2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1

Analysis

max time kernel
73s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Size

2.0MB
MD5

9fd909b9252da347edb2c71b1c75dbb9
SHA1

cfbcf7181f4abe9a747aaad432cc32655a1d764e
SHA256

2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1
SHA512

b7b7f1036471d1f24836ca206b44c7cf07d2168e62fab276615a1876f894573eff38544c504ff182f206df8c483c5a30dcf7752bf94babececf6337aa122a0c6
SSDEEP

12288:dTgvmzFHi0mo5aH0qMzd5807FUJV1PJQPDHvd:dTgvOHi0mGaH0qSdPFUJh4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xgpubds.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xgpubds.exe

Adds policy Run key to start application 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "zwtmhxauidxwnnixrinkh.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "dwpevhgwgxnivritj.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "wogukvtirhwqcxnx.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wogukvtirhwqcxnx.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "wogukvtirhwqcxnx.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwtmhxauidxwnnixrinkh.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "xsnexlmeqjbynlerjyb.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ksaekl = "mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	xgpubds.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe

Executes dropped EXE 2 IoCs

pid	Process
1800	xgpubds.exe
940	xgpubds.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "kgcuodfylfywmlftmcgc.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "kgcuodfylfywmlftmcgc.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "dwpevhgwgxnivritj.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "mgaqivvmxpgcqnfriw.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "xsnexlmeqjbynlerjyb.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "zwtmhxauidxwnnixrinkh.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wogukvtirhwqcxnx.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwtmhxauidxwnnixrinkh.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wogukvtirhwqcxnx.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiucmrjsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wogukvtirhwqcxnx.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "zwtmhxauidxwnnixrinkh.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "wogukvtirhwqcxnx.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "dwpevhgwgxnivritj.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "kgcuodfylfywmlftmcgc.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "mgaqivvmxpgcqnfriw.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "zwtmhxauidxwnnixrinkh.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "kgcuodfylfywmlftmcgc.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwtmhxauidxwnnixrinkh.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "zwtmhxauidxwnnixrinkh.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiucmrjsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "zwtmhxauidxwnnixrinkh.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "xsnexlmeqjbynlerjyb.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiucmrjsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "zwtmhxauidxwnnixrinkh.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "xsnexlmeqjbynlerjyb.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xgpubds = "dwpevhgwgxnivritj.exe"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiucmrjsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "wogukvtirhwqcxnx.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "kgcuodfylfywmlftmcgc.exe ."	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "mgaqivvmxpgcqnfriw.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgnqv = "wogukvtirhwqcxnx.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "xsnexlmeqjbynlerjyb.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwce = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwpevhgwgxnivritj.exe"	xgpubds.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mwgmuxnu = "mgaqivvmxpgcqnfriw.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wiucmrjsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xsnexlmeqjbynlerjyb.exe"	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dozgptksu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgcuodfylfywmlftmcgc.exe ."	xgpubds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwce = "mgaqivvmxpgcqnfriw.exe"	xgpubds.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xgpubds.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	whatismyip.everdot.org
69	www.showmyipaddress.com
79	whatismyipaddress.com
92	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File created	C:\Windows\SysWOW64\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File opened for modification	C:\Windows\SysWOW64\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe
File created	C:\Windows\SysWOW64\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File created	C:\Program Files (x86)\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File opened for modification	C:\Program Files (x86)\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe
File created	C:\Program Files (x86)\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File created	C:\Windows\bcdaztayqpnqlpohfajkl.hbi	xgpubds.exe
File opened for modification	C:\Windows\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe
File created	C:\Windows\wiucmrjsvfocixhluaugsakphqtdmagv.jsy	xgpubds.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	xgpubds.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	xgpubds.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1800	xgpubds.exe
1800	xgpubds.exe
1800	xgpubds.exe
1800	xgpubds.exe
1800	xgpubds.exe
1800	xgpubds.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	xgpubds.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 1800	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	92
PID 3712 wrote to memory of 1800	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	92
PID 3712 wrote to memory of 1800	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	92
PID 3712 wrote to memory of 940	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	93
PID 3712 wrote to memory of 940	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	93
PID 3712 wrote to memory of 940	3712	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe	93

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xgpubds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xgpubds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xgpubds.exe

C:\Users\Admin\AppData\Local\Temp\2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe
"C:\Users\Admin\AppData\Local\Temp\2581a2a35a68adc2e56befc5a7ecf24c1f3bb3278eb9da1e9ed5b5ff6acc0ea1.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3712
- C:\Users\Admin\AppData\Local\Temp\xgpubds.exe
  "C:\Users\Admin\AppData\Local\Temp\xgpubds.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\xgpubds.exe
  "C:\Users\Admin\AppData\Local\Temp\xgpubds.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bcdaztayqpnqlpohfajkl.hbi

