drtpgastndfgqgpeqlrfh.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "drtpgastndfgqgpeqlrfh.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "qbathynlcpomtgmyhz.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbathynlcpomtgmyhz.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "qbathynlcpomtgmyhz.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "obcxngxxqfggpemalfkx.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "hrphukyvlxvsykpai.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbathynlcpomtgmyhz.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbathynlcpomtgmyhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drtpgastndfgqgpeqlrfh.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe ."	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrphukyvlxvsykpai.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnnhwoedvjjiqelyibf.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drtpgastndfgqgpeqlrfh.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hrphukyvlxvsykpai = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajgxjylhwheafque.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\vdzpaoavjtpkoyb = "qbathynlcpomtgmyhz.exe"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "drtpgastndfgqgpeqlrfh.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajgxjylhwheafque.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajgxjylhwheafque = "qbathynlcpomtgmyhz.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\drtpgastndfgqgpeqlrfh.exe"	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rxrfoakdpxrkm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obcxngxxqfggpemalfkx.exe ."	onahjo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\sxqdlwfxipia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbathynlcpomtgmyhz.exe"	onahjo.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	onahjo.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	whatismyipaddress.com
8	www.showmyipaddress.com
22	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe
File opened for modification	C:\Windows\SysWOW64\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File created	C:\Windows\SysWOW64\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File opened for modification	C:\Windows\SysWOW64\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File created	C:\Program Files (x86)\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File opened for modification	C:\Program Files (x86)\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe
File created	C:\Program Files (x86)\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File created	C:\Windows\dbntuyalppbmggzyuzpnzfgkmxb.nys	onahjo.exe
File opened for modification	C:\Windows\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe
File created	C:\Windows\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc	onahjo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe
2096	onahjo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	onahjo.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2096	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	28
PID 2176 wrote to memory of 2096	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	28
PID 2176 wrote to memory of 2096	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	28
PID 2176 wrote to memory of 2096	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	28
PID 2176 wrote to memory of 2748	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	29
PID 2176 wrote to memory of 2748	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	29
PID 2176 wrote to memory of 2748	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	29
PID 2176 wrote to memory of 2748	2176	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe	29

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	onahjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	onahjo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe

C:\Users\Admin\AppData\Local\Temp\10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe
"C:\Users\Admin\AppData\Local\Temp\10c8eefdb8344886070087f4522f92d33ee5cea76f0261fac60a5cb66354e689.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2176
- C:\Users\Admin\AppData\Local\Temp\onahjo.exe
  "C:\Users\Admin\AppData\Local\Temp\onahjo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\onahjo.exe
  "C:\Users\Admin\AppData\Local\Temp\onahjo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\dbntuyalppbmggzyuzpnzfgkmxb.nys

Filesize
272B

MD5
a414d9e75e256467807237eb37be2a0f

SHA1
75045f3ec50a3e4fda0be4f7cd1aebe5d10ee98c

SHA256
9f8e303b7d653b1bc5fb76d5b4d65caaa1ec7d58f005a86631957ab1b28901f6

SHA512
979eb4bc7bdd5353e4d5618c8b769e9215f48585e2fb9d14361a442a0a6340914c5d6f21c675010c5fca11415fe93e3013a1d0b0b4a391252769a16d1fbb3610

Download Submit
C:\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
C:\Users\Admin\AppData\Local\ajgxjylhwheafquelbclizlanjyjgchswgnden.bnc

Filesize
3KB

MD5
308fcc4b44a8a39e44e6b91600a03950

SHA1
05af2b40e85b88f2c9d57ec10ccd1cfd7e3db774

SHA256
8d6bae0675245ae4744a425579ff41413bde725ec0b2722c9ba32afa5cdbca10

SHA512
c67505ec8abaa5354c13f400c73c245de87ee29b5cfa434aa39eb29c958fa3002538b03d0b8f517dd85ba3d35f34683c038e30fbc25677a29d6abe9dbb991c0f

Download Submit
C:\Users\Admin\AppData\Local\dbntuyalppbmggzyuzpnzfgkmxb.nys

Filesize
272B

MD5
d4805748afb27848ff1afff847705191

SHA1
aeb6861dfcb2366a17f71a94a60ef328993e1c3a

SHA256
36bf18a165f7078ebb7445919d3708aba232e1142f0c1574ce454cc654ab78b4

SHA512
6d9d19e300e89b281e766e0d8f6dddbd93b50b2f82c637746e998430ea9dcae356d520a4b74a82327a015949799105a650aeb76dc948d20822cf8530c32750ab

Download Submit
C:\Users\Admin\AppData\Local\dbntuyalppbmggzyuzpnzfgkmxb.nys

Filesize
272B

MD5
30e37de1069e8f0c4cd02d39cea8de95

SHA1
9fe01d1978aa9f8cc04a56208737be1b95819c68

SHA256
9712ff7fcf11d653033e76ab09da8a5d48e8e7432b15f0e0408092d994fdda47

SHA512
c89dd135be74667a2ae9f80408f769816ba2af1b1c023743f3136761ff1bcb62f4d2ffffdd59e8a337e34ca531126328705b00c9d77129db785c2a7662b08bfe

Download Submit
C:\Users\Admin\AppData\Local\dbntuyalppbmggzyuzpnzfgkmxb.nys

Filesize
272B

MD5
dee76da2e6deed1876f8aaa9f4310494

SHA1
818e39c3d02511be2d1284e48b88cb3246712302

SHA256
222ae9b726c6705879e7419bb1b25b7ab20a85869e8eb7ee7533f319de6b9954

SHA512
b8c2471c9db34c5a3b0e92b2c588a027cab6b5e9154a38c908c404d75695b3146b62471baf67535ab7bcd3e41e17f31a55f8bd9fb100b09bce605ffdd5009f07

Download Submit
\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit
\Users\Admin\AppData\Local\Temp\onahjo.exe

Filesize
3.0MB

MD5
ba8c9d4f53403eca930b1aea8bb12080

SHA1
fdf5e702327e6e01feafc80aafbbb04eb450e81a

SHA256
46445f0feb47d60f3155a4582d24c227d86f47ec8c22fe69e3d41628988bd491

SHA512
dffc25e9e815b82f65c4220a4481cee04bfa7a4d223879dc20d61e39ce95d9f3d786e27c74ce81195932c44c8fd931a2d3cbe1bd078d0db7522389d9edad891e

Download Submit