Filesize
280B

MD5
49aca8df2a04c6535207f06905f5ac40

SHA1
0a83e4e74ecbfc48c4549ce1d9649718c20be554

SHA256
29ba773e243f85ac7c2bee9faca41ec1ccb9fcc6933d4a6caeee9a9ebac7cd83

SHA512
36ab2f18fe3930d18bce0593245a8bfd97d877f7c1e62c36c8622ec0da6f3f2ec0a5fe1d8751ebd2afded1e1b8b8c3af90b7f06b1e4fcf0e57b3b0e8c9146769

Download Submit
C:\Program Files (x86)\bcdaztayqpnqlpohfajkl.hbi

Filesize
280B

MD5
d9c4f1ffef94d4ab6b413c7462088062

SHA1
40a2cc98ce99b4943a207a7f825a9d3023549d78

SHA256
2e52bb7f521e827ec10269278cd4bbaec5623a5eb6f3708bf3a395e8dff201cf

SHA512
3b0c7bd070727eb042e5768cf28bfa0980768e3db79be8ee833649faafc549eb9d2a82468e3ea0100993981cfd8229716ef982486a1f22ad79334aabe94e3e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgpubds.exe

Filesize
3.1MB

MD5
7e886825e126c81f1e617183c6a441c6

SHA1
a9b5b76c415a2b9f20793e044e25850e725eca88

SHA256
ca3ff2ae7aa81dbf3eebc91f59921d985643a89489162a231557db2f14f94950

SHA512
ca9f5d6b47c5ad1e73b43776cbc41b6890a0413371bdebdb793f19527f65bc3212629f529e113c8a6d16c039bbe48287152306ec1269cc52797af7939a66adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgpubds.exe

Filesize
3.1MB

MD5
7e886825e126c81f1e617183c6a441c6

SHA1
a9b5b76c415a2b9f20793e044e25850e725eca88

SHA256
ca3ff2ae7aa81dbf3eebc91f59921d985643a89489162a231557db2f14f94950

SHA512
ca9f5d6b47c5ad1e73b43776cbc41b6890a0413371bdebdb793f19527f65bc3212629f529e113c8a6d16c039bbe48287152306ec1269cc52797af7939a66adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgpubds.exe

Filesize
3.1MB

MD5
7e886825e126c81f1e617183c6a441c6

SHA1
a9b5b76c415a2b9f20793e044e25850e725eca88

SHA256
ca3ff2ae7aa81dbf3eebc91f59921d985643a89489162a231557db2f14f94950

SHA512
ca9f5d6b47c5ad1e73b43776cbc41b6890a0413371bdebdb793f19527f65bc3212629f529e113c8a6d16c039bbe48287152306ec1269cc52797af7939a66adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgpubds.exe

Filesize
3.1MB

MD5
7e886825e126c81f1e617183c6a441c6

SHA1
a9b5b76c415a2b9f20793e044e25850e725eca88

SHA256
ca3ff2ae7aa81dbf3eebc91f59921d985643a89489162a231557db2f14f94950

SHA512
ca9f5d6b47c5ad1e73b43776cbc41b6890a0413371bdebdb793f19527f65bc3212629f529e113c8a6d16c039bbe48287152306ec1269cc52797af7939a66adc6

Download Submit
C:\Users\Admin\AppData\Local\bcdaztayqpnqlpohfajkl.hbi

Filesize
280B

MD5
75418d5772030a60255e6ae6ef819eb7

SHA1
384c27e988f2b59812ee131a7e1bac06c57a9b1b

SHA256
f5f910c4dd6f74eb1f0ab4a63c99c196771a4c97cba81c2c62061f2f8688d5e5

SHA512
470115ed9e0bb785f4ef90477417169a81743a73d61a852448438056d70459c76652dd2b0731591f5019b8290db5233b33ceba67a4156a522d20e92c22702f04

Download Submit
C:\Users\Admin\AppData\Local\wiucmrjsvfocixhluaugsakphqtdmagv.jsy

Filesize
4KB

MD5
ab23ce4b14674576019e52a14dbc8692

SHA1
13e55a73b50a76d39a64a989d289687accc1ddf1

SHA256
df92e5a08496e7e94faafdaa2502745309769987f204da2e4ca2944361409b7e

SHA512
1c4bf29e87c4958c7f033ca088878f6e900448ae339e04c9ae8ac4c17f22fd70564aedb6e65682065582e8bf6c9d3ae7efd65568fbfb783d450308bca16576cc

Download Submit